
Question about no ip-directed broadcast

Milan 195 posts since Sep 3, 2008


Question about no ip-directed broadcast Mar 7, 2010 6:51 PM
Hi,

Could someone explain to me in plain English what no ip-directed broadcast is meant to do and why it's
beneficial to have it disabled?

Thanks in advance
Milan

JohnMoore 120 posts since Apr 3, 2009


Re: Question about no ip-directed broadcast Mar 7, 2010 6:53 PM
It is to prevent someone doing a broadcast which could flood the NIC/router/subnet; otherwise, if enabled, it will
allow broadcasts.

Angela 746 posts since Jan 29, 2010


Re: Question about no ip-directed broadcast Mar 7, 2010 8:18 PM
'no ip-directed broadcast' is a command that prevents a router from broadcasting its IP address. This is a
security concern.

As you advance, you will know that you can send a continuous ping to a location to test for network activity.
However, some malicious hacker can take advantage of this ping utility and use many computers to ping a
single site. This creates a lot of traffic, and so jams up the network resources. Preventing the IP
address from being sent out in the first place greatly reduces the risk.

Another, similar approach is to disable the ICMP protocol, which is responsible for the functioning of the 'ping' utility.
When doing so, you reject any 'ping' or 'traceroute', thus effectively eliminating the risk of DoS attacks.

In summary, disabling ICMP is more effective than 'no ip-directed broadcast' as it actively denies access to all
ICMP traffic, while 'no ip-directed broadcast' just limits the distribution of some IP address; the hacker STILL
CAN obtain your address through other means. On the other hand, 'ping' and 'traceroute' are very important
troubleshooting tools, so disabling them brings a somewhat increased level of difficulty in troubleshooting.

Regards,

2015 Cisco and/or its affiliates. All Rights Reserved. Generated on 2015-05-24-07:00
This document is Cisco Public Information.

Milan 195 posts since Sep 3, 2008


Re: Question about no ip-directed broadcast Mar 7, 2010 8:29 PM
in response to Angela
So does this stop you from being able to get replies when you ping the router's interface where you have "no ip-
directed broadcast" enabled?

Matthew Bartlett 10 posts since Jan 25, 2010


Re: Question about no ip-directed broadcast Mar 7, 2010 8:38 PM
in response to Angela
Angela, I don't think this is correct, as it has to do with broadcast from outside of the destination subnet (a
broadcast that doesn't originate from the subnet it is intended for). This is from the Cisco website,
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1081245 :

Usage Guidelines
An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP
subnet, but which originates from a node that is not itself part of that destination subnet.
A router that is not directly connected to its destination subnet forwards an IP directed broadcast in the same
way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet
reaches a router that is directly connected to its destination subnet, that packet is "exploded" as a broadcast on
the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP
broadcast address for the subnet, and the packet is sent as a link-layer broadcast.
The ip directed-broadcast interface command controls the explosion of directed broadcasts when they reach
their target subnets. The command affects only the final transmission of the directed broadcast on its ultimate
destination subnet. It does not affect the transit unicast routing of IP directed broadcasts.
If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as
directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts
on that subnet. If an access list has been configured with the ip directed-broadcast command, only directed
broadcasts that are permitted by the access list in question will be forwarded; all other directed broadcasts
destined for the interface subnet will be dropped.
If the no ip directed-broadcast command has been configured for an interface, directed broadcasts destined
for the subnet to which that interface is attached will be dropped, rather than being broadcast.

Matthew

sbjones 242 posts since Nov 14, 2009


Re: Question about no ip-directed broadcast Mar 7, 2010 9:38 PM

More simply put: a network broadcast address is 255.255.255.255, and as a broadcast it is sent to all hosts
on that network (or subnet), the network on which the packet originated. All hosts see it and act upon it or
drop it depending on what is in the broadcast packet. The broadcast does not go any further than the network
that originated it. The router does not route it.

A directed broadcast is a packet sent from a different network (or subnet) to a legitimate broadcast address
on another network. For example a device from 172.16.1.1 sends a packet (directed) to 192.168.1.255/24 (the
broadcast address on network 192.168.1.0/24). The packet has a network and subnet address with the host
bits all ones. This will be routed to 192.168.1.0 and sent to all hosts on 192.168.1.0.

These are not desirable for the same reason as other broadcasts: lots of bandwidth consumption and hosts
processing packets unnecessarily.

It will not affect ping on the router interface.
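The decision that the Cisco usage guidelines quoted by Matthew and the example from sbjones describe, as an added example that is not part of this thread and is not Cisco code: a small model of a router with two connected subnets that classifies each packet by where it would be dropped, exploded or simply routed on. It goes a little beyond sbjones's single 172.16.1.1 -> 192.168.1.255 case by also covering the limited broadcast 255.255.255.255, a local subnet broadcast, a /31 subnet (which has no broadcast address) and transit traffic for a subnet this router is not connected to. The interface table, the address values and the helper names are all constructed for illustration; `ip helper-address` relaying (which forwards selected UDP broadcasts such as DHCP as unicast, and is discussed later in the thread) is a separate mechanism and is not modelled.

```python
"""Model the router decision described in the Cisco usage guidelines above.

Added example for this thread; it is not Cisco code and not a thread
member's lab. The interface table, address values and helper names are
constructed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network

LIMITED_BROADCAST = IPv4Address("255.255.255.255")

# Constructed router with two directly connected subnets. Gi0/0 carries
# `no ip directed-broadcast` (the IOS default since release 12.0); Gi0/1 has
# `ip directed-broadcast` configured explicitly.
INTERFACES = {
    "Gi0/0": {"net": IPv4Network("192.168.1.0/24"), "directed_broadcast": False},
    "Gi0/1": {"net": IPv4Network("172.16.1.0/24"), "directed_broadcast": True},
}


def is_directed_broadcast(src, dst, net):
    """Cisco's definition: dst is the broadcast address of `net` and src is
    not itself part of `net`. /31 and /32 subnets have no broadcast address
    (RFC 3021), so they can never be the target of one."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    if net.prefixlen >= 31:
        return False
    return dst == net.broadcast_address and src not in net


def router_action(src, dst, interfaces=INTERFACES):
    """What this router does with a packet from src to dst. Returns one of:
      'limited-broadcast'  255.255.255.255 stays on the link it arrived on;
                           a router never forwards it
      'local-broadcast'    subnet broadcast sent by a host on that subnet;
                           the router consumes or ignores it, never forwards it
      'explode'            directed broadcast rewritten and sent as a
                           link-layer broadcast on the target subnet, because
                           that interface has `ip directed-broadcast`
      'drop-directed'      target subnet reached, but the interface has
                           `no ip directed-broadcast`, so the packet is dropped
      'forward-unicast'    ordinary unicast to a host on a connected subnet
      'transit'            dst is not on a connected subnet; routed like any
                           unicast, the command on this router plays no part
    """
    src_addr, dst_addr = IPv4Address(src), IPv4Address(dst)
    if dst_addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    for cfg in interfaces.values():
        net = cfg["net"]
        if dst_addr not in net:
            continue
        if net.prefixlen < 31 and dst_addr == net.broadcast_address:
            if is_directed_broadcast(src_addr, dst_addr, net):
                return "explode" if cfg["directed_broadcast"] else "drop-directed"
            return "local-broadcast"
        return "forward-unicast"
    return "transit"


if __name__ == "__main__":
    # Constructed sample packets. The first is sbjones's 172.16.1.1 ->
    # 192.168.1.255 case, which this router drops because Gi0/0 is hardened.
    samples = [
        ("172.16.1.1", "192.168.1.255"),
        ("192.168.1.10", "172.16.1.255"),
        ("192.168.1.5", "192.168.1.255"),
        ("172.16.1.1", "192.168.1.10"),
        ("10.0.0.5", "10.20.30.255"),
        ("172.16.1.1", "255.255.255.255"),
    ]
    for s, d in samples:
        print(f"{s:>15} -> {d:<15} {router_action(s, d)}")
```

The point the model makes visible is the one in the quoted guidelines: the command only matters on the router that owns the target subnet, so a transit router forwards the packet as ordinary unicast no matter how it is configured, and every edge interface has to carry `no ip directed-broadcast` for the hardening to hold. On IOS the setting can be checked per interface with `show ip interface`, which reports whether directed broadcast forwarding is disabled.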

Scott Morris - CCDE/4xCCIE/2xJNCIE 8,435 posts since Oct 7, 2008


Re: Question about no ip-directed broadcast Mar 8, 2010 5:03 AM
While it's cool to have YOU talk to all your friends, you don't exactly want anyone and everyone to be able to
reach your group of friends without prior authorization. (Your friends may get upset with you!)

Scott

Lexis 1 posts since May 23, 2012


Re: Question about no ip-directed broadcast May 23, 2012 7:56 AM
Hello,

Will "no ip-directed broadcast" also block DHCP requests?

If I put this option and a helper-address on an interface, does the DHCP relay work?

Thanks,

Brian 2,971 posts since Aug 17, 2009


Re: Question about no ip-directed broadcast May 23, 2012 11:37 AM
in response to Lexis
No. The "no ip-directed broadcast" is used to stop the router from converting the directed broadcast address to
the local broadcast address. If you put the "ip helper-address" on an interface for DHCP relay it will work just
fine.


Here are some other great links to similar discussions about the "directed broadcast" and "local broadcast".

https://learningnetwork.cisco.com/message/59951#59951

https://learningnetwork.cisco.com/message/146050#146050

https://learningnetwork.cisco.com/message/167943#167943

Hope this helps.

Brian

YapChinHoong 61 posts since Mar 1, 2009


Re: Question about no ip-directed broadcast May 23, 2012 8:04 PM
I have done some labs regarding the no ip directed-broadcast interface subcommand before. Thanks.
http://www.itcertnotes.com/2011/05/directed-broadcast-forwarding.html
