[c-nsp] security

Paul Cosgrove paul.cosgrove at heanet.ie
Tue Dec 2 10:29:58 EST 2008

Michael Simpson wrote:
> On 12/2/08, Adam Greene <maillist at webjogger.net> wrote:
>> How does one get around the side-effect of not allowing broadcasts; i.e.
>> wouldn't this break ARP functionality?
>  Not within the subnet
> using ethernet arp is only on the local segment and won't traverse the router
> no ip directed broadcast stops broadcasts from a different subnet
> snipped from <http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1081245>
> An IP directed broadcast is an IP packet whose destination address is
> a valid broadcast address for some IP subnet, but which originates
> from a node that is not itself part of that destination subnet.
> A router that is not directly connected to its destination subnet
> forwards an IP directed broadcast in the same way it would forward
> unicast IP packets destined to a host on that subnet. When a directed
> broadcast packet reaches a router that is directly connected to its
> destination subnet, that packet is "exploded" as a broadcast on the
> destination subnet. The destination address in the IP header of the
> packet is rewritten to the configured IP broadcast address for the
> subnet, and the packet is sent as a link-layer broadcast.
> mike
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
Or to put it another way...

ARP uses a destination IP of , which is the 'limited 
broadcast address'. Packets with this destination are never routed 
between subnets.
Directed broadcast destination IPs begin with a subnet's network prefix, 
so for an interface with IP the directed broadcast 
address of its attached subnet is . These can be routed 
between subnets.
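The distinction both replies draw (a limited broadcast is never routed; a directed broadcast is forwarded as ordinary unicast by transit routers and only "exploded" by the router directly attached to the target subnet, which is where `ip directed-broadcast` / `no ip directed-broadcast` applies) as an added example. This is not code from the thread or from Cisco; it is a toy model of the forwarding decision the quoted documentation describes. The router, its interface names, the addresses (RFC 5737 documentation ranges) and the test packets are all constructed for the example.

```python
"""Limited vs directed broadcast, and what `no ip directed-broadcast` changes.

Added example, not code from the thread or from IOS. Addresses, interface
names and packets are constructed (RFC 5737 documentation ranges); the
Interface class and forward() are a toy model of the last-hop decision the
Cisco documentation quoted above describes.
"""
import ipaddress

# 255.255.255.255, the limited broadcast address. Link-local only: a router
# never forwards it between subnets, so it needs no filtering.
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def directed_broadcast_address(cidr):
    """Directed broadcast address of the subnet an interface is attached to.

    Built from the network prefix with every host bit set. /31 and /32
    subnets have no broadcast address, so None is returned for them.
    """
    net = ipaddress.ip_interface(cidr).network
    if net.prefixlen >= 31:
        return None
    return str(net.broadcast_address)


class Interface:
    """One router interface (constructed; not an IOS data structure)."""

    def __init__(self, name, cidr, directed_broadcast=False):
        self.name = name
        self.cidr = cidr
        # Models `ip directed-broadcast` on the interface. False is the
        # `no ip directed-broadcast` state, the IOS default since 12.0.
        self.directed_broadcast = directed_broadcast

    @property
    def broadcast(self):
        bc = directed_broadcast_address(self.cidr)
        return ipaddress.IPv4Address(bc) if bc else None


def forward(dst, ingress, interfaces):
    """What the router does with an IP packet to `dst` received on `ingress`.

    Returns one of:
      "not-routed"       limited broadcast; never leaves the ingress segment
      "local-broadcast"  dst is the ingress subnet's own broadcast address;
                         it already arrived as an L2 broadcast, nothing to forward
      "exploded:<if>"    this router is directly connected to the target subnet
                         and directed broadcasts are enabled on that interface
      "dropped:<if>"     directly connected, but `no ip directed-broadcast`
      "unicast"          ordinary forwarding, which is also what happens to a
                         directed broadcast for a subnet this router is NOT
                         directly connected to (a transit router cannot filter it)
    """
    d = ipaddress.IPv4Address(dst)
    by_name = {i.name: i for i in interfaces}
    if d == LIMITED_BROADCAST:
        return "not-routed"
    if d == by_name[ingress].broadcast:
        return "local-broadcast"
    for i in interfaces:
        if i.name != ingress and d == i.broadcast:
            # Last-hop router for a directed broadcast: the only point at
            # which the interface setting matters.
            return f"exploded:{i.name}" if i.directed_broadcast else f"dropped:{i.name}"
    return "unicast"


def example_router(allow_directed=False):
    """Two-armed edge router, an uplink and a LAN (constructed addresses)."""
    return [
        Interface("Gi0/0", "203.0.113.1/24"),
        Interface("Gi0/1", "192.0.2.1/24", directed_broadcast=allow_directed),
    ]


if __name__ == "__main__":
    packets = [
        ("192.0.2.255", "Gi0/0"),      # directed broadcast arriving from outside
        ("192.0.2.255", "Gi0/1"),      # same destination, sent by a LAN host
        ("255.255.255.255", "Gi0/1"),  # limited broadcast (what ARP-era traffic looks like)
        ("198.51.100.255", "Gi0/0"),   # directed broadcast for a subnet we are not on
        ("192.0.2.10", "Gi0/0"),       # plain unicast into the LAN
    ]
    for allow in (False, True):
        print("ip directed-broadcast" if allow else "no ip directed-broadcast")
        for dst, ingress in packets:
            print(f"  {dst:>16} in {ingress}: {forward(dst, ingress, example_router(allow))}")
```

Two things the model makes visible that the prose only implies: the setting has to be on the interface facing the target subnet, since a transit router forwards the directed broadcast as unicast and never sees it as a broadcast at all; and a host on the LAN sending to its own subnet's broadcast address is untouched, because that packet is already a link-layer broadcast on the segment and the router is not forwarding it anywhere.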

