Are you talking layer 2 or layer 3 switch? A layer 2 switch does nothing with the ip directed broadcast. Take this example, I am on LAN 1 (192.168.1.0/24) and ping the directed broadcast address 192.168.1.255.
Host 1 <--> SW1 <--> R1 <--> R2 <--> SW2 <--> Host 2
Host 1 pings 192.168.1.255. Assuming that the GW IP has already been resolved, the packet gets forwarded to the router R1. Assuming that "ip directed broadcast" is enabled on R1, R1 sees that the destination is "local" and converts the directed broadcast 192.168.1.255 --> 255.255.255.255 and sends it back out the LAN 1 interface. All hosts will respond.
Host 2 is on LAN 2 (192.168.2.0/24). Host 1 pings the directed broadcast 192.168.2.255, assuming that "ip directed broadcast" is enabled on R1 and R2. The packet goes from Host 1 to R1. R1 routes the packet to R2. R2 sees that the destination is "local" and converts the directed broadcast 192.168.2.255 --> 255.255.255.255 and sends it out the LAN 2 interface. All hosts on LAN 2 respond.
Why would it hit your gateway? If you are local to the subnet, you will actually self-translate that into 255.255.255.255. (debug ip packet on a router will show you that)
If you try it to a different subnet, you'll need "ip directed-broadcast" enabled on the interface belonging to the subnet you're trying to send to. Otherwise, since IOS 12.0, those subnet pings have been blocked from a routing point of view. (smurf attack)
Keep in mind though that's always at the END point. Up until the last router, nobody else really knows whether an IP is a broadcast or not. Just at that last router, where the subnet + mask really exists, can we tell!
You have gotten some great responses.
Here is what it would look like from the CLI and Wireshark, if the admin at the router sends a local broadcast PING:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.234.0.255, timeout is 2 seconds:
Reply to request 0 from 10.234.0.4, 4 ms
Reply to request 0 from 10.234.0.3, 8 ms
Reply to request 1 from 10.234.0.3, 8 ms
Reply to request 1 from 10.234.0.4, 8 ms
Reply to request 2 from 10.234.0.3, 8 ms
Reply to request 2 from 10.234.0.4, 8 ms
Reply to request 3 from 10.234.0.3, 4 ms
Reply to request 3 from 10.234.0.4, 4 ms
Reply to request 4 from 10.234.0.3, 4 ms
Reply to request 4 from 10.234.0.4, 8 ms
The switch, as usual, would forward the L2 broadcast to all other ports in the same VLAN, and the devices on those ports would de-encapsulate the ICMP echo request, and respond with a unicast echo-reply back to the source address used in the request (in this example, R2 is using 10.234.0.2).
Scott Morris - CCDE/4xCCIE/2xJNCIE wrote:
You'll get lots of replies from everyone on your subnet. At least everyone who didn't have an ACL or FW blocking ICMP.
And the rest of us will wonder WHY you felt like doing that!?!??
Well I know not to do it, but that doesn't mean I can tell my users not to. I am just thinking that this could cause the pipes to clog, am I right in saying that?
It would only clog local workstations and switch throughput. Your "pipes" (connections elsewhere) would be fine unless you were routing.
Typically things like that (especially pinging to the subnet broadcast with a source IP of the broadcast as well) are meant to target the devices on the local segment.
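Added example, not part of the thread and not taken from any router's code: a small Python model of the forwarding decision discussed above, showing that only the router attached to the destination subnet can recognise a directed broadcast, and that it drops it unless "ip directed-broadcast" is set on that interface. The LAN subnets come from the thread; the 10.0.0.0/30 link between R1 and R2, the interface names and the action labels are assumptions.

```python
import ipaddress

class Router:
    """Minimal model of how one router treats a packet's destination address."""

    def __init__(self, name, connected, directed_broadcast=()):
        self.name = name
        # connected: {interface name: "address/prefix"} for directly attached subnets
        self.connected = {i: ipaddress.ip_interface(a) for i, a in connected.items()}
        # interfaces where "ip directed-broadcast" is configured (off by default)
        self.directed_broadcast = set(directed_broadcast)

    def handle(self, dst):
        """Return (action, interface) for a routed packet addressed to dst."""
        dst = ipaddress.ip_address(dst)
        for ifname, iface in self.connected.items():
            net = iface.network
            # Only a router attached to the subnet knows its mask, so only it
            # can recognise dst as that subnet's broadcast address.
            if net.prefixlen < 31 and dst == net.broadcast_address:
                if ifname in self.directed_broadcast:
                    return ("flood", ifname)   # sent out as a LAN broadcast
                return ("drop", ifname)        # blocked when the feature is off
        return ("unicast", None)               # looks like any other address


def trace(path, dst):
    """Walk dst through the routers in path, stopping at the first non-unicast action."""
    hops = []
    for router in path:
        action, ifname = router.handle(dst)
        hops.append((router.name, action, ifname))
        if action != "unicast":
            break
    return hops


def build_path(r2_directed_broadcast=False):
    # Constructed topology: LAN subnets are from the thread; the 10.0.0.0/30
    # link and the interface names are assumptions.
    r1 = Router("R1", {"lan1": "192.168.1.1/24", "wan": "10.0.0.1/30"})
    r2 = Router("R2", {"wan": "10.0.0.2/30", "lan2": "192.168.2.1/24"},
                directed_broadcast=("lan2",) if r2_directed_broadcast else ())
    return [r1, r2]


if __name__ == "__main__":
    for enabled in (False, True):
        print(enabled, trace(build_path(enabled), "192.168.2.255"))
```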