Wake on LAN commonly relies on a magic packet that must reach a sleeping endpoint on its local subnet. When the WoL server is in a different subnet from the sleeping clients, a unicast packet cannot always be delivered directly because the sleeping host may not have an active ARP entry or IP stack behavior suitable for normal unicast forwarding. Cisco campus designs therefore use IP directed broadcast on the Layer 3 interface for the target VLAN or subnet so a routed packet can be delivered to the subnet and then converted into a Layer 2 broadcast. This must be implemented carefully, with access control, because directed broadcasts can be abused if left unrestricted. Dynamic ARP Inspection and DHCP snooping are Layer 2 security controls; they do not provide the Layer 3 directed broadcast function required for WoL. Proxy ARP allows a router to answer ARP requests on behalf of another host, but it does not solve cross-subnet delivery of WoL magic packets. Therefore, the design must include directed broadcasts on the relevant Layer 3 devices.