Access list on ports cannot block multicast IPs

  • 1
  • Question
  • Updated 2 months ago
Hello,
I have 10x Brocade ICX 6450 switches, so I have an ACL like the following:

Standard IP access list port5: 2 entries
permit host x.x.x.x
deny any

Then I have applied it to a switch port which is connected to x.x.x.x, and when I send a TCP SYN attack with random sources I see all sources dropped at port level, but sources like 224.0.0.0 reach my router!

Why does the access list not block multicast IPs?! It's really strange, because I have deny any at the end of my access list!
So can anyone help me with this?
Thanks

Farid Hajizeinalabedin

  • 4 Posts
  • 0 Reply Likes

Posted 2 months ago

  • 1
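As an added example, not from the thread: a small evaluator of the standard-ACL semantics in the post (host entries, wildcard-mask entries, "any", and the implicit deny; 10.1.1.20 is a placeholder for the elided x.x.x.x). By rule matching alone every multicast source falls under deny any, so multicast sources arriving at the router point at the switch's multicast forwarding path, the IGMP-snooping/flooding behaviour the reply refers to, rather than a gap in the rule list; the audit also flags multicast and 0/8 sources as bogon source addresses, which can be dropped at the router whatever the port ACL does.

```python
import ipaddress

# Constructed ACL in Brocade standard-ACL syntax, mirroring the post's list;
# the post elides the permitted host as x.x.x.x, so 10.1.1.20 is a placeholder.
ACL_TEXT = """\
permit host 10.1.1.20
deny any
"""
# Constructed sample of source addresses seen on the port during the flood.
SAMPLE_SOURCES = ["10.1.1.20", "198.51.100.7", "224.0.0.5", "239.255.255.250"]

def wildcard_to_network(addr, wildcard):
    """'addr wildcard' with an inverse (wildcard) mask, as Brocade ACLs use."""
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def parse_standard_acl(text):
    """Parse 'permit|deny host A', 'permit|deny A W' and 'permit|deny any' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        action, rest = parts[0], parts[1:]
        if rest == ["any"]:
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
        else:
            net = wildcard_to_network(rest[0], rest[1])
        entries.append((action, net))
    return entries

def acl_action(entries, src):
    """First matching entry wins; an unmatched source hits the implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"  # implicit deny at the end of every ACL

def audit(entries, sources):
    """Map each source to (ACL verdict, bogon flag). Multicast (224/4) and 0/8
    are never legitimate IPv4 source addresses, so such packets are filterable."""
    report = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        bogon = addr.is_multicast or addr in ipaddress.ip_network("0.0.0.0/8")
        report[src] = (acl_action(entries, src), bogon)
    return report
```

Calling audit(parse_standard_acl(ACL_TEXT), SAMPLE_SOURCES) gives "deny" for every multicast source, i.e. the rule list itself is not what lets 224.0.0.0/4 through.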
NETWizz

  • 56 Posts
  • 18 Reply Likes
I believe those are considered multicast reserved or IGMP.

http://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-ipmulticastguide/GUID-6540A2CF-04B3-4...


You probably want to look at "Disabling the flooding of unregistered IPv4 multicast frames in an IGMP-snooping-enabled VLAN"

08.0.30 probably has the same settings...
Farid Hajizeinalabedin

  • 4 Posts
  • 0 Reply Likes
I have 8.0.30 but I cannot use ip multicast disable flood...
See this:


  Copyright (c) 1996-2015 Brocade Communications Systems, Inc. All rights reserved.
    UNIT 1: compiled on Dec  9 2015 at 22:16:02 labeled as ICX64R08030e
                (9784800 bytes) from Secondary secondary
        SW: Version 08.0.30eT313
  Boot-Monitor Image size = 776680, Version:07.4.01T310 (kxz07401)
  HW: Stackable ICX6450-48
==========================================================================
UNIT 1: SL 1: ICX6450-48 48-port Management Module
         Serial  #: BZ6D
         License: ICX6450_PREM_ROUTER_SOFT_PACKAGE   (LID: df)
         P-ENGINE  0: type DEF0, rev 01
         P-ENGINE  1: type DEF0, rev 01
==========================================================================
UNIT 1: SL 2: ICX6450-SFP-Plus 4port 40G Module
==========================================================================
  800 MHz ARM processor ARMv5TE, 400 MHz bus
65536 KB flash memory
  512 MB DRAM
STACKID 1  system uptime is 95 day(s) 19 hour(s) 17 minute(s) 40 second(s)
The system : started=cold start

[email protected](config)#ip multicast
  active              IGMP snooping: device generates IGMP queries
  age-interval        IGMP snooping: membership aging. dft: 260s (
                      robustness*query-interval + max response time)
  leave-wait-time     IGMP snooping: stop traffic wait time. dft: 2s
  max-response-time   IGMP snooping: query max response time, 1-10s, dft: 10
  mcache-age          IGMP snooping: remove mcache if no traffic. dft: 60s
  passive             IGMP snooping: device listens for IGMP packets
  query-interval      IGMP snooping: time to send queries. dft: 125s
  report-control      IGMP snooping: rate limit reports to router (querier)
                      ports, same as ip igmp-report-control
  robustness          Robustness variable: 1-7, dft: 2
  verbose-off         IGMP snooping: does not print warning/error messages
  version             IGMP snooping: version 2 or 3. dft: 2
  <cr>
[email protected](config)#ip multicast

NETWizz

  • 56 Posts
  • 18 Reply Likes
Well, you aren't going to like this... I cannot find that option on either a 6450 or a 6610 running 08030sa

********

I can find it on an ICX 7450, which of course is running a different branch of code... 08070b is what I have installed.  Of course, the ICX 64XX is limited to 08030x

Maybe someone else can chime in.  Otherwise, maybe you can drop this at the router.  If you are dropping it out-bound, you would want to try an extended access list anyway...

Lastly, you can get rid of the "deny ip any" statement at the end.  That is already implied.


****

Usually on switches, you don't apply ACLs on physical interfaces anyway.  Where I am going with this is they typically run on Layer-3 interfaces.  If you put an IP address on an Interface, well then... go ahead and attach an ACL.  Otherwise the common place to put it would be on the SVI or the "interface ve 123" interface.
Farid Hajizeinalabedin

  • 4 Posts
  • 0 Reply Likes
My switches are working in layer 2... So you mean that maybe with an extended ACL I will be able to control this?
Actually I do not want this traffic to reach my router... Any other idea?
NETWizz

  • 56 Posts
  • 18 Reply Likes
Generally speaking, ACLs work at Layer-3.  I have always put them on Layer-3 interfaces.  That is all that I am saying.  I am not saying it won't work otherwise, only that I haven't tried it that way.  Most switchports really do not examine all the way up to the packet.  They really deal with VLAN membership and whether or not it's tagged, looking only at the Layer-2 frame to make forwarding decisions.

Any reason why you can't drop it at your router?

If you are going to drop it on a switch with a standard ACL, it would be placed on the ingress interface that receives the traffic if it is going to work at all.

If you want to drop outbound traffic, that would require a direction and an extended ACL be applied.


Personally, I would probably just drop it on the router provided the reason you want to drop it earlier isn't to try and keep congestion off of a slow link.