topic Re: access list for ports can not block multicast ips in ICX Switches

access list for ports can not block multicast ips

farid_hajizeina — Mon, 08 Oct 2018 17:44:28 GMT

Hello,
i have 10x brocade icx 6450 switches so i have a acl like as following :

Standard IP access list port5: 2 entries
permit host x.x.x.x
deny any

then i have applied it to a port switch which is connected to x.x.x.x and when i send tcp syn attack with random source i see all sources dropped at port level but sources like as 224.0.0.0 reach my router!

why does access list does not block multicast ips?! its really strange because i have deny any at end of my access list!
so can anyone help me with this?
thanks

Re: access list for ports can not block multicast ips

netwizz — Mon, 08 Oct 2018 17:54:23 GMT

I believe those are considered multicast reserved or IGMP.

http://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-ipmulticastguide/GUID-6540A2CF-04B3-4...

You probably want to look at "Disabling the flooding of unregistered IPv4 multicast frames in an IGMP-snooping-enabled VLAN"

08.0.30 probably has the same settings...

Re: access list for ports can not block multicast ips

farid_hajizeina — Mon, 08 Oct 2018 18:02:36 GMT

i have 8.0.30 but i can not use ip multicast disable flood...
see this :

Copyright (c) 1996-2015 Brocade Communications Systems, Inc. All rights reserved.
UNIT 1: compiled on Dec 9 2015 at 22:16:02 labeled as ICX64R08030e
(9784800 bytes) from Secondary secondary
SW: Version 08.0.30eT313
Boot-Monitor Image size = 776680, Version:07.4.01T310 (kxz07401)
HW: Stackable ICX6450-48
==========================================================================
UNIT 1: SL 1: ICX6450-48 48-port Management Module
Serial #: BZ6D
License: ICX6450_PREM_ROUTER_SOFT_PACKAGE (LID: df)
P-ENGINE 0: type DEF0, rev 01
P-ENGINE 1: type DEF0, rev 01
==========================================================================
UNIT 1: SL 2: ICX6450-SFP-Plus 4port 40G Module
==========================================================================
800 MHz ARM processor ARMv5TE, 400 MHz bus
65536 KB flash memory
512 MB DRAM
STACKID 1 system uptime is 95 day(s) 19 hour(s) 17 minute(s) 40 second(s)
The system : started=cold start

SSH@ICX6450.302.K11(config)#ip multicast
active IGMP snooping: device generates IGMP queries
age-interval IGMP snooping: membership aging. dft: 260s (
robustness*query-interval + max response time)
leave-wait-time IGMP snooping: stop traffic wait time. dft: 2s
max-response-time IGMP snooping: query max response time, 1-10s, dft: 10
mcache-age IGMP snooping: remove mcache if no traffic. dft: 60s
passive IGMP snooping: device listens for IGMP packets
query-interval IGMP snooping: time to send queries. dft: 125s
report-control IGMP snooping: rate limit reports to router (querier)
ports, same as ip igmp-report-control
robustness Robustness variable: 1-7, dft: 2
verbose-off IGMP snooping: does not print warning/error messages
version IGMP snooping: version 2 or 3. dft: 2

SSH@ICX6450.302.K11(config)#ip multicast

Re: access list for ports can not block multicast ips

netwizz — Mon, 08 Oct 2018 18:16:59 GMT

Well, you aren't going to like this... I cannot find that option on either a 6450 or a 6610 running 08030sa

********

I can find it on an ICX 7450, which of course is running a different branch of code... 08070b is what I have installed. Of course, the ICX 64XX is limited to 08030x

Maybe someone else can chime in. Otherwise, maybe you can drop this at the router. If you are dropping it out-bound, you would want to try an extended access list anyway...

Lastly, you can get rid of the "deny ip any" statement at the end. That is already implied.

****

Usually on switches, you don't apply ACLs on physical interfaces anyway. Where I am going with this is they typically run on Layer-3 interfaces. If you put an IP address on an Interface, well then... go ahead and attach an ACL. Otherwise the common place to put it would be on the SVI or the "interface ve 123" interface.

Re: access list for ports can not block multicast ips

farid_hajizeina — Mon, 08 Oct 2018 18:39:14 GMT

My switches are working in layer 2 ... So your mean is maybe with extended acl i will be able to control this?
Actually i do not want this traffic reach my router ... Any other idea?

Re: access list for ports can not block multicast ips

netwizz — Mon, 08 Oct 2018 18:53:24 GMT

Generally speaking, ACLs work at Layer-3. I have always put them on Layer-3 interfaces. That is all that I am saying. I am not saying it won't work otherwise only that I haven't tried it that way. Most switchports really do not examine all the way up to the packet. The really deal with VLAN membership and whether or not it's tagged looking only at the Layer-2 Frame to make forwarding decisions.

Any reason why you can't drop it at your router?

If you are going to drop it on a switch with a standard ACL, it would be placed on the ingress interface that receives the traffic if it is going to work at all.

If you want to drop outbound traffic, that would require a direction and an extended ACL be applied.

Personally, I would probably just drop it on the router provided the reason you want to drop it earlier isn't to try and keep congestion off of a slow link.