access list for ports can not block multicast ips

farid_hajizeina
New Contributor II
Hello,
I have 10x Brocade ICX 6450 switches, so I have an ACL like the following:

Standard IP access list port5: 2 entries
permit host x.x.x.x
deny any

Then I applied it to a switch port which is connected to x.x.x.x, and when I send a TCP SYN attack with random sources I see all sources dropped at port level, but sources like 224.0.0.0 reach my router!

Why does the access list not block multicast IPs?! It's really strange because I have deny any at the end of my access list!
So can anyone help me with this?
Thanks


netwizz
Contributor III
I believe those are considered multicast reserved or IGMP.

http://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-ipmulticastguide/GUID-6540A2CF-04B3-4...


You probably want to look at "Disabling the flooding of unregistered IPv4 multicast frames in an IGMP-snooping-enabled VLAN"

08.0.30 probably has the same settings...

farid_hajizeina
New Contributor II
I have 8.0.30 but I cannot use ip multicast disable flood...
See this:


  Copyright (c) 1996-2015 Brocade Communications Systems, Inc. All rights reserved.
    UNIT 1: compiled on Dec  9 2015 at 22:16:02 labeled as ICX64R08030e
                (9784800 bytes) from Secondary secondary
        SW: Version 08.0.30eT313
  Boot-Monitor Image size = 776680, Version:07.4.01T310 (kxz07401)
  HW: Stackable ICX6450-48
==========================================================================
UNIT 1: SL 1: ICX6450-48 48-port Management Module
         Serial  #: BZ6D
         License: ICX6450_PREM_ROUTER_SOFT_PACKAGE   (LID: df)
         P-ENGINE  0: type DEF0, rev 01
         P-ENGINE  1: type DEF0, rev 01
==========================================================================
UNIT 1: SL 2: ICX6450-SFP-Plus 4port 40G Module
==========================================================================
  800 MHz ARM processor ARMv5TE, 400 MHz bus
65536 KB flash memory
  512 MB DRAM
STACKID 1  system uptime is 95 day(s) 19 hour(s) 17 minute(s) 40 second(s)
The system : started=cold start

SSH@ICX6450.302.K11(config)#ip multicast
  active              IGMP snooping: device generates IGMP queries
  age-interval        IGMP snooping: membership aging. dft: 260s (
                      robustness*query-interval + max response time)
  leave-wait-time     IGMP snooping: stop traffic wait time. dft: 2s
  max-response-time   IGMP snooping: query max response time, 1-10s, dft: 10
  mcache-age          IGMP snooping: remove mcache if no traffic. dft: 60s
  passive             IGMP snooping: device listens for IGMP packets
  query-interval      IGMP snooping: time to send queries. dft: 125s
  report-control      IGMP snooping: rate limit reports to router (querier)
                      ports, same as ip igmp-report-control
  robustness          Robustness variable: 1-7, dft: 2
  verbose-off         IGMP snooping: does not print warning/error messages
  version             IGMP snooping: version 2 or 3. dft: 2
 
SSH@ICX6450.302.K11(config)#ip multicast

netwizz
Contributor III
Well, you aren't going to like this... I cannot find that option on either a 6450 or a 6610 running 08030sa

********

I can find it on an ICX 7450, which of course is running a different branch of code... 08070b is what I have installed.  Of course, the ICX 64XX is limited to 08030x

Maybe someone else can chime in.  Otherwise, maybe you can drop this at the router.  If you are dropping it out-bound, you would want to try an extended access list anyway...

Lastly, you can get rid of the "deny ip any" statement at the end.  That is already implied.


****

Usually on switches, you don't apply ACLs on physical interfaces anyway.  Where I am going with this is they typically run on Layer-3 interfaces.  If you put an IP address on an Interface, well then... go ahead and attach an ACL.  Otherwise the common place to put it would be on the SVI or the "interface ve 123" interface.
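Added example (not code from either poster or from the FastIron documentation): a small standard-ACL matcher that applies first-match-wins plus the implicit deny to the list from the question, using 10.0.0.5 as a constructed stand-in for x.x.x.x. It confirms that, on paper, the list already denies a 224.0.0.0 source (so the leak is in how the switch handles reserved multicast, not in the ACL logic) and that the trailing "deny any" only duplicates the implicit deny mentioned above; multicast source addresses are also flagged, since RFC 1112 never allows a group address as a sender.

```python
import ipaddress

# Constructed stand-in for the thread's ACL ("x.x.x.x" replaced by 10.0.0.5).
ACL_TEXT = """
Standard IP access list port5: 2 entries
permit host 10.0.0.5
deny any
"""
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # RFC 1112: never a valid source

def wildcard_to_prefixlen(wildcard):
    """Convert a wildcard mask such as 0.0.0.255 into a prefix length."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - w.bit_length()

def parse_acl(text):
    """Parse 'permit|deny host A', 'permit|deny any' and 'permit|deny A WILDCARD' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # skip the 'Standard IP access list ...' header line
        action, target = parts[0], parts[1]
        if target == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target == "host":
            net = ipaddress.ip_network(parts[2] + "/32")
        else:
            net = ipaddress.ip_network(f"{target}/{wildcard_to_prefixlen(parts[2])}", strict=False)
        rules.append((action, net))
    return rules

def evaluate(rules, src):
    """First rule containing the source wins; FastIron adds an implicit 'deny any'."""
    ip = ipaddress.ip_address(src)
    for action, net in rules:
        if ip in net:
            return action
    return "deny"  # implicit deny, so an explicit trailing 'deny any' is redundant

def audit_sources(acl_text, sources):
    """Return {src: (verdict, note)}; multicast sources are always spoofed traffic."""
    rules = parse_acl(acl_text)
    out = {}
    for src in sources:
        note = "multicast source" if ipaddress.ip_address(src) in MULTICAST else "unicast source"
        out[src] = (evaluate(rules, src), note)
    return out
```

Run audit_sources(ACL_TEXT, [...]) over the source addresses seen in a capture: a multicast source with verdict "deny" that still reaches the router shows the platform is bypassing the port ACL for that traffic.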

farid_hajizeina
New Contributor II
My switches are working in layer 2... So you mean that maybe with an extended ACL I will be able to control this?
Actually I do not want this traffic to reach my router... Any other idea?