access list for ports can not block multicast ips

farid_hajizeina
New Contributor II
Hello,
I have 10x Brocade ICX 6450 switches, so I have an ACL like the following:

Standard IP access list port5: 2 entries
permit host x.x.x.x
deny any

Then I have applied it to a switch port which is connected to x.x.x.x, and when I send a TCP SYN attack with random sources I see all sources dropped at port level, but sources like 224.0.0.0 reach my router!

Why does the access list not block multicast IPs?! It's really strange because I have deny any at the end of my access list!
So can anyone help me with this?
Thanks
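To make the expectation in the post concrete: a standard IP ACL matches on source address only, first match wins, and an unmatched packet falls through to the implicit deny, so a source of 224.0.0.0 should hit the "deny any" entry. The following is an added example (not code from the post or from Brocade) that models that evaluation and also flags source addresses that are never valid on ingress (multicast 224/4 and reserved 240/4; RFC 1812 section 5.3.7 says routers should discard packets with such sources). The ACL text, the placeholder host 192.0.2.10 standing in for the redacted x.x.x.x, and the list of spoofed sources are all constructed for the example.

```python
"""Model of a standard IP ACL (permit/deny on source address) plus a check
for source addresses that should never arrive regardless of the ACL.
Added example; not code from the forum post or from the switch vendor."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # source-address match; 0.0.0.0/0 for "any"


def _wildcard_to_network(addr, wildcard):
    # A standard ACL writes the match as address + wildcard mask (1 bits = don't care).
    # Inverting the wildcard gives a netmask; IPv4Network rejects non-contiguous masks.
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_standard_acl(lines):
    """Parse 'permit host A.B.C.D', 'deny any' and 'permit A.B.C.D W.W.W.W' lines.
    Lines that are not entries (such as the 'Standard IP access list ...' header
    from 'show' output) are skipped."""
    entries = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            continue
        if parts[1] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif parts[1] == "host":
            net = ipaddress.IPv4Network(parts[2] + "/32")
        else:
            net = _wildcard_to_network(parts[1], parts[2])
        entries.append(AclEntry(parts[0], net))
    return entries


def evaluate(entries, src):
    """First matching entry wins; a list with no match ends in the implicit deny."""
    src = ipaddress.IPv4Address(src)
    for entry in entries:
        if src in entry.network:
            return entry.action
    return "deny"


def is_bogus_source(src):
    """Multicast (224/4) and reserved (240/4, which includes 255.255.255.255)
    addresses are never valid as an IP source (RFC 1812 section 5.3.7)."""
    addr = ipaddress.IPv4Address(src)
    return addr.is_multicast or addr.is_reserved


def audit(acl_lines, seen_downstream):
    """Return the sources seen past the ACL that the ACL, as written, should have
    dropped. A non-empty result means the platform is not enforcing the list the
    way its text reads, which is the situation the post describes."""
    entries = parse_standard_acl(acl_lines)
    return [s for s in seen_downstream if evaluate(entries, s) == "deny"]


# Constructed inputs: the post's ACL with a placeholder for the redacted host,
# plus a few sources such as a SYN flood with spoofed sources might carry.
POST_ACL = [
    "Standard IP access list port5: 2 entries",
    "permit host 192.0.2.10",
    "deny any",
]
SPOOFED_SOURCES = ["192.0.2.10", "198.51.100.77", "224.0.0.0", "224.0.0.5", "240.0.0.1"]

if __name__ == "__main__":
    entries = parse_standard_acl(POST_ACL)
    for src in SPOOFED_SOURCES:
        print(f"{src:16} acl={evaluate(entries, src):6} bogus_source={is_bogus_source(src)}")
    # Suppose the router saw all of these: everything but the permitted host is a leak.
    print("should have been dropped:", audit(POST_ACL, SPOOFED_SOURCES))
```

Feeding `audit()` the ACL text and the source addresses actually captured at the router gives a list of what the ACL should have stopped; anything multicast in that list is a case where the port-level ACL is not being applied the way the text of the list implies, and is worth raising with the vendor together with the `show` output and a capture.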

5 REPLIES

netwizz
Contributor III
Generally speaking, ACLs work at Layer 3. I have always put them on Layer-3 interfaces. That is all that I am saying. I am not saying it won't work otherwise, only that I haven't tried it that way. Most switch ports really do not examine all the way up to the packet. They really deal with VLAN membership and whether or not it's tagged, looking only at the Layer-2 frame to make forwarding decisions.

Any reason why you can't drop it at your router?

If you are going to drop it on a switch with a standard ACL, it would be placed on the ingress interface that receives the traffic if it is going to work at all.

If you want to drop outbound traffic, that would require a direction and an extended ACL to be applied.

Personally, I would probably just drop it on the router, provided the reason you want to drop it earlier isn't to try to keep congestion off of a slow link.