This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

access list for ports can not block multicast ips

farid_hajizeina
New Contributor II

‎10-08-2018 10:44 AM

Hello,
i have 10x brocade icx 6450 switches so i have a acl like as following :

Standard IP access list port5: 2 entries
permit host x.x.x.x
deny any

then i have applied it to a port switch which is connected to x.x.x.x and when i send tcp syn attack with random source i see all sources dropped at port level but sources like as 224.0.0.0 reach my router! 

why does access list does not block multicast ips?! its really strange because i have deny any at end of my access list!
so can anyone help me with this?
thanks

5 REPLIES 5

netwizz
Contributor III

‎10-08-2018 11:53 AM

Generally speaking, ACLs work at Layer-3.  I have always put them on Layer-3 interfaces.  That is all that I am saying.  I am not saying it won't work otherwise only that I haven't tried it that way.  Most switchports really do not examine all the way up to the packet.  The really deal with VLAN membership and whether or not it's tagged looking only at the Layer-2 Frame to make forwarding decisions.

Any reason why you can't drop it at your router?

If you are going to drop it on a switch with a standard ACL, it would be placed on the ingress interface that receives the traffic if it is going to work at all.

If you want to drop outbound traffic, that would require a direction and an extended ACL be applied.


Personally, I would probably just drop it on the router provided the reason you want to drop it earlier isn't to try and keep congestion off of a slow link.
0 Kudos
Copyright © 2024 Khoros, LLC