Showing results for 
Search instead for 
Did you mean: 

access list for ports can not block multicast ips

New Contributor II
i have 10x brocade icx 6450 switches so i have a acl like as following :

Standard IP access list port5: 2 entries
permit host x.x.x.x
deny any

then i have applied it to a port switch which is connected to x.x.x.x and when i send tcp syn attack with random source i see all sources dropped at port level but sources like as reach my router! 

why does access list does not block multicast ips?! its really strange because i have deny any at end of my access list!
so can anyone help me with this?


Contributor III
I believe those are considered multicast reserved or IGMP.

You probably want to look at "Disabling the flooding of unregistered IPv4 multicast frames in an IGMP-snooping-enabled VLAN"

08.0.30 probably has the same settings...

New Contributor II
i  have 8.0.30 but i can not use ip multicast disable flood...
see this :

  Copyright (c) 1996-2015 Brocade Communications Systems, Inc. All rights reserved.
    UNIT 1: compiled on Dec  9 2015 at 22:16:02 labeled as ICX64R08030e
                (9784800 bytes) from Secondary secondary
        SW: Version 08.0.30eT313
  Boot-Monitor Image size = 776680, Version:07.4.01T310 (kxz07401)
  HW: Stackable ICX6450-48
UNIT 1: SL 1: ICX6450-48 48-port Management Module
         Serial  #: BZ6D
         License: ICX6450_PREM_ROUTER_SOFT_PACKAGE   (LID: df)
         P-ENGINE  0: type DEF0, rev 01
         P-ENGINE  1: type DEF0, rev 01
UNIT 1: SL 2: ICX6450-SFP-Plus 4port 40G Module
  800 MHz ARM processor ARMv5TE, 400 MHz bus
65536 KB flash memory
  512 MB DRAM
STACKID 1  system uptime is 95 day(s) 19 hour(s) 17 minute(s) 40 second(s)
The system : started=cold start

SSH@ICX6450.302.K11(config)#ip multicast
  active              IGMP snooping: device generates IGMP queries
  age-interval        IGMP snooping: membership aging. dft: 260s (
                      robustness*query-interval + max response time)
  leave-wait-time     IGMP snooping: stop traffic wait time. dft: 2s
  max-response-time   IGMP snooping: query max response time, 1-10s, dft: 10
  mcache-age          IGMP snooping: remove mcache if no traffic. dft: 60s
  passive             IGMP snooping: device listens for IGMP packets
  query-interval      IGMP snooping: time to send queries. dft: 125s
  report-control      IGMP snooping: rate limit reports to router (querier)
                      ports, same as ip igmp-report-control
  robustness          Robustness variable: 1-7, dft: 2
  verbose-off         IGMP snooping: does not print warning/error messages
  version             IGMP snooping: version 2 or 3. dft: 2
SSH@ICX6450.302.K11(config)#ip multicast

Contributor III
Well, you aren't going to like this... I cannot find that option on either a 6450 or a 6610 running 08030sa


I can find it on an ICX 7450, which of course is running a different branch of code... 08070b is what I have installed.  Of course, the ICX 64XX is limited to 08030x

Maybe someone else can chime in.  Otherwise, maybe you can drop this at the router.  If you are dropping it out-bound, you would want to try an extended access list anyway...

Lastly, you can get rid of the "deny ip any" statement at the end.  That is already implied.


Usually on switches, you don't apply ACLs on physical interfaces anyway.  Where I am going with this is they typically run on Layer-3 interfaces.  If you put an IP address on an Interface, well then... go ahead and attach an ACL.  Otherwise the common place to put it would be on the SVI or the "interface ve 123" interface.

New Contributor II
My switches are working in layer 2 ... So your mean is maybe with extended acl i will be able to control this?
Actually i do not want this traffic reach my router ... Any other idea?