ExtremeSwitching (EXOS)

  • 1.  ACL to Deny MDNS working?

    Posted 09-12-2015 14:30
Have created an ACL that is meant to be blocking MDNS multicast addresses and an additional address used by Microsoft.

    Have written the ACL to every port on Ingress so that I can see hits per port.

Problem is I'm not seeing the counters incrementing and, aside from a packet trace, I am confident there is this traffic on the network. I know this because we are trying to resolve an issue with a stack of X440's that keep rebooting because the CPU seems to be getting overwhelmed with packets from these addresses - as diagnosed by GTAC.

    Policies at Policy Server:
    Policy: Block_MDNS_Ingress
        entry Block_1_MDNS_Ingress {
            if match all {
                source-address 224.0.0.251/32 ;
            }
            then {
                deny ;
                packet-count Block_251_MDNS_Ingress ;
            }
        }
        entry Block_2_MDNS_Ingress {
            if match all {
                source-address 224.0.0.252/32 ;
            }
            then {
                deny ;
                packet-count Block_252_MDNS_Ingress ;
            }
        }
        entry Block_3_MDNS_Ingress {
            if match all {
                source-address 239.255.255.250/32 ;
            }
            then {
                deny ;
                packet-count Block_250_MDNS_Ingress ;
            }
        }
    Number of clients bound to policy: 1
    Client: acl bound once

    System Type: X440-48p (Stack)

    SysHealth check: Enabled (Normal)
    Recovery Mode: All
    System Watchdog: Enabled

    Current Time: Sat Sep 12 16:28:48 2015
    Timezone: [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.
    Boot Time: Fri Aug 28 00:37:38 2015
    Boot Count: 135
    Next Reboot: None scheduled
    System UpTime: 15 days 15 hours 51 minutes 9 seconds

    Slot: Slot-1 * Slot-2
    ------------------------ ------------------------
    Current State: MASTER BACKUP (In Sync)

    Image Selected: secondary secondary
    Image Booted: secondary secondary
    Primary ver: 15.3.1.4 15.3.1.4
    Secondary ver: 15.5.4.2 15.5.4.2
    patch1-5 patch1-5

    Config Selected: primary.cfg
    Config Booted: Factory Default

    primary.cfg Created by ExtremeXOS version 15.5.4.2
    2246563 bytes saved on Fri Sep 11 07:54:18 2015

    Many thanks in advance.



  • 2.  RE: ACL to Deny MDNS working?

    Posted 09-12-2015 14:35
    Hi Martin,

    It looks like you specified source-address in the policy file, rather than destination-address. For MDNS traffic, the source will be the IP of the device that is sending the traffic, and the destination will be the MDNS multicast group.

    If you just change 'source-address' to 'destination-address' in the policy file, it should work.

    Note that you will need to either remove and re-apply the ACL, or refresh it with the command 'refresh policy '.

    -Brandon

    Edit: Changed 'group-address' to 'destination-address'


  • 3.  RE: ACL to Deny MDNS working?

    Posted 09-12-2015 14:40
    Brilliant! Thanks Brandon - obvious when you think about it 🙂


  • 4.  RE: ACL to Deny MDNS working?

    Posted 09-12-2015 14:44
    Got this error for group-address:

    configure access-list Block_MDNS_Ingress ports 1:1-48 ingress
    Error: Policy Block_MDNS_Ingress has syntax errors
    Line 3 : "group-address" is not a valid attribute

    I'll change it to destination address.

    Thanks.



  • 5.  RE: ACL to Deny MDNS working?

    Posted 09-12-2015 14:44
    Sorry, that should be 'destination-address'. Looks like my brain got ahead of my fingers when I was typing!
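The corrected policy file that Brandon's reply (post 2) and the follow-ups describe, written out here as an added example rather than a file from the thread. It keeps the original entry and counter names; the `refresh policy` and `show access-list counter` commands below are the standard EXOS commands for pushing a changed policy to hardware and reading its counters, and the port list is assumed to be the 1:1-48 range from post 4.

```text
# Block_MDNS_Ingress.pol (added example, not the original poster's file)
# A multicast group only ever appears as the destination of a packet:
# a host sends mDNS/SSDP *to* 224.0.0.251 etc., never *from* it.
# Matching on source-address therefore never hits; match on destination.
entry Block_1_MDNS_Ingress {
    if match all {
        destination-address 224.0.0.251/32 ;
    }
    then {
        deny ;
        packet-count Block_251_MDNS_Ingress ;
    }
}
entry Block_2_MDNS_Ingress {
    if match all {
        destination-address 224.0.0.252/32 ;
    }
    then {
        deny ;
        packet-count Block_252_MDNS_Ingress ;
    }
}
entry Block_3_MDNS_Ingress {
    if match all {
        destination-address 239.255.255.250/32 ;
    }
    then {
        deny ;
        packet-count Block_250_MDNS_Ingress ;
    }
}

# EXOS CLI, after saving the edited file (port list assumed from post 4):
#   refresh policy Block_MDNS_Ingress
#   show access-list counter Block_251_MDNS_Ingress ports 1:1-48 ingress
# The per-entry counters should now increment on ports where mDNS or
# SSDP hosts sit; a counter that stays at zero on every port means the
# policy was not refreshed or the traffic is not reaching that port.
```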