ACL to Deny MDNS working?

  • Question
  • Updated 3 years ago
  • Answered
  • (Edited)

Have created an ACL that is meant to be blocking MDNS multicast addresses and an additional address used by Microsoft.

Have written the ACL to every port on Ingress so that I can see hits per port.

Problem is I'm not seeing the counters incrementing and, aside from a packet trace, I am confident there is this traffic on the network. I know this because we are trying to resolve an issue with a stack of X440's that keep rebooting because the CPU seems to be getting overwhelmed with packets from these addresses, as diagnosed by GTAC.


Policies at Policy Server:
Policy: Block_MDNS_Ingress
entry Block_1_MDNS_Ingress {
if match all {
    source-address 224.0.0.251/32 ;
}
then {
    deny  ;
    packet-count Block_251_MDNS_Ingress ;
}
}
entry Block_2_MDNS_Ingress {
if match all {
    source-address 224.0.0.252/32 ;
}
then {
    deny  ;
    packet-count Block_252_MDNS_Ingress ;
}
}
entry Block_3_MDNS_Ingress {
if match all {
    source-address 239.255.255.250/32 ;
}
then {
    deny  ;
    packet-count Block_250_MDNS_Ingress ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

System Type:      X440-48p (Stack)

SysHealth check:  Enabled (Normal)
Recovery Mode:    All
System Watchdog:  Enabled

Current Time:     Sat Sep 12 16:28:48 2015
Timezone:         [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.
Boot Time:        Fri Aug 28 00:37:38 2015
Boot Count:       135
Next Reboot:      None scheduled
System UpTime:    15 days 15 hours 51 minutes 9 seconds

Slot:             Slot-1 *                     Slot-2
                  ------------------------     ------------------------
Current State:    MASTER                       BACKUP (In Sync)

Image Selected:   secondary                    secondary
Image Booted:     secondary                    secondary
Primary ver:      15.3.1.4                     15.3.1.4
Secondary ver:    15.5.4.2                     15.5.4.2
                  patch1-5                     patch1-5

Config Selected:  primary.cfg
Config Booted:    Factory Default

primary.cfg       Created by ExtremeXOS version 15.5.4.2
                  2246563 bytes saved on Fri Sep 11 07:54:18 2015

Many thanks in advance.


Martin Flammia


Posted 3 years ago


Brandon Clay, Escalation Support Engineer

Official Response
Hi Martin,

It looks like you specified source-address in the policy file, rather than destination-address. For MDNS traffic, the source will be the IP of the device that is sending the traffic, and the destination will be the MDNS multicast group.

If you just change 'source-address' to 'destination-address' in the policy file, it should work.

Note that you will need to either remove and re-apply the ACL, or refresh it with the command 'refresh policy '.

-Brandon

Edit: Changed 'group-address' to 'destination-address'
(Edited)
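To make the point in the answer concrete, here is an added example (not ExtremeXOS code and not from either poster) that parses the policy syntax shown in the question with a small toy evaluator, runs a few constructed packets through it, and shows why the counters stay at zero: mDNS, LLMNR and SSDP packets carry the multicast group as their destination, never as their source, so a `source-address` match on a multicast group can never hit. It also includes a lint check that flags exactly this mistake and applies the fix from the answer (`source-address` to `destination-address`). The packet set and the first-match-wins semantics are assumptions made for the example; only the policy text is taken from the thread.

```python
"""Toy evaluator for ExtremeXOS-style policy entries (added example, not vendor code)."""
import ipaddress
import re

# Policy text as posted in the question: every entry matches on source-address.
POLICY_AS_POSTED = """\
entry Block_1_MDNS_Ingress {
if match all {
    source-address 224.0.0.251/32 ;
}
then {
    deny  ;
    packet-count Block_251_MDNS_Ingress ;
}
}
entry Block_2_MDNS_Ingress {
if match all {
    source-address 224.0.0.252/32 ;
}
then {
    deny  ;
    packet-count Block_252_MDNS_Ingress ;
}
}
entry Block_3_MDNS_Ingress {
if match all {
    source-address 239.255.255.250/32 ;
}
then {
    deny  ;
    packet-count Block_250_MDNS_Ingress ;
}
}
"""

# entry NAME { if match all { ...conditions... } then { ...actions... } }
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s+match\s+all\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
# "keyword value ;" or a bare "keyword ;" (e.g. "deny ;")
CLAUSE_RE = re.compile(r"([\w-]+)(?:\s+([^\s;]+))?\s*;")


def parse_policy(text):
    """Return a list of {'name', 'match', 'then'} dicts, one per entry, in file order."""
    return [{"name": name, "match": dict(CLAUSE_RE.findall(cond)), "then": dict(CLAUSE_RE.findall(act))}
            for name, cond, act in ENTRY_RE.findall(text)]


def _matches(conditions, pkt):
    """True when every condition of an 'if match all' block holds for the packet."""
    for key, value in conditions.items():
        if key == "source-address":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "destination-address":
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(value, strict=False):
                return False
        else:
            raise ValueError(f"unsupported match condition in this toy: {key}")
    return True


def evaluate(entries, packets):
    """Apply the policy ACL-style (first matching entry wins); return (counters, denied)."""
    counters = {e["then"]["packet-count"]: 0 for e in entries if "packet-count" in e["then"]}
    denied = 0
    for pkt in packets:
        for entry in entries:
            if _matches(entry["match"], pkt):
                if "packet-count" in entry["then"]:
                    counters[entry["then"]["packet-count"]] += 1
                denied += "deny" in entry["then"]
                break
    return counters, denied


def lint_policy(entries):
    """Flag entries whose source-address is a multicast group: such an entry can never match."""
    return [f"{e['name']}: source-address {e['match']['source-address']} is a multicast group; "
            "multicast appears only as a destination, so this entry never hits"
            for e in entries
            if "source-address" in e["match"]
            and ipaddress.ip_network(e["match"]["source-address"], strict=False).is_multicast]


def fix_source_to_destination(text):
    """The change suggested in the answer: match on the destination (the multicast group)."""
    return text.replace("source-address", "destination-address")


# Constructed sample packets: three multicast discovery packets and one unicast DNS query.
SAMPLE_PACKETS = [
    {"src": "192.168.1.10", "dst": "224.0.0.251", "dport": 5353},      # mDNS
    {"src": "192.168.1.11", "dst": "224.0.0.252", "dport": 5355},      # LLMNR
    {"src": "192.168.1.12", "dst": "239.255.255.250", "dport": 1900},  # SSDP
    {"src": "192.168.1.10", "dst": "192.168.1.1", "dport": 53},        # unicast DNS, must pass
]

if __name__ == "__main__":
    posted = parse_policy(POLICY_AS_POSTED)
    print("as posted:", evaluate(posted, SAMPLE_PACKETS), lint_policy(posted))
    fixed = parse_policy(fix_source_to_destination(POLICY_AS_POSTED))
    print("fixed:    ", evaluate(fixed, SAMPLE_PACKETS), lint_policy(fixed))
```

Run as posted, all three counters stay at zero and nothing is denied, which is the symptom in the question; after the one-word fix each counter reads 1, the three multicast packets are dropped and the unicast query still passes. The lint is the check worth keeping around: a multicast group in a `source-address` clause is always a mistake, whatever platform the ACL is written for.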