ACL unexpectedly blocks the operation of IP based multicast protocols
Keep-alives are filtered
Advertisements are filtered
When implementing IP-specific ACLs, take care not only to permit the conversations of certain users or user groups, but also to permit the operation of the common IP-based (Ethernet_II EtherType 0x0800) multicast protocols, including but not limited to VRRP, HSRP, BGP, OSPF, RIP, PIM, DVMRP, and IGMP.
The implicit "deny all" at the end of every ACL will otherwise drop these packets before the router's IP stack is allowed to look at them. Under these conditions:
- VRRP and HSRP: one or more Backup interfaces will consider themselves to be Master, because the Master's advertisements never reach them.
- BGP, OSPF, RIP, PIM, and DVMRP will lose visibility of the advertisements (and thus the routes and adjacencies) of one or more neighboring routers.
- IGMP will fail to keep multicast flows active as requested by users.
- Input ACLs may regulate traffic directed to the router interface address (or routed to it because of Proxy ARP), as well as multicast or broadcast traffic that the router interface must examine.
- Output ACLs may regulate traffic that would (if permitted by the ACL) leave with the router interface MAC address as its L2 source address.
Here are some protocol identifiers (the destination IP is the well-known group address whose low 23 bits form the multicast MAC):
DVMRP: MAC 01-00-5E-00-00-04, EtherType 0x0800, Protocol 0x02 (2), IP 224.0.0.4
OSPF: MAC 01-00-5E-00-00-05, EtherType 0x0800, Protocol 0x59 (89), IP 224.0.0.5
OSPF: MAC 01-00-5E-00-00-06, EtherType 0x0800, Protocol 0x59 (89), IP 224.0.0.6
VRRP: MAC 01-00-5E-00-00-12, EtherType 0x0800, Protocol 0x70 (112), IP 224.0.0.18
Destination MAC address is at Ethernet_II frame displacement 00.
EtherType is at Ethernet_II frame displacement 12.
IP Protocol is at Ethernet_II frame displacement 23.
Destination IP address is at Ethernet_II frame displacement 30.
FAD (Functions as Designed)
Modify the ACL to accommodate these protocols. Here are some different forms of ACL command lines (to be added to the existing Input ACL) which permit the incoming protocol traffic:
access-list 101 permit ip any host 224.0.0.4 (permit any DVMRP peer)
access-list 102 permit ip any host 224.0.0.5
access-list 102 permit ip any host 224.0.0.6 (permit any OSPF peer)
access-list 103 permit ip any host 224.0.0.18 (permit any VRRP peer)
You may also be more specific, allowing the protocol only when it is transmitted by a recognized peer device, as in this VRRP example:
access-list 106 permit ip host 10.20.30.41 host 224.0.0.18
For protocols mentioned in this document whose identifying characteristics are not listed above, a quick sniffer trace will show you the addresses and protocol numbers you need.
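The following is an added example and is not code from the original article or its vendor. It models an IOS-style numbered extended ACL (the `access-list N permit|deny PROTO SRC DST` form used above, with `any`, `host A`, and `A WILDCARD` address specs) and evaluates constructed Ethernet_II/IPv4 frames against it using the frame displacements and group addresses listed earlier, so you can see the implicit deny drop DVMRP, OSPF and VRRP hellos and then see them pass once the permits above are added. The peer address 10.20.30.41, the user subnets, and the MAC addresses are constructed for the example.

```python
"""Added example (not from the original article): a small model of an IOS-style
extended ACL applied to decoded Ethernet_II/IPv4 frames, showing the implicit
deny dropping OSPF/VRRP/DVMRP hellos until the group addresses are permitted."""
import struct
from ipaddress import IPv4Address

# Ethernet_II frame displacements quoted in the article
DST_MAC_OFF, ETHERTYPE_OFF, IP_PROTO_OFF, DST_IP_OFF = 0, 12, 23, 30
ETHERTYPE_IPV4 = 0x0800

# Protocol keywords accepted on an ACL line ("ip" matches every IP protocol)
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17,
                  "ospf": 89, "pim": 103, "vrrp": 112}


def multicast_mac(group: str) -> bytes:
    """IPv4 multicast MAC: 01-00-5E followed by the low 23 bits of the group."""
    b = IPv4Address(group).packed
    return bytes([0x01, 0x00, 0x5E, b[1] & 0x7F, b[2], b[3]])


def build_frame(proto: int, src_ip: str, dst_ip: str) -> bytes:
    """Constructed Ethernet_II + minimal IPv4 header (no payload, checksum 0)."""
    dst_mac = (multicast_mac(dst_ip) if IPv4Address(dst_ip).is_multicast
               else bytes.fromhex("0000aabbccdd"))   # constructed router MAC
    src_mac = bytes.fromhex("001122334455")           # constructed peer MAC
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, proto, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def decode(frame: bytes) -> dict:
    """Pull out the fields an IP ACL looks at, using the displacements above."""
    if len(frame) < DST_IP_OFF + 4:
        raise ValueError("frame too short for Ethernet_II + IPv4")
    ethertype = struct.unpack("!H", frame[ETHERTYPE_OFF:ETHERTYPE_OFF + 2])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    return {"dst_mac": frame[DST_MAC_OFF:DST_MAC_OFF + 6].hex("-"),
            "proto": frame[IP_PROTO_OFF],
            "src_ip": IPv4Address(frame[26:30]),   # source precedes destination
            "dst_ip": IPv4Address(frame[DST_IP_OFF:DST_IP_OFF + 4])}


def _parse_addr(tok, i):
    """Return ((network, wildcard), next_index) for: any | host A | A WILDCARD."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny PROTO SRC DST' lines; '!' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw}")
        proto = PROTO_KEYWORDS[tok[3]] if tok[3] in PROTO_KEYWORDS else int(tok[3])
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        rules.append((tok[2] == "permit", proto, src, dst, line))
    return rules


def _match(spec, ip: IPv4Address) -> bool:
    net, wild = spec                      # wildcard bits are "don't care" bits
    return (int(ip) | wild) == (net | wild)


def evaluate(rules: list, frame: bytes) -> dict:
    """First matching entry wins; no match means the implicit deny at the end."""
    pkt = decode(frame)
    for permit, proto, src, dst, line in rules:
        if proto is not None and proto != pkt["proto"]:
            continue
        if _match(src, pkt["src_ip"]) and _match(dst, pkt["dst_ip"]):
            return {"permit": permit, "matched": line, **pkt}
    return {"permit": False, "matched": "implicit deny", **pkt}


# Constructed hellos from neighbour 10.20.30.41 to the group addresses above
HELLOS = {"DVMRP": build_frame(2, "10.20.30.41", "224.0.0.4"),
          "OSPF": build_frame(89, "10.20.30.41", "224.0.0.5"),
          "VRRP": build_frame(112, "10.20.30.41", "224.0.0.18")}

# An ACL that only thinks about user conversations (constructed subnets)
USERS_ONLY = "access-list 101 permit ip 10.20.30.0 0.0.0.255 10.50.0.0 0.0.255.255"

# The same ACL with the protocol permits from the article added
FIXED = USERS_ONLY + """
access-list 101 permit ip any host 224.0.0.4              ! any DVMRP peer
access-list 101 permit ip any host 224.0.0.5              ! any OSPF peer
access-list 101 permit ip any host 224.0.0.6
access-list 101 permit ip host 10.20.30.41 host 224.0.0.18 ! known VRRP peer only
"""


def outcome(acl_text: str) -> dict:
    """Map each hello to whether the ACL lets it reach the router's IP stack."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, f)["permit"] for name, f in HELLOS.items()}


if __name__ == "__main__":
    for label, acl in (("users-only ACL", USERS_ONLY), ("fixed ACL", FIXED)):
        print(label, outcome(acl))
```

Under the users-only list every hello falls through to the implicit deny, which is exactly the failure described above; under the fixed list they are all permitted, while a VRRP advertisement from any source other than 10.20.30.41 still hits the implicit deny because the last entry uses `host` on both sides. Note that BGP is a unicast TCP session to port 179, so it needs a permit for the neighbour's address rather than a group address, and HSRP version 1 hellos go to 224.0.0.2 on UDP port 1985, so a `udp` entry for that group is the corresponding fix there.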
For more about ACL formatting and use, please refer to the Configuration Guide specific to your product.