ACLs can block IP Based Multicast Protocols

  • 12 December 2013
  • 0 replies

Article ID: 5775

ACL unexpectedly blocks the operation of IP based multicast protocols
Keep-alives are filtered
Advertisements are filtered

When implementing IP-specific ACLs, care should be taken to not only permit the conversations of certain users or user groups, but also to permit the operation of certain common IP-based (Ethernet_II EtherType 0x0800) multicast protocols, including but not limited to: VRRP, HSRP, BGP, OSPF, RIP, PIM, DVMRP, and IGMP.

The implicit "deny all" at the end of every ACL will otherwise drop these packets before the router's IP stack is allowed to examine them. Under these conditions:
  • VRRP & HSRP will consider one or more of their Backup interfaces to be Master.
  • BGP, OSPF, RIP, PIM, & DVMRP will lose visibility of the advertisements (and thus the routes and adjacencies) of one or more neighboring routers.
  • IGMP will fail to keep multicast flows active as requested by users.
This dependency is somewhat unexpected, since ACLs are generally considered to affect routed traffic only, and these protocols do not readily fit into that category. However...
  • Input ACLs may regulate traffic directed to the router interface address (or routed due to the effects of Proxy ARP), or multicast or broadcast traffic to be examined by the router interface.
  • Output ACLs may regulate traffic that would (if permitted by the ACL) end up having the router interface MAC address as a L2 source address.
The protocols under discussion, being "multicast or broadcast traffic to be examined by the router interface" (though they will not necessarily be routed by that interface), fall under the purview of Input ACLs.

Here are some protocol identifiers:

DVMRP: MAC 01-00-5E-00-00-04, EtherType 0x0800, Protocol 0x02 (2), IP
OSPF: MAC 01-00-5E-00-00-05, EtherType 0x0800, Protocol 0x59 (89), IP
OSPF: MAC 01-00-5E-00-00-06, EtherType 0x0800, Protocol 0x59 (89), IP
VRRP: MAC 01-00-5E-00-00-12, EtherType 0x0800, Protocol 0x70 (112), IP

Destination MAC address is at Ethernet_II frame displacement 00.
EtherType is at Ethernet_II frame displacement 12.
IP Protocol is at Ethernet_II frame displacement 23.
Destination IP address is at Ethernet_II frame displacement 30.
FAD (Functions as Designed)

Modify the ACL to accommodate these protocols. Here are some different forms of ACL command lines (to be added to the existing Input ACL) which permit the incoming protocol traffic:

access-list 101 permit ip any host (permit any DVMRP peer)
access-list 102 permit ip any host
access-list 102 permit ip any host (permit any OSPF peer)
access-list 103 permit ip any host (permit any VRRP peer)

You may also be more specific, allowing the protocol only if it is transmitted by a recognized peer device, such as in this VRRP example:

access-list 106 permit ip host host
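The following is an added example (not part of the article, and not vendor code) that ties the frame displacements listed above to the ACL fix: it builds a few constructed Ethernet_II frames, reads the destination MAC, EtherType, IP protocol and destination IP at displacements 0, 12, 23 and 30, and runs them through a toy first-match evaluator for the `access-list N permit|deny ip SRC DST` form with the implicit "deny all" at the end. It assumes a standard IPv4 header (the source address at displacement 26 is not stated in the article), uses the RFC 1112 group-to-MAC mapping to reproduce the article's MAC values, and uses 224.0.0.5, the well-known AllSPFRouters group, as the OSPF destination; the sample addresses and ACL lines are constructed for the demonstration.

```python
"""Added example: parse Ethernet_II frames at the displacements listed in the
article, then run them through a toy Cisco-style IP ACL evaluator that ends
in the implicit deny-all. Frames, addresses and ACL lines are constructed."""
import ipaddress
import struct

# Ethernet_II frame displacements given in the article
DST_MAC_OFF = 0
ETHERTYPE_OFF = 12
IP_PROTO_OFF = 23
DST_IP_OFF = 30
SRC_IP_OFF = 26          # assumption: standard IPv4 header, not stated in the article

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {2: "IGMP/DVMRP", 89: "OSPF", 112: "VRRP"}   # IANA protocol numbers from the article


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01-00-5E followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    return "01-00-5E-%02X-%02X-%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def build_frame(src_ip: str, dst_ip: str, proto: int) -> bytes:
    """Construct a minimal Ethernet_II + IPv4 header (no payload, zero checksum).

    The destination MAC is derived from the destination IP when it is a multicast
    group; unicast frames get a constructed, locally administered MAC."""
    dst = ipaddress.IPv4Address(dst_ip)
    dst_mac = multicast_mac(dst_ip) if dst.is_multicast else "02-00-00-00-00-01"
    eth = bytes.fromhex(dst_mac.replace("-", "")) + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, dst.packed)
    return eth + ip_hdr


def parse_frame(frame: bytes) -> dict:
    """Pull out the fields the article locates by displacement."""
    dst_mac = "-".join("%02X" % b for b in frame[DST_MAC_OFF:DST_MAC_OFF + 6])
    ethertype = struct.unpack("!H", frame[ETHERTYPE_OFF:ETHERTYPE_OFF + 2])[0]
    info = {"dst_mac": dst_mac, "ethertype": ethertype, "proto": None, "src_ip": None, "dst_ip": None}
    if ethertype == ETHERTYPE_IPV4:
        info["proto"] = frame[IP_PROTO_OFF]
        info["src_ip"] = str(ipaddress.IPv4Address(frame[SRC_IP_OFF:SRC_IP_OFF + 4]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[DST_IP_OFF:DST_IP_OFF + 4]))
    return info


def _parse_addr(toks, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ((address, wildcard) as ints, next index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])), int(ipaddress.IPv4Address(toks[i + 1]))), i + 2


def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' (extended ACL, 'ip' protocol only)."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny") or toks[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(toks, 4)
    dst, _ = _parse_addr(toks, i)
    return toks[2], src, dst


def _matches(spec, ip: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)


def evaluate_acl(acl_lines, frame: bytes) -> str:
    """First-match evaluation of an input ACL; falls through to the implicit deny."""
    pkt = parse_frame(frame)
    if pkt["ethertype"] != ETHERTYPE_IPV4:
        return "permit"          # an IP ACL does not apply to non-IP frames
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if _matches(src, pkt["src_ip"]) and _matches(dst, pkt["dst_ip"]):
            return action
    return "deny"                # the implicit "deny all" at the end of every ACL


# Constructed traffic: a user session and an OSPF hello from a neighbouring router.
# 224.0.0.5 is the IANA AllSPFRouters group (the article's 01-00-5E-00-00-05 OSPF line).
USER_SESSION = build_frame("10.1.1.7", "198.51.100.10", 6)
OSPF_HELLO = build_frame("192.0.2.2", "224.0.0.5", 89)

# An ACL written only for the users' conversations, and the same ACL with the fix added.
USER_ONLY_ACL = ["access-list 102 permit ip 10.1.1.0 0.0.0.255 any"]
FIXED_ACL = USER_ONLY_ACL + ["access-list 102 permit ip any host 224.0.0.5"]


def demo() -> dict:
    return {
        "user_before": evaluate_acl(USER_ONLY_ACL, USER_SESSION),
        "ospf_before": evaluate_acl(USER_ONLY_ACL, OSPF_HELLO),
        "ospf_after": evaluate_acl(FIXED_ACL, OSPF_HELLO),
        "ospf_mac": parse_frame(OSPF_HELLO)["dst_mac"],
        "ospf_proto": PROTO_NAMES[parse_frame(OSPF_HELLO)["proto"]],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the user session is permitted by both ACLs while the OSPF hello is dropped by the implicit deny until the `permit ip any host` line is added, which is the adjacency loss the article describes; the decoded destination MAC matches the article's OSPF entry. The evaluator deliberately supports only the `ip` keyword and wildcard masks, so it is a teaching model of first-match semantics, not a substitute for the platform's own ACL processing.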

For protocols referenced in this document but not specified as to identifying characteristic, a quick sniffer trace should tell you what you need to know.
For more about ACL formatting and use, please refer to the Configuration Guide specific to your product.
