topic ACL to Deny MDNS working? in ExtremeSwitching (EXOS/Switch Engine)

ACL to Deny MDNS working?

Anonymous — Sat, 12 Sep 2015 21:30:00 GMT

Have created an ACL that is meant to be blocking MDNS multicast addresses and an additional address used my Microsoft.

Have written the ACL to every port on Ingress so that I can see hits per port.

Problem is I'm not seeing the counters incrementing and aside from a packet trace I am confident there is this traffic on the network. I know this because we are trying to resolve an issue with a stack of X440's that keep rebooting because the CPU seems to be getting overwhelmed with packets from these address - as diagnosed by GTAC.

Policies at Policy Server:
Policy: Block_MDNS_Ingress
entry Block_1_MDNS_Ingress {
if match all {
source-address 224.0.0.251/32 ;
}
then {
deny ;
packet-count Block_251_MDNS_Ingress ;
}
}
entry Block_2_MDNS_Ingress {
if match all {
source-address 224.0.0.252/32 ;
}
then {
deny ;
packet-count Block_252_MDNS_Ingress ;
}
}
entry Block_3_MDNS_Ingress {
if match all {
source-address 239.255.255.250/32 ;
}
then {
deny ;
packet-count Block_250_MDNS_Ingress ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

System Type: X440-48p (Stack)

SysHealth check: Enabled (Normal)
Recovery Mode: All
System Watchdog: Enabled

Current Time: Sat Sep 12 16:28:48 2015
Timezone: [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.
Boot Time: Fri Aug 28 00:37:38 2015
Boot Count: 135
Next Reboot: None scheduled
System UpTime: 15 days 15 hours 51 minutes 9 seconds

Slot: Slot-1 * Slot-2
------------------------ ------------------------
Current State: MASTER BACKUP (In Sync)

Image Selected: secondary secondary
Image Booted: secondary secondary
Primary ver: 15.3.1.4 15.3.1.4
Secondary ver: 15.5.4.2 15.5.4.2
patch1-5 patch1-5

Config Selected: primary.cfg
Config Booted: Factory Default

primary.cfg Created by ExtremeXOS version 15.5.4.2
2246563 bytes saved on Fri Sep 11 07:54:18 2015

Many thanks in advance.

RE: ACL to Deny MDNS working?

BrandonC — Sat, 12 Sep 2015 21:35:00 GMT

Hi Martin,

It looks like you specified source-address in the policy file, rather than destination-address. For MDNS traffic, the source will be the IP of the device that is sending the traffic, and the destination will be the MDNS multicast group.

If you just change 'source-address' to 'destination-address' in the policy file, it should work.

Note that you will need to either remove and re-apply the ACL, or refresh it with the command 'refresh policy '.

-Brandon

Edit: Changed 'group-address' to 'destination-address'

RE: ACL to Deny MDNS working?

Anonymous — Sat, 12 Sep 2015 21:40:00 GMT

Brilliant! Thanks Brandon - obvious when you think about it 

RE: ACL to Deny MDNS working?

Anonymous — Sat, 12 Sep 2015 21:44:00 GMT

Got this error for group-address:

configure access-list Block_MDNS_Ingress ports 1:1-48 ingress
Error: Policy Block_MDNS_Ingress has syntax errors
Line 3 : "group-address" is not a valid attribute

I'll change it to destination address.

Thanks.

RE: ACL to Deny MDNS working?

BrandonC — Sat, 12 Sep 2015 21:44:00 GMT

Sorry, that should be 'destination-address'. Looks like my brain got ahead of my fingers when I was typing!