port acl cisco 2960

creamy_stew Member Posts: 406
I inherited this ingress port ACL, but what does it actually do? What kind of multicast/igmp traffic is allowed? And why? This is for a residential broadband switch where the clients behind the port are to get public dhcp-assigned IPs.

ip access-list extended CUSTOMER-PORT
permit igmp any any
deny ip any 224.0.0.0 15.255.255.255

permit ip <source-net> any
Itchy... Tasty!
[X] DCICN
[X] IINS

[ ] CCDA
[ ] DCICT

Comments

  • ConstantlyLearning Member Posts: 445
    > I inherited this ingress port ACL, but what does it actually do? What kind of multicast/igmp traffic is allowed? And why? This is for a residential broadband switch where the clients behind the port are to get public dhcp-assigned IPs.
    >
    > ip access-list extended CUSTOMER-PORT
    > permit igmp any any
    > deny ip any 224.0.0.0 15.255.255.255
    >
    > permit ip <source-net> any


    Customer can send IGMP traffic to any destination

    Customer can't send IP traffic to multicast addresses

    Customer can send IP traffic from <source-net> to any destination

    Multicast address range is 224.0.0.0 through 239.255.255.255
    "There are 3 types of people in this world, those who can count and those who can't"
  • creamy_stew Member Posts: 406
    Well, yeah, but you're really only reiterating my question.

    Let me be clearer:
    Why would you allow igmp but deny all ip multicasts?
  • burbankmarc Member Posts: 460
    To allow multicast on the local LAN but not through the switch?
  • creamy_stew Member Posts: 406
    At the risk of sounding stupid, what kind of igmp traffic would work without multicasts? I'm starting to think I don't understand how igmp works.
  • networker050184 Mod Posts: 11,962
    The ACL will stop them from streaming multicast, but still allow them to subscribe to groups and receive traffic.
    An expert is a man who has made all the mistakes which can be made.
  • ConstantlyLearning Member Posts: 445
    > At the risk of sounding stupid, what kind of igmp traffic would work without multicasts? I'm starting to think I don't understand how igmp works.

    Well, don't forget that the ACL will be read top down, so IGMP traffic from any address to any multicast address will be allowed.
  • creamy_stew Member Posts: 406
    > Well, don't forget that the ACL will be read top down, so IGMP traffic from any address to any multicast address will be allowed.

    Hah, turns out I actually am stupid :)

    So, the purpose is to block something that is multicast, but isn't igmp. I still wonder why they went through the trouble of blocking it. I guess there shouldn't really be any non-igmp multicast over the internet, though.
  • networker050184 Mod Posts: 11,962
    > Hah, turns out I actually am stupid :)
    >
    > So, the purpose is to block something that is multicast, but isn't igmp. I still wonder why they went through the trouble of blocking it. I guess there shouldn't really be any non-igmp multicast over the internet, though.

    It's not blocking all multicast traffic, just multicast traffic sourced from the client. The client will still be able to receive the traffic from the groups they subscribe to. Remember the destination is the multicast address, not the source.
  • creamy_stew Member Posts: 406
    > It's not blocking all multicast traffic, just multicast traffic sourced from the client. The client will still be able to receive the traffic from the groups they subscribe to. Remember the destination is the multicast address, not the source.

    Ah, I don't really understand multicasting. Which exam covers that? I'm guessing BSCI/ROUTE.

    Anyway, apparently the main reason for the deny statements is to block UPnP between customers.
  • burbankmarc Member Posts: 460
    BSCI, but the section on multicast is pretty slim. I just had to troubleshoot a multicast problem and I found it to be rather difficult, just because it's almost the opposite of troubleshooting normal routing.
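
Added example, not part of the thread: a small Python model of first-match evaluation for the CUSTOMER-PORT ACL quoted above, run over constructed ingress packets to show which lines admit IGMP joins and which drop customer-sourced multicast such as UPnP discovery. The `<source-net>` placeholder is filled with the assumed documentation range 198.51.100.0/24, and every sample address is constructed.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    # Cisco wildcard mask: 1-bits are "don't care", 0-bits must equal the base.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")
# <source-net> is a placeholder on the page; 198.51.100.0/24 is an assumed stand-in.
SOURCE_NET = ("198.51.100.0", "0.0.0.255")

# (action, protocol, source, destination), in the order of CUSTOMER-PORT.
CUSTOMER_PORT = [
    ("permit", "igmp", ANY, ANY),
    ("deny", "ip", ANY, ("224.0.0.0", "15.255.255.255")),  # 224.0.0.0/4
    ("permit", "ip", SOURCE_NET, ANY),
]

def evaluate(acl, proto, src, dst):
    """Return (action, matching line number); first match wins, top down."""
    for n, (action, acl_proto, s, d) in enumerate(acl, start=1):
        # "ip" in an extended ACL matches every IP protocol, IGMP included.
        if acl_proto not in ("ip", proto):
            continue
        if wild_match(src, *s) and wild_match(dst, *d):
            return action, n
    return "deny", None  # implicit deny at the end of every ACL

# Constructed ingress packets from the customer port.
SAMPLES = [
    ("IGMPv2 report for a group", "igmp", "198.51.100.10", "239.1.1.1"),
    ("IGMPv3 report", "igmp", "198.51.100.10", "224.0.0.22"),
    ("SSDP (UPnP) discovery", "udp", "198.51.100.10", "239.255.255.250"),
    ("customer streaming to a group", "udp", "198.51.100.10", "239.1.1.1"),
    ("normal unicast", "tcp", "198.51.100.10", "192.0.2.80"),
    ("unicast, source outside source-net", "tcp", "10.0.0.5", "192.0.2.80"),
]

if __name__ == "__main__":
    for label, proto, src, dst in SAMPLES:
        action, line = evaluate(CUSTOMER_PORT, proto, src, dst)
        print(f"{action:6} line={line} {proto:4} {src} -> {dst}  ({label})")
```

Because the ACL is applied inbound on the customer port, it never sees multicast streams forwarded toward the customer, which is why group membership still works while customer-sourced multicast is dropped.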