
ACL matching on multicast sources
I'm having an issue trying to match traffic based on IP source of a multicast group. Traffic is flowing through a VE interface if that makes any difference. I know the traffic is actually moving because I'm watching the video broadcast on my laptop right now via VLC. I'm also seeing traffic that should match coming through the port in our sFlow monitoring system. Any suggestions would be appreciated.

Here's the ACL:
!
ip access-list extended internet2_in
remark deny traffic with bogus source or destination addresses
deny ip any 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip any 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 any
deny ip any host 0.0.0.0
deny ip host 0.0.0.0 any
deny ip any 127.0.0.0 0.255.255.255
deny ip 127.0.0.0 0.255.255.255 any
deny ip any 192.0.2.0 0.0.0.255
deny ip 192.0.2.0 0.0.0.255 any
deny ip any 169.254.0.0 0.0.255.255
deny ip 169.254.0.0 0.0.255.255 any
remark deny all off-network SNMP access to Internal Networks
deny udp any <internal>192.0 0.0.7.255 eq snmp
deny udp any <internal>208.0 0.0.7.255 eq snmp
deny udp any <internal>192.0 0.0.7.255 eq snmp-trap
deny udp any <internal>208.0 0.0.7.255 eq snmp-trap
remark allow traffic with microsoft windows networking destination ports to storage system
permit tcp any <internal>33.240 0.0.0.15 eq loc-srv
permit udp any <internal>33.240 0.0.0.15 eq loc-srv
permit tcp any <internal>33.240 0.0.0.15 range 137 netbios-ssn
permit udp any <internal>33.240 0.0.0.15 range netbios-ns netbios-ssn
permit tcp any <internal>33.240 0.0.0.15 eq microsoft-ds
remark deny traffic with microsoft windows networking source or destination ports
deny tcp any any eq loc-srv
deny udp any any eq loc-srv
deny tcp any any range 137 netbios-ssn
deny udp any any range netbios-ns netbios-ssn
deny tcp any any eq microsoft-ds
remark prioritize traffic from NSF TV station
permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
permit ip any any drop-precedence-force 1 priority-force 1
!

And here's output from the show access-list accounting command after being applied for several minutes:
27: permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
Hit count: (1 sec) 0 (1 min) 0
(5 min) 0 (accum) 0

There are no other allow ACL lines with matches, but I'm receiving roughly 30-40 packets per second from the stream.
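To check the ordering question behind this post, here is an added offline first-match evaluator for the ACL as posted (example code, not anything from the router or the list). It parses the entries, evaluates constructed packets against them in order, and reports which entry a packet hits and the priority that entry forces. The redacted `<internal>` prefix is replaced by the constructed placeholder `198.18` (RFC 2544 benchmarking space) so those lines parse, and the multicast group, ports and control addresses in the packets are constructed too.

```python
# Offline first-match evaluator for the extended ACL posted above (added example, not router
# code). "<internal>" is replaced by the constructed placeholder 198.18; remark lines are omitted.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"snmp": 161, "snmp-trap": 162, "loc-srv": 135,            # IANA values for the
              "netbios-ns": 137, "netbios-ssn": 139, "microsoft-ds": 445}  # names the ACL uses
ACL_TEXT = """
deny ip any 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip any 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 any
deny ip any host 0.0.0.0
deny ip host 0.0.0.0 any
deny ip any 127.0.0.0 0.255.255.255
deny ip 127.0.0.0 0.255.255.255 any
deny ip any 192.0.2.0 0.0.0.255
deny ip 192.0.2.0 0.0.0.255 any
deny ip any 169.254.0.0 0.0.255.255
deny ip 169.254.0.0 0.0.255.255 any
deny udp any 198.18.192.0 0.0.7.255 eq snmp
deny udp any 198.18.208.0 0.0.7.255 eq snmp
deny udp any 198.18.192.0 0.0.7.255 eq snmp-trap
deny udp any 198.18.208.0 0.0.7.255 eq snmp-trap
permit tcp any 198.18.33.240 0.0.0.15 eq loc-srv
permit udp any 198.18.33.240 0.0.0.15 eq loc-srv
permit tcp any 198.18.33.240 0.0.0.15 range 137 netbios-ssn
permit udp any 198.18.33.240 0.0.0.15 range netbios-ns netbios-ssn
permit tcp any 198.18.33.240 0.0.0.15 eq microsoft-ds
deny tcp any any eq loc-srv
deny udp any any eq loc-srv
deny tcp any any range 137 netbios-ssn
deny udp any any range netbios-ns netbios-ssn
deny tcp any any eq microsoft-ds
permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
permit ip any any drop-precedence-force 1 priority-force 1
"""
Entry = namedtuple("Entry", "action proto src sport dst dport options")
Packet = namedtuple("Packet", "src dst proto sport dport")

def _ip(s): return int(ipaddress.IPv4Address(s))
def _port(tok): return PORT_NAMES.get(tok) or int(tok)

def _addr(toks, i):
    """'any' | 'host A' | 'A WILDCARD' at toks[i] -> ((addr, wildcard), next index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _ports(toks, i):
    """Optional 'eq P' | 'range LO HI' at toks[i] -> ((low, high) or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        return (_port(toks[i + 1]),) * 2, i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue  # remarks and the list header are not match entries
        src, i = _addr(toks, 2)
        sport, i = _ports(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _ports(toks, i)
        opts = dict(zip(toks[i::2], toks[i + 1::2]))  # e.g. {'priority-force': '4'}
        entries.append(Entry(toks[0], toks[1], src, sport, dst, dport, opts))
    return entries

def _addr_ok(spec, ip):
    mask = 0xFFFFFFFF ^ spec[1]  # wildcard bits are don't-care
    return (_ip(ip) & mask) == (spec[0] & mask)

def evaluate(entries, pkt):
    """First matching entry wins, as on the router; (None, None) is the implicit deny."""
    for idx, e in enumerate(entries):
        if (e.proto in ("ip", pkt.proto) and _addr_ok(e.src, pkt.src) and _addr_ok(e.dst, pkt.dst)
                and all(s is None or s[0] <= p <= s[1]
                        for s, p in ((e.sport, pkt.sport), (e.dport, pkt.dport)))):
            return idx, e
    return None, None

ACL = parse_acl(ACL_TEXT)

def classify(pkt):
    """(action, 0-based entry index, forced priority) for one packet against the posted ACL."""
    idx, e = evaluate(ACL, pkt)
    return ("implicit-deny", None, None) if e is None else (e.action, idx, e.options.get("priority-force"))

if __name__ == "__main__":  # constructed packets: the station's multicast stream, then a control
    for p in [Packet("192.12.209.53", "233.0.0.1", "udp", 5004, 5004),
              Packet("203.0.113.9", "198.18.1.1", "tcp", 50000, 445)]:
        print(p.src, "->", p.dst, p.proto, p.dport, classify(p))
```

Run against a UDP packet from 192.12.209.53 to a multicast group, nothing in the bogon, SNMP or Windows-port sections matches, so the evaluator lands on the `permit ip host 192.12.209.53 any ... priority-force 4` entry. When the list order says an entry should be hit but the router's accounting for that entry stays at zero while other entries count, the packets are not reaching this ACL's lookup at all, which is the direction the follow-up questions in the thread (accounting enabled, ACL bound and rebound to the interface) take.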
Re: ACL matching on multicast sources
* bdflemin@gmail.com (Brad Fleming) [Thu 19 Sep 2013, 02:03 CEST]:
>I'm having an issue trying to match traffic based on IP source of
>a multicast group. Traffic is flowing through a VE interface if that
>makes any difference. I know the traffic is actually moving because
>I'm watching the video broadcast on my laptop right now via VLC. I'm
>also seeing traffic that should match coming through the port in our
>sFlow monitoring system. Any suggestions would be appreciated.

Do you have enable-acl-accounting configured? Have you rebound the
ACL to the interface after modifying it (assuming you're on an MLX/XMR
before 5.4) using "ip rebind-acl internet2_in" in config mode?


-- Niels.

--
_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
Re: ACL matching on multicast sources
On Sep 18, 2013, at 7:29 PM, Niels Bakker <niels=foundry-nsp@bakker.net> wrote:

> * bdflemin@gmail.com (Brad Fleming) [Thu 19 Sep 2013, 02:03 CEST]:
>> I'm having an issue trying to match traffic based on IP source of a multicast group. Traffic is flowing through a VE interface if that makes any difference. I know the traffic is actually moving because I'm watching the video broadcast on my laptop right now via VLC. I'm also seeing traffic that should match coming through the port in our sFlow monitoring system. Any suggestions would be appreciated.
>
> Do you have enable-acl-accounting configured? Have you rebound the ACL to the interface after modifying it (assuming you're on an MLX/XMR before 5.4) using "ip rebind-acl internet2_in" in config mode?
>
Yes on both accounts. I see tons of matches for other ACL entries; just not the one I care about. :D

This was a brand new ACL that was configured immediately prior to binding it to the VE interface. I've rebound it for good measure and I'm still not seeing any accounting matches.
Re: ACL matching on multicast sources
By chance can you list the Source IP that you're expecting to be blocking with the listed ACL?

/Ryan

Ryan Harden
Senior Network Engineer
University of Chicago - ASN160
P: 773.834.5441

On Sep 18, 2013, at 6:56 PM, Brad Fleming <bdflemin@gmail.com> wrote:

> I'm having an issue trying to match traffic based on IP source of a multicast group. Traffic is flowing through a VE interface if that makes any difference. I know the traffic is actually moving because I'm watching the video broadcast on my laptop right now via VLC. I'm also seeing traffic that should match coming through the port in our sFlow monitoring system. Any suggestions would be appreciated.
>
> Here's the ACL:
> !
> ip access-list extended internet2_in
> remark deny traffic with bogus source or destination addresses
> deny ip any 10.0.0.0 0.255.255.255
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip any 192.168.0.0 0.0.255.255
> deny ip 192.168.0.0 0.0.255.255 any
> deny ip any host 0.0.0.0
> deny ip host 0.0.0.0 any
> deny ip any 127.0.0.0 0.255.255.255
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip any 192.0.2.0 0.0.0.255
> deny ip 192.0.2.0 0.0.0.255 any
> deny ip any 169.254.0.0 0.0.255.255
> deny ip 169.254.0.0 0.0.255.255 any
> remark deny all off-network SNMP access to Internal Networks
> deny udp any <internal>192.0 0.0.7.255 eq snmp
> deny udp any <internal>208.0 0.0.7.255 eq snmp
> deny udp any <internal>192.0 0.0.7.255 eq snmp-trap
> deny udp any <internal>208.0 0.0.7.255 eq snmp-trap
> remark allow traffic with microsoft windows networking destination ports to storage system
> permit tcp any <internal>33.240 0.0.0.15 eq loc-srv
> permit udp any <internal>33.240 0.0.0.15 eq loc-srv
> permit tcp any <internal>33.240 0.0.0.15 range 137 netbios-ssn
> permit udp any <internal>33.240 0.0.0.15 range netbios-ns netbios-ssn
> permit tcp any <internal>33.240 0.0.0.15 eq microsoft-ds
> remark deny traffic with microsoft windows networking source or destination ports
> deny tcp any any eq loc-srv
> deny udp any any eq loc-srv
> deny tcp any any range 137 netbios-ssn
> deny udp any any range netbios-ns netbios-ssn
> deny tcp any any eq microsoft-ds
> remark prioritize traffic from NSF TV station
> permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
> permit ip any any drop-precedence-force 1 priority-force 1
> !
>
> And here's output from the show access-list accounting command after being applied for several minutes:
> 27: permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
> Hit count: (1 sec) 0 (1 min) 0
> (5 min) 0 (accum) 0
>
> There's no other allow ACL lines with matches but I'm receiving roughly 30-40 packets per second from the stream.


Re: ACL matching on multicast sources
Sorry, I should have made that more clear. I'm not trying to block the source, I'm trying to place traffic from the source into a higher priority queue.

This is the line that should be matching traffic but is not:
permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4


On Sep 18, 2013, at 10:11 PM, Ryan Harden <hardenrm@uchicago.edu> wrote:

> By chance can you list the Source IP that you're expecting to be blocking with the listed ACL?
>
> /Ryan
>
> Ryan Harden
> Senior Network Engineer
> University of Chicago - ASN160
> P: 773.834.5441
>
> On Sep 18, 2013, at 6:56 PM, Brad Fleming <bdflemin@gmail.com> wrote:
>
>> I'm having an issue trying to match traffic based on IP source of a multicast group. Traffic is flowing through a VE interface if that makes any difference. I know the traffic is actually moving because I'm watching the video broadcast on my laptop right now via VLC. I'm also seeing traffic that should match coming through the port in our sFlow monitoring system. Any suggestions would be appreciated.
>>
>> Here's the ACL:
>> !
>> ip access-list extended internet2_in
>> remark deny traffic with bogus source or destination addresses
>> deny ip any 10.0.0.0 0.255.255.255
>> deny ip 10.0.0.0 0.255.255.255 any
>> deny ip 172.16.0.0 0.15.255.255 any
>> deny ip any 192.168.0.0 0.0.255.255
>> deny ip 192.168.0.0 0.0.255.255 any
>> deny ip any host 0.0.0.0
>> deny ip host 0.0.0.0 any
>> deny ip any 127.0.0.0 0.255.255.255
>> deny ip 127.0.0.0 0.255.255.255 any
>> deny ip any 192.0.2.0 0.0.0.255
>> deny ip 192.0.2.0 0.0.0.255 any
>> deny ip any 169.254.0.0 0.0.255.255
>> deny ip 169.254.0.0 0.0.255.255 any
>> remark deny all off-network SNMP access to Internal Networks
>> deny udp any <internal>192.0 0.0.7.255 eq snmp
>> deny udp any <internal>208.0 0.0.7.255 eq snmp
>> deny udp any <internal>192.0 0.0.7.255 eq snmp-trap
>> deny udp any <internal>208.0 0.0.7.255 eq snmp-trap
>> remark allow traffic with microsoft windows networking destination ports to storage system
>> permit tcp any <internal>33.240 0.0.0.15 eq loc-srv
>> permit udp any <internal>33.240 0.0.0.15 eq loc-srv
>> permit tcp any <internal>33.240 0.0.0.15 range 137 netbios-ssn
>> permit udp any <internal>33.240 0.0.0.15 range netbios-ns netbios-ssn
>> permit tcp any <internal>33.240 0.0.0.15 eq microsoft-ds
>> remark deny traffic with microsoft windows networking source or destination ports
>> deny tcp any any eq loc-srv
>> deny udp any any eq loc-srv
>> deny tcp any any range 137 netbios-ssn
>> deny udp any any range netbios-ns netbios-ssn
>> deny tcp any any eq microsoft-ds
>> remark prioritize traffic from NSF TV station
>> permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
>> permit ip any any drop-precedence-force 1 priority-force 1
>> !
>>
>> And here's output from the show access-list accounting command after being applied for several minutes:
>> 27: permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
>> Hit count: (1 sec) 0 (1 min) 0
>> (5 min) 0 (accum) 0
>>
>> There's no other allow ACL lines with matches but I'm receiving roughly 30-40 packets per second from the stream.
>

