Soooo while trying to restrict all clients on my campus network to internet access only, I did something dangerous and created an ACL that should have broken OSPF routing on my network.
Deny IPv4 Any 10.0.0.0/8 Any 10.0.0.0/8 Any Any
In theory, this should block all private addresses (I'm only using 10.0.0.0/8) from talking to each other across VLANs. But then I realised, my transit links should have stopped being able to send/receive OSPF hello messages due to this, but they're still up.
In addition, clients are still able to see each hop along a traceroute. In theory the ICMP TTL Exceeded messages should have been dropped also.
Are there some additional nuances to how ACLs work which might not have been documented?
OSPF Hellos are sent to a multicast address, not a 10 dot address. Your ACL doesn't match them.
They're also not TCP or UDP. OSPF is its own L4 protocol.
Thank you, I totally forgot about that!
Am I right to assume that the ACLs only work against TCP/UDP and not ICMP or other L4 protocols?
Also, I was trying to prevent IPv6 on the network but IPv4 stopped working when I tried a "Deny IPv6 any any any any" rule. Is this something I should dig into with TAC?
In the drop down there's TCP, UDP, ICMP, or Any. I'm not totally clear on what "Any" does. I haven't tested it against other L4 protocols to see if it's any of the drop down options, or an absolute ANY.
My drop down list only offers TCP, UDP, ANY (ICMP is not listed)
Sorry, I was thinking the L3 Firewall rules, not the switch ACLs. There is no ICMP there.
But even here, I'm still not totally sure what Any means. Is it Any of the other choices? Or is it absolutely Any?
I'm with you, not sure either.
I just did a test and "Any" seems to include ICMP as it's allowing it on explicit allows but denying it on my 10.0.0.0/8 deny.
I think I might have gotten mixed up on my original statement. I thought ICMP TTL Exceeded was coming back from the transit links, but it seems to have stopped now. I must have made a mistake in my original ACL.
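To make the two points in this thread concrete (the accepted answer that OSPF Hellos to 224.0.0.5 are not 10.x addresses and are IP protocol 89, and the later test that a protocol of "Any" does catch ICMP), here is an added example that is not part of any post above: a small evaluator for a Meraki-style IPv4 switch ACL run over constructed sample packets. It assumes "Any" matches every IP protocol number (consistent with the ICMP test reported above, but an assumption here) and that an ACL with no matching rule falls through to allow; both are parameters, not claims about the Meraki implementation.

```python
"""
Toy evaluator for a Meraki-style IPv4 switch ACL entry:
(action, protocol, src CIDR, src port, dst CIDR, dst port).

Added example for the forum thread; the sample packets are constructed,
not captured from anyone's network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# IP protocol numbers used below. OSPF is its own L4 protocol (89), so it
# is neither TCP (6) nor UDP (17).
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1, "ospf": 89}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # CIDR or "any"
    sport: str    # port number as a string, or "any"
    dst: str      # CIDR or "any"
    dport: str    # port number as a string, or "any"


@dataclass(frozen=True)
class Packet:
    proto: int                 # IP protocol number
    src: str                   # source IPv4 address
    dst: str                   # destination IPv4 address
    sport: Optional[int] = None  # only meaningful for TCP/UDP
    dport: Optional[int] = None


def _net_match(cidr: str, addr: str) -> bool:
    # "any" matches everything; otherwise the address must fall inside the CIDR.
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _port_match(spec: str, port: Optional[int]) -> bool:
    # Protocols without ports (ICMP, OSPF) only match a port spec of "any".
    return spec == "any" or (port is not None and int(spec) == port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Assumption: protocol "any" matches every IP protocol, not just TCP/UDP/ICMP.
    if rule.proto != "any" and PROTO_NUM[rule.proto] != pkt.proto:
        return False
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport)
            and _port_match(rule.dport, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet, default: str = "allow") -> str:
    # First matching rule wins; `default` is the assumed fall-through action.
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# The rule from the original post: Deny IPv4 Any 10.0.0.0/8 Any 10.0.0.0/8 Any Any
ACL = [Rule("deny", "any", "10.0.0.0/8", "any", "10.0.0.0/8", "any")]

# Constructed samples: OSPF Hello to the AllSPFRouters multicast group,
# a cross-VLAN SSH session, an ICMP TTL Exceeded from a transit hop, and
# a client talking to a public address.
SAMPLES: Dict[str, Packet] = {
    "ospf_hello": Packet(PROTO_NUM["ospf"], "10.255.0.1", "224.0.0.5"),
    "ssh_between_vlans": Packet(PROTO_NUM["tcp"], "10.10.1.20", "10.20.1.5", 51234, 22),
    "icmp_ttl_exceeded": Packet(PROTO_NUM["icmp"], "10.255.0.2", "10.10.1.20"),
    "web_to_internet": Packet(PROTO_NUM["tcp"], "10.10.1.20", "93.184.216.34", 51235, 443),
}


def classify_samples(acl: List[Rule] = ACL) -> Dict[str, str]:
    """Return the action the ACL takes for each constructed sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:20s} -> {action}")
```

The OSPF Hello is allowed only because its destination, 224.0.0.5, is outside 10.0.0.0/8; the ICMP TTL Exceeded between two 10.x hosts is denied, which matches the corrected observation that traceroute hops stopped showing. Changing the rule's protocol from "any" to "tcp" in the `ACL` list shows the other half of the answer: the OSPF packet then fails the protocol check before the address check is ever reached.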
@80211WiGuy wrote:
Also, I was trying to prevent IPv6 on the network but IPv4 stopped working when I tried a "Deny IPv6 any any any any" rule. Is this something I should dig into with TAC?
I think this is an open bug. See this thread:
https://community.meraki.com/t5/Switching/IPv6-ACL-Deny-Any-drops-all-IPv4-traffic/m-p/19762