ACLs and OSPF Transit VLANS (exception?)

SOLVED
Here to help

Soooo while trying to restrict all clients on my campus network to internet access only, I did something dangerous and created an ACL that should have broken OSPF routing on my network.

 

Deny IPv4 Any 10.0.0.0/8 Any 10.0.0.0/8 Any Any 

 

In theory, this should block all private addresses (I'm only using 10.0.0.0/8) from talking to each other across VLANs.  But then I realised, my transit links should have stopped being able to send/receive OSPF hello messages due to this, but they're still up.

 

In addition, clients are still able to see each hop along a traceroute.  In theory the ICMP TTL Exceeded messages should have been dropped also.

 

Are there some additional nuances to how ACLs work which might not have been documented?

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: ACLs and OSPF Transit VLANS (exception?)

OSPF Hellos are sent to a multicast address, not a 10 dot address. Your ACL doesn't match them. 

 

They're also not TCP or UDP. OSPF is its own L4 protocol. 
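To make the accepted answer concrete, here is a small added example (my own code, not from the thread and not Meraki's ACL implementation) that models the OP's rule as a first-match-wins list and runs constructed sample packets through it. OSPF Hellos are carried directly in IP as protocol 89 and sent to the AllSPFRouters multicast group 224.0.0.5 (224.0.0.6 for designated routers), so a rule whose destination is 10.0.0.0/8 never sees them, while ICMP Time Exceeded replies and client-to-client TCP between 10.x hosts are matched. The treatment of protocol "Any" as matching every IP protocol number, and the implicit permit when no rule matches, are assumptions of the model, not documented platform behaviour; the addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IP protocol numbers. OSPF rides directly on IP; it is not TCP or UDP.
ICMP, TCP, UDP, OSPF = 1, 6, 17, 89
PROTO_BY_NAME = {"icmp": ICMP, "tcp": TCP, "udp": UDP}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # only meaningful for TCP/UDP
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One ACL line in the column order used in the thread:
    Deny IPv4 Any 10.0.0.0/8 Any 10.0.0.0/8 Any Any
    (action, protocol, src, src port, dst, dst port)."""
    action: str   # "deny" or "permit"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # CIDR or "any"
    sport: str    # port number or "any"
    dst: str
    dport: str


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def _port_ok(spec: str, port: Optional[int]) -> bool:
    return spec == "any" or (port is not None and int(spec) == port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # ASSUMPTION: protocol "any" matches every IP protocol number, not just the
    # drop-down choices; the OP's later test suggests it at least covers ICMP.
    if rule.proto != "any" and PROTO_BY_NAME[rule.proto] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _net(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _net(rule.dst):
        return False
    return _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. ASSUMPTION: implicit permit if nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit"


# The OP's single rule, transcribed from the thread.
ACL = [Rule("deny", "any", "10.0.0.0/8", "any", "10.0.0.0/8", "any")]

# Constructed sample traffic; addresses and ports are illustrative only.
SAMPLES: Dict[str, Packet] = {
    # OSPF Hello from a transit interface to the AllSPFRouters group.
    "ospf_hello": Packet("10.1.0.1", "224.0.0.5", OSPF),
    # ICMP Time Exceeded from a transit hop back to a client: 10/8 -> 10/8.
    "icmp_ttl_exceeded": Packet("10.1.0.2", "10.50.1.20", ICMP),
    # Client-to-client SMB across VLANs: 10/8 -> 10/8.
    "smb_between_vlans": Packet("10.50.1.20", "10.60.1.5", TCP, 51000, 445),
    # Client to an internet host (TEST-NET-2 address used as a stand-in).
    "https_to_internet": Packet("10.50.1.20", "198.51.100.10", TCP, 51001, 443),
}


def classify_samples() -> Dict[str, str]:
    """Verdict for each constructed packet under the OP's ACL."""
    return {name: evaluate(ACL, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The Hello is permitted purely because its destination is outside 10.0.0.0/8; the protocol column never comes into play. If the intent is to isolate client VLANs while keeping OSPF adjacencies, the deny rules should cover the client subnets specifically and leave the transit subnets (and the 224.0.0.5/224.0.0.6 destinations) alone, rather than relying on the protocol column.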

7 REPLIES

Here to help

Re: ACLs and OSPF Transit VLANS (exception?)

Thank you, I totally forgot about that!

Am I right to assume that the ACLs only work against TCP/UDP and not ICMP or other L4 protocols?

 

Also, I was trying to prevent IPv6 on the network but IPv4 stopped working when I tried a "Deny IPv6 any any any any" rule.  Is this something I should dig into with TAC?

Kind of a big deal

Re: ACLs and OSPF Transit VLANS (exception?)

In the drop-down there's TCP, UDP, ICMP, or Any. I'm not totally clear on what "Any" does. I haven't tested it against other L4 protocols to see if it's any of the drop-down options, or an absolute ANY.

Kind of a big deal

Re: ACLs and OSPF Transit VLANS (exception?)


@80211WiGuy wrote:

 

Also, I was trying to prevent IPv6 on the network but IPv4 stopped working when I tried a "Deny IPv6 any any any any" rule.  Is this something I should dig into with TAC?


I think this is an open bug. See this thread:

 

https://community.meraki.com/t5/Switching/IPv6-ACL-Deny-Any-drops-all-IPv4-traffic/m-p/19762

 

 

Here to help

Re: ACLs and OSPF Transit VLANS (exception?)

My drop-down list only offers TCP, UDP, ANY (ICMP is not listed).

 

 

Kind of a big deal

Re: ACLs and OSPF Transit VLANS (exception?)

Sorry, I was thinking the L3 Firewall rules, not the switch ACLs. There is no ICMP there. 

 

But even here, I'm still not totally sure what Any means. Is it Any of the other choices? Or is it absolutely Any?

Here to help

Re: ACLs and OSPF Transit VLANS (exception?)

I'm with you, not sure either.

I just did a test and "Any" seems to include ICMP as it's allowing it on explicit allows but denying it on my 10.0.0.0/8 deny.

 

I think I might have gotten mixed up in my original statement. I thought ICMP TTL Exceeded was coming back from the transit links, but it seems to have stopped now. I must have made a mistake in my original ACL.
