Soooo while trying to restrict all clients on my campus network to internet access only, I did something dangerous and created an ACL that should have broken OSPF routing on my network.
Deny IPv4 Any 10.0.0.0/8 Any 10.0.0.0/8 Any Any
In theory, this should block all private addresses (I'm only using 10.0.0.0/8) from talking to each other across VLANs. But then I realised that my transit links should have stopped being able to send/receive OSPF hello messages because of this, yet they're still up.
In addition, clients are still able to see each hop along a traceroute. In theory the ICMP TTL Exceeded messages should also have been dropped.
Are there some additional nuances to how ACLs work which might not have been documented?
In the drop-down there's TCP, UDP, ICMP, or Any. I'm not totally clear on what "Any" does. I haven't tested it against other L4 protocols to see if it's any of the drop-down options, or an absolute ANY.
I just did a test and "Any" seems to include ICMP as it's allowing it on explicit allows but denying it on my 10.0.0.0/8 deny.
I think I might have gotten mixed up in my original statement. I thought ICMP TTL Exceeded was coming back from the transit links, but it seems to have stopped now. I must have made a mistake in my original ACL.
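As an added example (not part of the posts above), here is a small first-match model of the poster's ACL evaluated against constructed packets, to show which traffic the rule actually catches. It assumes the transit links are broadcast or point-to-point, so OSPF hellos are addressed to the AllSPFRouters multicast group 224.0.0.5 rather than to a 10/8 address, and it assumes a generic first-match, default-permit ACL rather than any particular vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp", "icmp", "ospf"


@dataclass(frozen=True)
class Rule:
    action: str   # "deny" or "permit"
    src_net: str  # CIDR
    dst_net: str  # CIDR
    proto: str    # "any" or a specific protocol name

    def matches(self, pkt: Packet) -> bool:
        # Both addresses must fall inside the rule's networks and the
        # protocol must match ("any" matches every protocol, ICMP included).
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and (self.proto == "any" or self.proto == pkt.proto)
        )


def evaluate(rules: list[Rule], pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins; fall through to the default action (assumed permit)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The single rule from the post: Deny Any 10.0.0.0/8 -> 10.0.0.0/8, any protocol.
POST_ACL = [Rule("deny", "10.0.0.0/8", "10.0.0.0/8", "any")]

# Constructed sample packets (addresses are made up for this example).
OSPF_HELLO = Packet("10.1.1.1", "224.0.0.5", "ospf")        # multicast dst, outside 10/8
TTL_EXCEEDED = Packet("10.1.1.2", "10.20.30.40", "icmp")    # router -> client, both 10/8
CLIENT_TO_INTERNET = Packet("10.20.30.40", "203.0.113.10", "tcp")
CLIENT_TO_CLIENT = Packet("10.20.30.40", "10.20.31.7", "tcp")

if __name__ == "__main__":
    for name, pkt in [("OSPF hello", OSPF_HELLO), ("TTL exceeded", TTL_EXCEEDED),
                      ("client->internet", CLIENT_TO_INTERNET), ("client->client", CLIENT_TO_CLIENT)]:
        print(f"{name:18} {evaluate(POST_ACL, pkt)}")
```

Because the hello's destination is a multicast group, it never matches a rule whose destination is 10.0.0.0/8, which is why the adjacencies stay up while 10/8-to-10/8 ICMP is dropped.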