ACLs and OSPF Transit VLANS (exception?)

80211WiGuy

So, while trying to restrict all clients on my campus network to internet access only, I did something dangerous and created an ACL that should have broken OSPF routing on my network.

Deny IPv4 Any 10.0.0.0/8 Any 10.0.0.0/8 Any Any

In theory, this should block all private addresses (I'm only using 10.0.0.0/8) from talking to each other across VLANs. But then I realised my transit links should have stopped being able to send/receive OSPF hello messages because of this, yet they're still up.

In addition, clients are still able to see each hop along a traceroute. In theory the ICMP TTL Exceeded messages should have been dropped too.

Are there some additional nuances to how ACLs work which might not have been documented?

1 Accepted Solution
jdsilva

OSPF Hellos are sent to a multicast address, not a 10 dot address. Your ACL doesn't match them.

They're also not TCP or UDP. OSPF is its own L4 protocol.
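As an added illustration (not code from the thread, and not Meraki's own ACL implementation), the following Python models the switch ACL as a first-match list with an implicit "allow any" at the end and runs the poster's rule against constructed packets: an OSPF hello to 224.0.0.5, a unicast OSPF Database Description packet between two transit addresses, an ICMP Time Exceeded reply from a transit hop, and two TCP client flows. The column order (policy, IP version, protocol, source, source port, destination, destination port, VLAN), the implicit allow, the `any_is_wildcard` switch and every address are assumptions; the wildcard reading of "Any" is the one the poster later reports after testing ICMP. The unicast packet is included as a caveat the thread does not cover: on a broadcast segment OSPF sends Database Description and Link State Request packets to the neighbour's unicast address (RFC 2328), so a 10/8-to-10/8 deny with a true protocol wildcard lets existing adjacencies stay up on multicast hellos while preventing a new adjacency from completing.

```python
# Added example: a toy first-match IPv4 ACL evaluator modelled on the switch ACL
# in the thread. Assumptions (not from the page): column order is policy,
# IP version, protocol, source, src port, destination, dst port, VLAN; first
# match wins; an implicit "allow any" closes the list; the "Any" protocol choice
# is a true wildcard unless any_is_wildcard=False.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IANA IP protocol numbers. OSPF is its own L4 protocol (89), not TCP or UDP.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_OSPF = 1, 6, 17, 89
UI_PROTOCOLS = {"TCP": PROTO_TCP, "UDP": PROTO_UDP}  # named choices in the switch ACL drop-down


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for protocols without ports (ICMP, OSPF)
    dport: Optional[int] = None


@dataclass
class Rule:
    policy: str  # "deny" or "allow"
    proto: str   # "TCP", "UDP" or "Any"
    src: str     # CIDR or "Any"
    sport: str   # port number or "Any"
    dst: str
    dport: str
    vlan: str    # not evaluated in this toy; the sample rule uses "Any"


def parse_rule(line: str) -> Rule:
    """Parse a rule written the way the thread writes it (assumed column order)."""
    policy, ipver, proto, src, sport, dst, dport, vlan = line.split()
    if ipver != "IPv4":
        raise ValueError("this toy evaluates IPv4 rules only")
    return Rule(policy.lower(), proto, src, sport, dst, dport, vlan)


def _net_match(spec: str, addr: str) -> bool:
    return spec == "Any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: Optional[int]) -> bool:
    return spec == "Any" or (port is not None and int(spec) == port)


def rule_matches(rule: Rule, pkt: Packet, any_is_wildcard: bool = True) -> bool:
    if rule.proto in UI_PROTOCOLS:
        if pkt.proto != UI_PROTOCOLS[rule.proto]:
            return False
    elif not any_is_wildcard and pkt.proto not in UI_PROTOCOLS.values():
        return False  # narrow reading: "Any" covers only the named choices, TCP and UDP
    return (_net_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _net_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, any_is_wildcard: bool = True) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching rule); a None index means the implicit allow."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt, any_is_wildcard):
            return rule.policy, i
    return "allow", None


RULES = [parse_rule("Deny IPv4 Any 10.0.0.0/8 Any 10.0.0.0/8 Any Any")]

# Constructed sample traffic (addresses are made up; 203.0.113.0/24 is documentation space).
SAMPLES: Dict[str, Packet] = {
    # Hello to AllSPFRouters: the destination is multicast, so a 10/8-to-10/8 rule cannot match it.
    "ospf_hello": Packet("10.0.1.1", "224.0.0.5", PROTO_OSPF),
    # Database Description during adjacency formation on a broadcast segment is unicast (RFC 2328).
    "ospf_dbd_unicast": Packet("10.0.1.1", "10.0.1.2", PROTO_OSPF),
    # ICMP Time Exceeded from a transit hop back to the host running traceroute.
    "icmp_ttl_exceeded": Packet("10.0.1.1", "10.10.5.20", PROTO_ICMP),
    "client_to_internet": Packet("10.10.5.20", "203.0.113.10", PROTO_TCP, 51000, 443),
    "client_cross_vlan": Packet("10.10.5.20", "10.20.0.5", PROTO_TCP, 51001, 445),
}


def run_samples(any_is_wildcard: bool = True) -> Dict[str, str]:
    """Decision for every sample packet under one reading of the "Any" protocol choice."""
    return {name: evaluate(RULES, pkt, any_is_wildcard)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for reading in (True, False):
        print(f'"Any" is a true wildcard: {reading}')
        for name, decision in run_samples(reading).items():
            print(f"  {name:20} {decision}")
```

Under the wildcard reading the hello is the only OSPF packet that gets through, which is exactly the symptom in the original post; under the narrow reading the rule never touches OSPF or ICMP at all, so watching whether traceroute hops disappear is a quick way to tell the two apart on a real switch.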

7 Replies

80211WiGuy

Thank you, I totally forgot about that!

Am I right to assume that the ACLs only work against TCP/UDP and not ICMP or other L4 protocols?

Also, I was trying to prevent IPv6 on the network but IPv4 stopped working when I tried a "Deny IPv6 any any any any" rule. Is this something I should dig into with TAC?

jdsilva

In the drop-down there's TCP, UDP, ICMP, or Any. I'm not totally clear on what "Any" does. I haven't tested it against other L4 protocols to see if it's any of the drop-down options, or an absolute ANY.

80211WiGuy

My drop-down list only offers TCP, UDP, ANY (ICMP is not listed).

jdsilva

Sorry, I was thinking of the L3 firewall rules, not the switch ACLs. There is no ICMP there.

But even here, I'm still not totally sure what Any means. Is it any of the other choices? Or is it absolutely any?

80211WiGuy

I'm with you, not sure either.

I just did a test and "Any" seems to include ICMP, as it's allowing it on explicit allows but denying it on my 10.0.0.0/8 deny.

I think I might have gotten mixed up in my original statement. I thought ICMP TTL Exceeded was coming back from the transit links, but it seems to have stopped now. I must have made a mistake in my original ACL.

jdsilva

@80211WiGuy wrote:

    Also, I was trying to prevent IPv6 on the network but IPv4 stopped working when I tried a "Deny IPv6 any any any any" rule. Is this something I should dig into with TAC?

I think this is an open bug. See this thread:

https://community.meraki.com/t5/Switching/IPv6-ACL-Deny-Any-drops-all-IPv4-traffic/m-p/19762
