[c-nsp] MAC ACL on CBS3020

Gert Doering gert at greenie.muc.de
Wed Dec 24 08:59:37 EST 2014


I wonder if MAC access list should generally work on a Cisco CBS3020
("HP blade system switch"), or only on access ports, or not at all.

This is - of course - a VM environment, and one of our customers is
spewing out tons of multicast junk at us...

17:51:23.101949 00:50:56:8e:4c:c6 > 33:33:00:08:00:08, ethertype IPv6 (0x86dd), length 252: fe80::250:56ff:fe8e:4cc6.45590 > ff0e::8:8:8.45590: UDP, length 190
17:51:23.102023 00:50:56:8e:4c:c6 > 33:33:00:08:00:08, ethertype IPv6 (0x86dd), length 879: fe80::250:56ff:fe8e:4cc6.45590 > ff0e::8:8:8.45590: UDP, length 817
17:51:23.109145 00:50:56:8e:4c:c6 > 33:33:00:08:00:08, ethertype IPv6 (0x86dd), length 244: fe80::250:56ff:fe8e:4cc6.45590 > ff0e::8:8:8.45590: UDP, length 182

... Google suggests that this might be jboss synchronizing "things", but
it's spitting into a subnet where I need to have fairly strict multicast
flood protection, which this triggers, and the resulting multicast blocking
plus error logging is annoying me.

Customer claims they have no idea what this is, or how to make it only
happen inside "their" vlan (machine has two virtual ethernets).

So I decided to filter it, trying "all multicast packets" or even "all
IPv6 packets sourced from that MAC"...

mac access-list extended drop-jboss-mcast
 deny   any host 3333.0008.0008
 deny   host 0050.568e.4cc6 any 0x86DD 0x0
 permit any any

int gig0/17
  description trunk to vm host
  switchport mode trunk     ! <<
  mac access-group drop-jboss-mcast in

... and that did exactly nothing, as in "packets continue to flow" and
"show access-list hardware counter" shows exactly no "Drop" hits either.

Which brings me to:

 [ ] this is generally broken
 [ ] MAC ACLs do not work on trunk ports on this switch
 [ ] I'm overlooking something

IOS in question is

Cisco IOS Software, CBS30X0 Software (CBS30X0-LANBASE-M), Version 12.2(40)SE2, RELEASE SOFTWARE (fc1)

... so, any ideas welcome :-) - and no, I haven't tried "the latest release"
yet (can't reboot that switch just so, while it is perfectly well behaving


PS: whether you celebrate it or not, I wish you all a happy Christmas and
a good new year (apply accordingly to your local festivity)
USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
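As an added check that is not part of the post above: before blaming the platform it is worth confirming in software that the access list as written should actually match the captured frames. The script below (example code, not from the thread or from Cisco) parses the three tcpdump lines and the MAC ACL quoted in the mail, evaluates every frame against the ACEs with first-match semantics and the implicit trailing deny, and cross-checks that the destination MAC 33:33:00:08:00:08 is the one RFC 2464 derives from the IPv6 group ff0e::8:8:8. It assumes only "host"/"any" address specs and hex ethertype/mask values, which is all the quoted ACL uses. If the software model reports a deny hit for every frame while "show access-list hardware counter" stays at zero, the ACE syntax is not the problem and the question narrows to how this switch applies MAC ACLs on a trunk port.

```python
"""Offline evaluation of a Cisco-style MAC ACL against tcpdump output.

Added example, not from the original post. Supports "host"/"any" address
specs and hex ethertype/mask (assumption: named ethertypes are not handled).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the three tcpdump lines quoted in the post.
CAPTURE = """\
17:51:23.101949 00:50:56:8e:4c:c6 > 33:33:00:08:00:08, ethertype IPv6 (0x86dd), length 252: fe80::250:56ff:fe8e:4cc6.45590 > ff0e::8:8:8.45590: UDP, length 190
17:51:23.102023 00:50:56:8e:4c:c6 > 33:33:00:08:00:08, ethertype IPv6 (0x86dd), length 879: fe80::250:56ff:fe8e:4cc6.45590 > ff0e::8:8:8.45590: UDP, length 817
17:51:23.109145 00:50:56:8e:4c:c6 > 33:33:00:08:00:08, ethertype IPv6 (0x86dd), length 244: fe80::250:56ff:fe8e:4cc6.45590 > ff0e::8:8:8.45590: UDP, length 182
"""

# The access list exactly as written in the post.
ACL = """\
mac access-list extended drop-jboss-mcast
 deny   any host 3333.0008.0008
 deny   host 0050.568e.4cc6 any 0x86DD 0x0
 permit any any
"""

# tcpdump line: "<ts> <src> > <dst>, ethertype X (0xNNNN), length N: <ip6src>.<port> > <ip6dst>.<port>: ..."
LINE_RE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype \S+ \(0x(?P<etype>[0-9a-f]{4})\), length \d+: "
    r"(?P<ip6src>\S+) > (?P<ip6dst>\S+):"
)


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int
    ip6_dst: Optional[str]  # None for non-IPv6 frames


@dataclass
class Ace:
    action: str
    src: Optional[str]        # None means "any"
    dst: Optional[str]
    ethertype: Optional[int]  # None means any ethertype
    mask: int                 # Cisco wildcard: 1 bits are "don't care"


def cisco_mac(dotted: str) -> str:
    """3333.0008.0008 -> 33:33:00:08:00:08 (tcpdump's notation)."""
    h = dotted.replace(".", "").lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def parse_capture(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        etype = int(m["etype"], 16)
        # tcpdump appends ".port" to the address; strip it for IPv6 frames
        ip6_dst = m["ip6dst"].rsplit(".", 1)[0] if etype == 0x86DD else None
        frames.append(Frame(m["src"], m["dst"], etype, ip6_dst))
    return frames


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header line or blank
        i, addrs = 1, []
        for _ in range(2):  # source spec, then destination spec
            if tok[i] == "any":
                addrs.append(None)
                i += 1
            elif tok[i] == "host":
                addrs.append(cisco_mac(tok[i + 1]))
                i += 2
            else:
                raise ValueError(f"unsupported address spec in: {line}")
        etype = int(tok[i], 16) if i < len(tok) else None
        mask = int(tok[i + 1], 16) if i + 1 < len(tok) else 0
        aces.append(Ace(tok[0], addrs[0], addrs[1], etype, mask))
    return aces


def ace_matches(ace: Ace, f: Frame) -> bool:
    if ace.src is not None and ace.src != f.src:
        return False
    if ace.dst is not None and ace.dst != f.dst:
        return False
    if ace.ethertype is not None:
        care = ~ace.mask & 0xFFFF  # mask 0x0 means exact ethertype match
        if (f.ethertype & care) != (ace.ethertype & care):
            return False
    return True


def evaluate(aces: List[Ace], f: Frame) -> Tuple[str, Optional[int]]:
    """First-match semantics; a MAC ACL ends in an implicit deny."""
    for idx, ace in enumerate(aces):
        if ace_matches(ace, f):
            return ace.action, idx
    return "deny", None


def ipv6_multicast_mac(addr: str) -> str:
    """RFC 2464: 33:33 followed by the low 32 bits of the group address."""
    low = ipaddress.IPv6Address(addr).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low)


def analyze(capture: str = CAPTURE, acl: str = ACL) -> List[dict]:
    aces = parse_acl(acl)
    report = []
    for f in parse_capture(capture):
        action, idx = evaluate(aces, f)
        report.append({
            "dst": f.dst,
            "dst_matches_group": f.ip6_dst is not None
            and ipv6_multicast_mac(f.ip6_dst) == f.dst,
            "action": action,
            "ace": idx,  # index of the first matching ACE, None = implicit deny
        })
    return report


if __name__ == "__main__":
    for r in analyze():
        print(r)
```

For the quoted capture every frame hits the first ACE (deny any host 3333.0008.0008), and the second ACE would also match on source MAC plus ethertype 0x86DD, so the list is doing what the author intended on paper.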