[f-nsp] ACL matching on multicast sources

Brad Fleming bdflemin at gmail.com
Wed Sep 18 19:56:32 EDT 2013


I'm having an issue trying to match traffic based on the IP source of a multicast group. Traffic is flowing through a VE interface, if that makes any difference. I know the traffic is actually moving because I'm watching the video broadcast on my laptop right now via VLC. I'm also seeing traffic that should match coming through the port in our sFlow monitoring system. Any suggestions would be appreciated.

Here's the ACL:
!
ip access-list extended internet2_in
 remark deny traffic with bogus source or destination addresses
 deny ip any 10.0.0.0 0.255.255.255
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip any 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip any host 0.0.0.0
 deny ip host 0.0.0.0 any
 deny ip any 127.0.0.0 0.255.255.255
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip any 192.0.2.0 0.0.0.255
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip any 169.254.0.0 0.0.255.255
 deny ip 169.254.0.0 0.0.255.255 any
 remark deny all off-network SNMP access to Internal Networks
 deny udp any <internal>192.0 0.0.7.255 eq snmp
 deny udp any <internal>208.0 0.0.7.255 eq snmp
 deny udp any <internal>192.0 0.0.7.255 eq snmp-trap
 deny udp any <internal>208.0 0.0.7.255 eq snmp-trap
 remark allow traffic with microsoft windows networking destination ports to storage system
 permit tcp any <internal>33.240 0.0.0.15 eq loc-srv
 permit udp any <internal>33.240 0.0.0.15 eq loc-srv
 permit tcp any <internal>33.240 0.0.0.15 range 137  netbios-ssn
 permit udp any <internal>33.240 0.0.0.15 range netbios-ns  netbios-ssn
 permit tcp any <internal>33.240 0.0.0.15 eq microsoft-ds
 remark deny traffic with microsoft windows networking source or destination ports
 deny tcp any any eq loc-srv
 deny udp any any eq loc-srv
 deny tcp any any range 137  netbios-ssn
 deny udp any any range netbios-ns  netbios-ssn
 deny tcp any any eq microsoft-ds
 remark prioritize traffic from NSF TV station
 permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
 permit ip any any drop-precedence-force 1 priority-force 1
!

And here's output from the show access-list accounting command after being applied for several minutes:
   27: permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
       Hit count: (1 sec)                    0   (1 min)                    0
                  (5 min)                    0   (accum)                    0

There are no other allow ACL lines with matches, but I'm receiving roughly 30-40 packets per second from the stream.
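The following is an added example, not code from the post or from any vendor: a small first-match evaluator for the extended ACL syntax shown above, so the matching logic can be checked in software before suspecting the entry itself. The ACL text is a trimmed copy of the one in the post with the redacted `<internal>` prefixes replaced by the documentation range 198.51.96.0/21 (and 198.51.100.240/28 for the storage system), and the sample packets, including the multicast stream from 192.12.209.53 to a constructed group 233.4.5.6, are constructed. The `hit_counts` function is the software analogue of the `show access-list accounting` counters: if the stream lands on the `permit ip host 192.12.209.53 any` line here but the device counter stays at zero, the question becomes where the platform applies or counts the ACL for multicast-forwarded traffic on that VE, not whether the entry's syntax is right.

```python
"""First-match evaluator for Brocade/Cisco-style extended ACL entries (added example).

Handles permit/deny, protocol ip/tcp/udp, addresses as 'any' | 'host A' | 'A WILDCARD',
and an optional 'eq PORT' or 'range P1 P2' after the source and/or destination.
Trailing keywords (drop-precedence-force, priority-force) do not affect matching.
"""
import ipaddress
from collections import Counter

# Service names used in the post, resolved to their IANA port numbers.
PORT_NAMES = {"snmp": 161, "snmp-trap": 162, "loc-srv": 135, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445}

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _parse_addr(tok, i):
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        p = _port(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Return the permit/deny entries in order; the header, remarks and '!' are skipped."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append({"seq": len(entries) + 1, "action": tok[0], "proto": tok[1],
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "text": " ".join(tok)})
    return entries

def matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]) or not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    for key in ("sport", "dport"):          # port clauses only apply when the entry has one
        rng = entry[key]
        if rng is not None and not (pkt.get(key) is not None and rng[0] <= pkt[key] <= rng[1]):
            return False
    return True

def evaluate(entries, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if matches(e, pkt):
            return e
    return {"seq": None, "action": "deny", "text": "implicit deny"}

def hit_counts(entries, packets):
    """Per-entry hit counter, the software analogue of 'show access-list accounting'."""
    return Counter(evaluate(entries, p)["seq"] for p in packets)

# Constructed, trimmed copy of the post's ACL: 198.51.96.0/21 (documentation space) stands in
# for the redacted <internal> prefixes and 198.51.100.240/28 for the storage system.
ACL_TEXT = """
ip access-list extended internet2_in
 remark deny traffic with bogus source or destination addresses
 deny ip any 10.0.0.0 0.255.255.255
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip any 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip any 127.0.0.0 0.255.255.255
 deny ip 127.0.0.0 0.255.255.255 any
 deny udp any 198.51.96.0 0.0.7.255 eq snmp
 deny udp any 198.51.96.0 0.0.7.255 eq snmp-trap
 permit tcp any 198.51.100.240 0.0.0.15 range 137 netbios-ssn
 permit udp any 198.51.100.240 0.0.0.15 range netbios-ns netbios-ssn
 permit tcp any 198.51.100.240 0.0.0.15 eq microsoft-ds
 deny tcp any any range 137 netbios-ssn
 deny udp any any range netbios-ns netbios-ssn
 deny tcp any any eq microsoft-ds
 remark prioritize traffic from NSF TV station
 permit ip host 192.12.209.53 any drop-precedence-force 1 priority-force 4
 permit ip any any drop-precedence-force 1 priority-force 1
"""
ACL = parse_acl(ACL_TEXT)

# Constructed sample packets: the multicast stream (group address made up) plus controls.
STREAM = {"proto": "udp", "src": "192.12.209.53", "dst": "233.4.5.6", "sport": 5004, "dport": 5004}
SMB_TO_STORAGE = {"proto": "tcp", "src": "203.0.113.9", "dst": "198.51.100.250", "sport": 51000, "dport": 445}
SMB_ELSEWHERE = {"proto": "tcp", "src": "203.0.113.9", "dst": "198.51.100.10", "sport": 51001, "dport": 445}
BOGON_SOURCE = {"proto": "udp", "src": "10.1.2.3", "dst": "233.4.5.6", "sport": 5004, "dport": 5004}

if __name__ == "__main__":
    for pkt in (STREAM, SMB_TO_STORAGE, SMB_ELSEWHERE, BOGON_SOURCE):
        hit = evaluate(ACL, pkt)
        print(f"{pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}  =>  seq {hit['seq']}: {hit['text']}")
    # Thirty stream packets all land on the NSF TV line, so its software counter reads 30.
    print(hit_counts(ACL, [STREAM] * 30))
```

Run as-is it prints the entry each sample packet hits; in this trimmed ACL the stream packets reach sequence 16, the `permit ip host 192.12.209.53 any` line, and nothing earlier, which is the behaviour the hardware counter in the post would be expected to reflect.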