ACLs and HSRP, BGP, OSPF, VRRP, GLBP…

Here’s a handy list of ACL entries to allow your devices to speak routing protocols, availability protocols, and some other stuff. We’ll assume you have ACL 101 applied to your Ethernet inbound; your Ethernet has an IP of 192.168.0.1.

  • BGP : Runs on TCP/179 between the neighbors

access-list 101 permit tcp any host 192.168.0.1 eq 179

  • EIGRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.10

access-list 101 permit eigrp any host 224.0.0.10

  • OSPF : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.5; also talks to 224.0.0.6 for DR/BDR routers

access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6

  • HSRP : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.2. I’ve seen in the past that it runs on UDP/1985, but I didn’t find any evidence of that in a quick Google for it. Can someone verify?

access-list 101 permit udp any host 224.0.0.2 eq 1985

  • HSRP version 2 : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.102.

access-list 101 permit udp any host 224.0.0.102 eq 1985

  • RIP : Runs on UDP/520 from the source interface IP to the multicast address of 224.0.0.9

access-list 101 permit udp any host 224.0.0.9 eq 520

  • VRRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.18

access-list 101 permit 112 any host 224.0.0.18

  • VRRP-E : This is a Foundry thing according to readers, and runs on UDP/8888 from the source interface IP to the multicast address of 224.0.0.2

access-list 101 permit udp any host 224.0.0.2 eq 8888

  • GLBP : Runs on UDP from the source interface IP to the multicast address of 224.0.0.102

access-list 101 permit udp any host 224.0.0.102

  • DHCPD (or bootps) : Runs on UDP/67 from 0.0.0.0 (since the client doesn’t have an address yet) to 255.255.255.255 (the broadcast).

access-list 101 permit udp any host 255.255.255.255 eq 67

If anyone else has one to add, do so in the comments.
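Two of the entries in a list like this are easy to get wrong by cut-and-paste (a v1 group address on the HSRPv2 line, a port match on a bare protocol number), so as an added example that is not part of the original post, here is a small Python checker that parses lines in the numbered-ACL syntax used above and compares each against the protocol, destination group and port the named protocol needs. The label names, the checker itself and GLBP's UDP/3222 (not stated in the list) are my additions; every other value in the table comes from the list above.

```python
import re

# Classic numbered-ACL syntax as used in the post: only 'any' / 'host A.B.C.D'
# addresses and 'eq <port>' matches are handled (constructed checker, not IOS code).
ACL_RE = re.compile(
    r"^access-list\s+\d+\s+(?:permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<dport>\d+))?\s*$")

def parse(line):
    """Split one ACL line into protocol, source, source port, destination, dest port."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable ACL line: {line!r}")
    g = m.groupdict()
    addr = lambda s: s.split()[-1]            # 'host 224.0.0.2' -> '224.0.0.2'
    port = lambda p: int(p) if p else None
    return {"proto": g["proto"].lower(), "src": addr(g["src"]), "sport": port(g["sport"]),
            "dst": addr(g["dst"]), "dport": port(g["dport"])}

# label -> (IOS protocol keyword, acceptable destinations, L4 port). Values come from
# the post; GLBP's UDP/3222 is not stated there and is added from Cisco's documentation.
EXPECTED = {
    "bgp":    ("tcp",   None,                       179),   # dst is the router's own IP
    "eigrp":  ("eigrp", ("224.0.0.10",),            None),
    "ospf":   ("ospf",  ("224.0.0.5", "224.0.0.6"), None),
    "hsrpv1": ("udp",   ("224.0.0.2",),             1985),
    "hsrpv2": ("udp",   ("224.0.0.102",),           1985),
    "rip":    ("udp",   ("224.0.0.9",),             520),
    "vrrp":   ("112",   ("224.0.0.18",),            None),
    "vrrp-e": ("udp",   ("224.0.0.2",),             8888),
    "glbp":   ("udp",   ("224.0.0.102",),           3222),
    "dhcp":   ("udp",   ("255.255.255.255",),       67),
}

def lint(label, line):
    """Return every way `line` disagrees with what protocol `label` needs."""
    e = parse(line)
    proto, dsts, port = EXPECTED[label]
    findings = []
    if e["proto"] not in ("tcp", "udp") and (e["sport"], e["dport"]) != (None, None):
        findings.append(f"'eq' only applies to tcp/udp, not protocol {e['proto']}")
    if e["proto"] != proto:
        findings.append(f"protocol is {e['proto']}, {label} uses {proto}")
    if dsts and e["dst"] not in dsts:
        findings.append(f"destination {e['dst']}, {label} uses {'/'.join(dsts)}")
    if port is not None and port not in (e["sport"], e["dport"]):   # BGP: either side
        findings.append(f"no port match, {label} uses {proto}/{port}")
    return findings
```

Running `lint("glbp", ...)` over the GLBP line above reports that it permits all UDP to 224.0.0.102 rather than just UDP/3222, which is the kind of over-broad entry worth tightening once the protocol is confirmed working.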

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages.


20 comments for “ACLs and HSRP, BGP, OSPF, VRRP, GLBP…”

  1. True
    June 12, 2008 at 8:28 am

    Just found your blog and am enjoying your posts.

    Q. HSRP does not work when an Access Control List (ACL) is applied. How can I permit HSRP through an ACL?

    A. HSRP hello packets are sent to multicast address 224.0.0.2 with UDP port 1985. Whenever an ACL is applied to an HSRP interface, ensure that packets destined to 224.0.0.2 on UDP port 1985 are permitted.

  2. June 12, 2008 at 10:53 am

    Thanks for the comment, True.

    I thought I had seen the UDP/1985 thing somewhere and had it in my notes, but I couldn’t find it again after 20 seconds of looking. 🙂

  3. June 12, 2008 at 8:28 pm

    Great list! Just a tiny typo in the OSPF ACL (eigrp instead of ospf).

    You could also add RIP, which multicasts to 224.0.0.9 on UDP/520.

  4. June 12, 2008 at 8:42 pm

    Typo corrected (dang cut/paste). Also added RIP. Thanks, stretch!

  5. True
    June 12, 2008 at 10:07 pm

    It looks like the cut and paste got you again on the multicast address for RIPv2. 🙂

    Nice list by the way.

  6. Clint Young
    June 12, 2008 at 10:39 pm

    Nice list!!! This will definitely come in as a handy reference in the future when I need to pull it quick!

  7. June 13, 2008 at 6:52 am

    Some day, I’ll pay attention enough to see these typos. 🙂 Thanks, True.

    And thanks, Clint. I hope the list is helpful.

  8. Sebastian Graf
    July 4, 2008 at 2:01 am

    Hi Aaron,

    nice list. I would suggest to also add 224.0.0.6 for DR/BDR OSPF routers.

  9. July 4, 2008 at 4:09 pm

    Thanks, Sebastian. Done!

  10. October 2, 2008 at 6:35 am

    Hey Aaron,

    Great post!! After dealing with some problems with HSRP and ACL’s, I started searching for all the different multicast addresses, ports and associated protocols and I found your post.

    Again GREAT, thanks for it!!!!

  11. October 3, 2008 at 12:56 pm

    I’m glad you found it useful, René. Thanks for stopping by.

  12. November 26, 2008 at 2:13 pm

    As an added data point, Foundry Networks offers vrrp-e on their platforms, but under the hood it is more like hsrp in that it uses the all-routers mcast address (224.0.0.2) rather than the vrrp address of 224.0.0.18.
    The source and destination for vrrp-e should be UDP port 8888 and the destination MAC should be 01-00-5E-00-00-02.
    “permit ip any host 224.0.0.2” is an easy way to allow vrrp-e within a Foundry ACL (not necessarily secure with the “any” in there, but good to make it work in a pinch).

  13. Brian
    May 19, 2009 at 12:21 pm

    HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast address of 224.0.0.2, which is used by version 1. HSRP version 2 continues to use UDP port 1985.

  14. May 20, 2009 at 8:21 am

    Thanks, Nick and Brian. Added.

  15. shady
    November 22, 2010 at 5:46 pm

    This post is gold. Having issues with HSRP on VLANS with an ACL applied. Saved the day and great knowledge for further use.

  16. Kumara
    September 25, 2012 at 7:57 am

    Great Article.
    I was able to solve the HSRP issue after permitting UDP port 1985.

  17. Jeremy
    September 30, 2012 at 9:20 pm

    I may be mistaken, but I believe for BGP the two peers act in a server/client fashion that is determined by the two peers when they form a neighborship. As such, you would also need the second line: access-list 101 permit tcp any eq 179 host 192.168.0.1 to allow the peers to communicate since you would not know which side is the server prior to establishment.

  18. Alexandria Horne
    November 20, 2014 at 7:32 pm

    Thank you!!!!
