ACLs and HSRP, BGP, OSPF, VRRP, GLBP…
Here’s a handy list of ACL entries to allow your devices to speak routing protocols, availability protocols, and some other stuff. We’ll assume you have ACL 101 applied to your Ethernet inbound; your Ethernet has an IP of 192.168.0.1.
- BGP : Runs on TCP/179 between the neighbors
access-list 101 permit tcp any host 192.168.0.1 eq 179
- EIGRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.10
access-list 101 permit eigrp any host 224.0.0.10
- OSPF : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.5; also talks to 224.0.0.6 for DR/BDR routers
access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6
- HSRP : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.2. I’ve seen in the past that it runs on UDP/1985, but I didn’t find any evidence of that in a quick Google for it. Can someone verify?
access-list 101 permit udp any host 224.0.0.2 eq 1985
- HSRP version 2 : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.102.
access-list 101 permit udp any host 224.0.0.102 eq 1985
- RIP : Runs on UDP/520 from the source interface IP to the multicast address of 224.0.0.9
access-list 101 permit udp any host 224.0.0.9 eq 520
- VRRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.18
access-list 101 permit 112 any host 224.0.0.18
- VRRP-E : This is a Foundry thing according to readers, and runs on UDP/8888 from the source interface IP to the multicast address of 224.0.0.2
access-list 101 permit udp any host 224.0.0.2 eq 8888
- GLBP : Runs on UDP from the source interface IP to the multicast address of 224.0.0.102
access-list 101 permit udp any host 224.0.0.102
- DHCPD (or bootps) : Runs on UDP/67 from 0.0.0.0 (since the client doesn’t have an address yet) to 255.255.255.255 (the broadcast).
access-list 101 permit udp any host 255.255.255.255 eq 67
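As an added example (not part of the original post), the following Python script parses the extended-ACL syntax used in the list above and evaluates a handful of constructed sample packets against it, first match wins, with the implicit deny at the end of every IOS ACL. The protocol numbers for EIGRP (88) and OSPF (89) are standard IANA assignments; the sample packets and their ports are made up for the demonstration. It also checks a reply-direction BGP packet (source port 179, ephemeral destination port) to show that a stateless inbound ACL only matches the direction its entries describe, and it rejects a port qualifier on a non-TCP/UDP entry, which IOS would also refuse.

```python
"""Toy first-match evaluator for Cisco-style extended ACL entries.

Constructed example: parses 'access-list N permit|deny PROTO SRC [eq PORT]
DST [eq PORT]' and evaluates sample packets, including the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords used on this page -> IP protocol numbers ("ip" = any).
# A bare number such as 112 (VRRP) is accepted directly by parse_entry().
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: Optional[int]
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a contiguous hostmask (an IOS wildcard) as the mask.
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_entry(line: str) -> Entry:
    """Parse one extended ACL line; malformed lines raise ValueError."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    name = tokens[3]
    proto = int(name) if name.isdigit() else PROTO_NUMBERS[name]
    rest = tokens[4:]
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    # IOS only allows port qualifiers on tcp/udp entries; mirror that check.
    if proto not in (6, 17) and (sport is not None or dport is not None):
        raise ValueError(f"port qualifier on non-tcp/udp entry: {line!r}")
    return Entry(tokens[2], proto, src, sport, dst, dport, line.strip())


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto is None or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", None


# ACL 101 as listed on this page (Ethernet IP 192.168.0.1, typos corrected).
ACL_101 = """
access-list 101 permit tcp any host 192.168.0.1 eq 179
access-list 101 permit eigrp any host 224.0.0.10
access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6
access-list 101 permit udp any host 224.0.0.2 eq 1985
access-list 101 permit udp any host 224.0.0.102 eq 1985
access-list 101 permit udp any host 224.0.0.9 eq 520
access-list 101 permit 112 any host 224.0.0.18
access-list 101 permit udp any host 224.0.0.2 eq 8888
access-list 101 permit udp any host 224.0.0.102
access-list 101 permit udp any host 255.255.255.255 eq 67
"""

# Constructed sample packets arriving inbound on the Ethernet interface.
SAMPLES = {
    "ospf_hello": Packet(89, "192.168.0.2", "224.0.0.5"),
    "hsrp_v2_hello": Packet(17, "192.168.0.2", "224.0.0.102", 1985, 1985),
    "vrrp_advert": Packet(112, "192.168.0.2", "224.0.0.18"),
    "bgp_to_us": Packet(6, "192.168.0.2", "192.168.0.1", 40123, 179),
    # Reply direction of a session this router opened: source port 179.
    "bgp_reply_to_us": Packet(6, "192.168.0.2", "192.168.0.1", 179, 40123),
    "ssh_to_us": Packet(6, "192.168.0.2", "192.168.0.1", 40124, 22),
}


def run(acl_text: str = ACL_101) -> dict:
    """Return {sample name: (action, matching entry or None)}."""
    acl = [parse_entry(l) for l in acl_text.splitlines() if l.strip()]
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, entry) in run().items():
        print(f"{name:16} {action:6} {entry or '(implicit deny)'}")
```

One thing worth trying with the script: put the original HSRP v2 typo back (224.0.0.2 instead of 224.0.0.102) and the v2 hello is still permitted, but by the broader GLBP entry (`permit udp any host 224.0.0.102`, no port), which is why the mistake went unnoticed. Overlapping entries can hide typos, so check which line actually matched, not only the verdict.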
If anyone else has one to add, do so in the comments.
Just found your blog and am enjoying your posts.
Q. HSRP does not work when an Access Control List (ACL) is applied. How can I permit HSRP through an ACL?
A. HSRP hello packets are sent to multicast address 224.0.0.2 with UDP port 1985. Whenever an ACL is applied to an HSRP interface, ensure that packets destined to 224.0.0.2 on UDP port 1985 are permitted.
Thanks for the comment, True.
I thought I had seen the UDP/1985 thing somewhere and had it in my notes, but I couldn’t find it again after 20 seconds of looking. 🙂
Great list! Just a tiny typo in the OSPF ACL (eigrp instead of ospf).
You could also add RIP, which multicasts to 224.0.0.9 on UDP/520.
Typo corrected (dang cut/paste). Also added RIP. Thanks, stretch!
It looks like the cut and paste got you again on the multicast address for RIPv2. 🙂
Nice list by the way.
Nice list!!! This will definitely come in as a handy reference in the future when I need to pull it quick!
Some day, I’ll pay attention enough to see these typos. 🙂 Thanks, True.
And thanks, Clint. I hope the list is helpful.
Hi Aaron,
nice list. I would suggest to also add 224.0.0.6 for DR/BDR OSPF routers.
Thanks, Sebastian. Done!
Hey Aaron,
Great post!! After dealing with some problems with HSRP and ACL’s, I started searching for all the different multicast addresses, ports and associated protocols and I found your post.
Again GREAT, thanks for it!!!!
I’m glad you found it useful, René. Thanks for stopping by.
[…] at the Internet I found a nice article on Aaron’s Worthless Words blog about multicast addresses, port numbers and associated […]
As an added data point, Foundry Networks offers VRRP-E on their platforms, but under the hood it is more like HSRP in that it uses the all-routers multicast address (224.0.0.2) rather than the VRRP address of 224.0.0.18.
The source and destination for vrrp-e should be UDP port 8888 and the destination MAC should be 01-00-5E-00-00-02
“permit ip any host 224.0.0.2” is an easy way to allow VRRP-E within a Foundry ACL (not necessarily secure with the “any” in there, but good to make it work in a pinch).
[…] 2008 in Tech Always being on the lookout for good, well put together information, I came across this network oriented technical blog, and it was a pretty helpful find, containing many of the ACLs and details for HSRP, BGP, OSPF, […]
HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast address of 224.0.0.2, which is used by version 1. HSRP version 2 continues to use UDP port 1985.
Thanks, Nick and Brian. Added.
Looks like you put in the HSRP v2 ACL however you re-entered the v1 IP address (224.0.0.2) rather than the new v2 address (224.0.0.102)…
This post is gold. Having issues with HSRP on VLANS with an ACL applied. Saved the day and great knowledge for further use.
Great Article.
I was able to solve the HSRP issue after permitting UDP port 1985.
I may be mistaken, but I believe for BGP the two peers act in a server/client fashion that is determined by the two peers when they form a neighborship. As such, you would also need the second line: access-list 101 permit tcp any eq 179 host 192.168.0.1 to allow the peers to communicate since you would not know which side is the server prior to establishment.
Thank you!!!!