Installation best practice: use ACLs to filter unneeded multicast and broadcast

Broadcast and multicast packets are typically transmitted at slower data rates, so they take up more airtime. They are also typically buffered on the AP for clients that are in power-save sleep mode and transmitted only at the DTIM (a periodic beacon interval), which can cause queuing issues.


Many broadcast and multicast packets are important for normal network operation or for specific client applications (video streaming etc.). Depending on your network and applications, others simply use up airtime that could be put to better use, and filtering them with ACLs will help.

Some commonly recommended ACL filters, with a description of what each one does:

WLAN profile ACLs:

acl permit proto 10 tcp any any any any any         allow all TCP packets in both directions
acl permit proto 11 udp any 67 any any out          allow DHCP offer packets in the outbound direction
acl deny proto 12 udp any 137 any any in            deny Windows NetBIOS packets in the inbound direction
acl deny proto 13 udp any 138 any any in            deny Windows NetBIOS packets in the inbound direction
acl deny ip 14 any 224.0.0.0/240.0.0.0 in           deny incoming IP multicast packets
acl deny proto 15 udp any 68 any 67 out             deny DHCP discover packets going out on air
acl deny mac 16 any 11:11:11:11:11:11 out           deny Cambium inter-AP communication packets going out on air
acl deny mac 17 any ff:ff:ff:ff:ff:ff out           deny L2 broadcast packets going out on air
acl permit mac 24 any any any                       allow all other packets in both directions

Ethernet ACLs:

acl permit proto 10 tcp any any any any any         allow all TCP packets in both directions
acl deny proto 11 udp any 137 any any in            deny Windows NetBIOS packets in the inbound direction
acl deny proto 12 udp any 138 any any in            deny Windows NetBIOS packets in the inbound direction
acl deny ip 13 any 224.0.0.0/240.0.0.0 in           deny incoming IP multicast packets
acl permit proto 14 udp any 68 any 67 out           allow DHCP discover packets in the outbound direction
acl permit proto 15 udp any 67 any 68 in            allow DHCP offer packets in the inbound direction
acl deny ip 16 any 255.255.255.255 in               deny incoming IP broadcast packets
acl deny mac 17 any 01:80:c2:00:00:00 in            block 802.1D packets from wired to wireless
acl permit mac 24 any any any                       allow all other packets in both directions


Keep in mind that ACLs are evaluated in rule-number order (looked up from 1 to 256), and once an ACL is defined, any packet that no explicit 'permit' rule matches is dropped (hence the 'permit' rules 255 and 256 in the list above).
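To make the ordering and implicit-deny behaviour concrete, here is an added example (my own code, not from the post or from Cambium's firmware) that parses the WLAN profile ACL above using the post's rule syntax and runs a few constructed packets through it in rule-number order. The three rule field layouts are inferred from the lines above, and the packet model and sample addresses are assumptions made for the example.

```python
"""Ordered-ACL evaluator: first match in rule-number order wins, and anything
no rule permits is dropped. Added example; rule grammar inferred from the post,
packet model and sample traffic are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Fields an ACL rule can look at. direction is 'in' or 'out' as seen from
    the interface the ACL is attached to (WLAN profile or Ethernet)."""
    direction: str
    src_mac: str = "00:00:00:00:00:01"
    dst_mac: str = "00:00:00:00:00:02"
    src_ip: Optional[str] = None       # None for non-IP frames such as ARP
    dst_ip: Optional[str] = None
    l4: Optional[str] = None           # "tcp" or "udp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_rule(line: str) -> dict:
    """Parse 'acl <permit|deny> <proto|ip|mac> <num> ...'. The three field
    layouts are taken from the post's examples (assumption: no other forms)."""
    t = line.split()
    if len(t) < 4 or t[0] != "acl":
        raise ValueError(f"not an acl rule: {line!r}")
    rule = {"action": t[1], "kind": t[2], "num": int(t[3])}
    layouts = {
        "proto": ("l4", "src_ip", "src_port", "dst_ip", "dst_port", "direction"),
        "ip": ("src_ip", "dst_ip", "direction"),
        "mac": ("src_mac", "dst_mac", "direction"),
    }
    keys = layouts.get(rule["kind"])
    if keys is None or len(t) != 4 + len(keys):
        raise ValueError(f"malformed rule: {line!r}")
    rule.update(zip(keys, t[4:]))
    return rule


def _ip_match(spec: str, addr: Optional[str]) -> bool:
    # ipaddress accepts dotted masks, so "224.0.0.0/240.0.0.0" works as written
    return spec == "any" or (addr is not None and
        ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(spec, strict=False))


def _port_match(spec: str, port: Optional[int]) -> bool:
    return spec == "any" or (port is not None and int(spec) == port)


def _mac_match(spec: str, mac: str) -> bool:
    return spec == "any" or spec.lower() == mac.lower()


def matches(rule: dict, pkt: Packet) -> bool:
    if rule["direction"] not in ("any", pkt.direction):
        return False
    if rule["kind"] == "mac":
        return (_mac_match(rule["src_mac"], pkt.src_mac)
                and _mac_match(rule["dst_mac"], pkt.dst_mac))
    if pkt.src_ip is None or pkt.dst_ip is None:
        return False                   # ip/proto rules never match non-IP frames
    if not (_ip_match(rule["src_ip"], pkt.src_ip) and _ip_match(rule["dst_ip"], pkt.dst_ip)):
        return False
    if rule["kind"] == "ip":
        return True
    return (rule["l4"] == pkt.l4 and _port_match(rule["src_port"], pkt.src_port)
            and _port_match(rule["dst_port"], pkt.dst_port))


def evaluate(rules, pkt: Packet):
    """Return (action, rule number) of the first matching rule in number
    order, or ('deny', None) when nothing matched: the implicit drop."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["action"], rule["num"]
    return "deny", None


# The WLAN profile ACL from the post, verbatim.
WLAN_ACL = [parse_rule(l) for l in """
acl permit proto 10 tcp any any any any any
acl permit proto 11 udp any 67 any any out
acl deny proto 12 udp any 137 any any in
acl deny proto 13 udp any 138 any any in
acl deny ip 14 any 224.0.0.0/240.0.0.0 in
acl deny proto 15 udp any 68 any 67 out
acl deny mac 16 any 11:11:11:11:11:11 out
acl deny mac 17 any ff:ff:ff:ff:ff:ff out
acl permit mac 24 any any any
""".strip().splitlines()]

# Constructed sample traffic (addresses are made up for the example).
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLES = {
    "tcp in": Packet("in", src_ip="10.0.0.1", dst_ip="192.168.1.20", l4="tcp", src_port=443, dst_port=50000),
    "dhcp offer out": Packet("out", dst_mac=BCAST, src_ip="192.168.1.1", dst_ip="255.255.255.255", l4="udp", src_port=67, dst_port=68),
    "netbios in": Packet("in", dst_mac=BCAST, src_ip="192.168.1.30", dst_ip="192.168.1.255", l4="udp", src_port=137, dst_port=137),
    "mdns in": Packet("in", src_ip="192.168.1.20", dst_ip="224.0.0.251", l4="udp", src_port=5353, dst_port=5353),
    "arp request out": Packet("out", dst_mac=BCAST),
    "unicast arp out": Packet("out"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} -> {evaluate(WLAN_ACL, pkt)}")
    # Ordering matters: without rule 11 the broadcast DHCP offer falls through to rule 17.
    print("offer, no rule 11 ->", evaluate([r for r in WLAN_ACL if r["num"] != 11], SAMPLES["dhcp offer out"]))
    # Without the catch-all permit 24, ordinary unicast ARP is silently dropped.
    print("arp, no rule 24   ->", evaluate([r for r in WLAN_ACL if r["num"] != 24], SAMPLES["unicast arp out"]))
```

Two things worth noticing when you run it: the broadcast DHCP offer is only delivered because the permit in rule 11 sits ahead of the L2 broadcast deny in rule 17, and removing the final `permit mac 24 any any any` turns every unmatched frame into a drop, which is exactly the failure mode described above. The evaluator models the semantics the post states (numeric order, first match, implicit deny), not the AP's actual implementation.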
