Broadcast and multicast packets are typically transmitted at the lowest supported data rates, so each one takes up more airtime than a unicast frame. They are also buffered on the AP for clients that are in power-save sleep mode and transmitted only after beacons that carry a DTIM (Delivery Traffic Indication Message), which can cause queuing problems.
Many broadcast and multicast packets are needed for normal network operation and for specific client applications (video streaming, etc.), but depending on your network and applications, others simply consume airtime that could be put to better use, and filtering them with ACLs will help.
Some of the common recommended ACL filters, with descriptions of what they do, are:
WLAN profile ACLs:
| ACL | Description |
|---|---|
| acl permit proto 10 tcp any any any any any | allow all TCP packets in both directions |
| acl permit proto 11 udp any 67 any any out | allow DHCP server packets (UDP source port 67, e.g. DHCP offer/ack) in the outbound (to air) direction |
| acl deny proto 12 udp any 137 any any in | deny Windows NetBIOS name service (UDP 137) packets in the inbound direction |
| acl deny proto 13 udp any 138 any any in | deny Windows NetBIOS datagram service (UDP 138) packets in the inbound direction |
| acl deny ip 14 any 224.0.0.0/240.0.0.0 in | deny inbound IP multicast packets (224.0.0.0/4) |
| acl deny proto 15 udp any 68 any 67 out | deny DHCP client packets (UDP 68 to 67, e.g. DHCP discover/request) from being sent out over the air |
| acl deny mac 16 any 11:11:11:11:11:11 out | deny Cambium inter-AP communication packets from being sent out over the air |
| acl deny mac 17 any ff:ff:ff:ff:ff:ff out | deny L2 broadcast packets (destination ff:ff:ff:ff:ff:ff) from being sent out over the air; DHCP offers are still allowed by rule 11, which is matched first |
| acl permit mac 24 any any any | allow all other packets in both directions |
Ethernet ACLs:
| ACL | Description |
|---|---|
| acl permit proto 10 tcp any any any any any | allow all TCP packets in both directions |
| acl deny proto 11 udp any 137 any any in | deny Windows NetBIOS name service (UDP 137) packets in the inbound direction |
| acl deny proto 12 udp any 138 any any in | deny Windows NetBIOS datagram service (UDP 138) packets in the inbound direction |
| acl deny ip 13 any 224.0.0.0/240.0.0.0 in | deny inbound IP multicast packets (224.0.0.0/4) |
| acl permit proto 14 udp any 68 any 67 out | allow DHCP client packets (UDP 68 to 67, e.g. DHCP discover/request) in the outbound direction |
| acl permit proto 15 udp any 67 any 68 in | allow DHCP server packets (UDP 67 to 68, e.g. DHCP offer/ack) in the inbound direction |
| acl deny ip 16 any 255.255.255.255 in | deny inbound IP limited-broadcast packets (destination 255.255.255.255); DHCP offers are still allowed by rule 15, which is matched first |
| acl deny mac 17 any 01:80:c2:00:00:00 in | deny 802.1D (spanning tree, bridge group address 01:80:c2:00:00:00) frames from wired to wireless |
| acl permit mac 24 any any any | allow all other packets in both directions |
Keep in mind that ACLs are evaluated in rule-number order (looked up from 1 to 256, first match wins) and that once an ACL is defined, any packet that matches no explicit 'permit' rule is dropped (hence the final catch-all 'acl permit mac 24 any any any' rule in each list above, and the 'permit' entries for TCP and DHCP placed ahead of the broader 'deny' entries).
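To make the ordering and implicit-deny behaviour concrete, here is an added Python example (not Cambium code and not from this page) that parses the Ethernet ACL list above and runs constructed sample frames through it. It assumes a first-match-wins lookup in rule-number order with a default drop, as stated above; the packet field names, the direction convention ("in" = frame arriving on the interface, "out" = frame leaving it) and the sample addresses (00:00:5e:00:53:xx, 10.0.0.x) are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ETHERNET_ACLS = """
acl permit proto 10 tcp any any any any any
acl deny proto 11 udp any 137 any any in
acl deny proto 12 udp any 138 any any in
acl deny ip 13 any 224.0.0.0/240.0.0.0 in
acl permit proto 14 udp any 68 any 67 out
acl permit proto 15 udp any 67 any 68 in
acl deny ip 16 any 255.255.255.255 in
acl deny mac 17 any 01:80:c2:00:00:00 in
acl permit mac 24 any any any
"""  # the Ethernet ACL list from this page, verbatim

@dataclass
class Rule:
    action: str      # "permit" or "deny"
    kind: str        # "mac", "ip" or "proto"
    number: int      # rule number = lookup order
    direction: str   # "in", "out" or "any"
    src_mac: str = "any"
    dst_mac: str = "any"
    src_net: Optional[ipaddress.IPv4Network] = None  # None means "any"
    dst_net: Optional[ipaddress.IPv4Network] = None
    l4: str = "any"  # "tcp"/"udp" for proto rules
    sport: str = "any"
    dport: str = "any"

def _net(tok):
    # ipaddress accepts the page's "addr/dotted-mask" form (224.0.0.0/240.0.0.0) directly
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_acl(text):
    """Parse 'acl <permit|deny> <mac|ip|proto> <n> ... <direction>' lines; returns them sorted by n."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "acl" or t[1] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, kind, num = t[1], t[2], int(t[3])
        if kind == "mac":
            rules.append(Rule(action, kind, num, t[6], src_mac=t[4].lower(), dst_mac=t[5].lower()))
        elif kind == "ip":
            rules.append(Rule(action, kind, num, t[6], src_net=_net(t[4]), dst_net=_net(t[5])))
        elif kind == "proto" and len(t) == 10:  # <l4> <src> <sport> <dst> <dport> <direction>
            rules.append(Rule(action, kind, num, t[9], src_net=_net(t[5]), dst_net=_net(t[7]),
                              l4=t[4], sport=t[6], dport=t[8]))
        else:
            raise ValueError(f"unrecognised ACL line: {line!r}")
    return sorted(rules, key=lambda r: r.number)

def _matches(rule, pkt):
    if rule.direction not in ("any", pkt["direction"]):
        return False
    if rule.kind == "mac":
        return all(want in ("any", pkt[f].lower())
                   for want, f in ((rule.src_mac, "src_mac"), (rule.dst_mac, "dst_mac")))
    if "src_ip" not in pkt:  # non-IP frame (ARP, STP): ip/proto rules can never match it
        return False
    for net, f in ((rule.src_net, "src_ip"), (rule.dst_net, "dst_ip")):
        if net is not None and ipaddress.ip_address(pkt[f]) not in net:
            return False
    if rule.kind == "ip":
        return True
    return rule.l4 == pkt["l4"] and all(want in ("any", str(pkt[f]))
                                        for want, f in ((rule.sport, "sport"), (rule.dport, "dport")))

def evaluate(rules, pkt):
    """First matching rule decides: returns (action, rule_number); number is None for the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None

def _frame(direction, l4, sport, dport, dst_ip, dst_mac="00:00:5e:00:53:02"):
    # constructed sample IP frame, not a capture (00:00:5e:00:53:xx and 10.0.0.x are documentation values)
    return dict(direction=direction, src_mac="00:00:5e:00:53:01", dst_mac=dst_mac,
                src_ip="10.0.0.1", dst_ip=dst_ip, l4=l4, sport=sport, dport=dport)

def demo():
    """Sample frames through the Ethernet list; "in" = arriving on the port, "out" = leaving it (assumed)."""
    eth = parse_acl(ETHERNET_ACLS)
    bcast, l2 = "ff:ff:ff:ff:ff:ff", {"src_mac": "00:00:5e:00:53:01"}  # l2: base for non-IP frames
    cases = {
        "dhcp_offer_in": (eth, _frame("in", "udp", 67, 68, "255.255.255.255", bcast)),  # rule 15 before 16
        "other_limited_bcast_in": (eth, _frame("in", "udp", 5000, 5000, "255.255.255.255", bcast)),
        "multicast_in": (eth, _frame("in", "udp", 1234, 5004, "239.1.1.1", "01:00:5e:01:01:01")),
        "dhcp_discover_out": (eth, _frame("out", "udp", 68, 67, "255.255.255.255", bcast)),
        "stp_in": (eth, dict(l2, direction="in", dst_mac="01:80:c2:00:00:00")),
        "arp_request_in": (eth, dict(l2, direction="in", dst_mac=bcast)),
        "arp_request_in_no_catch_all": (eth[:-1], dict(l2, direction="in", dst_mac=bcast)),  # rule 24 removed
    }
    return {name: evaluate(rules, pkt) for name, (rules, pkt) in cases.items()}

if __name__ == "__main__":
    for name, (action, num) in demo().items():
        print(f"{name:28s} {action:6s} {'rule ' + str(num) if num else 'implicit deny'}")
```

Running demo() shows why order matters: the inbound DHCP offer to 255.255.255.255 is permitted by rule 15 because it is checked before rule 16 denies the same destination, while any other inbound limited-broadcast UDP packet is dropped by rule 16, and the DHCP discover going out to the wired side passes on rule 14. Removing the final rule 24 makes the ARP request fall through to the implicit deny. The same evaluator can be fed the WLAN profile list; note that its rule 17 denies every L2 broadcast frame going to air, ARP requests included, so check how your AP handles ARP for wireless clients before applying it.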