OSPF and ACLs on HPE/Aruba 5400-series devices
05-17-2019 01:57 PM
I've noticed interesting behavior when it comes to OSPF multicast traffic and ACLs on the 5400-series devices. It appears that you cannot block OSPF LSUs to 184.108.40.206 and 220.127.116.11 using either inbound or outbound ACLs on VLAN interfaces. I've tried many variations of my test ACLs (deny ip/deny udp/deny ospf...) as well as straight up denying all traffic and OSPF traffic continues to flow through the VLAN interfaces in question.
However, if you apply the same ACL inbound to an uplink port that has an OSPF neighbor on the other end, the traffic is blocked. I haven't been able to find any documentation where this behavior is stated. I have other L2/L3 devices where applying the deny to the VLAN interface immediately blocks OSPF LSUs.
Now, in the end, I don't actually want to block OSPF traffic. But I found this behavior to be interesting and a little unexpected. Does anyone know of other types of traffic that are ignored by ACLs placed on VLAN interfaces? Thanks.