[c-nsp] Multicast group filtering
Alexander Clouter
alex at digriz.org.uk
Wed Apr 7 06:10:31 EDT 2010
ML <ml at kenweb.org> wrote:
>
> On a typical day my network can have ~500Mbps of multicast traffic
> flowing across a GigE cross country long haul circuit. I wanted some
> redundancy and I am only able to afford another 100M circuit for backup.
>
> When our primary circuit goes down I can afford to live without some of
> the multicast groups I normally carry. My Google-fu has turned up:
> "ip multicast boundary" and a standard ACL to deny certain groups from
> crossing a specific interface.
>
'ip multicast boundary' is useful only for stopping *all* traffic groups
equally from leaving your administrative domain. To use it effectively
you would need to play with the TTL of your multicast sources, and that
can get messy.
You can just apply a bog standard outbound (if your kit supports that)
ACL to both ends of your 100Mbps link that looks like:
----
ip access-list extended mcast-basic
10 permit ip any 224.0.0.0 0.0.1.255
20 deny ip any any
----
The alternative is to be clever (read: harder) with your RPs and use:
----
ip pim rp-address <rp-ip> <acl>
ip pim accept-rp <rp-ip> <acl>
----
Another approach would be to do QoS (rate-limiting the multicast ranges
you do not want) on the uplink.
> What effect will this have on the CPU for routers that can't build SPF
> trees for the groups I deny? I've seen my router CPUs spike to 99% when
> the RP is unreachable.
>
I think you need to look at something like:
----
mls rate-limit multicast ipv4 non-rpf 100 10
mls rate-limit multicast ipv4 partial 250 100
----
The reason is that *all* your multicast packets get punted up to the CPU,
which takes a bit of time to realise that, as it is multicast traffic,
it cannot send an ICMP reply...the packet then gets dropped. Adding
these lines rate-limits the number of homeless multicast packets that
get shovelled up to the CPU.
The main time that we saw this was on our backup router when someone
fired up Norton Ghost :-/
Cheers
--
Alexander Clouter
.sigmonster says: Drinking is not a spectator sport.
-- Jim Brosnan
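Added example (not part of the post above): an offline evaluator for the 'mcast-basic' style of extended ACL the reply suggests. It parses the permit/deny lines, applies IOS wildcard-mask matching to the destination (group) address with the implicit trailing deny, and shows which candidate groups would survive the backup link; the ACL text and the sample group list are constructed for the demonstration, and the 0.0.1.255 wildcard is what confines the permit to 224.0.0.0/23.

```python
import ipaddress

# Constructed input: the 'mcast-basic' ACL from the reply, as IOS would show it.
MCAST_BASIC = """
ip access-list extended mcast-basic
 10 permit ip any 224.0.0.0 0.0.1.255
 20 deny ip any any
"""

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' expressed as base + wildcard

def _take_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_acl(text):
    """Return [(action, (src, src_wild), (dst, dst_wild))] for each permit/deny line."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] == "ip":   # skip blank lines and the access-list header
            continue
        if tok[0].isdigit():                  # drop the sequence number
            tok = tok[1:]
        action, rest = tok[0], tok[2:]        # tok[1] is the protocol ('ip'), not needed here
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        entries.append((action, src, dst))
    return entries

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_action(entries, group):
    """First-match evaluation against the destination (group) address."""
    for action, _src, (dst, dst_wild) in entries:
        if wildcard_match(group, dst, dst_wild):
            return action
    return "deny"   # IOS implicit deny at the end of every ACL

def split_groups(acl_text, groups):
    """Partition candidate groups into those the ACL permits and those it drops."""
    entries = parse_acl(acl_text)
    keep = [g for g in groups if acl_action(entries, g) == "permit"]
    return keep, [g for g in groups if g not in keep]

if __name__ == "__main__":
    # Constructed sample: OSPF, Auto-RP discovery, a 224.0.2.x group, an org-local feed
    keep, drop = split_groups(MCAST_BASIC, ["224.0.0.5", "224.0.1.39", "224.0.2.1", "239.1.2.3"])
    print("permitted:", keep)
    print("denied:", drop)
```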