[c-nsp] Filtering Layer 2 Multicasts on 6509

Devin Kinch devinkinch at gmail.com
Thu Jan 20 19:51:52 EST 2011


Thank you all for your responses... lots of good answers.  I've tried applying a MAC ACL for the offending Ethertype into a CoPP policy (which is unsupported according to the docs), but it ended up policing all traffic in the VLAN and audio communication was lost.  Must be something to do with how the configuration gets baked into the hardware policers.

Static MAC entries will work, but the application seems to use a large number of them and when coupled with the large number of ports that need to hear the traffic, this makes for a lot of extra configuration.

I think it's time to tell the Vendor that configured the application to do it better.  Or I can terminate the Layer 3 on a separate box.  Either way, the real lesson here is that non-IP multicast is completely offensive in every way.

Thanks,

Devin


On 2011-01-20, at 3:09 PM, Sebastian Wiesinger wrote:

> * Pete Lumbis <alumbis at gmail.com> [2011-01-20 22:26]:
>> Devin,
>> 
>> I did a bunch of testing and checking in the lab and here is the scoop:
>> Any multicast mac that is received on an SVI will be punted. The short
>> reason is because we only look for the "01" in the MAC to indicate
>> that this is multicast then we flood to the VLAN. Unlike a unicast
> 
> Hi Pete,
> 
> I had something like this occur on a Catalyst 4500. It seems that all
> "Link-local" Multicast (224.0.0.0/24) is ALWAYS punted even without an
> SVI (only L2). There is no way to say "This is only a switch, just
> flood it and don't send it to the CPU."
> 
> CoPP doesn't really help because then the packet is dropped and not
> forwarded at all which is a bad thing(tm) for stuff like OSPF, HSRP,
> VRRP, etc.
> 
> I don't know if the platform could support a feature to keep multicast
> from being punted to the CPU but if so I could really use it.
> 
> Regards,
> 
> Sebastian
> 
> -- 
> New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
> Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
>            -- Terry Pratchett, The Fifth Elephant
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
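Devin's objection to static MAC entries is the volume of configuration, not the mechanism. The script below is an added example, not code from the thread or from Cisco: it generates the static-entry lines for a set of multicast destination MACs and the ports that must hear them, refusing unicast MACs (a static unicast entry takes a single port, and pinning one by mistake would black-hole that host). It assumes the Catalyst 6500 IOS form `mac address-table static <mac> vlan <vlan> interface <port> [<port> ...]`, which accepts several interfaces for a multicast MAC; the sample MACs and port names are constructed. The IPv4 group-to-MAC helper is included because the link-local groups Sebastian mentions map to 01:00:5e addresses the same way.

```python
"""Generate static multicast MAC entries for a Catalyst-style switch.

Added example, not from the thread. Assumed IOS syntax (verify against the
platform's own documentation before use):
  mac address-table static <mac> vlan <vlan> interface <port> [<port> ...]
"""
import ipaddress
import re

_STATIC_FMT = "mac address-table static {mac} vlan {vlan} interface {ports}"


def normalize_mac(mac: str) -> str:
    """Accept 01:00:5e:.., 01-00-5e-.. or 0100.5e.. and return Cisco dotted form."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def is_multicast_mac(mac: str) -> bool:
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def group_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its 01:00:5e MAC (low 23 bits of the address)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    return normalize_mac(f"01005e{low23:06x}")


def static_entries(macs, vlan, interfaces):
    """Return one static-entry line per multicast MAC, listing every port that must hear it.

    Duplicates are collapsed and the output is sorted so repeated runs diff cleanly.
    Unicast MACs raise ValueError rather than producing a multi-port entry.
    """
    if not interfaces:
        raise ValueError("at least one interface is required")
    ports = " ".join(interfaces)
    lines = []
    for mac in sorted({normalize_mac(m) for m in macs}):
        if not is_multicast_mac(mac):
            raise ValueError(f"{mac} is unicast; refusing to create a multi-port entry")
        lines.append(_STATIC_FMT.format(mac=mac, vlan=int(vlan), ports=ports))
    return lines


if __name__ == "__main__":
    # Constructed sample: one IP-derived group MAC and one vendor (non-IP) multicast MAC,
    # plus the ports that carry the application's audio. Port names are placeholders.
    sample_macs = [group_to_mac("239.1.1.1"), "01:12:34:56:78:9a"]
    sample_ports = ["GigabitEthernet1/1", "GigabitEthernet1/2", "GigabitEthernet2/5"]
    for line in static_entries(sample_macs, 10, sample_ports):
        print(line)
```

Feed it the application's MAC list and the port list per VLAN and paste the output into the configuration; because the entries are sorted and de-duplicated, a later run against an updated port list gives a clean diff of what to add or remove.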



