[c-nsp] Equivalent of "ip multicast boundary" on N7k for blocking data packets?
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jun 3 16:08:21 EDT 2013
On our 6500s, we have a standard multicast config inspired by the Cymru
secure IOS template:
http://www.cymru.com/Documents/secure-ios-template.html
...in our case, looking broadly like this:
ip access-list standard MULTICAST-in
 deny   224.0.1.60
 deny   224.77.0.0 0.0.255.255
 deny   226.77.0.0 0.0.255.255
 permit 239.192.0.0 0.3.255.255
 deny   239.0.0.0 0.255.255.255
 permit 224.0.0.0 15.255.255.255
!
int VlanXX
 description subnet facing some clients
 ...
 ip pim sparse-mode
 ip multicast boundary MULTICAST-in
 ip igmp access-group MULTICAST-in
The two multicast/ACL commands accomplish two different things - the
boundary prevents clients sending to that group, the igmp join prevents
clients asking to receive from that group. This lets us block some
common junk - such as Symantec Ghost (sessions trample on each other)
and groups from 239/8 but not 239.192/14 - that in the past have caused
masses of multicast routing entries to no real purpose.
How can I accomplish the equivalent of the "boundary" on NX-OS 5.2 for
N7k, given it lacks the command? Does one just use a normal ACL, and if
so, are there any caveats to doing so e.g. does "boundary" do *other*
things that a plain ACL would miss?
It's important to note that the "boundary" translates into TCAM entries
on 6500s i.e. it really does stop traffic forwarding, and this has
proven important to us in the past:
#sh tcam interface vlxx acl in ip

    * Global Defaults not shared

    Entries from Bank 0
        permit       ip any any

    Entries from Bank 1
        permit       ip any 239.192.0.0 0.3.255.255
        deny         ip any 224.77.0.0 0.0.255.255
        deny         ip any 226.77.0.0 0.0.255.255
        deny         ip any host 224.0.1.60
        deny         ip any 239.0.0.0 0.255.255.255
        permit       ip any any
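As an added illustration (not code from the post above, and not a Cisco tool), the script below evaluates the MULTICAST-in standard ACL from the post with IOS first-match, wildcard-mask semantics, and then checks that the reordered Bank 1 entries the 6500 programmed into TCAM make the same permit/deny decision for every group address it is probed with. The ACL entries and the TCAM entries are copied from the post; the probe addresses are constructed for the demonstration and the function names are my own. The comparison is restricted to 224.0.0.0/4 because a multicast boundary only ever sees group addresses, which is also why the trailing "permit ip any any" in TCAM is equivalent to "permit 224.0.0.0 15.255.255.255" here.

```python
"""Evaluate the MULTICAST-in ACL from the post and compare it with the
6500's TCAM ordering of the same entries.

Added example; not part of the original post. ACL and TCAM entries are
copied from the post, probe addresses are constructed for illustration.
"""
import ipaddress
import random

# (action, base, wildcard) in configured order: first match wins,
# implicit deny at the end. Copied from the post's standard ACL.
MULTICAST_IN = [
    ("deny",   "224.0.1.60",  "0.0.0.0"),
    ("deny",   "224.77.0.0",  "0.0.255.255"),
    ("deny",   "226.77.0.0",  "0.0.255.255"),
    ("permit", "239.192.0.0", "0.3.255.255"),
    ("deny",   "239.0.0.0",   "0.255.255.255"),
    ("permit", "224.0.0.0",   "15.255.255.255"),
]

# Bank 1 from the "sh tcam interface ... acl in ip" output in the post,
# in the order the 6500 programmed it. "permit ip any any" is expressed
# as base 0.0.0.0 with an all-ones wildcard.
TCAM_BANK1 = [
    ("permit", "239.192.0.0", "0.3.255.255"),
    ("deny",   "224.77.0.0",  "0.0.255.255"),
    ("deny",   "226.77.0.0",  "0.0.255.255"),
    ("deny",   "224.0.1.60",  "0.0.0.0"),
    ("deny",   "239.0.0.0",   "0.255.255.255"),
    ("permit", "0.0.0.0",     "255.255.255.255"),
]

# Constructed probe groups sitting on the edges of each ACL entry.
EDGE_GROUPS = [
    "224.0.0.0", "224.0.1.59", "224.0.1.60", "224.0.1.61",
    "224.76.255.255", "224.77.0.0", "224.77.255.255", "224.78.0.0",
    "226.77.0.1", "232.1.1.1", "233.1.1.1",
    "239.0.0.0", "239.191.255.255", "239.192.0.0",
    "239.195.255.255", "239.196.0.0", "239.255.255.255",
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def acl_action(acl, addr: str) -> str:
    """First matching entry wins; an ACL with no match denies."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def classify_groups(groups, acl=MULTICAST_IN) -> dict:
    """Map each group address to the action the ACL takes on it."""
    return {g: acl_action(acl, g) for g in groups}


def tcam_disagreements(n_random: int = 20000, seed: int = 1) -> list:
    """Group addresses in 224/4 on which the configured ACL order and the
    TCAM order decide differently. Empty list means they agree on every
    probed address (edge cases plus n_random pseudo-random groups)."""
    rng = random.Random(seed)
    probes = set(EDGE_GROUPS)
    for _ in range(n_random):
        group = 0xE0000000 | rng.getrandbits(28)   # random address in 224/4
        probes.add(str(ipaddress.IPv4Address(group)))
    return sorted(g for g in probes
                  if acl_action(MULTICAST_IN, g) != acl_action(TCAM_BANK1, g))


if __name__ == "__main__":
    for group, action in classify_groups(EDGE_GROUPS).items():
        print(f"{group:18} {action}")
    print("TCAM-order disagreements:", tcam_disagreements())
```

The reorder is safe only because the one entry the 6500 moved forward, permit 239.192.0.0/14, overlaps solely with deny 239.0.0.0/8, which still sits behind it; if you translate this ACL to another platform by hand, keeping that relative order is the part that matters.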