[c-nsp] Equivalent of "ip multicast boundary" on N7k for blocking data packets?

Phil Mayers p.mayers at imperial.ac.uk
Mon Jun 3 17:54:33 EDT 2013


On 03/06/2013 21:44, Tim Stevenson wrote:
> At 01:08 PM 6/3/2013  Monday, Phil Mayers clamored:
>> How can I accomplish the equivalent of the "boundary" on NX-OS 5.2 for
>> N7k, given it lacks the command? Does one just use a normal ACL, and
>> if so, are there any caveats to doing so e.g. does "boundary" do
>> *other* things that a plain ACL would miss?
>
> In n7k, you must use a combination of control plane & data plane
> filtering to get the equivalent functionality of multicast boundary.
>
> For data plane, it's nothing more than ip access-group with matches on
> multicast traffic.

Ok, so just "use ACLs".

Out of curiosity, what was the rationale for merging the unicast and 
multicast data-plane filtering? The IOS-style split seems to have some 
advantages in terms of manageability, including that you don't need to 
write both ingress and egress ACLs. Though I suppose the latter are more 
flexible.

>
> For control plane, there is independent filtering control for each
> protocol, i.e., PIM, IGMP, MSDP, etc.

Indeed. It's somewhat non-obvious to me at this time how the PIM control 
plane filtering interacts with data- and IGMP-driven PIM events on edge 
subnets, but I probably need to re-read the docs.

>
> Hope that helps,

Very much so, thanks.

