[c-nsp] Equivalent of "ip multicast boundary" on N7k for blocking data packets?

Tim Stevenson tstevens at cisco.com
Wed Jun 5 09:06:20 EDT 2013


At 04:12 AM 6/5/2013  Wednesday, Phil Mayers remarked:
>On 03/06/13 21:44, Tim Stevenson wrote:
>>At 01:08 PM 6/3/2013  Monday, Phil Mayers clamored:
>>>How can I accomplish the equivalent of the "boundary" on NX-OS 5.2 for
>>>N7k, given it lacks the command? Does one just use a normal ACL, and
>>>if so, are there any caveats to doing so e.g. does "boundary" do
>>>*other* things that a plain ACL would miss?
>>
>>In n7k, you must use a combination of control plane & data plane
>>filtering to get the equivalent functionality of multicast boundary.
>>
>>For data plane, it's nothing more than ip access-group with matches on
>>multicast traffic.
>
>Just to say, this does all work, but it takes a few minutes to kick in - if
>you add the data-plane ACL then "clear ip mroute", the routes just reappear.
>They die off a few minutes later - presumably something hardware-related.

This is expected. 'clear ip mroute' on n7k clears the MRIB & everything
'below' it (down to the hardware). The MRIB then immediately queries all its
clients for multicast state - i.e., PIM, IGMP, MSDP - which repopulates the
MRIB (and thus the h/w).

You can clear the state of each client with commands like "clear ip pim
route", "clear ip igmp route" etc.


>Can't say I'm loving the NX-OS CLI paradigm for this particular feature
>though - having to merge the unicast and multicast ACEs is a pain,

As you can imagine, there was considerable debate about the pros/cons. Main
reasons we went this way vs multicast boundary à la c6k:

- clear separation of control plane vs data plane filtering
- granular per-protocol filtering control
- deterministic behavior across reboots (no order-dependent ACL merge)

>absent any templating/"include other ACL" functionality :o(

You might be able to do some stuff with object groups here? E.g.:

tstevens-7010-2# sh ip access example

IP access list example
         10 permit udp any addrgroup multicast-ranges
         20 permit ip any 1.1.1.1/32
         30 deny ip any any
tstevens-7010-2# sh object-group multicast-ranges

IPv4 address object-group multicast-ranges
         10 239.0.0.0/8
         20 225.1.1.0/24
tstevens-7010-2#

Note this is just a config 'convenience'; TCAM consumption is based on the
expansion of the ACEs in your object groups.


Hope that helps,
Tim
Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
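
Added example, not taken from Tim's message or from Cisco documentation: the
object-group construction shown above written out as configuration rather
than show output, extended to the usual boundary shape (permit the wanted
groups, drop the rest of 224.0.0.0/4, pass unicast) and paired with the
control-plane half Tim refers to, here a PIM join-prune policy. The interface
Ethernet1/1, the ACL and route-map names, and the "ip pim jp-policy" / "match
ip multicast group" syntax are assumptions from general NX-OS knowledge, not
from the thread.

```text
! Added example (not from the thread). The object group holds the group
! ranges so several ACLs can reference them; each addrgroup ACE is still
! expanded to one TCAM entry per member prefix, as Tim notes above.
object-group ip address multicast-ranges
  10 239.0.0.0/8
  20 225.1.1.0/24

! Data plane: permit the wanted groups, drop all other multicast, then let
! unicast through. This is the "merged" unicast+multicast ACL Phil mentions.
ip access-list mcast-boundary-in
  10 permit ip any addrgroup multicast-ranges
  20 deny ip any 224.0.0.0/4
  30 permit ip any any

! Control plane (assumed syntax): drop PIM joins for other groups so PIM does
! not repopulate the MRIB with state the data-plane ACL is already blocking.
route-map mcast-jp permit 10
  match ip multicast group 239.0.0.0/8
route-map mcast-jp permit 20
  match ip multicast group 225.1.1.0/24

! Ethernet1/1 is a placeholder for the boundary interface.
interface Ethernet1/1
  ip access-group mcast-boundary-in in
  ip pim jp-policy mcast-jp in
```

After applying the data-plane ACL, check with "show ip mroute" that entries for the denied groups age out rather than expecting "clear ip mroute" alone to remove them, for the reason Tim gives above.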