cgmp issue

Nov 22nd, 2008

mac access-list extended CGMP
 deny any host 0100.0cdd.dddd

int gig1/1
 mac access-group CGMP in
 mac access-group CGMP out

int gig1/2
 mac access-group CGMP in
 mac access-group CGMP out

- What are the above commands trying to do?

- What is this MAC address 0100.0cdd.dddd?

Giuseppe Larosa Sat, 11/22/2008 - 10:10

Hello Celso,

This configuration tries to make the switch not receive CGMP messages over the ports by using a MAC address ACL.

In fact, MAC address 0100.0cdd.dddd is the well-known destination address of CGMP messages.

But another line to permit all other traffic should be needed; otherwise everything is denied by the implicit deny any any.

The same is applied outbound.

I think you cannot use the ports without removing these ACLs before.

Hope to help


cfajardo1_2 Sat, 11/22/2008 - 10:40

Thanks for the quick answer. I could have been in trouble if you hadn't pointed out that implicit deny.

Giuseppe, could you please elaborate more on the MAC address?

Giuseppe Larosa Sat, 11/22/2008 - 12:42

Hello Celso,

CGMP frames are sent only by the router on CGMP-enabled LAN interface(s) to all the possible listener switches, so the destination of these frames is a reserved multicast address:

You can see this because the first octet is 01.

MAC address 0100.0cdd.dddd. CGMP-enabled switches listen for this address.

This MAC address has been registered by Cisco; you can recognize this kind of address by the OUI 00.0c (c = Cisco, simple).

The same happens for other L2 protocols like CDP, DTP, VTP but different MAC addresses are usually used and also by RPVSTP+ over 802.1Q trunks (to tunnel BPDUs via other vendor devices).

The CGMP frame has several fields that are used to signal all the multicast related activity events like a new receiver join.

CGMP is layer 2 oriented so the router says for multicast address


there is a join / leave of the following host mac address

pc mac address.

The CGMP switches use this info to update the L2 replication tree of each multicast group active on the vlan so that it performs a forwarding optimization.

The ACL tries to prevent the device from listening to CGMP messages and also from sending them (if it is a switch, it shouldn't send them).

Usually ACLs have an implicit deny any at the end so I would expect the same behaviour here but I may be wrong.

Hope to help
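
The first-match behaviour and implicit deny discussed in the replies above, modelled in Python as an added example (not part of the original thread and not Cisco code). The function names are hypothetical, the non-CGMP frame addresses are constructed, and the implicit deny is assumed to apply as the replies describe.

```python
# Added example: first-match MAC ACL evaluation with the implicit deny
# described in the replies. Only the ACE forms seen in the thread are parsed.

CGMP_DST = "0100.0cdd.dddd"  # CGMP destination MAC named in the thread

def mac_bytes(mac):
    """Parse Cisco dotted (0100.0cdd.dddd) or colon/dash notation into 6 bytes."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)

def is_group_address(mac):
    """I/G bit: least-significant bit of the first octet set means multicast."""
    return bool(mac_bytes(mac)[0] & 0x01)

def parse_acl(lines):
    """Accept '<action> any any' and '<action> any host <mac>' entries only."""
    rules = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line!r}")
        if tok[1:] == ["any", "any"]:
            rules.append((tok[0], None))            # matches every destination
        elif len(tok) == 4 and tok[1:3] == ["any", "host"]:
            rules.append((tok[0], mac_bytes(tok[3])))
        else:
            raise ValueError(f"unsupported ACE: {line!r}")
    return rules

def evaluate(rules, dst_mac):
    """First matching entry wins; a frame matching nothing hits the implicit deny."""
    dst = mac_bytes(dst_mac)
    for action, match in rules:
        if match is None or match == dst:
            return action
    return "deny (implicit)"

AS_POSTED = parse_acl(["deny any host 0100.0cdd.dddd"])
WITH_PERMIT = parse_acl(["deny any host 0100.0cdd.dddd", "permit any any"])

# Constructed sample destinations (only the CGMP address comes from the thread).
FRAMES = {"CGMP": CGMP_DST, "unicast": "0011.2233.4455", "broadcast": "ffff.ffff.ffff"}

if __name__ == "__main__":
    for name, dst in FRAMES.items():
        print(f"{name:10} {dst} multicast={is_group_address(dst)!s:5} "
              f"posted={evaluate(AS_POSTED, dst):16} with_permit={evaluate(WITH_PERMIT, dst)}")
```
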


