Dropping incoming IP multicast packets on access ports possible?

May 26th, 2009

Hi,

I am looking for an easy to implement method to prevent end users from using ip multicast applications. Does anybody know if it's possible to disallow incoming multicast packets on access ports?


Many thanks in advance,

Thorsten Steffen

cisco_lad2004 Tue, 05/26/2009 - 04:48

Don't enable PIM, and if you need to forward multicast but not receive it, use an ACL blocking PIM inbound but permitting IGMP.


You can also block multicast IP addresses altogether.


There are other methods, such as setting the TTL on interfaces.


HTH


Sam


thorsten.steffen Tue, 05/26/2009 - 06:12

Hi Sam,

Could you please tell me in detail the commands I have to use for your different recommendations?


Thanks,

Thorsten

cisco_lad2004 Tue, 05/26/2009 - 07:48

1-Disabling PIM is straightforward: if it is not enabled on the layer 3 interface, don't enable it.


Do "show ip pim interface" to validate.


2-Blocking PIM and permitting the rest:


access-list 101 deny pim any any

access-list 101 permit ip any any

!

under layer interface:

ip access-group 101 in


3-Blocking Multicast addresses (assuming you are not routing between your access and customers)

access-list 102 deny ip any 224.0.0.0 15.255.255.255

access-list 102 permit ip any any


under layer interface:

ip access-group 102 in


You can also combine 102 & 101 into one ACL; as you probably know, only one ACL per direction is allowed.


If multicast is not needed at all, just make sure "ip multicast-routing" is not enabled... if it is, "no ip multicast-routing". I guess this will be the easiest way to make sure no multicast is handled by your access switch.


HTH


Sam
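
To make the wildcard-mask semantics of ACL 102 (and the combined 101/102 list) concrete, here is an added Python evaluator that is not from this thread or from Cisco; it models IOS first-match ACL processing with the implicit trailing deny, and the sample packets are constructed for illustration.

```python
import ipaddress

# The combined 101/102 ruleset from the reply above, as (action, protocol, src, dst).
# "ip" matches any IP protocol; other keywords match only that protocol.
ACL = [
    ("deny",   "pim", "any", "any"),
    ("deny",   "ip",  "any", "224.0.0.0 15.255.255.255"),  # all of 224.0.0.0/4
    ("permit", "ip",  "any", "any"),
]


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the address, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    net, wc = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """Return the action of the first matching entry; IOS ends every ACL with an implicit deny."""
    for action, p, s, d in acl:
        if p != "ip" and p != proto:
            continue
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


# Constructed sample packets (protocol, source, destination) seen inbound on an access port.
SAMPLE_PACKETS = [
    ("pim",  "10.1.1.2", "224.0.0.13"),       # PIM hello to ALL-PIM-ROUTERS
    ("igmp", "10.1.1.2", "224.0.0.22"),       # IGMPv3 membership report
    ("udp",  "10.1.1.2", "239.1.1.1"),        # multicast application data
    ("tcp",  "10.1.1.2", "10.2.2.2"),         # ordinary unicast traffic
    ("udp",  "10.1.1.2", "223.255.255.255"),  # just below the multicast range
    ("udp",  "10.1.1.2", "240.0.0.1"),        # class E, outside 224.0.0.0/4
]


def classify(packets=SAMPLE_PACKETS):
    """Map each sample packet to the ACL verdict it would receive."""
    return {(p, s, d): evaluate(ACL, p, s, d) for p, s, d in packets}


if __name__ == "__main__":
    for pkt, verdict in classify().items():
        print(f"{verdict:6} {pkt[0]:5} {pkt[1]} -> {pkt[2]}")
```

Note that the IGMP report is also dropped, because ACL 102 denies any IP packet addressed into 224.0.0.0/4; that matches the reply's assumption that no multicast is wanted on the port at all, whereas the first reply's "block PIM but permit IGMP" variant corresponds to ACL 101 alone.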


thorsten.steffen Wed, 06/10/2009 - 04:32

Hi Sam,

Using ACL 102 worked fine in a test environment.

Do you know if there is any risk of experiencing high CPU load when we activate this ACL on all access ports (2960 with 48 ports, 3560, ..., 4510R-E with several hundred ports)?


Regards,

Thorsten

cisco_lad2004 Wed, 06/10/2009 - 05:25

Not sure about 2960 & 3560... but on 4510R I am using them today, and actually carrying multicast for various IPTV providers with no issues at all... so I think you are pretty safe with the E series :-)


Sam
