01-05-2010 07:19 AM - edited 03-06-2019 09:09 AM
We have a switch with two Vlans configured, Vlan 210 and 61.
We have a server on Vlan 210 (172.20.210.150 port gi2/21) which transmits multicast traffic throughout this switch and beyond onto our network.
We would like to prevent the multicast traffic originating from the server 172.20.210.150 (gi2/21) from reaching a WAN router on Vlan 61 (172.20.61.50 port gi2/23).
The multicast traffic from 172.20.210.150 must be filtered before it reaches the port on the switch (gi2/23) where the WAN router is patched to.
All other traffic, including multicast from a different source, must be allowed to pass through to the WAN router and therefore over our WAN infrastructure.
Many other servers are using the 210 Vlan but the WAN router is isolated on its own in Vlan 61.
Please can someone advise if this can be done and the ACL config required. I assume as we require the multicast traffic to be filtered before it reaches the WAN router interface we’d apply the access-list group to the VLAN rather than the port interface?
01-05-2010 07:24 AM
dgould151 wrote:
We have a switch with two Vlans configured, Vlan 210 and 61.
We have a server on Vlan 210 (172.20.210.150 port gi2/21) which transmits multicast traffic throughout this switch and beyond onto our network.
We would like to prevent the multicast traffic originating from the server 172.20.210.150 (gi2/21) from reaching a WAN router on Vlan 61 (172.20.61.50 port gi2/23).
The multicast traffic from 172.20.210.150 must be filtered before it reaches the port on the switch (gi2/23) where the WAN router is patched to.
All other traffic, including multicast from a different source, must be allowed to pass through to the WAN router and therefore over our WAN infrastructure.
Many other servers are using the 210 Vlan but the WAN router is isolated on its own in Vlan 61.
Please can someone advise if this can be done and the ACL config required. I assume as we require the multicast traffic to be filtered before it reaches the WAN router interface we’d apply the access-list group to the VLAN rather than the port interface?
So do you have other multicast sources in vlan 210 other than 172.20.210.150?
You are right, you would apply it to the vlan 210 interface but if that is the only source just turn off multicast-routing.
Jon
01-05-2010 07:36 AM
Yes there are other multicast sources in Vlan 210.
Basically the server 172.20.210.150 is a desktop TV application which is transmitting MPEG-2 streams. Each channel is 900k+ and allowing this through is killing the WAN link to our remote sites. It is OK on the LAN as we run 10Gb to the edge (in most cases).
We have another server with a different source address (on Vlan 210) which we are able to reduce the stream for each channel down to 250k (or lower quality depending) which we plan to allow over the WAN.
I had something like this in mind but couldn't decide which Vlan to apply it to and whether it's in or out:
Ip access-list extended hdtv
Deny ip host 172.20.210.150
Permit ip any any
Interface vlan 61
Ip access-group hdtv in
01-05-2010 07:41 AM
dgould151 wrote:
Yes there are other multicast sources in Vlan 210.
Basically the server 172.20.210.150 is a desktop TV application which is transmitting MPEG-2 streams. Each channel is 900k+ and allowing this through is killing the WAN link to our remote sites. It is OK on the LAN as we run 10Gb to the edge (in most cases).
We have another server with a different source address (on Vlan 210) which we are able to reduce the stream for each channel down to 250k (or lower quality depending) which we plan to allow over the WAN.
I had something like this in mind but couldn't decide which Vlan to apply it to and whether it's in or out:
Ip access-list extended hdtv
Deny ip host 172.20.210.150
Permit ip any any
Interface vlan 61
Ip access-group hdtv in
You would apply it inbound to vlan 210 but you would need to change the line
Deny ip host 172.20.210.150
to
deny ip host 172.20.210.150 any
but that would stop all traffic from this server leaving vlan 210, which is probably not what you want?
If not then simply specify the multicast group eg.
deny udp host 172.20.210.150 host 229.10.10.10
Jon
01-05-2010 07:49 AM
The multicast streams from the server are in the range 226.10.x.x.
This range must be allowed throughout our network with only one LAN port not being allowed to see this range (i.e. the WAN router).
Wouldn't 'deny udp host 172.20.210.150 host 226.10.x.x' block the multicast from the whole network?
01-05-2010 07:52 AM
dgould151 wrote:
The multicast streams from the server are in the range 226.10.x.x.
This range must be allowed throughout our network with only one LAN port not being allowed to see this range (i.e. the WAN router).
Wouldn't 'deny udp host 172.20.210.150 host 226.10.x.x' block the multicast from the whole network?
Ahh, sorry, didn't understand exactly what you were trying to do.
So you need to apply it outbound on vlan 61 interface.
Jon
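Putting Jon's final answer together as one complete configuration, as an added example that is not part of the thread (the 0.0.255.255 wildcard for the 226.10.x.x range is an assumption; narrow it if the streams use a smaller block):

```cisco
! Added example (not from the thread): drop only the 226.10.x.x streams sourced
! from 172.20.210.150 on the way to the WAN router, and permit everything else.
! Assumes 226.10.x.x means 226.10.0.0 with wildcard 0.0.255.255, and that the
! switch is the one routing multicast between Vlan210 and Vlan61.
ip access-list extended hdtv
 remark block the 900k desktop-TV streams from the HD server only
 deny   udp host 172.20.210.150 226.10.0.0 0.0.255.255
 remark everything else passes, including the 250k streams from the other server
 permit ip any any
!
! Apply OUTBOUND on the SVI facing the WAN router. Applying it inbound on
! Vlan210 would also stop the streams reaching every other VLAN on the LAN.
interface Vlan61
 ip access-group hdtv out
!
! Check: while a channel is playing, the deny entry's match counter should climb
! and the permit entry should keep counting the remaining traffic.
! show ip access-lists hdtv
```

Because the ACL sits only on the Vlan61 SVI, hosts in Vlan 210 and any other routed VLAN still receive the 226.10.x.x groups unchanged.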