Access Control to block multicast traffic

dgould151 · ‎01-05-2010

We have a switch with two Vlans configured, Vlan 210 and 61.

We have a server on Vlan 210 (172.20.210.150 port gi2/21) which transmits multicast traffic throughout this switch and beyond onto our network.

We would like to prevent the multicast traffic originating from the server 172.20.210.150 (gi2/21) from reaching a WAN router on Vlan 61 (172.20.61.50 port gi2/23).

The multicast traffic from 172.20.210.150 must be filtered before it reaches the port on the switch (gi2/23) where the WAN router is patched too.

All other traffic, including multicast from a different source, must be allowed to pass through to the WAN router and therefore over our WAN infrastructure.

Many other servers are using the 210 Vlan but the WAN router is isolated on it’s own in vlan 61.

Please can someone advise if this can be done and the ACL config required. I assume as we require the multicast traffic to be filtered before it reaches the WAN router interface we’d apply the access-list group to the VLAN rather than the port interface?

Jon Marshall · ‎01-05-2010

dgould151 wrote:

We have a switch with two Vlans configured, Vlan 210 and 61.

We have a server on Vlan 210 (172.20.210.150 port gi2/21) which transmits multicast traffic throughout this switch and beyond onto our network.

We would like to prevent the multicast traffic originating from the server 172.20.210.150 (gi2/21) from reaching a WAN router on Vlan 61 (172.20.61.50 port gi2/23).

The multicast traffic from 172.20.210.150 must be filtered before it reaches the port on the switch (gi2/23) where the WAN router is patched too.

All other traffic, including multicast from a different source, must be allowed to pass through to the WAN router and therefore over our WAN infrastructure.

Many other servers are using the 210 Vlan but the WAN router is isolated on it’s own in vlan 61.

Please can someone advise if this can be done and the ACL config required. I assume as we require the multicast traffic to be filtered before it reaches the WAN router interface we’d apply the access-list group to the VLAN rather than the port interface?

So do you have other multicast sources in vlan 210 other than 172.20.210.150 ?

You are right, you would apply it to the vlan 210 interface but if that is the only source just turn off multicast-routing.

Jon

dgould151 · ‎01-05-2010

Yes there are other multicast sources in Vlan 210.

Basically the server 172.20.210.150 is a desktop t.v application which is transmitting mpeg2 streams. Each channel is 900k + and allowing this through is killing the WAN link to our remote sites. It is ok on the LAN as we run 10gb to the edge (in most cases).

We have another server with a different source address (on Vlan 210) which we are able to reduce the stream for each channel down to 250k (or lower quality depending) which we plan to allow over the WAN.

I had something like this in mind but couldn't decide which Vlan to apply it to and whether it's in or out

Ip access-list extended hdtv

Deny ip host 172.20.210.150

Permit ip any any

Interface vlan 61

Ip access-group hdtv in

Jon Marshall · ‎01-05-2010

dgould151 wrote:

Yes there are other multicast sources in Vlan 210.

Basically the server 172.20.210.150 is a desktop t.v application which is transmitting mpeg2 streams. Each channel is 900k + and allowing this through is killing the WAN link to our remote sites. It is ok on the LAN as we run 10gb to the edge (in most cases).

We have another server with a different source address (on Vlan 210) which we are able to reduce the stream for each channel down to 250k (or lower quality depending) which we plan to allow over the WAN.

I had something like this in mind but couldn't decide which Vlan to apply it to and whether it's in or out

Ip access-list extended hdtv

Deny ip host 172.20.210.150

Permit ip any any

Interface vlan 61

Ip access-group hdtv in

You would apply it inbound to vlan 210 but you would need to change the line

Deny ip host 172.20.210.150

to

deny ip host 172.20.210.150 any

but that would stop all traffic from this server leaving vlan 210 which is probably not what you want ?

If not then simply specify the multicast group eg.

deny udp host 172.20.210.150 host 229.10.10.10

Jon

dgould151 · ‎01-05-2010

The multicast streams from the server are in the range 226.10.x.x.

This range must be allowed thoughout our network with only one LAN port not being allowed to see this range (i.e WAN router)

Wouldn't 'deny udp host 172.20.210.150 host 226.10.x.x' block the mulitcast from the whole network?

Jon Marshall · ‎01-05-2010

dgould151 wrote:

The multicast streams from the server are in the range 226.10.x.x.

This range must be allowed thoughout our network with only one LAN port not being allowed to see this range (i.e WAN router)

Wouldn't 'deny udp host 172.20.210.150 host 226.10.x.x' block the mulitcast from the whole network?

Ahh, sorry, didn't understand exactly what you were trying to do.

So you need to apply it outbound on vlan 61 interface.

Jon