Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2510
Views
0
Helpful
5
Replies

Multicast group blocking for sources

Go to solution
Julio Garcia
Level 1
Level 1

‎09-06-2010 04:03 AM - edited ‎03-06-2019 12:50 PM

Hi all,

need some help with something.

to block hosts joining multicast groups, there are a quite a lot of options, igmp filter profiles, igmp access groups etc.

But i was wondering if there is something of similar nature for sources, i dont mean source specific multicast, there is one source that is sending traffic for a lot of multicast groups, eg , 239.10.20.30, 239.10.20.31, 239.10.20.32 , the source is 10.40.10.10

what is the best way to configure so that a router will only allow through certain groups , such that when i do a  ... #sh ip mroute ,  i dont see all the other groups , i only want 239.10.20.30 allowed through that sparse mode interface.

Many thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Lei Tian
Cisco Employee
Cisco Employee
In response to Julio Garcia

‎09-07-2010 11:55 AM

Hi Rob,

Are you sure the ACL causes the cpu spike? There are other reasons can cause cpu high because packets been process switched. For example, if the FHR is not same as RP, it will send out join to the RP; that unicast join will be process switched. So, you can exclude the unwanted group from rp-group mapping acl. Another example, if the multicast traffic has ttl=1, it will be process switched as well.

If you use 6500, as long as ACL doesnt exceed the tcam size, cpu will not be used. However, for any packet need to be process switched, it will still be process switched on 6500.

HTH,

Lei Tian

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Lei Tian
Cisco Employee
Cisco Employee

‎09-06-2010 04:19 AM

Hi Rob,

If you are asking on the FHR, you can use multicast boundary (not available on all IOS) or use access-list on interface to block. If you are asking on other routers, remove the unwanted groups from RP to group mapping acl to make those group fall back to dense mode, and a sparse only interface won't propagate multicast group in dense mode.

Regards,

Lei Tian

0 Helpful

Go to solution
Julio Garcia
Level 1
Level 1
In response to Lei Tian

‎09-07-2010 04:37 AM

Hi Lei,

Acl is not very efficient here ,

say for example i have a multicast source ip on subnet 10.40.40.10 as an  example , and it is sending multicast traffic for 10 separate groups 239.10.10.10 .... 239.10.10.20

on the ip interface on router i would have a huge amount of traffic coming in that would need acl processing, 10 groups worth of multicast traffic even if router interface is running sparse mode.

I heard of protocol that can work in conjunction with igmp to stop this , rgmp? im not sure , anyone have any practical examples and/or configurations of how this would be done  in the following senario ...

Multicast Source --- Igmp enabled switch --- Router

where source ip = 10.40.40.10 , router = 10.40.40.250 , and vlan on switch = 500

Many thanks

0 Helpful

Go to solution
Lei Tian
Cisco Employee
Cisco Employee
In response to Julio Garcia

‎09-07-2010 07:30 AM

Hi Rob,

If the FHR is catalyst switch, then the ACL is processed in hardware. As long as it doesn't exceed the TCAM size, there will be no problem. The interface mode, sparse or dense doesn't control what multicast traffic can be received on the interface. It only controls what multicast traffic can be sent out from the interface.

I am not aware of the feature you were asking for, hope somebody can chips in.

Regards,

Lei Tian

0 Helpful

Go to solution
Julio Garcia
Level 1
Level 1
In response to Lei Tian

‎09-07-2010 10:10 AM

hi Lei,

FHR is  a router , 3825

cpu struggles a lot , IP input is about 140megs, most of which is dropped by acl to allow the 6 megs of useful group traffic i need.

So if i used a catalyst switch, the acl will be compiled in tcam and i wont get any performance degradation? eg , a 650x series. Not sure if its the acl processing or the actual amount of traffic that is causing the problem, i think most probably the amount.

0 Helpful

Go to solution
Lei Tian
Cisco Employee
Cisco Employee
In response to Julio Garcia

‎09-07-2010 11:55 AM

Hi Rob,

Are you sure the ACL causes the cpu spike? There are other reasons can cause cpu high because packets been process switched. For example, if the FHR is not same as RP, it will send out join to the RP; that unicast join will be process switched. So, you can exclude the unwanted group from rp-group mapping acl. Another example, if the multicast traffic has ttl=1, it will be process switched as well.

If you use 6500, as long as ACL doesnt exceed the tcam size, cpu will not be used. However, for any packet need to be process switched, it will still be process switched on 6500.

HTH,

Lei Tian

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card