Cisco Support Community
New Member

Block unicast on layer-3 port

Hi,

A multicast server is connecting to a layer-3 port with multicast int ip addresses on the switch end and server end.

I'm looking to block all (except the must haves!) UNICAST traffic and allow only multicast.

What ACL commands would be needed?

This in fact would be a replica of the layer-2 "switchport block unicast" command as a layer-3 "acl xxxx" command.

Please suggest ways.

Sri

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Block unicast on layer-3 port

Hi Sri,

You need to allow traffic coming from the source of the Multicast in your ACL as well, so it should look like this:

access-list 10 permit (Multicast source) any

access-list 10 deny 0.0.0.0 223.255.255.255

access-list 10 permit any

HTH

Mohamed

3 REPLIES

Re: Block unicast on layer-3 port

Hi,

This command is a layer-2 command; it's intended to block all unknown unicast frames received by a switch port, and it's usually used in conjunction with the (Switch port protected) command.

If you want to block ALL unicast packets and allow only multicast on a layer-3 interface, your ACL should look like this:

access-list 10 deny 0.0.0.0 223.255.255.255

access-list 10 permit any

The above ACL would block all unicast messages and allow only the multicast subnet range. However, as I said, the command you specified is used to block all UNKNOWN unicast frames and not all unicast frames.

HTH

Mohamed
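
Added example, not part of any reply in this thread: a small Python model of IOS wildcard-mask matching, run over ACL 10 as posted, showing which source addresses its deny entry covers next to a test of the destination for 224.0.0.0/4. The packets are constructed samples, and the extended-ACL entry named in the comment is an assumed alternative, not something from the thread.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means "ignore this bit"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL 10 as posted in the thread. Numbered ACLs 1-99 are standard ACLs,
# which test only the packet's SOURCE address.
ACL_10 = [
    ("deny", "0.0.0.0", "223.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # "permit any"
]

def evaluate_standard_acl(acl, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def denied_first_octets(acl):
    """First-octet values of source addresses the ACL drops (probe: o.1.1.1)."""
    return [o for o in range(256)
            if evaluate_standard_acl(acl, f"{o}.1.1.1") == "deny"]

def is_multicast_dst(dst):
    """Destination test that an extended ACL entry could express as
    'permit ip any 224.0.0.0 15.255.255.255' (assumed alternative, not from the thread)."""
    return wildcard_match(dst, "224.0.0.0", "15.255.255.255")

# Constructed sample packets: (source, destination)
PACKETS = [
    ("10.1.1.5", "239.1.1.1"),    # multicast stream, source in 10/8
    ("172.16.1.5", "239.1.1.1"),  # multicast stream, source in 172.16/12
    ("172.16.1.5", "10.9.9.9"),   # plain unicast
    ("192.168.1.5", "10.9.9.9"),  # plain unicast
]

def compare(packets=PACKETS):
    """(src, dst, ACL 10 verdict, whether dst is multicast) per packet."""
    return [(s, d, evaluate_standard_acl(ACL_10, s), is_multicast_dst(d))
            for s, d in packets]

if __name__ == "__main__":
    for row in compare():
        print(row)
    print("denied source first octets:", denied_first_octets(ACL_10))
```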

New Member

Re: Block unicast on layer-3 port

Thanks Mohamed.

Noticed your comment about layer-2 command only applicable for unknowns.

Thanks for the guidance on layer-3 command. I'm going to use this (will take time) and get back to you with results.

(One more question: isn't any of the unicast traffic a must have to have this layer-3 link working?)

Sri
