Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
547
Views
4
Helpful
5
Replies

dropping incoming ip multicast packets in accessports possible?

thorsten.steffen
Level 3
Level 3

‎05-26-2009 04:00 AM - edited ‎03-06-2019 05:55 AM

Hi,

I am looking for an easy to implement method to prevent end users from using ip multicast applications. Does anybody know if it's possible to disallow incoming multicast packets on access ports?

Many thanks in advance,

Thorsten Steffen

Labels:
0 Helpful
5 Replies 5

cisco_lad2004
Level 5
Level 5

‎05-26-2009 04:48 AM

Don't enable PIM and if you need to forward Multicast but not receive it use ACL blocking PIM INBOUND but permit IGMP.

You can also block Multicast IP addresses altogether

There are other methods with setting TTL on interfaces.

HTH

Sam

0 Helpful

thorsten.steffen
Level 3
Level 3
In response to cisco_lad2004

‎05-26-2009 06:12 AM

Hi Sam,

could you please tell me in detail the commands which I have to use for your different recommendations?

Thanks,

Thorsten

0 Helpful

cisco_lad2004
Level 5
Level 5
In response to thorsten.steffen

‎05-26-2009 07:48 AM

1-Disabling PIM is straight forward, if it is not unabled on layer 3 interface don't enable it.

do "show ip pim interface" to validate.

2-blocking PIM and permitting the rest :

access-list 101 deny pim any any

access-list 101 permit ip any any

!

under layer interface:

ip access-group 101 in

3-Blocking Multicast addresses (assuming you are not routing between your access and customers)

access-list 102 deny ip any 224.0.0.0 15.255.255.255

access-list 102 permit ip any any

under layer interface:

ip access-group 102 in

You cn also combine 102 & 101 into one ACL as you probably know only one ACL per direction is allowed.

If Multicast is not needed at all, just make sure "ip multicast-routing" is not enabled...if so "no ip multicast-routing". I guess this will be easiest way to make sure no Multicast is handled by your access switch.

HTH

Sam

0 Helpful

thorsten.steffen
Level 3
Level 3
In response to cisco_lad2004

‎06-10-2009 04:32 AM

Hi Sam,

using acl 102 worked fine in a test environment.

Do you know if there is any risk experiencing high cpu load when we activate this acl on all access-ports (2960 with 48 Ports, 3560, ..., 4510R-E with several hundred ports)?

Regards,

Thorsten

0 Helpful

cisco_lad2004
Level 5
Level 5
In response to thorsten.steffen

‎06-10-2009 05:25 AM

not sure about 2960 & 3560...but on 4510R I am using them today , and actually carrying multicast for various IPTV providers with no issues at all...so I think u are prtet safe with E series :-)

Sam

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card