Cisco Support Community
New Member

dropping incoming ip multicast packets in accessports possible?

Hi,

I am looking for an easy to implement method to prevent end users from using ip multicast applications. Does anybody know if it's possible to disallow incoming multicast packets on access ports?

Many thanks in advance,

Thorsten Steffen

5 REPLIES

Re: dropping incoming ip multicast packets in accessports possib

Don't enable PIM and if you need to forward Multicast but not receive it use ACL blocking PIM INBOUND but permit IGMP.

You can also block Multicast IP addresses altogether

There are other methods with setting TTL on interfaces.

HTH

Sam

New Member

Re: dropping incoming ip multicast packets in accessports possib

Hi Sam,

could you please tell me in detail the commands which I have to use for your different recommendations?

Thanks,

Thorsten

Re: dropping incoming ip multicast packets in accessports possib

1-Disabling PIM is straightforward; if it is not enabled on layer 3 interface don't enable it.

do "show ip pim interface" to validate.

2-blocking PIM and permitting the rest :

    access-list 101 deny pim any any
    access-list 101 permit ip any any
    !

under layer interface:

    ip access-group 101 in

3-Blocking Multicast addresses (assuming you are not routing between your access and customers)

    access-list 102 deny ip any 224.0.0.0 15.255.255.255
    access-list 102 permit ip any any

under layer interface:

    ip access-group 102 in

You can also combine 102 & 101 into one ACL as you probably know only one ACL per direction is allowed.

If Multicast is not needed at all, just make sure "ip multicast-routing" is not enabled...if so "no ip multicast-routing". I guess this will be easiest way to make sure no Multicast is handled by your access switch.

HTH

Sam
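The following is an added example, not part of the original thread: a small Python model of first-match ACL evaluation, applied to ACLs 101 and 102 from the post above merged into one list, to check what the wildcard mask 15.255.255.255 actually covers. The merged entry order, the function names and the sample packets are assumptions made for illustration.

```python
import ipaddress

# Entries from ACL 101 and 102 in the post above, merged into one list.
# The merge order is an assumption. Source is "any" in every entry, so only
# (action, protocol, destination base, destination wildcard) is modelled.
COMBINED_ACL = [
    ("deny",   "pim", "0.0.0.0",   "255.255.255.255"),  # deny pim any any
    ("deny",   "ip",  "224.0.0.0", "15.255.255.255"),   # deny ip any 224.0.0.0 15.255.255.255
    ("permit", "ip",  "0.0.0.0",   "255.255.255.255"),  # permit ip any any
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care'; all other bits must equal base."""
    w = _to_int(wildcard)
    return (_to_int(addr) | w) == (_to_int(base) | w)

def wildcard_range(base, wildcard):
    """First and last address covered by a contiguous wildcard mask."""
    b, w = _to_int(base), _to_int(wildcard)
    first = ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)
    last = ipaddress.IPv4Address(b | w)
    return str(first), str(last)

def evaluate(acl, protocol, dst):
    """Return the action of the first matching entry; no match is an implicit deny."""
    for action, proto, base, wildcard in acl:
        # The "ip" keyword matches every IP protocol (UDP, IGMP, PIM, ...).
        if proto in ("ip", protocol) and wildcard_match(dst, base, wildcard):
            return action
    return "deny"

# Constructed sample packets: (protocol, destination address).
SAMPLES = [
    ("udp",  "239.1.1.1"),        # multicast stream from an end host
    ("igmp", "224.0.0.22"),       # IGMPv3 membership report
    ("pim",  "10.0.0.1"),         # unicast PIM, caught by the first entry
    ("tcp",  "10.1.1.1"),         # ordinary unicast
    ("udp",  "255.255.255.255"),  # limited broadcast, e.g. DHCP discover
    ("udp",  "240.0.0.1"),        # just above the multicast range
]

def run_samples():
    return {(p, d): evaluate(COMBINED_ACL, p, d) for p, d in SAMPLES}

if __name__ == "__main__":
    print(wildcard_range("224.0.0.0", "15.255.255.255"))
    for key, action in run_samples().items():
        print(key, action)
```

Because the second entry uses the `ip` keyword, IGMP packets sent to multicast groups are dropped along with the multicast data itself.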

New Member

Re: dropping incoming ip multicast packets in accessports possib

Hi Sam,

using acl 102 worked fine in a test environment.

Do you know if there is any risk experiencing high cpu load when we activate this acl on all access-ports (2960 with 48 Ports, 3560, ..., 4510R-E with several hundred ports)?

Regards,

Thorsten

Re: dropping incoming ip multicast packets in accessports possib

Not sure about 2960 & 3560...but on 4510R I am using them today, and actually carrying multicast for various IPTV providers with no issues at all...so I think you are pretty safe with E series :-)

Sam
