SF302 ACLs & Multicast traffic

wakelt1961
Level 1

Can I use ACLs to filter out multicast traffic to a specific UDP port? Or are ACLs only imposed on unicast traffic?

I have built an ACL that has two ACEs:

ACE #1: filters out all UDP multicast to port 1900. This has high priority.

ACE #2: allows all traffic to go through. It has low priority.

I still see port 1900 traffic coming through.

Is it true that "1" is the highest priority, or is that a typo?

If ACLs can't be used to filter out specific multicast, I will try multicast filtering.

4 Replies

Tom Watts
VIP Alumni

Hi Walter, can you post an example diagram depicting the source and destination and the exact access list you're using and where is the access list applied?

-Tom
Please mark answered for helpful posts


Hi Tom;

The setup is simple:

* There are 3 devices connected directly to the switch, interfaces 1, 5 and 6. Each device can source UDP multicast at port 1900.

* The ACL and binding picture is attached.

I still see inbound UDP port 1900 traffic when sniffing the device connected to interface #1. The traffic using port 1900 is UDP multicast. I am also wondering about the priority numbering. Is "1" the highest priority (there is documentation in the manual that states this)?

thanks

Walter

Hi Walter, the rule priority is as such: basically, think of it as sequencing. It's like any other normal access list, where you define the order of the rules and then there is an implicit deny all at the end of the list (hence the need to permit any any).

So the rule looks okay to me. For practice's sake, can you make an access list that blocks all traffic to your port #1 (deny ip any any)? Does this stop all ingress traffic?

Second test, can you make an access list that looks like this?

deny udp any any any 1900

deny igmp any any

permit ip any any

Let's see if it does anything for ya

-Tom
Please mark answered for helpful posts

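To make the ordering and implicit-deny behaviour Tom describes concrete, here is an added illustration (not from the thread and not the switch's firmware): a minimal first-match ACL evaluator run against Tom's three-line list and a constructed SSDP-style packet (UDP to 239.255.255.250, port 1900). The `Ace`, `Packet` and `evaluate` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a toy first-match ACL evaluator. It models only the
# fields Tom's list uses (protocol and destination port); "any" is None.

@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", "igmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """Walk the ACEs in order; the first match wins. If nothing matches,
    the implicit deny at the end of the list applies (reported as index -1)."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", -1

def is_multicast(addr: str) -> bool:
    return ipaddress.ip_address(addr).is_multicast

# Tom's suggested list, in the order he wrote it.
TOMS_ACL = [Ace("deny", "udp", 1900), Ace("deny", "igmp"), Ace("permit", "ip")]

# Constructed packets: SSDP-style multicast, IGMP, and ordinary web traffic.
SSDP = Packet("udp", "192.0.2.5", "239.255.255.250", 1900)
IGMP = Packet("igmp", "192.0.2.5", "224.0.0.1")
HTTP = Packet("tcp", "192.0.2.5", "192.0.2.1", 80)

if __name__ == "__main__":
    for pkt in (SSDP, IGMP, HTTP):
        action, idx = evaluate(TOMS_ACL, pkt)
        print(f"{pkt.proto:>4} -> {pkt.dst}:{pkt.dst_port} multicast={is_multicast(pkt.dst)} "
              f"{action} by ACE {idx}")
    # Same ACEs, permit first: sequencing alone decides the outcome.
    print("reversed:", evaluate(list(reversed(TOMS_ACL)), SSDP))
```

Reversing the list shows why "1" being first matters: with `permit ip any any` on top, the SSDP packet is permitted before the deny is ever reached.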

Hi Tom;

I did try:

deny udp any any any 1900

deny igmp any any

permit ip any any

No change in results.

I did enter a multicast filter for 239.255.255.250 (which carries the UDP port 1900 traffic) and that seemed to do the trick from a blocking/drop perspective. However, when I "removed" the mcast filter via the GUI, it was still blocked.

I needed to factory default to take away the filter.
