Hi ACI professionals,
I want to implement ACI L3 Multicast using ASM with a static fabric RP.
So the configuration is quite simple:
- Enable PIM in the VRF
- Setting a static Fabric RP with a route-map (Route-map permits for example 239.255.0.0/24)
==> This works like a charm. Any source IPv4 address in the VRF may send Multicast data to all groups within the range 239.255.0.0/24 (that is, only traffic to groups within this range is sent to the RP).
I want to control which sources are allowed to send to which group (like a PIM accept-register ACL on IOS or NX-OS switches). So the most obvious approach would be to alter the Fabric RP route-map and include the sources there as well.
So the route-map looks like:
- Order 1: Source IP 192.168.1.1/32 ; Group IP: 239.255.0.1/32 ; Action: Permit
=> So only the source IP 192.168.1.1 is allowed to send traffic to 239.255.0.1. However, any source may send traffic to the group. Other groups are not allowed.
I checked this on a leaf switch, using old-fashioned CLI commands:
leaf101# show ip pim rp vrf tenant1:vrf1
PIM RP Status Information for VRF:"tenant1:vrf1"
BSR: Not Operational
Auto-RP: Not Operational
RP: 10.1.2.3, uptime: 02:28:26, expires: never, FabricRP
priority: 0, RP-source: (local), group-map: mcast_rprange_tenant1:vrf1_10.1.2.3, group ranges:
239.255.0.1/32
Fabric RP members: 10.1.10.254 10.1.10.255
=> So the RP 10.1.2.3 is used for the group 239.255.0.1
Let's check the group-map (route-map):
leaf101# show route-map mcast_rprange_tenant1:vrf1_10.1.2.3
route-map mcast_rprange_tenant1:vrf1_10.1.2.3, permit, sequence 1
Match clauses:
ip multicast: source 192.168.1.1/32 group 239.255.0.1/32
Set clauses:
So the match clause explicitly states that only the source 192.168.1.1/32 and group 239.255.0.1/32 match.
Obviously the "source" match condition is not evaluated in the Fabric RP configuration.
Question: Is this a bug? Is there another way to achieve this? Unfortunately the documentation is very poor here.
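An added example (not part of the original post, and not Cisco code): a small audit helper that parses the two leaf outputs quoted above and lists every RP group-map entry that carries a source restriction, so entries that look like a sender filter but sit on an RP range can be found and tested. The function names are hypothetical, and the handling of entries without a `source` keyword is an assumption about the output format.

```python
import ipaddress
import re

# Leaf CLI output as quoted in the post above (leaf101, VRF tenant1:vrf1).
SHOW_PIM_RP = '''\
PIM RP Status Information for VRF:"tenant1:vrf1"
BSR: Not Operational
Auto-RP: Not Operational
RP: 10.1.2.3, uptime: 02:28:26, expires: never, FabricRP
priority: 0, RP-source: (local), group-map: mcast_rprange_tenant1:vrf1_10.1.2.3, group ranges:
239.255.0.1/32
Fabric RP members: 10.1.10.254 10.1.10.255
'''
SHOW_ROUTE_MAP = '''\
route-map mcast_rprange_tenant1:vrf1_10.1.2.3, permit, sequence 1
Match clauses:
ip multicast: source 192.168.1.1/32 group 239.255.0.1/32
Set clauses:
'''

RP_RE = re.compile(r"^\s*RP:\s*(?P<rp>[\d.]+),.*?group-map:\s*(?P<gmap>[^,\s]+)", re.M | re.S)
SEQ_RE = re.compile(r"^\s*route-map\s+(?P<name>[^,\s]+),\s*(?P<action>permit|deny),\s*sequence\s+(?P<seq>\d+)", re.M)
# Assumption: an entry without a source restriction omits the "source" keyword.
MATCH_RE = re.compile(r"ip multicast:\s*(?:source\s+(?P<src>\S+)\s+)?group\s+(?P<grp>\S+)")

def rp_group_maps(pim_output):
    """Map each group-map name to the RP address that references it."""
    return {m["gmap"]: m["rp"] for m in RP_RE.finditer(pim_output)}

def route_map_entries(rmap_output):
    """Yield (name, seq, action, source, group) for each multicast match clause."""
    heads = list(SEQ_RE.finditer(rmap_output))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(rmap_output)
        for m in MATCH_RE.finditer(rmap_output, h.end(), end):
            src = ipaddress.ip_network(m["src"], strict=False) if m["src"] else None
            yield h["name"], int(h["seq"]), h["action"], src, ipaddress.ip_network(m["grp"], strict=False)

def source_scoped_rp_entries(pim_output, rmap_output):
    """Return RP group-map entries whose source match is narrower than 'any'."""
    rps = rp_group_maps(pim_output)
    return [
        {"rp": rps[name], "seq": seq, "action": action, "source": str(src), "group": str(grp)}
        for name, seq, action, src, grp in route_map_entries(rmap_output)
        if name in rps and src is not None and src.prefixlen > 0
    ]

if __name__ == "__main__":
    print(source_scoped_rp_entries(SHOW_PIM_RP, SHOW_ROUTE_MAP))
```

Each entry returned is a candidate to verify with a test sender from a non-listed source address, since the post reports that the source match was not applied to traffic.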