Hi ACI professionals,

I want to implement ACI L3 Multicast using ASM with a static fabric RP.

So the configuration is quite simple

- Enable PIM in the VRF

- Setting a static Fabric RP with a route-map (Route-map permits for example 239.255.0.0/24)

==> This works like a charm. Any source IPv4 address in the VRF may send Multicast data to all groups within the range 239.255.0.0/24 (that is, that only traffic to groups within this range are sent to the RP).

I want to control, which sources are allowed to send to which group (like a PIM accept-register ACL on IOS or NX-OS switches). So the most obvious approach would be to alter the Fabric RP route-map and include the sources there as well.

So the route-map looks like:

- Order 1: Source IP 192.168.1.1/32 ; Group IP: 239.255.0.1/32 ; Action: Permit

=> So only the source IP 192.168.1.1 is allowed to send traffic to 239.255.0.1. However, any source may sent traffic to the group. Other groups are not allowed.

I checked this on a leaf switch, using old fashioned CLI commands

leaf101# show ip pim rp vrf tenant1:vrf1

PIM RP Status Information for VRF:"tenant1:vrf1"
BSR: Not Operational
Auto-RP: Not Operational

RP: 10.1.2.3, uptime: 02:28:26, expires: never, FabricRP
  priority: 0, RP-source:  (local), group-map: mcast_rprange_tenant1:vrf1_10.1.2.3, group ranges:
    239.255.0.1/32
Fabric RP members: 10.1.10.254 10.1.10.255

=> So the RP 10.1.2.3 is used for the group 239.255.0.1

Let's check the group-map (route-map)

leaf101# show route-map mcast_rprange_tenant1:vrf1_10.1.2.3
route-map mcast_rprange_tenant1:vrf1_10.1.2.3, permit, sequence 1
  Match clauses:
    ip multicast: source 192.168.1.1/32 group 239.255.0.1/32
  Set clauses:

So the match clause explicitely states, that only the source 192.168.1.1/32 and group 239.255.0.1/32 matches.

Obviously the "source" match condition is not evaluated in the Fabric RP configuration.

Question: Is this a bug? Is there another way to achive this? Unfortunately the documentation is very poor here.