Re: How to block IGMP Querries on host ports on Nexus 3064

lukasbulka3 · ‎08-07-2017

Hi all,

I'm looking fot an equivalent of 6500 feature called Router Guard for Nexus 3000. This feature drops Pim Hello's and IGMP Querries on ports that should not recieve such packets. The problem is that some devices on our large network sometimes send's IGMP Queries with source address lower than our IGMP Querier (sometimes even from 0.0.0.0). This causes N3K to become a non-querier and since it's also PIM router connected to multicast source, all hosts stops recieving multicast streams. I guess this is related to TCN flooding due to STP topology change. 6500 had this awesome feature called Router Guard wich also prevented other switchports from becoming mrouter ports.

On Nexus 3064 I can't prevent this kind of packets from getting to CPU. Port and Vlan ACL are not working here. COPP feature on N3K is not working here eihter. I can only police class copp-s-igmp to pps 0 but this is blocking also IGMP Reports. Adding new class-maps with ACL's permiting only IGMP-host-query to COPP is not taking any efect on a switch. Is there anything that can be done for better security for N3K L2 multicast?

lukasbulka3 · ‎02-07-2018

With new nxos 7.0.3 the router guard-feature is available on Nexus 3064.

lukasbulka3 · ‎02-14-2018

Unfortunately after few tests it occured that this feature is completely broken. It does not work with igmp snooping. Switch does not forward reports on mrouter port. When igm snooping is disabled multicast works.