12-12-2013 04:30 AM - edited 03-07-2019 05:02 PM
Is it possible to block multicast inside a vlan?
I'm trying to create a vlan that doesn't allow multicast between devices within the vlan.
With multicast routing, I think I simply make sure there's no ip pim sparse/dense command in the VLAN config and that will prevent any multicast from entering/leaving the VLAN, which solves half my problem.
For physical devices connected to a port on the VLAN in question, I think there's a storm-control and one other command that will block all multicast to that port, which I believe solves the multicast within the VLAN, but......
My problem is with virtual machines. While I can put them on the vlan, I don't have the cisco 1000 virtual switch to block each port.
Given that, is there any config which will prevent devices in the same vlan from using multicast without configuring a physical port?
I'm working with 3850 and 4500 switches in this case
Thanks
12-12-2013 09:10 AM
Hi,
You can use a VLAN access-list(VACL) to block some traffic inside a VLAN.
Regards
Alain
Don't forget to rate helpful posts.
12-13-2013 07:05 AM
Are you able to give me an example? I know very little about ACL and my attempts have all failed.
I tried the following
ip access-list standard TEST
deny 224.0.0.0 15.255.255.255
permit any
int vlan 51
ip access-group TEST in
ip access-group TEST out
but it doesn't seem to work. I removed the permit any but that doesn't make a difference either. Is my ACL wrong?
Thanks
12-13-2013 07:46 AM
Hi,
A multicast address can never be seen as a source address but only as a destination address, so you must use an extended ACL, not a standard ACL, and put your multicast address as the destination:
access-list 100 permit ip any 224.0.0.0 15.255.255.255
vlan access-map block-multicast 10
match ip address 100
action drop
vlan access-map block-multicast 20
action forward
vlan filter block-multicast vlan-list x (where x is the VLAN ID)
Regards
Alain
Don't forget to rate helpful posts.
12-13-2013 10:21 AM
Hi Alain,
Thank you so much! It appears to be working. We'll see what happens in a few days when I reconfigure if it holds but so far so good
These are the final commands which did the trick if anyone else comes across this thread:
access-list 100 permit ip any 224.0.0.0 15.255.255.255
vlan access-map block-multicast 10
match ip address 100
action drop
vlan access-map block-multicast 20
action forward
vlan filter block-multicast vlan-list x (where x is the vlan id)
Using the same idea I was able to block UDP traffic in/out/within the VLAN as well.
Is there a large performance impact to using these filters? I would be putting them on a 3850 so I would assume I have enough CPU, but any guidance is appreciated.
Thanks
05-03-2016 04:22 AM
Hello Alain, aren't we at risk of blocking service messages destined to all hosts or all routers with this access-list that could interfere with the functioning of the network? Shouldn't we block 225.x.x.x upwards?
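To make the wildcard-mask and VACL semantics in Alain's answer concrete, and to check the concern raised in the last reply, here is an added Python model of how a Cisco ACL and VLAN access-map evaluate a packet. It is example code written for this page, not code from the thread or from Cisco. The sample flows, the host addresses in 10.51.0.0/24 and the refined "ACL 101" that exempts the 224.0.0.0/24 link-local control block are constructed for illustration; the IGMP, OSPF and HSRP group addresses it references are the standard IANA assignments.

```python
"""Model of Cisco wildcard-mask ACL matching and VACL evaluation.

Added example (not from the thread, not Cisco code).  Shows:
  * why the OP's standard ACL on the SVI never matched (multicast is only
    ever a destination, and the match was on the source);
  * that 224.0.0.0 15.255.255.255 covers all of 224.0.0.0/4, including the
    224.0.0.0/24 link-local control block (IGMP, OSPF, HSRP, VRRP, ...);
  * a refined, hypothetical ACL 101 that leaves that /24 alone.
Traffic samples and 10.51.0.0/24 addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    224.0.0.0 15.255.255.255 therefore matches 224.0.0.0 - 239.255.255.255."""
    if base == ANY:
        return True
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source base/wildcard, dest base/wildcard."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# VACL: ordered (match-ACL or None, action).  A clause applies when its ACL
# *permits* the packet; a clause with no match statement applies to everything.
# A packet matching no clause is dropped (VACL implicit deny).
Vacl = List[Tuple[Optional[List[Ace]], str]]


def vacl_action(vacl: Vacl, src: str, dst: str) -> str:
    for match_acl, action in vacl:
        if match_acl is None or acl_lookup(match_acl, src, dst) == "permit":
            return action
    return "drop"


# The OP's first attempt: a standard ACL, so only the *source* is tested.
# (It also sat on the SVI, which only sees routed traffic, not intra-VLAN frames.)
OP_STANDARD_ATTEMPT = [
    Ace("deny", "224.0.0.0", "15.255.255.255", ANY, ""),
    Ace("permit", ANY, "", ANY, ""),
]

# Alain's ACL 100 as posted in the thread: every multicast destination.
ACL_100 = [Ace("permit", ANY, "", "224.0.0.0", "15.255.255.255")]

# Hypothetical refinement: exclude the link-local control block 224.0.0.0/24
# (a 'deny' here means 'not matched by this clause', i.e. falls through).
ACL_101 = [
    Ace("deny", ANY, "", "224.0.0.0", "0.0.0.255"),
    Ace("permit", ANY, "", "224.0.0.0", "15.255.255.255"),
]

THREAD_VACL: Vacl = [(ACL_100, "drop"), (None, "forward")]
REFINED_VACL: Vacl = [(ACL_101, "drop"), (None, "forward")]

# Constructed sample flows inside VLAN 51.
SAMPLES: Dict[str, Tuple[str, str]] = {
    "igmp all-hosts query": ("10.51.0.1", "224.0.0.1"),    # IGMP general query
    "ospf all-spf-routers": ("10.51.0.1", "224.0.0.5"),    # OSPF hello
    "hsrp v2 hello": ("10.51.0.2", "224.0.0.102"),         # HSRPv2
    "app multicast": ("10.51.0.10", "239.1.1.1"),          # admin-scoped app group
    "unicast": ("10.51.0.10", "10.51.0.20"),
}


def evaluate(vacl: Vacl, samples: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Return the VACL verdict for each named sample flow."""
    return {name: vacl_action(vacl, src, dst) for name, (src, dst) in samples.items()}


if __name__ == "__main__":
    print("OP standard ACL, 10.51.0.10 -> 239.1.1.1:",
          acl_lookup(OP_STANDARD_ATTEMPT, "10.51.0.10", "239.1.1.1"))
    for label, vacl in (("thread VACL", THREAD_VACL), ("refined VACL", REFINED_VACL)):
        print(label)
        for name, verdict in evaluate(vacl, SAMPLES).items():
            print(f"  {name:22s} {verdict}")
```

Running it shows the OP's standard ACL returning "permit" for an application multicast packet (the source 10.51.0.10 never falls in 224.0.0.0/4), the thread's VACL dropping IGMP, OSPF and HSRP hellos along with the application group, and the refined map forwarding the 224.0.0.0/24 control traffic while still dropping 239.1.1.1. Whether exempting that /24 is right for a given VLAN is a design decision; the model only makes the consequence of each ACL visible before it is applied to a live switch.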