blocking multicast inside a vlan

CrackedJack1
Level 1

Is it possible to block multicast inside a vlan?

I'm trying to create a vlan that doesn't allow multicast between devices within the vlan.

With multicast routing, I think I simply make sure there's no ip pim sparse/dense command in the vlan config and that will prevent any multicast from entering/leaving the vlan, which solves half my problem.

For physical devices connected to a port on the vlan in question, I think there's a storm-control command and one other command that will block all multicast to that port, which I believe solves the multicast within the vlan but......

My problem is with virtual machines. While I can put them on the vlan, I don't have the Cisco 1000 virtual switch to block each port.

Given that, is there any config which will prevent devices in the same vlan from using multicast without configuring a physical port?

I'm working with 3850 and 4500 switches in this case.

Thanks

5 Replies

cadet alain
VIP Alumni

Hi,

You can use a VLAN access-list(VACL) to block some traffic inside a VLAN.

Regards

Alain

Don't forget to rate helpful posts.

Are you able to give me an example? I know very little about ACL and my attempts have all failed.

I tried the following

ip access-list standard TEST
deny 224.0.0.0 15.255.255.255
permit any

int vlan 51
ip access-group TEST in
ip access-group TEST out

but it doesn't seem to work. I removed the permit any but that doesn't make a difference either. Is my ACL wrong?

Thanks

Hi,

a multicast address can never be seen as a source address but only as a destination address, so you must use an extended ACL not a standard ACL and put your multicast address as a destination:

! Extended ACL: any source, destination anywhere in 224.0.0.0/4
! (wildcard 15.255.255.255 covers 224.0.0.0 through 239.255.255.255)
access-list 100 permit ip any 224.0.0.0 15.255.255.255

! Sequence 10 drops traffic that matches ACL 100
vlan access-map block-multicast 10
match ip address 100
action drop

! Sequence 20 has no match clause, so it forwards everything else
! (without it the implicit deny at the end of the map would drop all traffic)
vlan access-map block-multicast 20
action forward

! Apply the map to the VLAN; x is the VLAN id
vlan filter block-multicast vlan-list x

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

Thank you so much! It appears to be working. We'll see what happens in a few days when I reconfigure if it holds, but so far so good.

These are the final commands which did the trick if anyone else comes across this thread:

access-list 100 permit ip any 224.0.0.0 15.255.255.255
vlan access-map block-multicast 10
match ip address 100
action drop
vlan access-map block-multicast 20
action forward
vlan filter block-multicast vlan-list x (where x is the vlan id)

Using the same idea I was able to block UDP traffic in/out/within the vlan as well.

Is there a large performance impact to using these filters? I would be putting them on a 3850 so I would assume I have enough CPU, but any guidance is appreciated.

Thanks

Hello Alain, aren't we at risk of blocking service messages destined to all hosts or all routers with this access-list that could interfere with the functioning of the network? Shouldn't we block 225.x.x.x upwards?
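As an added example (not from the thread), a small Python model of how IOS wildcard masks and VLAN access-map sequences evaluate the final configuration above, plus a constructed variant (ACL 101, a hypothetical number) that forwards the 224.0.0.0/24 link-local control block raised in the last reply before dropping the rest of 224.0.0.0/4. It simplifies IOS to IP source/destination matching only; sample addresses are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask match: bits set to 1 in the mask are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF            # bits that must be equal
    return (a & keep) == (b & keep)

def acl_permits(acl, src, dst):
    """Extended ACL: first matching entry wins; implicit deny at the end."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False

def vacl_action(access_map, acls, src, dst):
    """VLAN access-map: sequences in order; a sequence with no 'match'
    clause matches everything; a packet matching no sequence is dropped."""
    for acl_name, action in access_map:
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"

# access-list 100 permit ip any 224.0.0.0 15.255.255.255  (all of 224.0.0.0/4)
ACL_100 = [("permit", "0.0.0.0", "255.255.255.255", "224.0.0.0", "15.255.255.255")]
# Constructed ACL 101: only the 224.0.0.0/24 link-local control block
# (224.0.0.1 all-hosts, 224.0.0.2 all-routers, 224.0.0.5/6 OSPF, ...)
ACL_101 = [("permit", "0.0.0.0", "255.255.255.255", "224.0.0.0", "0.0.0.255")]
ACLS = {"100": ACL_100, "101": ACL_101}

# vlan access-map block-multicast 10 / match ip address 100 / action drop
# vlan access-map block-multicast 20 / action forward
BLOCK_MULTICAST = [("100", "drop"), (None, "forward")]
# Variant: forward link-local control traffic first, then drop the rest of 224/4
KEEP_LINKLOCAL = [("101", "forward"), ("100", "drop"), (None, "forward")]

if __name__ == "__main__":
    for dst in ("224.0.0.1", "224.0.0.5", "239.1.2.3", "10.1.51.20"):
        print(dst,
              "thread map:", vacl_action(BLOCK_MULTICAST, ACLS, "10.1.51.10", dst),
              "variant:", vacl_action(KEEP_LINKLOCAL, ACLS, "10.1.51.10", dst))
```

Running it shows that the thread's map drops 224.0.0.1 and 224.0.0.5 along with 239.1.2.3, while the variant forwards the two link-local addresses and still drops 239.1.2.3; unicast is forwarded by both.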