665 Views | 1 Helpful | 4 Replies

Issue with (unregistered) Multicast, VLAN Filtering and Spanning Tree

fhk-cwempe
Level 1

Hello,

we recently got a lot of multimedia equipment that uses multicast.
Therefore we had to configure some multicast related things in our network that we did not have before.
We activated igmp snooping on all access switches and an igmp snooping querier on a central switch.

Then we learned that we need to configure a vlan filter to allow unregistered multicast traffic.
Our consultant from the multimedia company provided the list of unregistered multicast addresses we needed to allow.

vlan access-map FilterMulticastMedia 10
 match ip address AllowUnregMulticast
 action forward
vlan access-map FilterMulticastMedia 20
 action drop

vlan filter FilterMulticastMedia vlan-list <our_media_vlan>

ip access-list extended AllowUnregMulticastMedia
 permit igmp any host 224.0.0.230
 permit igmp any host 224.0.0.231
 permit igmp any host 224.0.0.232
 permit igmp any host 224.0.0.233
 permit igmp any host 224.0.0.251
 permit igmp any host 224.0.1.129
 permit igmp any host 224.0.1.130
 permit igmp any host 224.0.1.131
 permit igmp any host 224.0.1.132
 permit igmp any host 224.0.23.175
 permit igmp any host 239.254.3.3
 permit igmp any host 239.255.254.253
 permit igmp any host 239.255.255.250
 permit igmp any host 239.255.255.255

I configured this on all our access switches.

Everything seemed to work fine for a few days.
But now the Media-VLAN on some access switches stops working.

After some investigation I could correlate the issue to the configured vlan filter.
It looks like the vlan filter is blocking other (all?) traffic from this VLAN on the affected switches.

How can I solve this?
Removing the vlan filter is not an option, because we need these unregistered multicast addresses.
Deactivating multicast in general is not an option either, of course.
Did I do something wrong? How can I prevent the vlan filter from affecting other packets (like unicast)?

related but not important for this issue I guess:

This also results in a spanning tree (RSTP) issue, because the access switch does not receive the BPDU packets from the distribution switch and therefore decides to become root bridge for this vlan.
The distribution switch receives BPDU packets from the access switch and detects a conflict because of an inferior root bridge, and blocks the port for this vlan.

At first I thought this was my main issue.
I was thinking maybe RSTP is using a multicast address that needs to be allowed.
But the devices cannot even communicate between the ports of the same access switch, where spanning tree is not blocking anything.

4 Replies

The VLAN filter has action drop at the end.

So any traffic not matching the first vlan filter entry is dropped by the second line.

If you need specific multicast then:

Line 1: forward multicast traffic matching your ACL

Line 2: drop any other multicast traffic

Line 3: forward any other traffic

MHM

fhk-cwempe
Level 1

So you propose something like this?

vlan access-map FilterMulticastMedia 10
 match ip address AllowUnregMulticast
 action forward
vlan access-map FilterMulticastMedia 20    <--- This is new
 match ip address AllMulticast              <--- This is new
 action drop                                <--- This is new
vlan access-map FilterMulticastMedia 30
 action forward

vlan filter FilterMulticastMedia vlan-list <our_media_vlan>

ip access-list extended AllowUnregMulticastMedia
 permit igmp any host 224.0.0.230
 [...]
 permit igmp any host 239.255.255.255

ip access-list extended AllMulticast           <--- This is new
 permit igmp any 224.0.0.0 15.255.255.255      <--- This is new

I was following this guide: https://notes.networklessons.com/igmp-using-vlan-access-maps-to-filter-multicast-traffic
There is no mention of allowing other traffic.
But I now understand that the vlan filter is really filtering all packets. Not just multicast packets.
No idea why it was working for a few days.
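To make the difference between the two access-maps concrete, here is an added model of how a Cisco VACL evaluates a packet: entries are tried in sequence order, the first matching entry's action applies, an entry without a `match` clause matches every packet, and a packet that matches no entry is dropped. This is illustrative code written for this thread, not the poster's configuration or any Cisco software. It uses the group list from the original post and one consistent ACL name (the posted access-map references `AllowUnregMulticast` while the ACL is defined as `AllowUnregMulticastMedia`; the model assumes they are meant to be the same object). The sample packets are constructed. Because the posted ACLs match protocol `igmp`, a UDP media stream to an unlisted group matches neither the allow nor the drop entry and falls through to the final forward, so the model also takes the ACL protocol as a parameter to show the contrast with `ip`.

```python
"""Model of Cisco VACL (vlan access-map) first-match evaluation.

Illustrative code for this thread, not the poster's config or Cisco code.
Packets, sequence numbers and the protocol parameter are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "igmp", "udp" or "tcp"


# Groups listed in the original post's AllowUnregMulticastMedia ACL.
UNREG_GROUPS = [
    "224.0.0.230", "224.0.0.231", "224.0.0.232", "224.0.0.233", "224.0.0.251",
    "224.0.1.129", "224.0.1.130", "224.0.1.131", "224.0.1.132", "224.0.23.175",
    "239.254.3.3", "239.255.254.253", "239.255.255.250", "239.255.255.255",
]


def build_acls(proto):
    """Extended ACLs as lists of (protocol, destination network) permit entries.

    proto="igmp" mirrors the posted ACLs; proto="ip" is a constructed variant
    that also matches the UDP data streams to those groups.
    """
    return {
        "AllowUnregMulticastMedia": [(proto, g + "/32") for g in UNREG_GROUPS],
        "AllMulticast": [(proto, "224.0.0.0/4")],      # 224.0.0.0 15.255.255.255
    }


def acl_permits(acl, pkt):
    dst = ipaddress.ip_address(pkt.dst)
    for proto, net in acl:
        if proto in ("ip", pkt.proto) and dst in ipaddress.ip_network(net):
            return True
    return False            # implicit deny at the end of every ACL


def vacl_action(access_map, acls, pkt):
    """access_map: list of (sequence, acl_name or None, action).

    An entry with acl_name None has no match clause and matches everything.
    """
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action
    return "drop"           # matched no entry: dropped


# The access-map from the original post: forward listed groups, drop the rest.
ORIGINAL_MAP = [
    (10, "AllowUnregMulticastMedia", "forward"),
    (20, None, "drop"),
]

# The three-block access-map proposed in the replies.
THREE_BLOCK_MAP = [
    (10, "AllowUnregMulticastMedia", "forward"),
    (20, "AllMulticast", "drop"),
    (30, None, "forward"),
]

# Constructed sample traffic on the media VLAN.
SAMPLE = {
    "unicast":        Packet("10.1.1.10", "10.1.1.20", "tcp"),
    "igmp_allowed":   Packet("10.1.1.10", "239.255.255.250", "igmp"),
    "igmp_other":     Packet("10.1.1.10", "239.1.1.1", "igmp"),
    "stream_allowed": Packet("10.1.1.10", "239.255.255.250", "udp"),
    "stream_other":   Packet("10.1.1.10", "239.1.1.1", "udp"),
}


def evaluate(access_map, proto="igmp"):
    """Return {sample name: 'forward' | 'drop'} for the given map and ACL protocol."""
    acls = build_acls(proto)
    return {name: vacl_action(access_map, acls, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, amap, proto in [("original/igmp", ORIGINAL_MAP, "igmp"),
                               ("three-block/igmp", THREE_BLOCK_MAP, "igmp"),
                               ("three-block/ip", THREE_BLOCK_MAP, "ip")]:
        print(label, evaluate(amap, proto))
```

Running it shows the symptom from the thread directly: under the original map the unicast packet is dropped by sequence 20, while under the three-block map it reaches sequence 30 and is forwarded. It also shows the protocol caveat: with `igmp` ACLs the three-block map forwards the UDP stream to the unlisted group 239.1.1.1 (nothing matched it before sequence 30), whereas with `ip` ACLs that stream is dropped and the stream to the listed group is still forwarded.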

Hello @fhk-cwempe ,

Yes, you should implement the VACL with three blocks in order to allow the desired IPv4 multicast, stop all other multicast, but permit all other traffic including unicast and broadcast.

>> No idea why it was working for a few days

About the example on networklessons: it is a lab with a config focused only on multicast.

Yes, this is strange; with your current configuration all unicast traffic should be affected as soon as the VACL was applied to the VLAN.

Hope to help

Giuseppe

Yes indeed, it filters all traffic bridged or routed via the VLAN, including multicast.

MHM
