Restrict egress multicast traffic at an interface port

mak2020 · ‎03-21-2024

Hello, I have two Cisco Nexus N9K-C9336C-FX2 9300 Series switches. They are connected using trunk ports on both switches (A and B). Switch A is sending traffic on a single VLAN with two multicast subnets; I cannot change that configuration. On Switch B, I want to allow only a single multicast subnet of that VLAN to be made available to a third party switch on interface 1/25, and the other multicast subnet of that VLAN to be made available to yet another switch from interface 1/26.

I’ve tried creating ACLs (both port and VACLs), but they only allow me to apply them to Ingress traffic (which affects the entire VLAN). If I attempt to apply an ACL as “out” (egress traffic), I get a notification that I cannot do that on my port.

Any examples you could provide would be appreciated.

marce1000 · ‎03-21-2024

- Ref : https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01001.html
>...
>Egress router ACLs are not supported on Cisco Nexus 9300 Series switch uplink ports.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

David Ruess · ‎03-21-2024

Hello,

You can try creating an ACL permitting/denying the Multicast streams you want. Then you might be able to apply a multicast boundary on the interface in the OUT direction.

ip access-list standard 1

permit 235.1.1.1

interface G1/25

ip multicast boundary 1 out

-David

mak2020 · ‎03-21-2024

Thanks for the suggestion, but unfortunately my switch does not support those commands.