
Blocking outbound multicast video streams on a Cisco L3 switch

Ali Zaghir
Level 1

I am trying to block all outgoing multicast streams on my edge switch, a Nexus 3K. The port is connected to a remote location and is a trunk port. I have devices receiving video streams inside my network through this port and I need to keep that working, while only stopping the devices at the remote location from taking video streams from my network. I tried to accomplish this using access lists.

1- I created an access list as below:

IP access list remote-location
10 deny ip any 232.10.10.1/32 vlan 835
11 deny ip any 224.52.74.17/32 vlan 835
12 deny ip any 224.2.42.17/32 vlan 835
13 deny ip any 224.2.42.16/32 vlan 835
14 deny ip any 224.2.51.60/32 vlan 835
15 deny udp any 224.91.40.1/32 eq 2001 vlan 835
16 deny udp any 224.91.40.2/32 eq 2003 vlan 835
17 deny udp any 224.91.40.4/32 eq 2007 vlan 835

I applied it in the inward direction on the port as below:

interface Ethernet1/7
description **connected to remote-location**
ip access-group remote-location in
no lldp transmit
no lldp receive
switchport mode trunk
switchport trunk native vlan 835
switchport trunk allowed vlan 835,837
load-interval counter 1 5
load-interval counter 2 5

My interface outgoing traffic rate is not dropping.

input rate 1.68 Gbps, 154.36 Kpps; output rate 1.80 Gbps, 193.82 Kpps  <-- expecting to see an output rate of almost zero


Can anyone please help me to achieve this?


3 Replies

Ali Zaghir
Level 1

I've got no replies so far, but I did some updates which I'll add here. Hopefully, someone with a higher knowledge of this can assist.

IGMP snooping is enabled on all the switches and the streaming vlans, and the interface vlan 835 is set to PIM passive. I'm using PIM dense mode on the switch connected to the streaming servers. The devices at the remote location are requesting the multicast streams.

Vlan 835:
--------
IGMP snooping                     : Enabled
CAPWAP enabled                     : Disabled
IGMPv2 immediate leave             : Disabled
Explicit host tracking             : Enabled
Multicast router learning mode     : pim-dvmrp
CGMP interoperability mode         : IGMP_ONLY
Last Member Query Interval         : 1000

I've just tried to put the ACL in the outward direction and I have added a few lines to the ACL to match that direction; I also added a rate-limit policy on the interface, but the data rate is still not dropping. Although I want to keep the input multicast traffic, for the sake of troubleshooting I even tried to set the storm limit to 1%, to no avail. Please see all my updated config below:

IP access list remote-location
        1 deny ip any 224.0.0.0/4
        2 deny ip 224.0.0.0/4 any
        3 deny ip 232.0.0.0/4 any
        4 deny ip any 232.0.0.0/4
        5 deny ip any 10.235.0.254/32
        10 deny ip any 232.10.10.1/32 vlan 835
        11 deny ip any 224.52.74.17/32 vlan 835
        12 deny ip any 224.2.42.17/32 vlan 835
        13 deny ip any 224.2.42.16/32 vlan 835
        14 deny ip any 224.2.51.60/32 vlan 835
        15 deny udp any 224.91.40.1/32 eq 2001 vlan 835
        16 deny udp any 224.91.40.2/32 eq 2003 vlan 835
        17 deny udp any 224.91.40.4/32 eq 2007 vlan 835
        18 deny udp any 224.91.50.3/32 eq 2005 vlan 835
        20 deny ip any 224.2.4.1/32 vlan 835
        21 deny ip any 224.10.70.15/32 vlan 835
        22 deny ip any 224.10.70.1/32 vlan 835
        23 deny ip any 224.10.70.2/32 vlan 835
        24 deny udp any 224.2.5.20/32 eq 1234 vlan 835
        30 deny ip any 224.2.4.3/32 vlan 835
        40 deny ip any 224.2.4.4/32 vlan 835
        50 deny ip any 224.2.4.5/32 vlan 835
        60 deny ip any 228.1.1.1/32 vlan 835

interface Ethernet1/7
  description **connected to remote-location**
  ip access-group remote-location in
  ip access-group remote-location out
  no lldp transmit
  no lldp receive
  switchport mode trunk
  switchport trunk native vlan 835
  switchport trunk allowed vlan 835,837
  storm-control multicast level 1.00
  load-interval counter 1 5
  load-interval counter 2 5
  rate-limit cpu direction output pps 10 action log

# Traffic Rates are still the same:

input rate 1.65 Gbps, 151.90 Kpps; output rate 1.84 Gbps, 197.08 Kpps

Where are you applying this ACL - on a Nexus switch? What Nexus code is it running?

On what basis have you identified that the traffic rate is only multicast?

Did you apply any ACL logs to see whether the traffic is hitting that ACL?


BB


Where are you applying this ACL - on a Nexus switch? What Nexus code is it running?

Nexus 3064PQ, NXOS: version 7.0(3)I4(6)

Please see the output of show version below.

On what basis have you identified that the traffic rate is only multicast?

For multiple reasons:

1- The company on the remote side is taking streams from us for re-broadcasting. There are only video streaming devices on this vlan for them to capture.

2- The access list applied is only a deny list of multicast addresses, ending with the hidden deny-all statement. So, I'm expecting no traffic other than the multicast.

Did you apply any ACL logs to see whether the traffic is hitting that ACL?

Yes, I updated the ACL with the log command and can't see anything hitting the ACL.


IP access list remote-location
1 deny ip any 224.0.0.0/4 log
2 deny ip 224.0.0.0/4 any log
3 deny ip 232.0.0.0/4 any log
4 deny ip any 232.0.0.0/4 log
5 deny ip any 10.235.0.254/32 log
6 deny ip any 232.10.10.1/32 vlan 835 log

No output from "show logging ip access-list cache".

#show logging

Logging console: enabled (Severity: critical)
Logging monitor: enabled (Severity: notifications)
Logging linecard: enabled (Severity: notifications)
Logging timestamp: Seconds
Logging source-interface : disabled
Logging server: disabled
Logging origin_id : disabled
Logging logflash: disabled
Logging logfile: enabled

#show logging ip access-list status
Max flow = 8001
Alert interval = 490
Threshold value = 490

#show version

Software
BIOS: version 4.0.0
NXOS: version 7.0(3)I4(6)
BIOS compile time: 12/05/2016
NXOS image file is: bootflash:///nxos.7.0.3.I4.6_compact_N3064.bin
NXOS compile time: 3/9/2017 22:00:00 [03/10/2017 09:05:18]

Hardware
cisco Nexus3000 C3064PQ Chassis
Intel(R) Celeron(R) CPU P4505 @ 1.87GHz with 3903304 kB of memory.
Processor Board ID FOC17366ZQZ

I am not sure if this helps:

show hardware access-list output entries

slot 1
=======

Flags: F - Fragment entry E - Port Expansion
D - DSCP Expansion M - ACL Expansion
T - Cross Feature Merge Expansion
N - NS Transit B - BCM Expansion C - COPP

VDC-1 CoPP :
====================
no acl related hardware resources found
VDC-1 UF-All Ports in VDC 1 :
====================
no acl related hardware resources found
VDC-1 System-QoS :
====================
no acl related hardware resources found

@balaji.bandi 
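Added example, not code from this thread or from Cisco: a small Python model of first-match ACL evaluation per interface direction, fed with a subset of the ACL posted above. It assumes that an ACL bound only "in" on Ethernet1/7 is never evaluated for frames leaving toward the remote site, that the "vlan N" keyword matches the packet's VLAN tag, and that an unmatched packet hits the implicit deny at the end of the list; the sample packets are constructed.

```python
import ipaddress
import re

# Constructed subset of the "remote-location" ACL from the thread.
ACL_TEXT = """
1 deny ip any 224.0.0.0/4
2 deny ip 224.0.0.0/4 any
3 deny ip 232.0.0.0/4 any
4 deny ip any 232.0.0.0/4
5 deny ip any 10.235.0.254/32
10 deny ip any 232.10.10.1/32 vlan 835
15 deny udp any 224.91.40.1/32 eq 2001 vlan 835
"""

ACE = re.compile(r"^(\d+)\s+(permit|deny)\s+(ip|udp)\s+(\S+)\s+(\S+)"
                 r"(?:\s+eq\s+(\d+))?(?:\s+vlan\s+(\d+))?")

def to_net(token):
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False normalises like the switch: 232.0.0.0/4 is really 224.0.0.0/4,
    # so ACEs 3 and 4 duplicate ACEs 1 and 2.
    return ipaddress.ip_network(token, strict=False)

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if m:
            seq, action, proto, src, dst, port, vlan = m.groups()
            entries.append((int(seq), action, proto, to_net(src), to_net(dst),
                            int(port) if port else None, int(vlan) if vlan else None))
    return entries

def match(entries, pkt):
    """First matching ACE as (seq, action); (None, 'deny') is the implicit deny."""
    for seq, action, proto, src, dst, port, vlan in entries:
        if proto == "udp" and pkt["proto"] != "udp":
            continue
        if (ipaddress.ip_address(pkt["src"]) not in src
                or ipaddress.ip_address(pkt["dst"]) not in dst):
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        if vlan is not None and pkt.get("vlan") != vlan:
            continue
        return seq, action
    return None, "deny"

def forward(bindings, entries, pkt):
    """bindings: directions the ACL is bound on the port; pkt['dir'] is 'in' or 'out'."""
    if pkt["dir"] not in bindings:
        return None, "permit"  # assumption: no ACL is evaluated in an unbound direction
    return match(entries, pkt)

ACL = parse_acl(ACL_TEXT)
# Constructed flows: a video stream leaving toward the remote site, and a unicast flow.
STREAM = {"src": "10.235.0.10", "dst": "232.10.10.1", "proto": "udp",
          "dport": 5000, "vlan": 835, "dir": "out"}
UNICAST = {"src": "10.235.0.10", "dst": "10.235.0.1", "proto": "tcp",
           "vlan": 835, "dir": "out"}
```

With the ACL bound only inbound, as in the first post, the outbound stream is never evaluated; once it is also bound outbound, ACE 1 drops the stream, and the implicit deny drops every other outbound flow as well.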
