[All About Switches] The Multicast Traffic Suppression Configuration of a Switch Does Not Take Effect on Downstream Receivers

Involved Products and Versions

All switches that support Layer 3 multicast

Networking

As shown in Figure 1-1, a user wants to configure ACL 3152 on the upstream SwitchA so that the downstream receivers corresponding to VLAN 152 can access only the multicast traffic allowed in ACL 3152.

Figure 1-1 Networking diagram for the fault that the multicast traffic suppression configuration of a switch does not take effect on downstream receivers

Fault Symptom

The receivers can still receive multicast traffic beyond ACL 3152. The suppression configuration issued by the upstream network on the downstream receivers does not take effect.

Cause Analysis

Check the configuration on SwitchA.

#
acl number 3152
 rule 0 permit ip destination 239.0.101.2 0
 rule 1 permit ip destination 239.0.102.2 0
 rule 2 permit ip destination 239.100.103.8 0
 rule 3 permit ip destination 239.0.103.2 0
 rule 4 permit ip destination 239.100.102.25 0
 rule 5 permit ip destination 239.0.104.2 0
 rule 9998 permit ospf
 rule 9999 permit icmp
 rule 10000 deny ip
#
interface Vlanif152
 ip address 10.101.59.134 255.255.255.252
 pim sm
 pim join-policy 3152

According to the preceding configuration, the pim join-policy command checks only the joined multicast group address segments in the PIM Join packets, but does not check other Layer 3 protocol numbers. In this case, the rule 9998 permit ospf and rule 9999 permit icmp rules are equivalent to the rule permit all rule for the pim join-policy command. As a result, the multicast group to be filtered out matches rule 9998 in priority and is not filtered out. Therefore, the downstream receivers can still receive all multicast traffic.

Troubleshooting Procedure

                          Step 1     Run the pim join-policy command on the corresponding VLANIF interface, and create an ACL that contains only multicast group addresses but no protocol number. In this way, the multicast group address range is limited to solve the problem.

Assume that the new ACL is 3153. The configuration is as follows:

#
acl number 3153       
 rule 0 permit ip destination 239.0.101.2 0
 rule 1 permit ip destination 239.0.102.2 0
 rule 2 permit ip destination 239.100.103.8 0
 rule 3 permit ip destination 239.0.103.2 0
 rule 4 permit ip destination 239.100.102.25 0
 rule 5 permit ip destination 239.0.104.2 0
 rule 10000 deny ip
#
interface Vlanif152
 ip address 10.101.59.134 255.255.255.252
 pim sm
 pim join-policy 3153

----End