[All About Switches] The Multicast Traffic Suppression Configuration of a Switch Does Not Take Effect on Downstream Receivers

Latest reply: Mar 9, 2018 00:38:47

Involved Products and Versions

All switches that support Layer 3 multicast

Networking

As shown in Figure 1-1, a user wants to configure ACL 3152 on the upstream SwitchA so that the downstream receivers corresponding to VLAN 152 can access only the multicast traffic allowed in ACL 3152.

Figure 1-1 Networking diagram for the fault that the multicast traffic suppression configuration of a switch does not take effect on downstream receivers


Fault Symptom

The receivers can still receive multicast traffic beyond ACL 3152. The suppression configuration issued by the upstream network on the downstream receivers does not take effect.

Cause Analysis

Check the configuration on SwitchA.

#
acl number 3152
 rule 0 permit ip destination 239.0.101.2 0
 rule 1 permit ip destination 239.0.102.2 0
 rule 2 permit ip destination 239.100.103.8 0
 rule 3 permit ip destination 239.0.103.2 0
 rule 4 permit ip destination 239.100.102.25 0
 rule 5 permit ip destination 239.0.104.2 0
 rule 9998 permit ospf
 rule 9999 permit icmp
 rule 10000 deny ip
#
interface Vlanif152
 ip address 10.101.59.134 255.255.255.252
 pim sm
 pim join-policy 3152

According to the preceding configuration, the pim join-policy command checks only the multicast group addresses carried in PIM Join packets and does not check other Layer 3 protocol numbers. In this case, rule 9998 permit ospf and rule 9999 permit icmp are equivalent to a permit-all rule for the pim join-policy command. As a result, a multicast group that should be filtered out matches rule 9998 first and is not filtered out. Therefore, the downstream receivers can still receive all multicast traffic.

Troubleshooting Procedure

Step 1  Run the pim join-policy command on the corresponding VLANIF interface, and create an ACL that contains only multicast group addresses but no protocol number. In this way, the multicast group address range is limited to solve the problem.

Assume that the new ACL is 3153. The configuration is as follows:

#
acl number 3153       
 rule 0 permit ip destination 239.0.101.2 0
 rule 1 permit ip destination 239.0.102.2 0
 rule 2 permit ip destination 239.100.103.8 0
 rule 3 permit ip destination 239.0.103.2 0
 rule 4 permit ip destination 239.100.102.25 0
 rule 5 permit ip destination 239.0.104.2 0
 rule 10000 deny ip
#
interface Vlanif152
 ip address 10.101.59.134 255.255.255.252
 pim sm
 pim join-policy 3153

----End
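
The following check is an added example, not part of the original post or of any vendor tool. It models the join-policy behaviour described above (only the group address is compared, so a permit rule without a destination matches every group) and flags such rules in any ACL referenced by pim join-policy. It assumes rules are evaluated in ascending rule-ID order with first match winning; the function names are hypothetical.

```python
import ipaddress
import re

# Trimmed copy of the post's ACL 3152 (faulty) and ACL 3153 (corrected).
CONFIG = """\
acl number 3152
 rule 0 permit ip destination 239.0.101.2 0
 rule 1 permit ip destination 239.0.102.2 0
 rule 9998 permit ospf
 rule 9999 permit icmp
 rule 10000 deny ip
acl number 3153
 rule 0 permit ip destination 239.0.101.2 0
 rule 1 permit ip destination 239.0.102.2 0
 rule 10000 deny ip
interface Vlanif152
 pim join-policy 3152
"""
RULE = re.compile(r"rule (\d+) (permit|deny) \S+(?: destination (\S+) (\S+))?")

def to_int(value):
    """Accept the short wildcard form ("0") as well as dotted quads."""
    return int(value) if value.isdigit() else int(ipaddress.IPv4Address(value))

def parse_acls(text):
    """Return {acl_number: [(rule_id, action, dest, wildcard), ...]} in rule-ID order."""
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"acl number (\d+)", line):
            current = acls.setdefault(int(m[1]), [])
        elif current is not None and (m := RULE.fullmatch(line)):
            current.append((int(m[1]), m[2], m[3], m[4]))
        else:
            current = None  # left the ACL view
    return {n: sorted(r, key=lambda x: x[0]) for n, r in acls.items()}

def join_verdict(rules, group):
    """First match wins (assumed order); a rule with no destination matches every group."""
    g = to_int(group)
    for rule_id, action, dest, wildcard in rules:
        if dest is None or ((g ^ to_int(dest)) & ~to_int(wildcard) & 0xFFFFFFFF) == 0:
            return action, rule_id
    return "no-match", None

def audit_join_policies(text):
    """Map each ACL used by 'pim join-policy' to its permit rules that lack a destination."""
    acls = parse_acls(text)
    return {int(n): [r[0] for r in acls.get(int(n), []) if r[1] == "permit" and r[2] is None]
            for n in re.findall(r"pim join-policy (\d+)", text)}
```

For a group outside the permitted list, such as the constructed address 239.1.1.1, join_verdict returns ("permit", 9998) against ACL 3152 and ("deny", 10000) against ACL 3153; audit_join_policies(CONFIG) reports rules 9998 and 9999 for ACL 3152.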


gululu
Admin Created Mar 9, 2018 00:38:47

Thanks for sharing!

Come on!
