How to block all multicast traffic on port?


Userlevel 3
Hi everybody!
My question is: which is the most efficient way to block all ingress multicast traffic on a port?

9 replies

Userlevel 6
The simplest method would be creating an ACL.

Apply the following ACL on the ports or VLANs.

entry BlkMcast {
    if {
        destination-address 224.0.0.0/4;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

This will also block 244.0.0.x multicasts; if you have OSPF or any other routing protocol running, you might need to permit that before this block statement.
Userlevel 3
OscarK wrote:

The simplest method would be creating an ACL.

Apply the following ACL on the ports or VLANs.

entry BlkMcast {
    if {
        destination-address 224.0.0.0/4;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

This will also block 244.0.0.x multicasts; if you have OSPF or any other routing protocol running, you might need to permit that before this block statement.

Thank you!
Userlevel 3
OscarK wrote:

The simplest method would be creating an ACL.

Apply the following ACL on the ports or VLANs.

entry BlkMcast {
    if {
        destination-address 224.0.0.0/4;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

This will also block 244.0.0.x multicasts; if you have OSPF or any other routing protocol running, you might need to permit that before this block statement.

If the switch is L2 only, or you need to block multicast within the VLAN, then a MAC address filter for the multicast bit in the MAC address would be needed (or, more simply, block any MAC address starting with 01, which has the useful side effect of not blocking broadcast traffic too).

So an ACL that looked like this might be better:

entry BlockL2Mcast {
    if {
        ethernet-destination-address 01:00:00:00:00:00 mask ff:00:00:00:00:00;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

However, as others have said, this will break OSPF, VRRP, HSRP and a lot of IPv6. You'd be better off not doing this unless there's a very good reason.

Paul.
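To see what each of the ACL match rules in this thread would actually catch before applying one, here is an added example that is not from the thread or from ExtremeXOS itself: it evaluates the 224.0.0.0/4 rule, the 01:00:00:00:00:00 mask ff:00:00:00:00:00 rule, and the multicast-bit variant against constructed sample frames (OSPF, VRRP, mDNS, IPv6 NDP, broadcast ARP, unicast). The `evaluate` function, the rule names and the sample frame list are my own assumptions.

```python
# Added example (not from the thread): evaluate the thread's ACL match rules
# against constructed sample frames to see what each rule would deny.
import ipaddress

IPV4_MCAST = ipaddress.ip_network("224.0.0.0/4")


def ipv4_to_mcast_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its 01:00:5e MAC (RFC 1112, low 23 bits)."""
    b = ipaddress.ip_address(ip).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def matches_l3_rule(dst_ip: str) -> bool:
    """Entry BlkMcast: destination-address 224.0.0.0/4 (IPv4 only)."""
    addr = ipaddress.ip_address(dst_ip)
    return addr.version == 4 and addr in IPV4_MCAST


def matches_prefix01_rule(dst_mac: str) -> bool:
    """Entry BlockL2Mcast: first MAC octet == 0x01 (mask ff:00:00:00:00:00)."""
    return int(dst_mac.split(":")[0], 16) == 0x01


def matches_mcast_bit_rule(dst_mac: str) -> bool:
    """Variant from the thread: the I/G (multicast) bit of the first octet."""
    return int(dst_mac.split(":")[0], 16) & 0x01 == 0x01


# Constructed sample frames: (label, destination MAC, destination IP or None)
SAMPLE_FRAMES = [
    ("OSPF hello", ipv4_to_mcast_mac("224.0.0.5"), "224.0.0.5"),
    ("VRRP advert", ipv4_to_mcast_mac("224.0.0.18"), "224.0.0.18"),
    ("mDNS", ipv4_to_mcast_mac("224.0.0.251"), "224.0.0.251"),
    ("IPv6 NDP (all-nodes)", "33:33:00:00:00:01", "ff02::1"),
    ("ARP request (broadcast)", "ff:ff:ff:ff:ff:ff", None),
    ("unicast HTTP", "00:11:22:33:44:55", "192.0.2.10"),
]


def evaluate(frames=SAMPLE_FRAMES) -> dict:
    """Return, per rule, the labels of the sample frames it would deny."""
    result = {"l3_224/4": [], "mac_prefix_01": [], "mac_mcast_bit": []}
    for label, mac, ip in frames:
        if ip is not None and matches_l3_rule(ip):
            result["l3_224/4"].append(label)
        if matches_prefix01_rule(mac):
            result["mac_prefix_01"].append(label)
        if matches_mcast_bit_rule(mac):
            result["mac_mcast_bit"].append(label)
    return result


if __name__ == "__main__":
    for rule, denied in evaluate().items():
        print(f"{rule}: denies {denied}")
```

Run it and compare the three lists: the OSPF and VRRP frames appear under every rule, which is why a permit entry for those groups has to sit before the deny, and the mask choice decides whether IPv6 and broadcast frames are swept up as well.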
Userlevel 6
OscarK wrote:

The simplest method would be creating an ACL.

Apply the following ACL on the ports or VLANs.

entry BlkMcast {
    if {
        destination-address 224.0.0.0/4;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

This will also block 244.0.0.x multicasts; if you have OSPF or any other routing protocol running, you might need to permit that before this block statement.

No, even if the switch is L2 you can block on destination-address.
Userlevel 3
OscarK wrote:

The simplest method would be creating an ACL.

Apply the following ACL on the ports or VLANs.

entry BlkMcast {
    if {
        destination-address 224.0.0.0/4;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

This will also block 244.0.0.x multicasts; if you have OSPF or any other routing protocol running, you might need to permit that before this block statement.

Yes. That's exactly what I need.
Userlevel 5
You could create a Policy that tells the port to drop Multicast traffic, but why would you want to? A lot of essential network services, routing protocols (OSPF, RIP, etc.), network services like DHCP, IGMP, VRRP, link-local name resolution, and video and audio conferencing rely on Multicast traffic to efficiently get packets around your network. And if configured rightly, Multicast traffic can potentially only account for a fraction of network traffic.
Userlevel 3
Kawawa wrote:

You could create a Policy that tells the port to drop Multicast traffic, but why would you want to? A lot of essential network services, routing protocols (OSPF, RIP, etc.), network services like DHCP, IGMP, VRRP, link-local name resolution, and video and audio conferencing rely on Multicast traffic to efficiently get packets around your network. And if configured rightly, Multicast traffic can potentially only account for a fraction of network traffic.

We decided to do it because we found strange multicast activity in our network. We are going to block all multicast traffic from particular segments for diagnostics.
Userlevel 4
Is it a duplicate thread?

https://community.extremenetworks.com/extreme/topics/how_to_block_multicast_traffic_in_specific_vlan
Userlevel 3
Not exactly. It was about a specific vlan.

I'm thinking there might be a better way to block multicast traffic on a port, with the help of disabling multicast flooding, ingress rate-limiting, or something like that.
