How to block all multicast traffic on port?

eyeV
New Contributor III
Hi everybody!
My question is: which is the most efficient way to block all ingress multicast traffic on a port?

OscarK
Extreme Employee
The simplest method would be creating an ACL.

Apply the following ACL on the ports or vlans.

entry BlkMcast {
    if {
        destination-address 224.0.0.0/4;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

This will also block 244.0.0.x multicasts; if you have OSPF or any other routing protocol running, you might need to permit that before this block statement.

OscarK
Extreme Employee
No, even if the switch is L2 you can block on destination-address.

Paul_Thornton
New Contributor III
If the switch is L2 only, or you need to block multicast within the VLAN, then a MAC address filter for the multicast bit in the MAC address would be needed (or, more simply, block any MAC address starting 01 - which has the useful side effect of not blocking broadcast traffic too).

So an ACL that looked like this might be better:

entry BlockL2Mcast {
    if {
        ethernet-destination-address 01:00:00:00:00:00 mask ff:00:00:00:00:00;
    }
    then {
        deny;
        count BlockedMcast;
    }
}

However, as others have said, this will break OSPF, VRRP, HSRP and a lot of IPv6. You'd be better off not doing this unless there's a very good reason.

Paul.
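
How the match conditions discussed in this thread select frames, as an added example that is not part of any poster's reply: a Python model of the masked comparisons, not switch configuration. The sample frames are constructed and the function names are hypothetical; the group-bit mask (01:00:00:00:00:00 under mask 01:00:00:00:00:00) is modelled alongside the two posted entries.

```python
import ipaddress

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def mac_match(dst, value, mask):
    """Masked compare: only bits set in the mask are compared."""
    m = mac_to_int(mask)
    return mac_to_int(dst) & m == mac_to_int(value) & m

def ipv4_mcast_mac(group):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group."""
    raw = (0x01005E << 24) | (int(ipaddress.IPv4Address(group)) & 0x7FFFFF)
    return ":".join(f"{(raw >> s) & 0xFF:02x}" for s in range(40, -8, -8))

def classify(dst_mac, dst_ipv4=None):
    """Which of the thread's match conditions select this frame."""
    in_224 = (dst_ipv4 is not None and
              ipaddress.ip_address(dst_ipv4) in ipaddress.ip_network("224.0.0.0/4"))
    return {
        "ip_224/4": in_224,
        "mac_first_octet_01": mac_match(dst_mac, "01:00:00:00:00:00", "ff:00:00:00:00:00"),
        "mac_group_bit": mac_match(dst_mac, "01:00:00:00:00:00", "01:00:00:00:00:00"),
    }

# Constructed sample frames: (label, destination MAC, IPv4 destination or None)
SAMPLES = [
    ("OSPF AllSPFRouters", ipv4_mcast_mac("224.0.0.5"), "224.0.0.5"),
    ("VRRP", ipv4_mcast_mac("224.0.0.18"), "224.0.0.18"),
    ("SSDP", ipv4_mcast_mac("239.255.255.250"), "239.255.255.250"),
    ("STP BPDU (no IP header)", "01:80:c2:00:00:00", None),
    ("IPv6 all-nodes ff02::1", "33:33:00:00:00:01", None),
    ("IPv4 broadcast", "ff:ff:ff:ff:ff:ff", "255.255.255.255"),
    ("Unicast", "00:11:22:33:44:55", "192.0.2.10"),
]

if __name__ == "__main__":
    for label, mac, ip in SAMPLES:
        hits = [name for name, hit in classify(mac, ip).items() if hit]
        print(f"{label:26} {mac}  matched by: {', '.join(hits) or 'none'}")
```

In this model the IPv6 all-nodes frame (33:33:...) and the broadcast frame are selected only by the group-bit mask, while the STP BPDU is selected by both MAC matches but not by the IP prefix.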

eyeV
New Contributor III
Thank you!