Blocking outbound multicast video streams on a Cisco L3 switch

Started by Gunter, January 18, 2024, 03:56:39 AM


Gunter

I am trying to block all outgoing multicast streams on my edge switch, a Nexus 3K. The port is connected to a remote location and is a trunk port. I have devices receiving video streams inside my network through this port and I need to keep that working, while only stopping the devices at the remote location from taking video streams from my network. I tried to accomplish this using access lists.

1- I created an access list as below:

IP access list remote-location
10 deny ip any 232.10.10.1/32 vlan 835
11 deny ip any 224.52.74.17/32 vlan 835
12 deny ip any 224.2.42.17/32 vlan 835
13 deny ip any 224.2.42.16/32 vlan 835
14 deny ip any 224.2.51.60/32 vlan 835
15 deny udp any 224.91.40.1/32 eq 2001 vlan 835
16 deny udp any 224.91.40.2/32 eq 2003 vlan 835
17 deny udp any 224.91.40.4/32 eq 2007 vlan 835

I applied it in the inward direction on the port as below:

interface Ethernet1/7
description **connected to remote-location**
ip access-group remote-location in
no lldp transmit
no lldp receive
switchport mode trunk
switchport trunk native vlan 835
switchport trunk allowed vlan 835,837
load-interval counter 1 5
load-interval counter 2 5

My interface outgoing traffic rate is not dropping.

input rate 1.68 Gbps, 154.36 Kpps; output rate 1.80 Gbps, 193.82 Kpps  <-- expecting to see the output rate at almost zero

Can anyone please help me to achieve this?

icecream-guy

This may be the problem:

here
I applied it in the inward direction on the port as below:

and here
My interface outgoing traffic rate is not dropping.



Seems your ACL is blocking inbound but allowing outbound...  I'd recheck that.


My Moral Fibers have been cut.

Gunter

Because the source is any and the destination is the multicast IP that the user at the remote location is accessing to get the stream, which is outgoing traffic on the port. Also:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/93x/b-cisco-nexus-3000-nx-os-security-configuration-guide-93x/b-cisco-nexus-3000-nx-os-security-configuration-guide-93x_chapter_01000.html#task_1274985
Quote:
Applying an IP ACL as a Port ACL
Applies an IPv4 ACL to the interface or PortChannel. Only inbound filtering is supported with port ACLs


So even though it lets you apply " ip access-group roystream out" it's going to do nothing.

deanwebb

An inward ACL, though, won't do anything for outbound traffic. But that's not your requirement: you're asking to stop inbound multicast traffic on that port. Outbound traffic on that port is not impacted, nor is it in the problem statement.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Gunter

I was expecting that the listener hosts would be blocked in the inward direction when hitting the rule

"1 deny ip any 224.0.0.0/4 log"

The listener hosts at the remote location are accessing the network through this port to get the streams. So, I thought blocking their request to get the stream would stop the traffic in the outbound direction. But it appears to me now that the video streams are already flooding in the outward direction on the port before the listener even requests them (since it is using multicast dense mode). I will try to apply the ACL in the input direction on another port facing the distribution switches and see if it works. Thanks for your thoughts.



deanwebb

Listening is a passive activity: it's waiting for the traffic to arrive without soliciting it. So if those videos are coming over, the listeners will listen in.

Gunter

Yes, this might be my issue. Since this Nexus model doesn't filter in the outward direction, I have to apply the ACL on the other port. Thanks all for your thoughts.
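The direction point the thread arrives at, as an added model that is not from the thread or from Cisco: a small Python evaluator of two of the posted ACL entries that applies a port ACL only to packets entering the port it is bound to, and compares binding it to Ethernet1/7 against binding it to the distribution-facing uplink. The uplink name Ethernet1/1, the stream source address and the closing permit entry are assumptions.

```python
import ipaddress

# Two of the ACEs posted in the thread, plus a closing permit. The permit is an
# assumption: NX-OS ends every IP ACL with an implicit deny, so without one all
# inbound traffic on the trunk would be dropped, not just the multicast groups.
REMOTE_LOCATION_ACL = [
    "10 deny ip any 232.10.10.1/32 vlan 835",
    "15 deny udp any 224.91.40.1/32 eq 2001 vlan 835",
    "20 permit ip any any",
]

def parse_ace(line):
    """Parse a simplified NX-OS ACE: seq action proto src dst [eq port] [vlan id]."""
    tok = line.split()
    ace = {"action": tok[1], "proto": tok[2], "src": tok[3], "dst": tok[4],
           "dport": None, "vlan": None}
    for key, val in zip(tok[5::2], tok[6::2]):
        if key == "eq":
            ace["dport"] = int(val)
        elif key == "vlan":
            ace["vlan"] = int(val)
    return ace

def matches(ace, pkt):
    def in_net(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return ((ace["proto"] == "ip" or ace["proto"] == pkt["proto"])
            and in_net(ace["src"], pkt["src"]) and in_net(ace["dst"], pkt["dst"])
            and (ace["dport"] is None or ace["dport"] == pkt.get("dport"))
            and (ace["vlan"] is None or ace["vlan"] == pkt["vlan"]))

def acl_permits(acl_lines, pkt):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"] == "permit"
    return False

def forwarded_to_remote(pkt, ingress_port, acl_port, acl_lines):
    """Port ACL model: the ACL filters only packets entering acl_port. A stream
    entering on ingress_port and flooded out Ethernet1/7 is evaluated only when
    the ACL is bound to ingress_port; egress on Ethernet1/7 is never filtered."""
    if acl_port == ingress_port:
        return acl_permits(acl_lines, pkt)
    return True

# Constructed sample: an internal source (assumed address) sending to 232.10.10.1
# on VLAN 835, entering on the distribution-facing uplink (assumed Ethernet1/1).
STREAM = {"src": "10.20.30.40", "dst": "232.10.10.1", "proto": "udp", "dport": 5004, "vlan": 835}
```

With the ACL bound to Ethernet1/7, `forwarded_to_remote(STREAM, "Ethernet1/1", "Ethernet1/7", REMOTE_LOCATION_ACL)` returns True because the stream only leaves that port; bound to Ethernet1/1 it returns False because the stream is evaluated as it enters the switch.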