ACL and Multicast


(Shannon W) #1

How do you apply ACLs to deny multicast traffic? I am currently using extended but believe standard ACLs will work better.


(Lazaros Agapides) #2

Hello Shannon.

If you want to block multicast traffic based on the source multicast address, then yes, standard ACLs will do fine. However, remember that standard ACLs should be placed as close as possible to the source. When that source is a multicast source, it is a little trickier to determine where to place the ACL because there can be multiple sources. If you want to deny multicast traffic to a specific destination, then an extended would be a better solution, and in this case, it should be placed as close to the destination as possible.

Always keep in mind that an ACL that is applied to an interface on a specific router will NEVER filter traffic generated by itself.

I hope this has been helpful!

Laz


(Shannon W) #3

Understood… I guess I was mistaken about ACLs. For some reason I thought standard ACLs should be placed close to the destination and extended should be placed close to the source, since extended ACLs can filter based on source, destination, and type. What about IGMP filtering? Could this work, or will this only block join requests?


(Lazaros Agapides) #4

Hello Shannon

My sincere apologies!! It is the other way around. Standard should be placed as close as possible to the destination while extended should be placed as close as possible to the source. You are correct.

Sometimes the brain just short circuits… It happens…

As for the IGMP filtering, it will block whatever IP addresses are in the range, whether that is a join request or the actual multicast traffic. Again keep in mind that traffic generated by the router itself will not be filtered by ACLs configured on the same router.

I apologise once again!

I hope this has been helpful.

Laz
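
An added Cisco IOS configuration sketch, not part of the original thread, showing the two placements the thread settles on: an extended ACL near the source and a standard ACL used as an IGMP filter near the receivers. The group range 239.1.1.0/24, the ACL name and number, and the interface names are assumptions chosen for illustration.

```cisco
! Constructed example: addresses, ACL identifiers and interfaces are assumptions.
!
! Extended ACL: can match on destination, so it can name the multicast
! group range directly. Applied inbound on the interface facing the
! multicast source, i.e. as close to the source as possible.
ip access-list extended DENY-MCAST-239-1-1
 deny   ip any 239.1.1.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1
 description Facing multicast source
 ip access-group DENY-MCAST-239-1-1 in
!
! Standard ACL used as an IGMP filter: its entries are compared with the
! group address in IGMP membership reports received on the interface.
! Applied on the receiver-facing interface, i.e. close to the destination.
access-list 10 deny   239.1.1.0 0.0.0.255
access-list 10 permit 224.0.0.0 15.255.255.255
!
interface GigabitEthernet0/2
 description Facing receivers
 ip igmp access-group 10
```

The extended ACL names one group range rather than all of 224.0.0.0/4, because an inbound ACL also drops link-local control traffic such as OSPF hellos to 224.0.0.5 that arrives on that interface. `show ip access-lists` shows the per-entry match counters, and `show ip igmp interface` shows which access group is applied.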