Multicast MSDP SA (Source Active) Filtering

This topic is to discuss the following lesson:

Hi Rene,

I think this topic should also be put in CCIE R/S since it's on the CCIE blueprint, not only under written…just a suggestion

Hello Samer

Thanks for the suggestion! @ReneMolenaar will take a look when he gets a chance.

Thanks again!


Hi Rene
I am really confused about this. Since R1 is connected to R2 via the internet, can MSDP establish peering through a global network that does not have multicast routing enabled, like the internet? And can we send multicast traffic from one site to another site through the internet without using a VPN?
Thank you

Hello Heng

The important thing to note here is that multicast mechanisms are not being employed over the Internet itself. MSDP allows for two edge routers to share multicast information such that multicast traffic can be sent between them. Such multicast traffic is sent using PIM Sparse Mode, which means that multicast traffic traversing the internet is sent to the RP that is at the edge of the other autonomous system and is being used as the specific “next hop” of the multicast traffic. Remember, the RP knows about all the sources and receivers for any particular multicast group.

Note that no intervening routers on the Internet are employing multicast mechanisms.

More about MSDP can be found here:

I hope this has been helpful!


Hello René,

Great work, thank you.
I had a problem with your ACL that also matches the source address deny ip any; with this entry the filter will not work because the source is using segment. Could you confirm that, please?

Hello Zouhair

You don’t necessarily have to choose to filter all private addresses, you can filter only some, whichever ones you choose. Typically MSDP is used on a network where you have multiple LANs connected to each other through private WANs. It is over that private WAN that you would want to filter out some addresses, possibly the ones that you wouldn’t want to send over the WAN for purposes of saving bandwidth.

So although the example uses the private address space, it would not necessarily be so in a production network.

I hope this has been helpful!