At 04:12 AM 6/5/2013 Wednesday, Phil Mayers remarked:
> On 03/06/13 21:44, Tim Stevenson wrote:
>> At 01:08 PM 6/3/2013 Monday, Phil Mayers clamored:
>>> How can I accomplish the equivalent of the "boundary" on NX-OS 5.2 for
>>> N7k, given it lacks the command? Does one just use a normal ACL, and
>>> if so, are there any caveats to doing so e.g. does "boundary" do
>>> *other* things that a plain ACL would miss?
>>
>> In n7k, you must use a combination of control plane & data plane
>> filtering to get the equivalent functionality of multicast boundary.
>> For data plane, it's nothing more than ip access-group with matches on
>> multicast traffic.
>
> Just to say, this does all work, but it takes a
> few minutes to kick in - if you add the
> data-plane ACL then "clear ip mroute", the
> routes just reappear. They die off a few minutes
> later - presumably something hardware-related.

This is expected. 'clear ip mroute' on n7k clears
the MRIB & everything 'below' it (down to the
hardware). The MRIB then immediately queries all
its clients for multicast state - i.e., PIM, IGMP,
MSDP, which repopulates the MRIB (and thus the h/w).
You can clear the state of each client with
commands like "clear ip pim route", "clear ip igmp route" etc.

> Can't say I'm loving the NX-OS CLI paradigm for
> this particular feature though - having to merge
> the unicast and multicast ACEs is a pain,

As you can imagine, there was considerable debate
about the pros/cons. Main reasons we went this
way vs multicast boundary à la c6k:
- clear separation of control plane vs data plane filtering
- granular per-protocol filtering control
- deterministic behavior across reboots (no order-dependent ACL merge)

> absent any templating/"include other ACL" functionality :o(

You might be able to do some stuff with object groups here? E.g.:

tstevens-7010-2# sh ip access example
IP access list example
10 permit udp any addrgroup multicast-ranges
20 permit ip any 1.1.1.1/32
30 deny ip any any
tstevens-7010-2# sh object-group multicast-ranges
IPv4 address object-group multicast-ranges
10 239.0.0.0/8
20 225.1.1.0/24
tstevens-7010-2#

Note this is just a config 'convenience', TCAM
consumption is based on the expansion of the ACEs in your object groups.
Hope that helps,
Tim
Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
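Tim's closing point, that TCAM consumption follows the expansion of the object-group ACEs rather than the number of lines you typed, can be checked before a change is pushed. The calculator below is an added example, not code from the thread or from Cisco: it parses the `show ip access-list` and `show object-group` output quoted above (embedded as a constructed sample) and expands every `addrgroup` reference into the concrete ACEs the hardware will hold, so a group used for both source and destination expands to the product of the two member counts.

```python
import re

# Constructed sample, copied from the ACL and object-group shown in the thread.
ACL_TEXT = """\
IP access list example
10 permit udp any addrgroup multicast-ranges
20 permit ip any 1.1.1.1/32
30 deny ip any any
"""

GROUP_TEXT = """\
IPv4 address object-group multicast-ranges
10 239.0.0.0/8
20 225.1.1.0/24
"""


def parse_object_groups(text):
    """Parse 'show object-group' output into {group_name: [prefix, ...]}."""
    groups, current = {}, None
    for line in text.splitlines():
        header = re.match(r"IPv4 address object-group (\S+)", line)
        if header:
            current = header.group(1)
            groups[current] = []
            continue
        member = re.match(r"\s*\d+\s+(\S+/\d+)", line)
        if member and current:
            groups[current].append(member.group(1))
    return groups


def expand_acl(acl_text, groups):
    """Return one concrete ACE string per TCAM entry the ACL will consume."""
    expanded = []
    for line in acl_text.splitlines():
        ace = re.match(r"\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$", line)
        if not ace:
            continue  # skip the 'IP access list NAME' header
        seq, action, proto, rest = ace.groups()
        tokens, variants, i = rest.split(), [[]], 0
        while i < len(tokens):
            if tokens[i] == "addrgroup":  # fan out: one variant per member prefix
                members = groups[tokens[i + 1]]  # KeyError on an undefined group
                variants = [v + [p] for v in variants for p in members]
                i += 2
            else:
                variants = [v + [tokens[i]] for v in variants]
                i += 1
        expanded.extend(f"{seq} {action} {proto} " + " ".join(v) for v in variants)
    return expanded
```

With the thread's three-line ACL the expansion yields four entries: line 10 becomes two ACEs, one per member of `multicast-ranges`.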