At 04:12 AM 6/5/2013  Wednesday, Phil Mayers remarked:
On 03/06/13 21:44, Tim Stevenson wrote:
At 01:08 PM 6/3/2013  Monday, Phil Mayers clamored:
How can I accomplish the equivalent of the "boundary" on NX-OS 5.2 for
N7k, given it lacks the command? Does one just use a normal ACL, and
if so, are there any caveats to doing so e.g. does "boundary" do
*other* things that a plain ACL would miss?

In n7k, you must use a combination of control plane & data plane
filtering to get the equivalent functionality of multicast boundary.

For data plane, it's nothing more than ip access-group with matches on
multicast traffic.

Just to say, this does all work, but it takes a few minutes to kick in - if you add the data-plane ACL then "clear ip mroute", the routes just reappear. They die off a few minutes later - presumably something hardware-related.

This is expected. 'clear ip mroute' on n7k clears the MRIB & everything 'below' it (down to the hardware). The MRIB then immediately queries all its clients for multicast state, i.e. PIM, IGMP, MSDP, which repopulates the MRIB (and thus the h/w).

You can clear the state of each client with commands like "clear ip pim route", "clear ip igmp route" etc.


Can't say I'm loving the NX-OS CLI paradigm for this particular feature though - having to merge the unicast and multicast ACEs is a pain,


As you can imagine, there was considerable debate about the pros/cons. Main reasons we went this way vs multicast boundary à la c6k:

- clear separation of control plane vs data plane filtering
- granular per-protocol filtering control
- deterministic behavior across reboots (no order-dependent ACL merge)


absent any templating/"include other ACL" functionality :o(

You might be able to do some stuff with object groups here? Eg:

tstevens-7010-2# sh ip access example

IP access list example
        10 permit udp any addrgroup multicast-ranges
        20 permit ip any 1.1.1.1/32
        30 deny ip any any
tstevens-7010-2# sh object-group multicast-ranges

IPv4 address object-group multicast-ranges
        10 239.0.0.0/8
        20 225.1.1.0/24
tstevens-7010-2#

Note this is just a config 'convenience'; TCAM consumption is based on the expansion of the ACEs in your object groups.


Hope that helps,
Tim

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
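Two things in Tim's reply invite a small tool: the ACL has to be assembled by hand from multicast and unicast ACEs (there is no "include other ACL"), and the TCAM cost is the expansion of the object groups, not the number of lines in the ACL. The script below is an added example, not code from the thread or from Cisco. It parses 'show object-group' output of the form shown above (the sample text is the output pasted from the message), renders one merged ip access-list with resequenced numbers, counts the expanded entries, and refuses a "boundary" ACE whose destination is not inside 224.0.0.0/4. The Ace class, function names and the ACL/group names are constructed for the example; the ACE syntax is rendered as it appears in the thread and nothing is pushed to a device.

```python
"""Merge multicast-boundary and unicast ACEs into one NX-OS style ACL and
estimate the TCAM expansion of object-group references.
Added example; names, sample data and helpers are constructed here."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

MCAST = ipaddress.ip_network("224.0.0.0/4")

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "udp", ...
    src: str      # "any", a prefix such as "10.0.0.0/8", or "addrgroup NAME"
    dst: str

# Constructed sample: 'show object-group' output in the format shown in the thread.
SHOW_OBJECT_GROUP = """\
IPv4 address object-group multicast-ranges
        10 239.0.0.0/8
        20 225.1.1.0/24
"""

_GROUP_HDR = re.compile(r"^IPv4 address object-group (\S+)")
_GROUP_ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s*$")

def parse_object_groups(text: str) -> Dict[str, List[str]]:
    """Parse 'show object-group' output into {group-name: [prefix, ...]}."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = _GROUP_HDR.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = _GROUP_ENTRY.match(line)
        if m and current is not None:
            groups[current].append(m.group(1))
    return groups

def _members(field: str, groups: Dict[str, List[str]]) -> List[str]:
    """Resolve an ACE address field to the prefixes it occupies after expansion."""
    if field.startswith("addrgroup "):
        name = field.split(None, 1)[1]
        if name not in groups:
            raise KeyError(f"object-group {name} is not defined")
        return groups[name]
    return [field]

def expand(aces: List[Ace], groups: Dict[str, List[str]]) -> List[Ace]:
    """One entry per source/destination combination (cross product when
    both sides reference a group): this is what consumes TCAM."""
    out: List[Ace] = []
    for a in aces:
        for s in _members(a.src, groups):
            for d in _members(a.dst, groups):
                out.append(Ace(a.action, a.proto, s, d))
    return out

def tcam_entries(aces: List[Ace], groups: Dict[str, List[str]]) -> int:
    return len(expand(aces, groups))

def check_multicast_boundary(aces: List[Ace], groups: Dict[str, List[str]]) -> None:
    """Every destination of a boundary ACE must lie inside 224.0.0.0/4; a typo
    such as 23.0.0.0/8 would silently filter unicast instead of multicast."""
    for a in expand(aces, groups):
        if a.dst == "any":
            raise ValueError(f"boundary ACE {a} matches every destination")
        net = ipaddress.ip_network(a.dst, strict=False)
        if not net.subnet_of(MCAST):
            raise ValueError(f"{a.dst} is not a multicast range")

def merge_acls(name: str, mcast_aces: List[Ace], ucast_aces: List[Ace],
               groups: Dict[str, List[str]], step: int = 10) -> str:
    """Render one ip access-list: multicast ACEs first, then the unicast
    policy, then an explicit deny so the final order is visible in config."""
    check_multicast_boundary(mcast_aces, groups)
    lines = [f"ip access-list {name}"]
    seq = step
    for a in list(mcast_aces) + list(ucast_aces) + [Ace("deny", "ip", "any", "any")]:
        lines.append(f"  {seq} {a.action} {a.proto} {a.src} {a.dst}")
        seq += step
    return "\n".join(lines)

if __name__ == "__main__":
    grp = parse_object_groups(SHOW_OBJECT_GROUP)
    mc = [Ace("permit", "udp", "any", "addrgroup multicast-ranges")]
    uc = [Ace("permit", "ip", "any", "1.1.1.1/32")]
    print(merge_acls("example", mc, uc, grp))
    print("TCAM entries after expansion:",
          tcam_entries(mc + uc + [Ace("deny", "ip", "any", "any")], grp))
```

With the sample group, the three-line ACL from the thread expands to four entries (two for the addrgroup ACE, one each for the host and the deny). Keep the multicast ACEs in their own list so the check only runs on the part that is meant to act as the boundary.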