boundary command to configure an administratively
scoped (user-defined) boundary on an interface in order to filter source
traffic coming into the interface and prevent mroute states from being created
on the interface.
An IP multicast
boundary enables reuse of the same multicast group address in different
A standard ACL is
used with the
boundary command to define the group address range
to be permitted or denied on an interface. An extended ACL is used with the
boundary to define (S, G) traffic to be permitted
or denied on an interface. Extended ACLs can also be used to define the (*, G)
state to be permitted or denied on an interface, by specifying
0.0.0.0 for the source address in the permit
statements that compose the extended ACL.
configure IP multicast boundaries for (S, G) traffic in an Any Source Multicast
(ASM) network environment-to ensure that the IP multicast boundaries function
properly-you must configure an extended ACL on routers along the rendezvous
point tree (RPT) that permits:
traffic by specifying the source and group address range in permit statements.
traffic by specifying
0.0.0.0 for the source address followed by the
group address or group address range in permit statements.
destined to the rendezvous point (RP) by including permit statements for (RP,
G), where the IP address of the RP is specified for the source followed by the
group address or group address range.
The IP multicast boundary
guideline for ASM applies only to the routers on the RPT from the last-hop
router to the RP. For routers on the RP-to-source branch, you need to define
only the (S, G) traffic in the extended ACL (by specifying the source and group
address range in permit statements).
configure IP multicast boundaries for (S, G) traffic in a Source Specific
Multicast (SSM) network environment, you need to define only the (S, G) traffic
to be permitted or denied on an interface in the extended ACL.
IP multicast boundaries
filter data and control plane traffic including IGMP, PIM Join and Prune, and
Auto-RP messages. The following messages are not filtered by IP multicast
messages are sent using multicast and not filtered.
PIM Hellos for
neighbor-ship to 126.96.36.199 are not filtered.
messages are not affected and PIM hellos on the local segment are not filtered.
To disallow PIM adjacency formation on each link, use the
neighbor-filter command in the interface or virtual network
interface configuration mode.
If you configure
keyword, the user-defined boundary also examines Auto-RP discovery and
announcement messages and removes any Auto-RP group range announcements from
the Auto-RP packets that are denied by the boundary ACL. An Auto-RP group range
announcement is permitted and passed by the boundary only if all addresses in
the Auto-RP group range are permitted by the boundary ACL. If any address is
not permitted, the entire group range is filtered and removed from the Auto-RP
message before the Auto-RP message is forwarded.
cannot be used with the
keyword because Auto-RP announcements do not contain source addresses.
In Cisco IOS
software releases that do not support the
the IP multicast boundary both filters source traffic coming into the interface
and prevents mroute states from being created on the interface.
In Cisco IOS
releases that support the
these keywords are used as follows:
in keyword is
used to filter source traffic coming into the interface.
is used to prevent mroute states from being created on an interface; that is,
it will prevent IGMP reports and PIM joins from creating mroutes states for
groups and channels denied by the boundary ACL, and the interface will not be
included in the outgoing interface list (OIL).
direction is not specified with the
boundary command, the IP multicast boundary both
filters source traffic coming into the interface and prevents mroute states
from being created on the interface.
In addition, the
following rules govern the use of the
keywords with the
support standard or extended ACLs for (S, G) filtering.
support standard or extended ACLs for SSM filtering.
can be configured on an interface.
ACLs are permitted with the use of the
In Cisco 7600
A deny any
statement at the end of the boundary ACL will cause all multicast boundaries
including the link local address in the range (188.8.131.52 - 184.108.40.206) to be
dropped in the hardware.
When the ip
access-list [filter-autorp] command is configured with an empty ACL,
it interferes in the proper functioning of Auto-RP in the hardware. Hence, it
is important to specify the address you want to allow or deny in the
In Cisco IOS XE
Release 3.2S and later releases, the
argument and keyword are no longer required with the
no form of
In Cisco IOS XE
Release 3.1S and earlier releases, the
boundary command must be configured with the ACL
keyword to remove the boundary ACL configuration.
A maximum of three
instances of an
boundary command is allowed on an interface: one
instance of the command with the
one instance of the command with the
and one instance of the command with or without the
source command to block all incoming multicast
traffic on an interface. However, this command allows the multicast traffic to
flow out the interface and allows any reserved multicast packets to flow in the
interface. This command is primarily used at first-hop routers to prevent local
hosts from functioning as multicast sources.
example shows how to set up an IP multicast boundary for all user-defined IPv4
multicast addresses by denying the entire user-defined IPv4 multicast address
space (220.127.116.11/8). All other Class D addresses are permitted (18.104.22.168/4).
access-list 1 deny 22.214.171.124 0.255.255.255
access-list 1 permit 126.96.36.199 188.8.131.52
interface ethernet 0
ip multicast boundary 1
example shows how to set up an IP multicast boundary in an SSM network
environment. In this example, the IP multicast boundary is configured to permit
mroute states for (172.16.2.201, 184.108.40.206) and (172.16.2.202, 220.127.116.11). All
other (S, G) traffic is implicitly denied.
ip access-list extended acc_grp1
permit ip host 172.16.2.201 host 18.104.22.168
permit ip host 172.16.2.202 host 22.214.171.124
interface ethernet 2/3
ip multicast boundary acc_grp1 out
example shows how to configure an IP multicast boundary in an ASM network
environment. In this example, the IP multicast boundary configuration on the
last-hop router is shown. The topology for this example is not illustrated;
however, assume that the IP address of the RP in this scenario is 10.1.255.104.
The IP multicast boundary is configured to filter outgoing IP multicast traffic
on Fast Ethernet interface 0/0. The boundary ACL used for the IP multicast
boundary in this scenario contains three permit statements:
permit statement specifies the (S, G) traffic to be permitted.
permit statement specifies the (RP, G) traffic to be permitted.
permit statement specifies the (*, G) traffic to be permitted.
outgoing multicast traffic on this interface is implicitly denied.
ip access-list extended bndry-asm-3
permit ip host 10.1.248.120 126.96.36.199 0.0.255.255
permit ip host 10.1.255.104 188.8.131.52 0.0.255.255
permit ip host 0.0.0.0 184.108.40.206 0.0.255.255
ip multicast boundary bndry-asm-3 out
example shows how to block the source of all incoming multicast traffic on the
Device# configure terminal
Device(config)# int GigabitEthernet0/0/0
Device(config-if)# ip multicast boundary block source