ACLs Applied to a Multicast Policy

Matching Principle of ACLs Applied to a Multicast Policy

When an ACL is applied to a multicast policy:

  • If a multicast route matches the permit rule, the action defined in the multicast policy is executed.
  • If a multicast route matches the deny rule, the action defined in the multicast policy is not executed.
  • If a multicast route does not match any rule, or the ACL does not exist, or there is no rule in the ACL, the multicast route is denied in most multicast policies. For detailed information, see Table 1.
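
Table 1 Default matching result of unmatched routes in a multicast policy

| Multicast Policy | ACL Matching Result | Processing Result of Policy |
|---|---|---|
| static-rp group-policy, c-rp group-policy | No rule in the ACL is matched. | The default action is permit (the RP provides services for the multicast group). |
| static-rp group-policy, c-rp group-policy | The ACL does not exist. | The default action is permit (the RP provides services for all the multicast groups 224.0.0.0/4). |
| static-rp group-policy, c-rp group-policy | There is no rule in the ACL. | The default action is permit (the RP provides services for all the multicast groups 224.0.0.0/4). |
| Multicast boundary policy | No rule in the ACL is matched. | The default action is deny (the multicast group address is not in the multicast boundary range). |
| Multicast boundary policy | The ACL does not exist or there is no rule in the ACL. | The default action is permit (all groups are in the multicast boundary range). |
| Other multicast policies | No rule in the ACL is matched. | The default action is deny (the action in the policy is not performed). |
| Other multicast policies | The ACL does not exist. | The default action is deny (the action in the policy is not performed). |
| Other multicast policies | There is no rule in the ACL. | The default action is deny (the action in the policy is not performed). |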

ACL Filter Options Supported by a Multicast Policy

When an ACL is applied to a multicast policy:

  • A basic ACL can be used to specify the range of source addresses (unicast addresses) or the range of multicast group addresses for multicast data packets and multicast protocol packets. A basic ACL applied to a multicast policy supports only the source and time-range parameters.
  • An advanced ACL applied to a multicast policy supports only two or three parameters:
    • Most multicast policies support only source, destination, and time-range.
    • A few multicast policies support only source and time-range.
    • Other multicast policies support only destination and time-range.

Named ACLs applied to multicast policies must be advanced ACLs. Otherwise, the ACLs do not take effect.

ACL Filter Options Not Supported by a Multicast Policy

A basic ACL applied to a multicast policy supports only the source and time-range parameters, and does not support other parameters, such as a destination IP address, VPN instance, and packet length.

An advanced ACL applied to a multicast policy supports only the source, destination, and time-range parameters, and does not support other parameters, such as a VPN instance and packet length.

If unsupported parameters are configured in a rule of an ACL that is applied to a multicast policy, the matching result for those parameters is permit by default.

Example 1

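In the following configuration, multicast FRR is enabled for all multicast entries: the second rule uses only packet-length, which a multicast policy does not support, so that rule matches as permit by default.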

<HUAWEI> system-view
[~HUAWEI] acl name frracl
[*HUAWEI-acl4-advance-frracl] rule permit ip source 10.0.0.1 0 destination 226.0.0.1 0
[*HUAWEI-acl4-advance-frracl] rule permit ip packet-length eq 65535
[*HUAWEI-acl4-advance-frracl] commit
[~HUAWEI-acl4-advance-frracl] quit
[~HUAWEI] multicast routing-enable
[~HUAWEI] pim
[*HUAWEI-pim] rpf-frr policy acl-name frracl
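
The following Python model is an added example, not Huawei code or part of the original page. It evaluates the two rules from Example 1 the way the sections above describe and flags rules whose only filters are unsupported options. Assumptions: rules are checked in configuration order with the first match winning, time-range is treated as always active, the rpf-frr policy falls under the "Other multicast policies" row of Table 1, and the function names and the sample addresses in the demo are hypothetical.

```python
import ipaddress

SUPPORTED = {"source", "destination", "time-range"}   # advanced ACL, per the page
ARITY = {"source": 2, "destination": 2, "packet-length": 2,
         "time-range": 1, "vpn-instance": 1}           # tokens after each keyword

def parse_rule(line):
    """'rule permit ip source A W destination G W ...' -> (action, {option: args})."""
    tok = line.split()
    action, opts, i = tok[1], {}, 3
    while i < len(tok):
        n = ARITY[tok[i]]
        opts[tok[i]] = tok[i + 1:i + 1 + n]
        i += 1 + n
    return action, opts

def _hit(args, addr):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    base = int(ipaddress.IPv4Address(args[0]))
    wild = int(ipaddress.IPv4Address(args[1])) if "." in args[1] else int(args[1])
    return ((base ^ int(ipaddress.IPv4Address(addr))) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, src, grp, unmatched="deny"):
    """First matching rule wins (model assumption). Unsupported options are
    skipped, so they always match. 'unmatched' is the Table 1 default."""
    for line in rules:
        action, opts = parse_rule(line)
        checks = (("source", src), ("destination", grp))
        if all(_hit(opts[k], a) for k, a in checks if k in opts):
            return action
    return unmatched

def audit(rules):
    """Return (rule, ignored options, matches_everything) for rules to review."""
    findings = []
    for line in rules:
        _, opts = parse_rule(line)
        ignored = sorted(set(opts) - SUPPORTED)
        if ignored:
            match_all = not (set(opts) & {"source", "destination"})
            findings.append((line, ignored, match_all))
    return findings

# Rules copied from Example 1 on this page.
FRRACL = ["rule permit ip source 10.0.0.1 0 destination 226.0.0.1 0",
          "rule permit ip packet-length eq 65535"]

if __name__ == "__main__":
    for finding in audit(FRRACL):
        print(finding)
    # Constructed sample (S, G) that rule 1 does not cover.
    print(evaluate(FRRACL, "192.0.2.7", "239.1.1.1"))
```

Running the audit over an exported ACL before binding it to a multicast policy shows which rules will behave as permit-any once the unsupported option is ignored.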
Copyright © Huawei Technologies Co., Ltd.