Including denied multicast sessions in the session table 7.6.1
Sessions can be created for denied multicast traffic, enabling subsequent packets to be directly matched and dropped, reducing CPU usage and improving performance.
To configure denied multicast session inclusion:
```
config system setting
    set ses-denied-multicast-traffic {disable | enable}
end
```
| Value | Description |
|---|---|
| disable | Do not add denied multicast sessions to the session table (default). |
| enable | Include denied multicast sessions in the session table. |
Example
In this example, denied multicast sessions are included in the session table of the VDOM. A deny multicast policy is created and a packet is then sent that hits the policy. Checking the multicast session list shows that a denied multicast session is created.
To configure and test including denied multicast sessions:
- Enable including denied multicast sessions:

  ```
  config system setting
      set ses-denied-multicast-traffic enable
  end
  ```
- Create a deny multicast policy in the multicast policy table:

  ```
  config firewall multicast-policy
      edit 1
          set name "Deny_Multicast_Policy"
          set srcintf "port1"
          set dstintf "port3"
          set srcaddr "172-16-200-0"
          set dstaddr "230-0-0-1"
          set action deny
          set logtraffic all
          set auto-asic-offload disable
      next
  end
  ```
- Send packets to hit the deny multicast policy then check the multicast session list. The second session shown is the denied multicast session:

  ```
  # diagnose sys mcast-session list
  session info: id=259 vf=1 proto=17 172.16.200.55.34896->230.0.0.10.7878
  used=2 path=1 duration=8 expire=174 indev=9 pkts=4 bytes=2160
  state=00000000:
  session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
  path: log npu-deny policy=2, outdev=11, tos=0xff

  session info: id=260 vf=1 proto=17 172.16.200.55.33488->230.0.0.1.7878
  used=2 path=0 duration=6 expire=177 indev=9 pkts=5 bytes=2700
  state=00000200: deny
  session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000

  Total 2 sessions
  ```
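To check the result of the test step from a script, the session list can be parsed and filtered on the `deny` flag in the `state=` field. The following is an added example, not Fortinet code: the function names `parse_mcast_sessions` and `denied_sessions` are hypothetical, and the sample input is the command output shown on this page.

```python
import re

# Output of `diagnose sys mcast-session list`, copied from the example on this page.
SAMPLE = """\
session info: id=259 vf=1 proto=17 172.16.200.55.34896->230.0.0.10.7878
used=2 path=1 duration=8 expire=174 indev=9 pkts=4 bytes=2160
state=00000000:
session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
path: log npu-deny policy=2, outdev=11, tos=0xff
session info: id=260 vf=1 proto=17 172.16.200.55.33488->230.0.0.1.7878
used=2 path=0 duration=6 expire=177 indev=9 pkts=5 bytes=2700
state=00000200: deny
session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
Total 2 sessions
"""

IPV4 = r"(\d+(?:\.\d+){3})"
HEAD = re.compile(rf"id=(\d+) vf=(\d+) proto=(\d+) {IPV4}\.(\d+)->{IPV4}\.(\d+)")
COUNTS = re.compile(r"pkts=(\d+) bytes=(\d+)")
STATE = re.compile(r"state=([0-9a-fA-F]{8}):\s*(.*?)\s*session-npu-info:", re.S)
TOTAL = re.compile(r"Total (\d+) sessions")

def parse_mcast_sessions(text):
    """Return one dict per 'session info:' record; works on wrapped or flattened output."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        head, counts, state = HEAD.search(chunk), COUNTS.search(chunk), STATE.search(chunk)
        if not (head and counts and state):
            raise ValueError(f"unrecognised session record: {chunk[:60]!r}")
        sid, vf, proto, src, sport, dst, dport = head.groups()
        sessions.append({
            "id": int(sid), "vf": int(vf), "proto": int(proto),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "pkts": int(counts.group(1)), "bytes": int(counts.group(2)),
            "state": state.group(1), "flags": state.group(2).split(),
        })
    total = TOTAL.search(text)
    if total and int(total.group(1)) != len(sessions):
        raise ValueError("parsed session count does not match the 'Total' line")
    return sessions

def denied_sessions(text):
    """Sessions whose state line carries the 'deny' flag."""
    return [s for s in parse_mcast_sessions(text) if "deny" in s["flags"]]

if __name__ == "__main__":
    for s in denied_sessions(SAMPLE):
        print(f"denied id={s['id']} {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} pkts={s['pkts']}")
```

An empty result after sending traffic that matches the deny policy indicates that `ses-denied-multicast-traffic` is not enabled in that VDOM.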