RE: ip pim rp-accept <rp-address> [acl#] command

From: Scott Morris (swm@emanon.com)
Date: Sun Aug 08 2004 - 11:34:36 GMT-3

It was a change from 12.1 to 12.2 with the behavior noted in the "ip pim
rp-addres". You used to not need to have this command on the RP itself due
to the behavior that youhave outlined below. However, in 12.2, you need to
let the RP know specifically that it is the RP.

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIP, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
 
 

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Sunday, August 08, 2004 6:50 AM
To: swm@emanon.com; 'john matijevic'; 'Group Study'
Subject: Re: ip pim rp-accept <rp-address> [acl#] command

Used to be true???

What happened that makes this not true?

----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'john matijevic'"
<matijevi@bellsouth.net>; "'Group Study'" <ccielab@groupstudy.com>
Sent: Sunday, August 08, 2004 12:10 AM
Subject: RE: ip pim rp-accept <rp-address> [acl#] command

> Mmmmm.... Well...
>
> My first inclination (again off-the-cuff and not labbed) would be that
this
> used to be true. Back when we could stick things like the "ip pim
> rp-address" command on any router except the RP and the RP would figure it
> out. Now-days though, that's not the case. So what they may answer is
that
> the magic of saying "hey, I'm the RP" went away so this is no longer a
> condition.
>
> So by the description of the command, the usage would be to make sure that
> IT doesn't become an RP rather than worrying about other devices becoming
> that. And I don't believe that is a problem any longer. Doesn't mean I'm
> 100% right though, so labbing it up will be the best way to figure that
out.
>
> And the command I was referring to was not the SEND-rp-announce command
> (which is as you describe it) but one more geared towards listeners....
>
> For the example you have though, the command seems to handle problems of
> that nature. Will be intersting to see what your lab attempt shows!
>
>
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuratio
> n_guide_chapter09186a00800d6b79.html#4898
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
> JNCIP, et al.
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> swm@emanon.com/smorris@ipexpert.net
> http://www.ipexpert.net
>
>
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Saturday, August 07, 2004 11:45 PM
> To: swm@emanon.com; 'john matijevic'; 'Group Study'
> Subject: Re: ip pim rp-accept <rp-address> [acl#] command
>
> Here's the source. this is from page 38 of module 6 of the Multicast
> training slides which I found somewhere on cco.
>
>
> Controlling RP Acceptance
>
> . What really determines if a router is the RP
>
> - Any Any router will assume the duties of the RP if:
>
> . It receives a (*,G) Join that contains an RP address that is
>
> the IP address of one of its interfaces AND
>
> . The interface is multicast enabled AND
>
> . The RP address matches the RP in the Group-to-RP
>
> mapping cache OR
>
> . There is no entry in the Group-to-RP mapping cache.
>
> - Misconfigured routers could create multiple RPs in the
>
> network
>
> . Each sends a (*,G) Join with a different RP address
>
> . Each (*,G) Join results in another RP for the same group
>
> - The 'Accept-RP' command provides additional control
>
> (insurance?) to prevent this.
>
> . By default, a router operates as an RP for a group if:
>
> - It receives a (*, G) Join containing one of its addresses as the RP or
>
> - It receives a (S, G) Register message.
>
> . Basic sanity check
>
> - Routers will perform a rudimentary sanity check to see if it actually
> should be the
>
> RP for group "G" by searching the Group-to-RP mapping cache for an entry
for
>
> group "G". If an entry is found and the RP for the group is not this
router,
> then
>
> the router will discard the (*, G) Join or (S,G) Register and will not
> become the
>
> RP. Otherwise, it will assume that it is the RP for group "G" and assume
> duties
>
> of the RP.
>
> . Extended sanity checking
>
> - In order to provide additional control and sanity checking over which
> router
>
> should be accepted as the RP, the IOS command 'ip pim accept-rp' was
>
> created.
>
>
>
> *************************************************************
>
>
> As you can see, it seems to imply that any router could become a rp under
> certain very specific conditions. I agree that given the conditions
> necessary for a MA to become inadvertently a rp, it's somewhat unlikely.
> And, I also agree that the ip pim rp-send-announce-filter is the more
> appropriate command to use on the MA.
>
> Correct me if I'm wrong, but, it seems that these 2 commands aren't
mutually
> exclusive.
>
> The ip pim rp-send-announce-filter command filters only c-rp announcements
> but not joins and is designed to prevent against rogue rp's being
confgured
> in the mcast domain.
>
> The ip pim rp-accept <rp-address> [acl#] command, on the other hand,
works
> differently. It filters joins which can come from anywhere in the mcst
> domain and can go anywhere in a mcast domain if another router is
> misconfigured. Do you agree?
>
> What's missing from the slide is any mention of on which routers this
> command should be configured and I want to confirm what seems to be
implied
> - that this command could be configured on all routers - including the rp
> and MA - in a mcast domain.
>
> For example, imagine that 2 rp are configured for mcast groups
224.0.130.10
> thru 224.0.130.20
>
> Now, suppose the MA receives a join for froup 224.0.10.130 addresses to
one
> of it's pim enabled interfaces. Since the MA doesn't have this mcast
group
> in it's group to rp mapping cache, what does the MA do?
>
> Won't the MA become the rp for that group?
>
> Tim
>
>
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'john matijevic'"
> <matijevi@bellsouth.net>; "'Group Study'" <ccielab@groupstudy.com>
> Sent: Saturday, August 07, 2004 11:07 PM
> Subject: RE: ip pim rp-accept <rp-address> [acl#] command
>
>
> > Right... It's about filtering messages destined to one RP or the other
> (and
> > you can use the auto-rp part to verify with that cache).
> >
> > The mapping agent in and of itself will not become the RP. If it
happens
> to
> > BE an RP, then it is not a MA for itself.
> >
> > It's not so much that you are worrying that devices "accidently" become
> the
> > RP (weird), but more that you make sure you're on the RP's tree.
> >
> > Look at the command section there. It says that the commmand causes the
> > router to only accept (*,G) join messages destined for the specific RP
> > address/groups. That's determining it's action in forwarding join/leave
> > messages throughout a domain, not so much anything about how IT acts,
just
> > how it acts in forwarding.
> >
> > The difference also becomes that you can use this command on the RP
itself
> > and acheieve a different kind of filtering.
> >
> > Now, mind you, I haven't labbed anyhting up striving for the accidental
RP
> > assignment to watch behavior, but I would think that the "ip pim
> > rp-announce-filter" command would be a better fit for what you appear to
> be
> > describing to me.
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CISSP,
> > JNCIP, et al.
> > IPExpert CCIE Program Manager
> > IPExpert Sr. Technical Instructor
> > swm@emanon.com/smorris@ipexpert.net
> > http://www.ipexpert.net
> >
> >
> >
> > -----Original Message-----
> > From: ccie2be [mailto:ccie2be@nyc.rr.com]
> > Sent: Saturday, August 07, 2004 10:53 PM
> > To: swm@emanon.com; 'john matijevic'; 'Group Study'
> > Subject: Re: ip pim rp-accept <rp-address> [acl#] command
> >
> > Hey Scott,
> >
> > I'm not sure we're on the same page.
> >
> > I think of this command as added protection against, for example, a
static
> > rp command being mis-configured. Suppose for example, the ip pim
> rp-address
> > <ip ad> command had the address of the MA entered by mistake.
> >
> > Couldn't, under some circumstances, the MA become the rp for some mcast
> > groups? And, wouldn't the above command prevent that?
> >
> > Also, from a lab point of view, suppose we were instructed to configure
> > Auto-rp. And, suppose we were also told to make sure that no routers
> except
> > those explicitly meant to be rp's ever accidentally became rp's. In this
> > case, wouldn't we use the above command on all routers in the mcast
> domain?
> >
> >
> > ----- Original Message -----
> > From: "Scott Morris" <swm@emanon.com>
> > To: "'john matijevic'" <matijevi@bellsouth.net>; "'ccie2be'"
> > <ccie2be@nyc.rr.com>; "'Group Study'" <ccielab@groupstudy.com>
> > Sent: Saturday, August 07, 2004 10:31 PM
> > Subject: RE: ip pim rp-accept <rp-address> [acl#] command
> >
> >
> > > As an add-on, the candidate-RP or MA portion of the question... If
you
> > are
> > > a mapping agent, you are just forwarding things anyway, so the
rp-accept
> > > command doesn't reference that IP at all. It will be WHAT is being
> > learned,
> > > not who from. (otherwise in BSR-land, that would always be your
> directly
> > > connected neighbors)
> > >
> > > HTH,
> > >
> > >
> > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> CISSP,
> > > JNCIP, et al.
> > > IPExpert CCIE Program Manager
> > > IPExpert Sr. Technical Instructor
> > > swm@emanon.com/smorris@ipexpert.net
> > > http://www.ipexpert.net
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
> > john
> > > matijevic
> > > Sent: Saturday, August 07, 2004 8:33 PM
> > > To: 'ccie2be'; 'Group Study'
> > > Subject: RE: ip pim rp-accept <rp-address> [acl#] command
> > >
> > > Hi Tim,
> > > The command can best be explained as follows, from the doccd:
> > > "ip pim accept-rp
> > > To configure a router to accept join or prune messages destined for a
> > > specified rendezvous point (RP) and for a specific list of groups, use
> the
> > > ip pim accept-rp command in global configuration mode"
> > > So you are correct that this can be used on any mcast router in a
mcast
> > > domain. But don't take my word for it, test yourself, that's part of
the
> > > fun. :)
> > >
> > >
> > > Sincerely,
> > >
> > > John Matijevic, CCIE #13254, MCSE, CNE, CCEA
> > > Network Consultant
> > > Hablo Espanol
> > > 305-321-6232
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
> > > ccie2be
> > > Sent: Saturday, August 07, 2004 7:29 PM
> > > To: Group Study
> > > Subject: ip pim rp-accept <rp-address> [acl#] command
> > >
> > > Hi guys,
> > >
> > > I just wanted to confirm my understanding of the above command.
> > >
> > > My sense is that this command can be used and useful on any mcast
router
> > > in a
> > > mcast domain. This is true regardless of whether Auto-RP or BSR is
> > > used. And,
> > > this is true regardless of whether the router is a c-rp or a MA.
> > >
> > > Can anyone confirm this?
> > >
> > > TIA, Tim
> > >
> > >

This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:35 GMT-3