From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Nov 08 2004 - 08:54:29 GMT-3
access-list 1 deny 226.26.26.26
access-list 1 permit any
int e0
ip access-group 1 <in|out> <-- stops packets with SOURCE address of
226.26.26.26
or
int e0
ip multicast boundary 1 <-- stops packets with DEST address of
226.26.26.26
Don't forget that when dealing with multicast the source address of the
packet is a regular unicst address while the destination address is a
multicast address. So, if you want to prevent multicast traffic from
crossing an interface in either direction , the destination address must be
the address that's looked at. Also, notice that the ip multicast boundary
<acl#> has no direction parameters. It stops the specified multicast traffic
in both directions.
HTH, Tim
----- Original Message -----
From: "Hai Minh" <minh@ipmac.com.vn>
To: "ccie2be" <ccie2be@nyc.rr.com>; <ccielab@groupstudy.com>
Sent: Monday, November 08, 2004 4:08 AM
Subject: Re: Multicast question
> Tim,
>
> Yes, it's "ip igmp access-group" command.
>
> Thanks for your explaination, but I'm confuse why does the command "ip
> multicast boundary" consider the address as destination address.
>
> HTH
> Hai Minh
>
> ----- Original Message -----
> From: "ccie2be" <ccie2be@nyc.rr.com>
> To: "Hai Minh" <minh@ipmac.com.vn>; <ccielab@groupstudy.com>
> Sent: Monday, November 08, 2004 10:47 AM
> Subject: Re: Multicast question
>
>
> > Are you sure there is a command, ip multicast access-group. I looked
for
> it
> > but came up empty, however, there is a command, ip igmp access-group
which
> > is used to prevent joins.
> >
> > Now, this might be obvious to lots of people, but I didn't notice this
> until
> > it was explicitly pointed out to me, I think by Scott Morris.
> >
> > When the ip multicast boundary # command is used, it's referencing an
acl
> > just like the command, ip access-group #, so I wondered why was the ip
> > multcast boundary command needed. Isn't the ip access-group sufficient
to
> > do the job?
> >
> > The answer, of course, is it isn't. This is because when the ip
> > access-group # command is used, it interprets the ip addresses in the
acl
> as
> > source ip addresses. With the command, ip multicast boundary #, the ip
> > addresses referenced by the acl are interpreted as destination
addresses.
> >
> > A minor point, no doubt, but it highlights how important it is to pay
> > attention to details.
> >
> > HTH, Tim
> >
> >
> > ----- Original Message -----
> > From: "Hai Minh" <minh@ipmac.com.vn>
> > To: <ccielab@groupstudy.com>
> > Sent: Saturday, November 06, 2004 11:35 PM
> > Subject: Multicast question
> >
> >
> > > Hi group,
> > >
> > > I have this configuration. What is the different between the command
"ip
> > > multicast boundary" and "ip multicast access-group" in this case ? I
> think
> > > both of them are used to block the hosts to join to the multicast
group
> > > 226.26.26.26.
> > >
> > > Could someone please explain to me ?
> > >
> > > Thanks in advance
> > >
> > > ================
> > > R1
> > > interface E0/0
> > > ip multicast boundary 1
> > >
> > > interface E0/1
> > > ip multicast access-group 1
> > >
> > > access-list 1 deny 226.26.26.26
> > > access-list 1 permit any
> > > =======================
> > >
> > >
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:40 GMT-3