RE: ip multicast boundary vs. ip igmp access-group

From: simon hart (simon@harttel.com)
Date: Tue Oct 11 2005 - 18:03:03 GMT-3

• Next message: Sam - I Am: "2502 router"
• Previous message: Schulz, Dave: "RE: Privilege access from console vs. telnet"
• Maybe in reply to: Ashok M A: "RE: ip multicast boundary vs. ip igmp access-group"
• Next in thread: Ashok M A: "RE: ip multicast boundary vs. ip igmp access-group"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Ashok,

I am not sure why you are seeing what you are seeing. IGMP access-group
will stop igmp joins for the group defined, it will not stop PIM messages.
Therefore you should see the *,G in the mroute table.

I have labbed up something similar and am seeing the expected results.

R3 is directly connected to R6 via ethernet. R3 is both mapping agent and
RP for all groups.

Here is the config for R3

interface Ethernet0
 ip address 157.1.36.3 255.255.255.0
 ip pim sparse-mode
 ip igmp access-group 20

Standard IP access list 20
    10 deny 232.2.2.2 (9 matches)
    20 permit any (19 matches)

Here is the interface config for R6

interface FastEthernet1/0
 ip address 157.1.36.6 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 232.2.2.2

This is the show mroute table on R3

(*, 232.2.2.2), 00:07:05/00:03:21, RP 150.1.3.3, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0, Forward/Sparse, 00:07:05/00:03:21

The *,G entry exists, however if we look at the igmp group membership on R3
we see the following

IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
224.0.1.39 Loopback0 00:51:37 00:02:23 150.1.3.3
224.0.1.39 Ethernet0 00:51:44 00:02:25 157.1.36.3
224.0.1.40 Ethernet0 00:06:38 00:02:30 157.1.36.6
224.0.1.40 Loopback0 00:51:33 00:02:26 150.1.3.3

As expected, no group membership report for 232.2.2.2 but membership reports
for Auto-RP

Now if I take the access list of off R3 we will see the following:

Rack1R3#sh ip igmp group
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
224.0.1.39 Loopback0 00:54:14 00:02:45 150.1.3.3
224.0.1.39 Ethernet0 00:54:21 00:02:46 157.1.36.3
224.0.1.40 Ethernet0 00:09:15 00:02:47 157.1.36.6
224.0.1.40 Loopback0 00:54:10 00:02:49 150.1.3.3
232.2.2.2 Ethernet0 00:00:14 00:02:45 157.1.36.6

As I have taken of the access-group, R3 is now seeing the membership report
for 232.2.2.2 This is because R6 is on the same lan segment. Also the
mroute table is the same
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 232.2.2.2), 00:11:43/00:02:42, RP 150.1.3.3, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0, Forward/Sparse, 00:11:43/00:02:41

The thing to remember in this instance is the group table is getting
populated by the IGMP joins from 6, and the mroute table is getting
populated by the PIM joins from R6.

I am not sure what is happening with your config. Is there additional
config on your RP?? Does you router need a reboot??
Are you debugging the PIM messages??

HTH

Simon

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Ashok M A
Sent: 11 October 2005 16:51
To: Venkataramanaiah.R
Cc: simon@harttel.com; dusth@comcast.net; ccielab@groupstudy.com
Subject: Re: ip multicast boundary vs. ip igmp access-group

Thanks Venkat for the reply.

So if i configure the igmp access-group on the router
connecting the member, why i cant see the (*,G) on the
router?

Config is:
~~~~~
R2#sri e0
Building configuration...

Current configuration : 115 bytes
!
interface Ethernet0
 ip address 22.22.22.2 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp access-group 33
end

R2#

R2#show access-lists 33
Standard IP access list 33
    permit 224.1.1.2
    deny 224.1.1.7 (7 matches)
    permit any (15 matches)
R2#

R2#sh ip igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime
Expires Last Reporter
224.0.1.39 Ethernet0 1d22h
00:02:03 22.22.22.2
224.1.1.8 Ethernet0 23:40:44
00:02:57 22.22.22.7
R2#

R2#sh ip mroute 224.1.1.2
Group 224.1.1.2 not found
R2#

R2#sh ip mroute 224.1.1.2
Group 224.1.1.2 not found
R2#sh ip mroute 224.1.1.8
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM
Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F -
Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created
entry,
       X - Proxy Join Timer Running, A - Candidate for
MSDP Advertisement,
       U - URD, I - Received Source Specific Host
Report
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD,
State/Mode

(*, 224.1.1.8), 00:08:14/00:02:45, RP 5.5.5.5, flags:
SJC
  Incoming interface: Serial0.56, RPF nbr 10.1.1.5
  Outgoing interface list:
    Ethernet0, Forward/Sparse-Dense, 00:08:14/00:02:45

R2#

R2 directly connected to R8.

R8#sri e0
Building configuration...

Current configuration : 124 bytes
!
interface Ethernet0
 ip address 22.22.22.8 255.255.255.0
 ip igmp join-group 224.1.1.2
 ip igmp join-group 224.1.1.8
end

R8#

Thanks,

Ashok

--- "Venkataramanaiah.R" <vramanaiah@gmail.com> wrote:

> Ashok.. This behaviour makes perfect sense to me..
> After it is the IGMP join
> that you are preventing using the ip igmp
> access-group command. The (*,G)
> that you are mentioning are the PIM joins sent by
> the downstream routers,
> which obviously will not be filtered.
>
> -Venkat
>
> On 10/11/05, Ashok M A <ashok_ccie@yahoo.co.in>
> wrote:
> >
> > Adding to this, I could see "ip igmp access-group"
> has
> > effect only if it is configured on the router
> where
> > the hosts directly connected. This has no effect
> if
> > configured on other router on the path towards the
> RP.
> > I see (*,G) is not filtered if configured on the
> > router on the path towards the RP.
> >
> > Corret me if I am missing something.
> >
> >
> > Thanks & Regards,
> >
> > Ashok M A
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of simon
> hart
> > Sent: Thursday, September 01, 2005 6:44 PM
> > To: dusth@comcast.net; ccielab@groupstudy.com
> > Subject: RE: ip multicast boundary vs. ip igmp
> > access-group
> >
> > Dustin,
> >
> > The difference between the two commands are:
> >
> > ip multicast boundary - this will prevent mulicast
> > traffic within the specified access list from
> > transiting the interface, thus blocking the
> defined
> > traffic.
> >
> > ip igmp access-group - this will prevent hosts
> within
> > the attached subnet from joining multicast groups
> > identified within the associated access list.
> > This command does not stop the multicast traffic
> from
> > transiting the interface (ie to a PIM neighbor),
> just
> > stops the hosts from joining.
> >
> > HTH
> >
> > Simon
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com]On Behalf Of
> > dusth@comcast.net
> > Sent: 01 September 2005 13:43
> > To: ccielab@groupstudy.com
> > Subject: ip multicast boundary vs. ip igmp
> > access-group
> >
> >
> > Hello group,
> > I'm confused the difference between < ip multicast
> > boundary vs. ip igmp
> > access-group>. I do not know exactly when to use
> one
> > or the other. Is
> > access-group><ip
> > mulitcast boundary> command used when filter out
> only
> > one single multicast stream? In contrast, is <ip
> igmp
> > access-group> command used when need to filter a
> > range of multicast stream?
> > Please help.
> > Thanks,
> > Dustin
> >
> >
> >
> >
> >
> >
>

• Next message: Sam - I Am: "2502 router"
• Previous message: Schulz, Dave: "RE: Privilege access from console vs. telnet"
• Maybe in reply to: Ashok M A: "RE: ip multicast boundary vs. ip igmp access-group"
• Next in thread: Ashok M A: "RE: ip multicast boundary vs. ip igmp access-group"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3