RE: Use of "ip pim rp-announce-filter"

From: Ashok Ananda \(aananda\) (aananda@cisco.com)
Date: Thu Oct 20 2005 - 14:39:44 GMT-3

I am sharing what I found..

For example,
If C-RP announces the group 224.0.0.0/5 and ip pim rp-announce-filter
has 224.0.0.0/4 then 224.0.0.0/5 will be accepted by MA, and you can
see 224.0.0.0/5 as the group with "sh ip pim rp map".
If C-RP announces the group 224.0.0.0/4 and ip pim rp-announce-filter
has 224.0.0.0/5 then 224.0.0.0/4 will be accepted by MA, and you can
see 224.0.0.0/4 as the group with "sh ip pim rp map".
If C-RP announces the group 225.0.0.0/4 and ip pim rp-announce-filter
has 224.0.0.0/4 then 225.0.0.0/4 will be rejected by MA, and you see
NOTHING as the group with "sh ip pim rp map".
If C-RP announces the group 225.0.0.0/8 and ip pim rp-announce-filter
has 224.0.0.0/4 then 225.0.0.0/8 will be accepted by MA, and you see
225.0.0.0/8 as the group with "sh ip pim rp map".

Thanks & Regards,

Ashok M A

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian McGahan
Sent: Thursday, October 20, 2005 9:32 PM
To: Eugene Ward; pv.ryan@gmail.com
Cc: guxiaojian@gmail.com; ccielab@groupstudy.com
Subject: RE: Use of "ip pim rp-announce-filter"

> On the mapping agent side, suppose you had three routers advertising
> themselves as RPs for the 239.0.0.0/8 range. You could use the
"rp-list"
> option to specify which routers are allowed to be RPs. Also, you
could
> use the "group-list" option in conjunction with the "rp-list" option
in
> the "rp-announce-filter" message to specify a particular RP with a
> particular range. For example (on the mapping agent):

        If by this you mean that a candidate RP can announce 224.0.0.0/4
and the rp-announce-filter can limit them to 224.0.0.0/5, no. The
rp-announce-filter is used to either accept or reject an RP, along with
the groups it is announcing. If RP "X" is advertising groups
224.0.0.0/5, and mapping agent "Y" wants RP X and only RP X to service
these groups there must be matching access-list logic on both X and Y
for this range, along with an additional filter on Y assigning
224.0.0.0/5 to no other RPs.

        You would *assume* that the correct logic would be that the
candidate RPs could just announce 224.0.0.0/4 and the mapping agent
could sort through it, but it doesn't work that way. Think of this
feature instead as a way to prevent arbitrary devices from advertising
themselves as candidate RPs for your auto-rp domain.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
> Eugene Ward
> Sent: Thursday, October 20, 2005 5:59 AM
> To: pv.ryan@gmail.com
> Cc: guxiaojian@gmail.com; ccielab@groupstudy.com
> Subject: Re: Use of "ip pim rp-announce-filter"
>
> Ryan,
>
> The "group-list" option in the "send-rp-announce" message is to limit
the
> subset of groups advertised by a potential RP. For example, if you
did
> not use the "group-list" option, the router would advertise itself as
an
> RP for the whole 224.0.0.0/4 multicast range. However, let's say that
you
> only want the router to be an RP for the 239.0.0.0/8 range; then use
the
> "group-list" to reference an ACL matching only that range.
>
> On the mapping agent side, suppose you had three routers advertising
> themselves as RPs for the 239.0.0.0/8 range. You could use the
"rp-list"
> option to specify which routers are allowed to be RPs. Also, you
could
> use the "group-list" option in conjunction with the "rp-list" option
in
> the "rp-announce-filter" message to specify a particular RP with a
> particular range. For example (on the mapping agent):
>
> ip pim rp-announce-filter rp-list 1 group-list 11 ip pim
> rp-announce-filter rp-list 2 group-list 12
>
> access-list 1 permit 4.4.4.4
> access-list 2 permit 7.7.7.7
> access-list 11 permit 239.0.0.0 0.255.255.255 access-list 12 permit
> 224.0.0.0 0.255.255.255
>
> 4.4.4.4 is the RP for the 239/8 range, while 7.7.7.7 is the RP for the
> 224/8 range.
>
> Lastly, (I semi-remember how this works), if the "group-list" option
is
> used with the "rp-announce-filter" command, then the "group-list"
> advertised by the RP needs to line up with the "group-list" on the
mapping
> agent. I'm sure someone will correct me if I have missed anything.
>
> HTH,
>
> Eugene
>
> ----------------------------------------------------------------------
>
>
> Ok. the "group-list" option in rp-announce-filter is used for security

> reason. I want to know what is the use of "group-list" option in
> rp-send-announce ?
>
> I only know that group-list option is used to limit the join-group
> access of RP. But not sure the result when use "group-list" in
> "rp-announce-filter" and "rp-send-announce".
>
>
> Thanks!
> Ryan
>
>
> 2005/10/20, Jian Gu <guxiaojian@gmail.com>:
> > ip pim rp-announce-filter should always be configured on mapping
agents,
> > what you've configured on RP (group-list etc) is irrelavent, the
command
> is
> > there mainly for security reason, immagine what will happen if a RP
is
> > adverstising bogus RP-address.
> >
> >
> > On 10/19/05, The Great Ryan <pv.ryan@gmail.com> wrote:
> > >
> > > Hi, Group,
> > >
> > > ---(e0)R1(s1)------(s1)R2(e0)---
> > >
> > >
> > > I setup a lab for RP Filtering by using Auto-RP
> > > R1 acts as RP announcement
> > > R2 acts as mapping agent
> > >
> > > In R1, I already limit the use of RP by access-list 11 (i.e.
> 224.0.0.0
> > > 7.255.255.255)
> > > Is it necessary to also set a RP-filter on the mapping agent to
> limit
> > > the use of RP?
> > > I have no idea where I should put "ip pim
> rp-announce-filter" in
> > > multicast network. Thanks !
> > >
> > > Ryan
> > > =======================================
> > > R2#show ip pim rp mapping
> > > PIM Group-to-RP Mappings
> > > This system is an RP-mapping agent (Loopback0)
> > >
> > > Group(s) 224.0.0.0/5
> > > RP 172.16.1.1 (?), v2v1
> > > Info source: 172.16.1.1 (?), elected via Auto-RP
> > > Uptime: 00:20:11, expires: 00:02:48
> > >
> > > ================R1 Config========================
> > >
> > > interface Loopback 0
> > > ip address 172.16.1.1 255.255.255.0 interface serial 1 ip pim
> > > sparse-dense-mode !
> > > ip pim send-rp-announce Loopback0 scope 15 group-list 11
> > > access-list 11 permit 224.0.0.0 7.255.255.255
> > > ================R2 Config========================
> > > R2
> > >
> > > interface s1
> > > ip pim sparse-dense-mode
> > > !
> > > ip pim send-rp-discovery Loopback0 scope 15 ip pim
> > > rp-announce-filter rp-list 1 group-list 11 access-list 1 permit
> > > 172.16.1.1 access-list 11 permit 224.0.0.0 7.255.255.255
>
>
> ___________________________________________________________________
> Try Juno Platinum for Free! Then, only $9.95/month!
> Unlimited Internet Access with 250MB of Email Storage.
> Visit http://www.juno.com/value to sign up today!
>
>

This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:51 GMT-3