From: Marvin Greenlee (marvin@ipexpert.com)
Date: Wed Feb 21 2007 - 01:42:16 ART
"Broken access list example"
(not really broken, just may not perform as you expect it to)
The access list in the command send-rp-announce on the RP is sent to the
mapping agent line by line. Depending on how the groups are sent, filtering
on the mapping agent can block the groups.
Basic setup: R3/R6 as candidates, R5 acting as a mapping agent.
! First, an "OK" config, sending individual groups. The desired config for
this setup is to have R5 allow R6 as RP for the 226 groups and R3 as RP for
the 225 groups.
R6(config)#access-list 24 permit 225.0.0.1
R6(config)#access-list 24 permit 225.0.0.2
R6(config)#access-list 24 permit 225.0.0.3
R6(config)#access-list 24 permit 226.0.0.1
R6(config)#access-list 24 permit 226.0.0.2
R6(config)#access-list 24 permit 226.0.0.3
R6(config)#ip pim send-rp-announce loop1 scope 4 group-list 24
R3(config)#access-list 24 permit 225.0.0.1
R3(config)#access-list 24 permit 225.0.0.2
R3(config)#access-list 24 permit 225.0.0.3
R3(config)#access-list 24 permit 226.0.0.1
R3(config)#access-list 24 permit 226.0.0.2
R3(config)#access-list 24 permit 226.0.0.3
R3(config)#ip pim send-rp-announce loop1 scope 4 group-list 24
R5(config)#ip access-list standard permitR3
R5(config-std-nacl)#permit 3.3.3.3
R5(config)#ip access-list standard permitR6
R5(config-std-nacl)#permit 6.6.6.6
R5(config)#ip access-list standard R3group
R5(config-std-nacl)#permit 225.0.0.0 0.0.0.3
R5(config)#ip access-list standard R6group
R5(config-std-nacl)#permit 226.0.0.0 0.0.0.3
R5(config)#ip pim rp-announce-filter rp-list permitR3 group-list R3group
R5(config)#ip pim rp-announce-filter rp-list permitR6 group-list R6group
!! -- How to break things --
With the same configuration on R5, if R3 just announces candidacy for the
entire block, the announcement will be filtered.
R3(config)#access-list 24 permit 224.0.0.0 15.255.255.255
OUTPUT ON R5 - Debug ip pim auto-rp:
*Feb 2 01:22:37.036: Auto-RP(0): Received RP-announce, from 3.3.3.3, RP_cnt 1, ht 181
*Feb 2 01:22:37.036: Auto-RP(0): Filtered 224.0.0.0/4 for RP 3.3.3.3
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
marvin@ipexpert.com
http://www.IPexpert.com
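A small model of the filtering Marvin describes, added here as an example and not code from the original thread or from IOS: it turns a candidate RP's group-list ACL into the per-entry prefixes that send-rp-announce carries and runs each one through R5's rp-announce-filter pairs. The matching rule (the filter whose rp-list permits the RP decides, and it checks the announced prefix's base address against the group-list ACL) is an assumption that reproduces the debug output above, not IOS source.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed model of R5's config: each rp-announce-filter as (rp-list ACL, group-list ACL).
R5_FILTERS = [
    (["permit 3.3.3.3"], ["permit 225.0.0.0 0.0.0.3"]),   # rp-list permitR3 / group-list R3group
    (["permit 6.6.6.6"], ["permit 226.0.0.0 0.0.0.3"]),   # rp-list permitR6 / group-list R6group
]

def parse_entry(entry):
    """'permit A.B.C.D [W.X.Y.Z]' -> (action, address as int, wildcard as int); no wildcard = host."""
    parts = entry.split()
    wildcard = int(IPv4Address(parts[2])) if len(parts) > 2 else 0
    return parts[0], int(IPv4Address(parts[1])), wildcard

def acl_permits(acl, address):
    """Standard-ACL evaluation: first matching entry wins, implicit deny at the end."""
    a = int(IPv4Address(address))
    for entry in acl:
        action, addr, wildcard = parse_entry(entry)
        mask = 0xFFFFFFFF ^ wildcard            # wildcard bits are "don't care"
        if (a & mask) == (addr & mask):
            return action == "permit"
    return False

def announced_prefixes(group_acl):
    """What send-rp-announce sends: one group prefix per permit entry of the group-list ACL.
    Assumes contiguous wildcard masks, so each entry converts to a CIDR prefix."""
    prefixes = []
    for entry in group_acl:
        action, addr, wildcard = parse_entry(entry)
        if action == "permit":
            prefixes.append(str(IPv4Network((addr, 32 - wildcard.bit_length()))))
    return prefixes

def agent_accepts(filters, rp, prefix):
    """Mapping-agent decision for one announced prefix (assumed model, not IOS source):
    a filter applies when its rp-list permits the RP, and it accepts the prefix only if
    its group-list permits the prefix's base address."""
    base = str(IPv4Network(prefix).network_address)
    return any(acl_permits(rp_acl, rp) and acl_permits(grp_acl, base)
               for rp_acl, grp_acl in filters)

def filtered_on_agent(filters, rp, group_acl):
    """Prefixes from this RP's announcement that R5 would drop ('Filtered ... for RP ...')."""
    return [p for p in announced_prefixes(group_acl) if not agent_accepts(filters, rp, p)]

if __name__ == "__main__":
    r3_per_group = ["permit 225.0.0.%d" % i for i in (1, 2, 3)] + ["permit 226.0.0.%d" % i for i in (1, 2, 3)]
    print("R3 per-group announce, dropped by R5:", filtered_on_agent(R5_FILTERS, "3.3.3.3", r3_per_group))
    print("R3 whole-block announce, dropped by R5:", filtered_on_agent(R5_FILTERS, "3.3.3.3", ["permit 224.0.0.0 15.255.255.255"]))
```

With the per-group list R5 keeps R3's 225 entries and drops only its 226 ones, while the single 224.0.0.0/4 entry is dropped outright because 224.0.0.0 matches neither group-list.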
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of M S
Sent: Tuesday, February 20, 2007 11:08 PM
To: ccielab@groupstudy.com
Subject: Multicast access-lists
Hello
I am curious about these two versions of a multicast boundary access-list.
I've been told that some multicast access-lists are not parsed correctly
when deny statements or CIDR blocks are included.
Does anybody know which types of multicast lists don't work properly? Is
it the multicast boundary list that behaves this way?
Also, for testing purposes, would creating a sparse mode topology and
using the igmp join-group 239.1.1.1 on one of the routers prove this
concept if I am unable to ping 239.1.1.1?
Version 1 is suspect
access-list 39 remark prevent the spread of administratively scoped addresses
access-list 39 remark permit multicast addresses 232.0.0.0/5
access-list 39 deny 239.0.0.0 0.255.255.255
access-list 39 perm 232.0.0.0 7.255.255.255
Version 2
access-list 39 permit 232.0.0.0 0.255.255.255
access-list 39 permit 233.0.0.0 0.255.255.255
access-list 39 permit 234.0.0.0 0.255.255.255
access-list 39 permit 235.0.0.0 0.255.255.255
access-list 39 permit 236.0.0.0 0.255.255.255
access-list 39 permit 237.0.0.0 0.255.255.255
access-list 39 permit 238.0.0.0 0.255.255.255
end
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:47 ART