From: Riapolov, Bradley (BRiapolo@wm.com)
Date: Sun Apr 22 2007 - 13:39:17 ART
Thanks to all for the input. Below is the summary for those who are interested:
DocCD says: (http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i2h.htm#wp1069977)
"...The following example configures the router to accept RP announcements from RPs in access list 1 for group ranges described in access list 2:
ip pim rp-announce-filter rp-list 1 group-list 2
access-list 1 permit 10.0.0.1
access-list 1 permit 10.0.0.2
access-list 2 permit 224.0.0.0 192.168.255.255..."
According to Cisco's example, the MA should accept RP accouncements from RPs in ACL1 destined to Multicast groups in ACL2. This does not appear to be the case on my rack!!! If someone can get this to work this way, please email me - I would like to find out what I am doing wrong. Here is what I have found (I have labbed it up, debugged it every step of the way and this is how it worked on my rack):
1) If you want to filter out a specific RP (notice this DENIES, not accepts the announcements as the DocCD states):
> R4(config)#do sri pim
> ip pim send-rp-discovery Loopback104 scope 16
> ip pim rp-announce-filter rp-list 1 group-list 2
> R4(config)#do sri access
> access-list 1 permit 172.16.103.1
> access-list 2 permit 231.1.1.1
> R4(config)#do sh ip pi rp
> Group: 231.1.1.1, RP: 172.16.101.1, v2, v1, uptime 00:02:50, expires
> 00:02:05
2) If you want to accept announcements from just one RP and deny the rest (at least one way of doing this):
R4(config)#do sri pim
ip pim send-rp-discovery Loopback104 scope 16
ip pim rp-announce-filter rp-list 1 group-list 2
R4(config)#do sri access
access-list 1 deny 172.16.101.1
access-list 1 permit any
access-list 2 deny 231.1.1.1
R4(config)#do sh ip pim rp
Group: 231.1.1.1, RP: 172.16.101.1, v2, v1, uptime 00:16:32, expires 00:02:27
I would like to be proven wrong if I am (and will take it like a man :) ) - I am sure we will all learn in the process. I am usually not in the habit of going against the DocCD, but would like to know if I misunderstand the topic. Also, please lab this up. The scenario is tricky since both 172.16.101.1 and 172.16.103.1 are announcing they are the RP - so the MA (172.16.104.1) will want to choose 172.16.103.1 because of the higher ip! The end result is to advertise 172.16.101.1 as the RP of choice and block other RPs.
-----Original Message-----
From: ivan [mailto:ivan@iip.net]
Sent: Sunday, April 22, 2007 9:57 AM
To: ccielab@groupstudy.com; Riapolov, Bradley
Cc: Narbik Kocharians
Subject: Re: RP-filtering - what am i missing?
RP filtering is extraordinary thing (IMO). If you want to filter all group
from all fake RP except CRP 172.16.103.1 and group 231.1.1.1
Filter must look like
ip pim send-rp-discovery Loopback104 scope 16
ip pim rp-announce-filter rp-list 1 group-list 2
ip pim rp-announce-filter rp-list 3 group-list 4
R4(config)#do sri access
access-list 1 permit 172.16.103.1
access-list 2 permit 231.1.1.1
access-list 3 permit any
access-list 4 deny any
MA listen update from CRP 172.16.103.1 and permit to advrtise information
about 231.1.1.1 group. Also MA listen advertisment from any CRP (ACL3) but
deny advertising any information (ACL4) from this CRP.
On Saturday 21 April 2007 22:00, Riapolov, Bradley wrote:
> interesting observation. Thank you. I finally got this to work with a lot
> simpler config - thanks everybody. All you have to do is just filter the
> traffic you do not want.
>
> R4(config)#do sri pim
> ip pim send-rp-discovery Loopback104 scope 16
> ip pim rp-announce-filter rp-list 1 group-list 2
> R4(config)#do sri access
> access-list 1 permit 172.16.103.1
> access-list 2 permit 231.1.1.1
> R4(config)#do sh ip pi rp
> Group: 231.1.1.1, RP: 172.16.101.1, v2, v1, uptime 00:02:50, expires
> 00:02:05
>
>
>
> -----Original Message-----
> From: Narbik Kocharians [mailto:narbikk@gmail.com]
> Sent: Saturday, April 21, 2007 11:59 AM
> To: Riapolov, Bradley
> Cc: ccielab@groupstudy.com
> Subject: Re: RP-filtering - what am i missing?
>
>
> This is what i found when i tried filtering. If the RP was claiming to be
> the RP for only two Mcast groups, the downstream router (The mapping agent)
> was able to filter one of the groups. But if the RP was the RP for all
> groups i could not filter one of the group addresses successfuly.
>
> On 4/21/07, Riapolov, Bradley < BRiapolo@wm.com> wrote:
>
> Two RPs ( 172.16.101.1, 172.16.103.1), R4 is mapping and has elected the
> highest ip as the acting RP. Now, I would like to test RP-FILTERING with
> the intent to make 172.16.101.1 the RP - it does not work, why - am I
> missing how this is supposed to work? When I run debug ip pim auto-rp,
> filtering does not happen!
> R4#sri pim
> ip pim send-rp-discovery Loopback104 scope 16
> ip pim rp-announce-filter rp-list 1 group-list 2
> ip pim rp-announce-filter rp-list 3 group-list 4
> R4#sri access-list
> access-list 1 permit 172.16.101.1
> access-list 2 permit 224.0.0.0 15.255.255.255
> access-list 3 deny any
> access-list 4 deny any
>
> R4(other routers show the same info) #sh ip pim rp
> Group: 231.1.1.1, RP: 172.16.103.1, v2, v1, uptime 00:11:55, expires
> 00:02:0
>
> Thank you,
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
> <http://www.groupstudy.com/list/CCIELab.html>
>
>
>
>
>
> --
> Narbik Kocharians
> CCIE# 12410 (R&S, SP, Security)
> CCSI# 30832
> Network Learning, Inc. (CCIE class Instructor)
> www.ccbootcamp.com <http://www.ccbootcamp.com> (CCIE Training)
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- NOC umos.ru Ivan Kuchin (495) 137-31-04
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:36 ART