Re: Auto RP spoofing prevention

From: cisco efiko (ciscoefiko@googlemail.com)
Date: Mon Jul 16 2007 - 06:22:22 ART


OK, but how would you mitigate against MA spoofing? What you have explained
works for RPs.

On 7/16/07, darth router <darklordrouter@gmail.com> wrote:
>
> A simple permit on the mapping agent with the rp-list and group-list would
> prevent any other RP from becoming the RP for these groups, correct? For
> example, if I wanted to map 232.22.22.22 to a particular 150.1.4.4
>
> ip pim rp-announce-filter rp-list 10 group-list 20
>
> access-list 10 permit 150.1.4.4
> access-list 20 permit 232.22.22.22
>
> This itself would create an implicit deny on any other RP announcing itself
> with the group of 232.22.22.22, right? I have labbed this up and it seems so,
> but I want to make sure there are no other caveats.
>
>
> DR


