From: Salau, Yemi (yemi.salau@siemens.com)
Date: Fri Sep 21 2007 - 14:09:22 ART
You could argue that the join messages only get as far as the switch
before the switch only issues an (S,G) join towards the source; this is
what actually goes out of the SVI, not the Membership Report from the
Host.
The switch doesn't really care who is sending that Membership Report as
long as there is someone sending it; all it then does is request the
group (by sending the RP an (S,G) join).
After thinking about this, I am not too sure the SVI will be the best
place to filter the join message from the client, because the membership
report doesn't even cross that layer-3 boundary. If you noticed, Joseph
applied his to the fa0/0 and not the SVI!
Any other ideas, please?
Many Thanks
Yemi Salau
-----Original Message-----
From: Gregory Gombas [mailto:ggombas@gmail.com]
Sent: Friday, September 21, 2007 2:57 PM
To: Salau, Yemi
Cc: Joseph Brunner; Matthew Long; ccielab@groupstudy.com
Subject: Re: Client/PC Based Multicast Filtering
Wait - but couldn't Joe's access-group be applied to the router or SVI
rather than every single switch port?
On 9/21/07, Salau, Yemi <yemi.salau@siemens.com> wrote:
> Hello Joseph,
>
> Thanks for your contribution, I'm not overthinking this, just trying to
> save myself from having to configure this for over 10,000 multicast PCs.
> As in I'll have to configure that access-group on all the ports that
> connect to 10,000 PCs ... Init?
>
> If there is no better way to do this, then I will have to just take my
> fate yet again!
>
> Many Thanks
>
> Yemi Salau
>
> -----Original Message-----
> From: Joseph Brunner [mailto:joe@affirmedsystems.com]
> Sent: Thursday, September 20, 2007 7:24 PM
> To: Salau, Yemi; 'Matthew Long'
> Cc: ccielab@groupstudy.com
> Subject: RE: Client/PC Based Multicast Filtering
>
> Why over think this?
>
> Why not...
>
> !deny certain pc's from sending igmp v2 join's
> access-list 101 deny igmp host 10.10.10.x host 239.1.1.1
> !
> access-list 101 deny igmp host 10.10.10.x host 239.1.1.1
> !
> !permit the others
> access-list 101 permit igmp host 10.10.10.5 host 239.1.1.1
> !
> !deny all other igmp
> access-list 101 deny igmp any any
> !
> !permit all else
> !
> access-list 101 permit ip any any
> !
> !Apply
> int f0/0
> ip access-group 101 in
>
> I just did this in my lab... seems to work...
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Salau, Yemi
> Sent: Thursday, September 20, 2007 12:32 PM
> To: Matthew Long; Joseph Brunner
> Cc: ccielab@groupstudy.com
> Subject: Client/PC Based Multicast Filtering
>
> I was faced with a task to prevent some PCs (Clients) from joining 2
> particular multicast groups. IGMPv2 is in use ...
>
> How would you go about this, considering the fact that there are some
> Clients in the same subnet, connected at the same layer 2 point on the
> network, who should be able to receive the multicast traffic.
>
> I was thinking of ip igmp access-group, but this will only prevent (S,G)
> feeds, as in, it only controls access based on the source of the feed
> and also the destination multicast address. But my headache is around
> preventing certain PCs from joining certain groups; if I implement ip igmp
> access-group, all PCs would potentially be prevented from joining the
> group.
>
> Another one I'm thinking of is mac access-list, but then I will have to do
> this on all VLANs across 3 different sites. What's the simplest way of
> doing this?
>
> Any Fresh ideas will be appreciated as my head is just too hot at the
> moment!
>
> Many Thanks
>
> Yemi Salau
>
>
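Added example, not part of the original thread or written by any of its posters: a small Python model of first-match evaluation for the access-list 101 quoted above, run over constructed packets. The addresses 10.10.10.7 (standing in for the thread's "10.10.10.x"), 10.10.10.9, 239.2.2.2 and 192.0.2.10 are assumptions made for illustration, and the model only covers host/any matching.

```python
import ipaddress

# ACL 101 from the thread, in order. "10.10.10.7" is a constructed stand-in
# for the thread's "10.10.10.x" placeholder host.
ACL_101 = [
    ("deny",   "igmp", "10.10.10.7/32", "239.1.1.1/32"),
    ("permit", "igmp", "10.10.10.5/32", "239.1.1.1/32"),
    ("deny",   "igmp", "0.0.0.0/0",     "0.0.0.0/0"),
    ("permit", "ip",   "0.0.0.0/0",     "0.0.0.0/0"),
]

def evaluate(acl, proto, src, dst):
    """Return (action, matching entry number) using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, src_net, dst_net) in enumerate(acl, start=1):
        if p not in ("ip", proto):          # "ip" matches every IP protocol
            continue
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, n
    return "deny", 0                        # implicit deny ends every ACL

# Constructed packets as seen inbound on the interface.
# An IGMPv2 Membership Report is addressed to the group itself;
# an IGMPv2 Leave Group is addressed to 224.0.0.2 (all routers).
PACKETS = [
    ("report from blocked PC",  "igmp", "10.10.10.7", "239.1.1.1"),
    ("report from allowed PC",  "igmp", "10.10.10.5", "239.1.1.1"),
    ("report, other group",     "igmp", "10.10.10.5", "239.2.2.2"),
    ("leave from allowed PC",   "igmp", "10.10.10.5", "224.0.0.2"),
    ("unlisted PC, same group", "igmp", "10.10.10.9", "239.1.1.1"),
    ("ordinary unicast",        "tcp",  "10.10.10.7", "192.0.2.10"),
]

def run():
    """Evaluate every constructed packet and return name -> (action, entry)."""
    return {name: evaluate(ACL_101, proto, src, dst)
            for name, proto, src, dst in PACKETS}

if __name__ == "__main__":
    for name, (action, entry) in run().items():
        print(f"{name:26} -> {action:6} (entry {entry})")
```

In this model only the allowed PC's report to 239.1.1.1 is permitted; its Leave Group and its reports for any other group fall through to the "deny igmp any any" entry, as do reports from PCs that are not listed at all.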