From: iosluver@gmail.com
Date: Thu Nov 15 2007 - 22:50:35 ART
Hi GS,
Can someone please point out my mistake here? I am trying to filter IGMP requests to certain Multicast groups on a LAN segment while permitting others.
I have PIM sparse-mode running on the links between all routers. I applied the config below. Correct me if I'm wrong here, but shouldn't R2 prevent R6 from joining 227.7.7.7 while allowing it to join 226.6.6.6? I see R6 responding to the ICMP requests. Worse still, I'm logging ACL violations & though the packet is denied, R2 adds a route for the group in its mroute table.
Is this a bad approach for testing this? Hope someone takes time out to read this.
Here is a sketchy picture of what I did. Thanks in advance
R1-------FRAME-RELAY---------R2=========LAN=======R6
R2
+++++++++++++++++++++++++++++++++++++++++
ip access-list standard IGMP-VLAN26
 permit 226.0.0.0 0.255.255.255
 deny any log
interface FastEthernet0/0
 ip address 173.1.26.2 255.255.255.0
 ip pim sparse-dense-mode
 ip rip advertise 10
 ip rip authentication mode md5
 ip rip authentication key-chain RIP
 ip igmp access-group IGMP-VLAN26
 speed 100
 full-duplex
interface Serial0/0.201 point-to-point
 ip address 173.1.12.2 255.255.255.0
 ip pim sparse-mode
 ip rip advertise 10
 no ip route-cache
 frame-relay interface-dlci 201
+++++++++++++++++++++++++++++++++++++++++++
R6
+++++
interface FastEthernet0/0.62
 encapsulation dot1Q 62
 ip address 192.10.1.6 255.255.255.0
 ip pim sparse-mode
 ip rip advertise 10
 no ip route-cache
 ip igmp join-group 226.6.6.6
 ip igmp join-group 227.7.7.7
 no snmp trap link-status
++++++++++++++++++++++++++++++++++++++++++++++
R1
+++++
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
 ip pim sparse-mode
end
interface Serial0/0.102 point-to-point
 ip address 173.1.12.1 255.255.255.0
 ip pim sparse-mode
 ip rip advertise 10
 frame-relay interface-dlci 102
end
************************************************************
DEBUG OUTPUT
===============================================================
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 27.7.7.7
Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
Building Join/Prune packet for nbr 173.1.12.1
Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 227.7.7.7
Insert (*,227.7.7.7) join in nbr 173.1.26.2's queue
Building Join/Prune packet for nbr 173.1.26.2
Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2's que
Building Join/Prune packet for nbr 173.1.26.2
Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
===============================================================
Rack3R1#ping 226.6.6.6 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:
Reply to request 0 from 173.1.26.6, 61 ms
Reply to request 0 from 173.1.26.6, 77 ms
Reply to request 1 from 173.1.26.6, 64 ms
Rack3R1#ping 227.7.7.7 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
Reply to request 0 from 173.1.26.6, 64 ms
Reply to request 0 from 173.1.26.6, 116 ms
Reply to request 0 from 173.1.26.6, 80 ms
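Added example, not part of the original post: a Python sketch that correlates the debug lines above, reporting groups that the IGMP-VLAN26 access list denies but that still gain forwarding state, together with the mechanism the router logged for it. The function names and the two regular expressions are assumptions that cover only the line shapes shown in this post.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the debug output in the post above.
DEBUG = """\
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
"""

# Permit entries of the IGMP-VLAN26 ACL from the post: (network, wildcard mask).
ACL_PERMITS = [("226.0.0.0", "0.255.255.255")]

DENY_RE = re.compile(r"%SEC-6-IPACCESSLOGNP: list (\S+) denied \d+ (\S+) ->")
ADD_RE = re.compile(r"Add (\S+) to \(([^,]+), ([^)]+)\), Forward state, by (.+)$")

def acl_permits(group, permits=ACL_PERMITS):
    """True if the group matches a permit entry (wildcard bits are 'don't care')."""
    g = int(ip_address(group))
    for net, wildcard in permits:
        care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
        if g & care == int(ip_address(net)) & care:
            return True
    return False

def correlate(text):
    """Return state additions for groups the IGMP ACL denied or does not permit."""
    denied, findings = set(), []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denied.add(m.group(2))
            continue
        m = ADD_RE.search(line)
        if m:
            oif, _source, group, mechanism = m.groups()
            if group in denied or not acl_permits(group):
                findings.append({"group": group, "oif": oif, "by": mechanism.strip()})
    return findings

if __name__ == "__main__":
    for f in correlate(DEBUG):
        print(f"{f['group']}: denied by IGMP ACL, state added on {f['oif']} by {f['by']}")
```

On the sample lines this reports 227.7.7.7 with the mechanism string "PIM *G Join", the same text the router printed in the debug output.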