Re: IP IGMP filter???

From: shiran guez (shiranp3@gmail.com)
Date: Fri Nov 16 2007 - 02:44:32 ART


The access-group is not filtering; it is like a Join Group, but for the
network behind it. So what you did on R2 is make it so that all the hosts
behind it on network 173.1.26.0 can use group 226.6.6.6 without actually
sending a Join, and on R6 you actually explicitly joined both groups.

To filter this 227.7.7.7 you need an access list, and assign it to the
interface: ip access-group ...

Please, someone comment, as I do not see another way for this scenario.

Unless you use IGMPv3, where you can filter.

On Nov 16, 2007 3:50 AM, <iosluver@gmail.com> wrote:

> Hi GS,
>
> Can someone please point out my mistake here. I am trying to filter igmp
> requests to certain Multicast groups on a LAN segment while permitting
> others.
>
> I have PIM sparse-mode running on the links between all routers. I applied
> the config below. Correct me if I'm wrong here, but shouldn't R2 prevent R6
> from joining 227.7.7.7 while allowing it to join 226.6.6.6. I see R6
> responding to the ICMP requests. Worse still, I'm logging ACL violations &
> though the packet is denied, R2 adds a route for the group in its mroute
> table.
>
> Is this a bad approach for testing this? Hope someone takes time out to
> read this.
>
> Here is a sketchy picture of what I did. Thanks in advance
>
> R1-------FRAME-RELAY---------R2=========LAN=======R6
>
> R2
> +++++++++++++++++++++++++++++++++++++++++
> ip access-list standard IGMP-VLAN26
> permit 226.0.0.0 0.255.255.255
> deny any log
>
> interface FastEthernet0/0
> ip address 173.1.26.2 255.255.255.0
> ip pim sparse-dense-mode
> ip rip advertise 10
> ip rip authentication mode md5
> ip rip authentication key-chain RIP
> ip igmp access-group IGMP-VLAN26
> speed 100
> full-duplex
>
> interface Serial0/0.201 point-to-point
> ip address 173.1.12.2 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> no ip route-cache
> frame-relay interface-dlci 201
>
> +++++++++++++++++++++++++++++++++++++++++++
>
> R6
> +++++
> interface FastEthernet0/0.62
> encapsulation dot1Q 62
> ip address 192.10.1.6 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> no ip route-cache
> ip igmp join-group 226.6.6.6
> ip igmp join-group 227.7.7.7
> no snmp trap link-status
>
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> R1
> +++++
>
> interface Loopback0
> ip address 150.1.1.1 255.255.255.0
> ip pim sparse-mode
> end
>
> interface Serial0/0.102 point-to-point
> ip address 173.1.12.1 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> frame-relay interface-dlci 102
> end
> ************************************************************
>
>
> DEBUG OUTPUT
> ===============================================================
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1
> packet
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1
> packet
>
> Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
> Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
> Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G
> Join
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 27.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
> Building Join/Prune packet for nbr 173.1.12.1
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 227.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.26.2's queue
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
> Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2's que
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
> Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> ===============================================================
>
> Rack3R1#ping 226.6.6.6 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6, 61 ms
> Reply to request 0 from 173.1.26.6, 77 ms
> Reply to request 1 from 173.1.26.6, 64 ms
> Rack3R1#ping 227.7.7.7 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6, 64 ms
> Reply to request 0 from 173.1.26.6, 116 ms
> Reply to request 0 from 173.1.26.6, 80 ms
>

-- 
Shiran Guez
MCSE CCNP NCE1
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3
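
Added example, not part of either post: a short Python correlation over lines shaped like the quoted R2 log and debug output, listing groups that the IGMP access list logged as denied but that still gained (*,G) forwarding state through a PIM join. The sample lines are constructed (wrapped lines rejoined, and the 226.6.6.6 line is hypothetical), and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the quoted R2 output; the last line is hypothetical.
SAMPLE = """\
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
Add FastEthernet0/0/173.1.26.6 to (*, 226.6.6.6), Forward state, by PIM *G Join
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# ACL log line: which list denied which group.
ACL_DENY = re.compile(rf"%SEC-6-IPACCESSLOGNP: list (\S+) denied \d+ ({IP}) ->")
# PIM debug line: interface/neighbor added to a (*,G) entry by a PIM join.
PIM_ADD = re.compile(rf"Add (\S+)/({IP}) to \(\*, ({IP})\), Forward state, by PIM \*G Join")


def correlate(text):
    """Collect ACL denials and PIM-created (*,G) state, keyed by group address."""
    denied = defaultdict(set)     # group -> ACL names that denied it
    pim_state = defaultdict(set)  # group -> (interface, neighbor) pairs
    for line in text.splitlines():
        if m := ACL_DENY.search(line):
            denied[m.group(2)].add(m.group(1))
        elif m := PIM_ADD.search(line):
            pim_state[m.group(3)].add((m.group(1), m.group(2)))
    return denied, pim_state


def bypassed_groups(text):
    """Groups an IGMP ACL denied that still have forwarding state from a PIM join."""
    denied, pim_state = correlate(text)
    return {g: {"acls": sorted(denied[g]), "via": sorted(pim_state[g])}
            for g in denied if g in pim_state}


if __name__ == "__main__":
    for group, info in bypassed_groups(SAMPLE).items():
        print(group, "denied by", info["acls"], "but joined via PIM from", info["via"])
```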


This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART