From: Chan Hong (chan_hong33@yahoo.com)
Date: Fri Nov 16 2007 - 05:59:29 ART
To block multicast packets in both the in and out direction, use ip multicast boundary
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i1h.htm#wp1112742

To block PIM neighbors and create a stub multicast domain, use ip pim neighbor-filter
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i2h.htm#wp1069459

To block IGMP join messages, use ip igmp access-group
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i1h.htm#wp1117805

To block BSR messages, use ip pim bsr-border
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i2h.htm#wp1068853

To block Auto-RP messages, use an ACL to block 224.0.1.39 & 40, and then permit 224.0.0.0 15.255.255.255

To block MSDP messages to another domain, use ip msdp border
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i1h.htm#wp1073944

Correct me if I'm wrong
----- Original Message ----
From: shiran guez <shiranp3@gmail.com>
To: iosluver@gmail.com
Cc: ccielab@groupstudy.com
Sent: Friday, November 16, 2007 1:44:32 PM
Subject: Re: IP IGMP filter???
The access-group is not filtering; it is like a join-group, but for the
network behind it. So what you did on R2 is make it so that all the hosts
behind it on network 173.1.26.0 can use group 226.6.6.6 without actually
sending a Join, and on R6 you explicitly joined both groups.

To filter this 227.7.7.7 you need an access list, and to assign it to the
interface:
ip access-group ...

Please, someone comment, as I do not see another way for this scenario,
unless you use IGMPv3, where you can filter.

On Nov 16, 2007 3:50 AM, <iosluver@gmail.com> wrote:
> Hi GS,
>
> Can someone please point out my mistake here. I am trying to filter igmp
> requests to certain Multicast groups on a LAN segment while permitting
> others.
>
> I have PIM sparse-mode running on the links between all routers. I applied
> the config below. Correct me if I'm wrong here, but shouldn't R2 prevent R6
> from joining 227.7.7.7 while allowing it to join 226.6.6.6. I see R6
> responding to the ICMP requests. Worse still, I'm logging ACL violations &
> though the packet is denied, R2 adds a route for the group in its mroute
> table.
>
> Is this a bad approach for testing this? Hope someone takes time out to
> read this.
>
> Here is a sketchy picture of what I did. Thanks in advance
>
> R1-------FRAME-RELAY---------R2=========LAN=======R6
>
> R2
> +++++++++++++++++++++++++++++++++++++++++
> ip access-list standard IGMP-VLAN26
> permit 226.0.0.0 0.255.255.255
> deny any log
>
> interface FastEthernet0/0
> ip address 173.1.26.2 255.255.255.0
> ip pim sparse-dense-mode
> ip rip advertise 10
> ip rip authentication mode md5
> ip rip authentication key-chain RIP
> ip igmp access-group IGMP-VLAN26
> speed 100
> full-duplex
>
> interface Serial0/0.201 point-to-point
> ip address 173.1.12.2 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> no ip route-cache
> frame-relay interface-dlci 201
>
> +++++++++++++++++++++++++++++++++++++++++++
>
> R6
> +++++
> interface FastEthernet0/0.62
> encapsulation dot1Q 62
> ip address 192.10.1.6 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> no ip route-cache
> ip igmp join-group 226.6.6.6
> ip igmp join-group 227.7.7.7
> no snmp trap link-status
>
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> R1
> +++++
>
> interface Loopback0
> ip address 150.1.1.1 255.255.255.0
> ip pim sparse-mode
> end
>
> interface Serial0/0.102 point-to-point
> ip address 173.1.12.1 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> frame-relay interface-dlci 102
> end
> ************************************************************
>
>
> DEBUG OUTPUT
> ===============================================================
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
>
> Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
> Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
> Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 27.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
> Building Join/Prune packet for nbr 173.1.12.1
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 227.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.26.2's queue
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
> Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2's que
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
> Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> ===============================================================
>
> Rack3R1#ping 226.6.6.6 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6, 61 ms
> Reply to request 0 from 173.1.26.6, 77 ms
> Reply to request 1 from 173.1.26.6, 64 ms
> Rack3R1#ping 227.7.7.7 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6, 64 ms
> Reply to request 0 from 173.1.26.6, 116 ms
> Reply to request 0 from 173.1.26.6, 80 ms
>
>
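
Added example, not part of the original thread: a small Python model of how an IOS standard ACL with wildcard masks is matched (first match wins, implicit deny at the end), run against the IGMP-VLAN26 list from the quoted R2 config and an Auto-RP list written out from the description in the reply. The Auto-RP entries, their order and the function names are assumptions made for the illustration; the model covers only the ACL match, not what the router then does with IGMP or PIM messages.

```python
import ipaddress

def parse_acl(text):
    """Parse IOS standard-ACL entries into (action, address, wildcard) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = [t for t in line.split() if t != "log"]
        action, rest = tokens[0], tokens[1:]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            # No wildcard given means an exact (host) match.
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        rules.append((action, addr, wild))
    return rules

def evaluate(rules, group):
    """Return 'permit' or 'deny' for a group address; first match wins."""
    g = int(ipaddress.IPv4Address(group))
    for action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF               # bits that must match
        if ((g ^ addr) & care) == 0:
            return action
    return "deny"                               # implicit deny at the end

# From the quoted R2 config.
IGMP_VLAN26 = parse_acl("""
permit 226.0.0.0 0.255.255.255
deny any log
""")

# Constructed from the Auto-RP description in the reply (assumed entry order).
AUTORP_FILTER = parse_acl("""
deny 224.0.1.39
deny 224.0.1.40
permit 224.0.0.0 15.255.255.255
""")

def verdicts(rules, groups):
    """Map each group address to the ACL's decision for it."""
    return {g: evaluate(rules, g) for g in groups}

if __name__ == "__main__":
    print(verdicts(IGMP_VLAN26, ["226.6.6.6", "227.7.7.7"]))
    print(verdicts(AUTORP_FILTER,
                   ["224.0.1.39", "224.0.1.40", "239.1.1.1", "10.1.1.1"]))
```

The deny verdict for 227.7.7.7 agrees with the %SEC-6-IPACCESSLOGNP lines in the quoted debug output.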
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART