From: shiran guez (shiranp3@gmail.com)
Date: Fri Nov 16 2007 - 18:49:16 ART
this is not what I meant, I did mean that I would not use IGMP ACCESS-GROUP
to filter multicast.
IGMP is HOST to ROUTER, the igmp join-group is emulating a host that is
joining a group on the local Router mean that if you ping from R1 to R6, R1
do not use IGMP to find R6 Groups.
he use PIM.
if you want to block this groups in R2 I would use pim boundary filter
On Nov 16, 2007 6:46 PM, M e <iosluver@gmail.com> wrote:
> Hi,
>
> Thanks for your input on this. I though the solution I used was
> correct & according to Internetwork Expert's solution guide (5 dayboot
> camp), that's the answer. Unfortunately, it doesn't seem to be the
> case.
>
> Shiran
>
> I'm not sure I understood what you meant in the first response you
> made. It sounds like you are saying IGMP requests are not required on
> the segment between R2 & R6 because the access-group was applied.
> Unless I'm missing something, the IGMP ACCESS-GROUP doesn't send IGMP
> join requests does it? IMHO, I thought the purpose of using the an
> IGMP filter was to restrict the groups to which hosts on a LAN
> segment could join. Aren't IGMP requests needed in order to receive
> Multicast traffic?
>
> My question was, If I permit a multicast group (226.0.0.0
> 0.255.255..255) in an ACL & & deny all others. I Then reference the
> ACL in an IGMP access-group statement, doesn't that mean "PERMIT IGMP
> REQUESTS TO ONLY 226.0.0.0 0.255.255.255" & DENY ALL OTHERS?
>
> Kindly indulge me if you can. Thanks again for your interest.
>
>
>
>
>
>
>
>
>
> On Nov 16, 2007 9:48 AM, shiran guez <shiranp3@gmail.com> wrote:
> > Chan
> >
> > it doesn't meter what mode is on the incoming interface as you cant
> control
> > what type traffic mode is coming in to you.
> >
> > when you specify on F0/0 under R2 or any other interface it only
> reference
> > to the traffic type that you are allowed to send out the interface.
> >
> > also igmp is a client to router message not a router to router dense or
> > sparse is router to router communication.
> >
> > I would use the ip multicast boundary to filter a group
> >
> >
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i1h.htm#wp1112742
> >
> >
> >
> > On Nov 16, 2007 3:39 PM, Chan Hong <chan_hong33@yahoo.com> wrote:
> >
> > >
> > >
> > >
> > > In your config, it's sparse-dense mode on R2 Fa0/0
> > > Check out does the fall back dense happen on R2 when you block the
> igmp
> > report message from R6.
> > >
> > >
> > >
> > >
> > >
> > > ----- 6l%s-l%s ----
> > > 1H%s$H!R shiran guez <shiranp3@gmail.com>
> > > &,%s$H iosluver@gmail.com
> > > 0F%;(CC) ccielab@groupstudy.com
> > > 6G0e$i4A!R 2007 &~ 11$k 16 $i ,P4A$- $U$H 1:44:32
> > > %DCD!G Re: IP IGMP filter???
> > >
> > > the access-group is not filtering, it is like a Join Group but for the
> > > network behind it so what you did is on R2 made the network 173.1.26.0all
> > > the host behind it can use group 226.6.6.6 without actually send a
> Join,
> > and
> > > on R6 you actually explicitly joined both groups.
> > >
> > > to filter this 227.7.7.7 you need a access list and assign it to the
> > > interface ip access-group ...
> > >
> > > please some one comment as I do not see other way for this scenario.
> > >
> > > unless you use IGMPv3 where you can filter.
> > >
> > > On Nov 16, 2007 3:50 AM, <iosluver@gmail.com > wrote:
> > >
> > > > Hi GS,
> > > >
> > > > Can someone please point out my mistake here. I am tryng to filter
> igmp
> > > > requests to certain Multicast groups on a LAN segment while
> permiting
> > > > others.
> > > >
> > > > I have PIM sparse-mode running on the links between all routers. I
> > applied
> > > > the config below. Correct me if I'm wrong here, but shouldn't R2
> prevent
> > R6
> > > > from joining 227.7.7.7 while allowing it to join 226.6.6.6. I see R6
> > > > responding to the ICMP requests. Worse still, I'm logging ACL
> violations
> > &
> > > > though the packet is denied, R2 adds a route for the group in its
> mroute
> > > > table.
> > > >
> > > > Is this a bad approach for testing this? Hope someone takes time out
> to
> > > > read this. .
> > > >
> > > > Here is a sketchy picture of what I did. Thanks in advance
> > > >
> > > > R1-------FRAME-RELAY---------R2=========LAN=======R6
> > > >
> > > > R2
> > > > +++++++++++++++++++++++++++++++++++++++++
> > > > ip access-list standard IGMP-VLAN26
> > > > permit 226.0.0.0 0.255.255.255
> > > > deny any log
> > > >
> > > > interface FastEthernet0/0
> > > > ip address 173.1.26.2 255.255.255.0
> > > > ip pim sparse-dense-mode
> > > > ip rip advertise 10
> > > > ip rip authentication mode md5
> > > > ip rip authentication key-chain RIP
> > > > ip igmp access-group IGMP-VLAN26
> > > > speed 100
> > > > full-duplex
> > > >
> > > > interface Serial0/0.201 point-to-point
> > > > ip address 173.1.12.2 255.255.255.0
> > > > ip pim sparse-mode
> > > > ip rip advertise 10
> > > > no ip route-cache
> > > > frame-relay interface-dlci 201
> > > >
> > > > +++++++++++++++++++++++++++++++++++++++++++
> > > >
> > > > R6
> > > > +++++
> > > > interface FastEthernet0/0.62
> > > > encapsulation dot1Q 62
> > > > ip address 192.10.1.6 255.255.255.0
> > > > ip pim sparse-mode
> > > > ip rip advertise 10
> > > > no ip route-cache
> > > > ip igmp join-group 226.6.6.6
> > > > ip igmp join-group 227.7.7.7
> > > > no snmp trap link-status
> > > >
> > > > ++++++++++++++++++++++++++++++++++++++++++++++
> > > >
> > > > R1
> > > > +++++
> > > >
> > > > interface Loopback0
> > > > ip address 150.1.1.1 255.255.255.0
> > > > ip pim sparse-mode
> > > > end
> > > >
> > > > interface Serial0/0.102 point-to-point
> > > > ip address 173.1.12.1 255.255.255.0
> > > > ip pim sparse-mode
> > > > ip rip advertise 10
> > > > frame-relay interface-dlci 102
> > > > end
> > > > ************************************************************
> > > >
> > > >
> > > > DEBUG OUTPUT
> > > > ===============================================================
> > > > %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0,
> 1
> > > > packet
> > > > %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0,
> 1
> > > > packet
> > > >
> > > > Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
> > > > Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
> > > > Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by
> PIM
> > *G
> > > > Join
> > > > Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for
> 27.7.7.7
> > > > Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
> > > > Building Join/Prune packet for nbr 173.1.12.1
> > > > Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> > > > Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
> > > > Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for
> 227.7.7.7
> > > > Insert (*, 227.7.7.7) join in nbr 173.1.26.2's queue
> > > > Building Join/Prune packet for nbr 173.1.26.2
> > > > Adding v2 ( 150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> > > > Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> > > > Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
> > > > Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2 's que
> > > > Building Join/Prune packet for nbr 173.1.26.2
> > > > Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
> > > > Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
> > > > Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> > > > ===============================================================
> > > >
> > > > Rack3R1#ping 226.6.6.6 repeat 100
> > > >
> > > > Type escape sequence to abort.
> > > > Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:
> > > >
> > > > Reply to request 0 from 173.1.26.6 , 61 ms
> > > > Reply to request 0 from 173.1.26.6, 77 ms
> > > > Reply to request 1 from 173.1.26.6, 64 ms
> > > > Rack3R1#ping 227.7.7.7 repeat 100
> > > >
> > > > Type escape sequence to abort.
> > > > Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
> > > >
> > > > Reply to request 0 from 173.1.26.6, 64 ms
> > > > Reply to request 0 from 173.1.26.6, 116 ms
> > > > Reply to request 0 from 173.1.26.6, 80 ms
> > > >
> > > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > >
> > >
> > >
> > > --
> > > Shiran Guez
> > > MCSE CCNP NCE1
> > > http://cciep3.blogspot.com
> > > http://www.linkedin.com/in/cciep3
> > >
> > >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > >
> > >
> > > ________________________________
> > Yahoo! :t$W&w%~'p2$!A1P'A&p&s(>=d6B+H! $F8Q's&h
> >
> >
> >
> > --
> > Shiran Guez
> > MCSE CCNP NCE1
> > http://cciep3.blogspot.com
> > http://www.linkedin.com/in/cciep3
>
-- Shiran Guez MCSE CCNP NCE1 http://cciep3.blogspot.com http://www.linkedin.com/in/cciep3
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART