RE: IP IGMP filter???

From: Daniel Kutchin (daniel@kutchin.com)
Date: Sun Nov 18 2007 - 16:50:12 ART


Hi,

I labbed up your setup and only confirmed your result exactly.

It looks like you can't prevent R6 from receiving the 227.7.7.7 packets
using the "ip igmp access-group" and a standard access-list on R2.

Didn't try the extended access-list, however, because I'm curious to know
when the standard access-list should work for a pre-IGMPv3.

Were you able to get a solution that worked?

Regards

Daniel

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
iosluver@gmail.com
Sent: Friday, 16 November 2007 02:51
To: ccielab@groupstudy.com
Subject: IP IGMP filter???

Hi GS,

Can someone please point out my mistake here? I am trying to filter IGMP
requests to certain Multicast groups on a LAN segment while permitting
others.

I have PIM sparse-mode running on the links between all routers. I applied
the config below. Correct me if I'm wrong here, but shouldn't R2 prevent R6
from joining 227.7.7.7 while allowing it to join 226.6.6.6? I see R6
responding to the ICMP requests. Worse still, I'm logging ACL violations &
though the packet is denied, R2 adds a route for the group in its mroute
table.

Is this a bad approach for testing this? Hope someone takes time out to read
this.

Here is a sketchy picture of what I did. Thanks in advance.

R1-------FRAME-RELAY---------R2=========LAN=======R6

R2
+++++++++++++++++++++++++++++++++++++++++
ip access-list standard IGMP-VLAN26
 permit 226.0.0.0 0.255.255.255
 deny any log

interface FastEthernet0/0
 ip address 173.1.26.2 255.255.255.0
 ip pim sparse-dense-mode
 ip rip advertise 10
 ip rip authentication mode md5
 ip rip authentication key-chain RIP
 ip igmp access-group IGMP-VLAN26
 speed 100
 full-duplex

interface Serial0/0.201 point-to-point
 ip address 173.1.12.2 255.255.255.0
 ip pim sparse-mode
 ip rip advertise 10
 no ip route-cache
 frame-relay interface-dlci 201

+++++++++++++++++++++++++++++++++++++++++++

R6
+++++
interface FastEthernet0/0.62
 encapsulation dot1Q 62
 ip address 192.10.1.6 255.255.255.0
 ip pim sparse-mode
 ip rip advertise 10
 no ip route-cache
 ip igmp join-group 226.6.6.6
 ip igmp join-group 227.7.7.7
 no snmp trap link-status

++++++++++++++++++++++++++++++++++++++++++++++

R1
+++++

interface Loopback0
 ip address 150.1.1.1 255.255.255.0
 ip pim sparse-mode
end

interface Serial0/0.102 point-to-point
 ip address 173.1.12.1 255.255.255.0
 ip pim sparse-mode
 ip rip advertise 10
 frame-relay interface-dlci 102
end
************************************************************

DEBUG OUTPUT
===============================================================
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1
packet
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1
packet

Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G
Join
Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 27.7.7.7
Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
Building Join/Prune packet for nbr 173.1.12.1
Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 227.7.7.7
Insert (*,227.7.7.7) join in nbr 173.1.26.2's queue
Building Join/Prune packet for nbr 173.1.26.2
Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2's que
Building Join/Prune packet for nbr 173.1.26.2
Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
===============================================================

Rack3R1#ping 226.6.6.6 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:

Reply to request 0 from 173.1.26.6, 61 ms
Reply to request 0 from 173.1.26.6, 77 ms
Reply to request 1 from 173.1.26.6, 64 ms
Rack3R1#ping 227.7.7.7 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:

Reply to request 0 from 173.1.26.6, 64 ms
Reply to request 0 from 173.1.26.6, 116 ms
Reply to request 0 from 173.1.26.6, 80 ms
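
Added example (not part of the original posts): a Python sketch that evaluates the IGMP-VLAN26 ACL and correlates the debug lines quoted above. `ip igmp access-group` filters IGMP membership reports, while the debug output shows the (*, 227.7.7.7) state being added "by PIM *G Join" from 173.1.26.6, so the script flags groups that the ACL denied but that still gained forwarding state through PIM. The function names are assumptions for this example, and the sample log line is re-joined where the mail wrapped it.

```python
import ipaddress
import re

# Standard ACL from the post as (action, base, wildcard); "any" = 0.0.0.0/255.255.255.255.
ACL = [("permit", "226.0.0.0", "0.255.255.255"),
       ("deny", "0.0.0.0", "255.255.255.255")]

# Lines taken from the post's debug output (wrapped log line re-joined).
SAMPLE = """\
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
"""

DENIED = re.compile(r"%SEC-6-IPACCESSLOGNP: list \S+ denied \d+ (\S+) ->")
PIM_ADD = re.compile(
    r"Add (\S+?)/(\d+\.\d+\.\d+\.\d+) to \(\*, (\S+?)\), Forward state, by PIM")


def acl_action(group, acl=ACL):
    """First-match evaluation of a standard ACL that uses wildcard masks."""
    g = int(ipaddress.IPv4Address(group))
    for action, base, wild in acl:
        care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # bits that must match
        if g & care == int(ipaddress.IPv4Address(base)) & care:
            return action
    return "deny"  # implicit deny at the end of every ACL


def bypassed_groups(log):
    """Groups the IGMP ACL denied that still got (*,G) state from a PIM join."""
    denied, pim_adds = set(), []
    for line in log.splitlines():
        if m := DENIED.search(line):
            denied.add(m.group(1))
        elif m := PIM_ADD.search(line):
            pim_adds.append({"group": m.group(3), "interface": m.group(1),
                             "pim_neighbor": m.group(2)})
    return [a for a in pim_adds if a["group"] in denied]


if __name__ == "__main__":
    for grp in ("226.6.6.6", "227.7.7.7"):
        print(grp, acl_action(grp))
    for hit in bypassed_groups(SAMPLE):
        print("denied by IGMP ACL but joined via PIM:", hit)
```
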


