From: Daniel Kutchin (daniel@kutchin.com)
Date: Mon Nov 19 2007 - 18:20:53 ART
Hi,
Ouch! Forgive my rash response below.
The command - "ip multicast boundary" (same access-list) on R2 - worked, as
suggested by a GS member.
His explanation is therefore valid: The "ip igmp access-group" command is
used to influence router-to-host _IGMP_ communication and *NOT*
router-to-router _PIM_ communication (use the "ip multicast boundary"
command for the latter instead).
I verified this by disabling PIM on R6 (but keeping the "ip igmp join-group"
command) to make it mimic an IGMP host. Then the "ip igmp access-group"
command on R2 stopped R6 from joining the group.
In conclusion, if you want your setup below to work, then
either 1: Simply make R6 speak just IGMP.
R6(config)#no ip multicast-routing <--- this and/or...
R6(config)#int f0/0.26
R6(config-subif)#no ip pim sparse-mode
R6(config-subif)#
Or 2: Use the "ip multicast boundary" command instead of the "ip igmp
access-group" command.
---Daniel
On Nov 18, 2007 3:50 PM, Daniel Kutchin <daniel@kutchin.com> wrote:
> Hi,
>
> I labbed up your setup and only confirmed your result exactly.
>
> It looks like you can't prevent R6 from receiving the 227.7.7.7 packets
> using the "ip igmp access-group" and a standard access-list on R2.
>
> Didn't try the extended access-list, however, because I'm curious to know
> when the standard access-list should work for a pre-IGMPv3.
>
> Were you able to get a solution that worked?
>
> Regards
>
> Daniel
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> iosluver@gmail.com
> Sent: Freitag, 16. November 2007 02:51
> To: ccielab@groupstudy.com
> Subject: IP IGMP filter???
>
> Hi GS,
>
> Can someone please point out my mistake here. I am trying to filter igmp
> requests to certain Multicast groups on a LAN segment while permitting
> others.
>
> I have PIM sparse-mode running on the links between all routers. I applied
> the config below. Correct me if I'm wrong here, but shouldn't R2 prevent R6
> from joining 227.7.7.7 while allowing it to join 226.6.6.6. I see R6
> responding to the ICMP requests. Worse still, I'm logging ACL violations &
> though the packet is denied, R2 adds a route for the group in its mroute
> table.
>
> Is this a bad approach for testing this? Hope someone takes time out to read
> this.
>
> Here is a sketchy picture of what I did. Thanks in advance
>
> R1-------FRAME-RELAY---------R2=========LAN=======R6
>
> R2
> +++++++++++++++++++++++++++++++++++++++++
> ip access-list standard IGMP-VLAN26
>  permit 226.0.0.0 0.255.255.255
>  deny any log
>
> interface FastEthernet0/0
>  ip address 173.1.26.2 255.255.255.0
>  ip pim sparse-dense-mode
>  ip rip advertise 10
>  ip rip authentication mode md5
>  ip rip authentication key-chain RIP
>  ip igmp access-group IGMP-VLAN26
>  speed 100
>  full-duplex
>
> interface Serial0/0.201 point-to-point
>  ip address 173.1.12.2 255.255.255.0
>  ip pim sparse-mode
>  ip rip advertise 10
>  no ip route-cache
>  frame-relay interface-dlci 201
>
> +++++++++++++++++++++++++++++++++++++++++++
>
> R6
> +++++
> interface FastEthernet0/0.62
>  encapsulation dot1Q 62
>  ip address 192.10.1.6 255.255.255.0
>  ip pim sparse-mode
>  ip rip advertise 10
>  no ip route-cache
>  ip igmp join-group 226.6.6.6
>  ip igmp join-group 227.7.7.7
>  no snmp trap link-status
>
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> R1
> +++++
>
> interface Loopback0
>  ip address 150.1.1.1 255.255.255.0
>  ip pim sparse-mode
> end
>
> interface Serial0/0.102 point-to-point
>  ip address 173.1.12.1 255.255.255.0
>  ip pim sparse-mode
>  ip rip advertise 10
>  frame-relay interface-dlci 102
> end
> ************************************************************
>
>
> DEBUG OUTPUT
> ===============================================================
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
>
> Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
> Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
> Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 27.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
> Building Join/Prune packet for nbr 173.1.12.1
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 227.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.26.2's queue
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
> Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2's que
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
> Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> ===============================================================
>
> Rack3R1#ping 226.6.6.6 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6, 61 ms
> Reply to request 0 from 173.1.26.6, 77 ms
> Reply to request 1 from 173.1.26.6, 64 ms
> Rack3R1#ping 227.7.7.7 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6, 64 ms
> Reply to request 0 from 173.1.26.6, 116 ms
> Reply to request 0 from 173.1.26.6, 80 ms
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
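
A log check for the symptom discussed in this thread, where R2 logs an ACL deny for a group yet still builds (*,G) state from R6's PIM join. This is an added example, not part of the original posts: the function name and the second sample are constructed, and the first sample is R2's debug output from the thread with wrapped lines rejoined.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
# With "ip igmp access-group" and a standard ACL, the group address is logged
# in the source position of the %SEC-6-IPACCESSLOGNP message.
ACL_DENY = re.compile(r"%SEC-6-IPACCESSLOGNP: list (\S+) denied \d+ " + IP + " ->")
# Debug line printed when a PIM (*,G) join puts an interface into forwarding.
PIM_ADD = re.compile(r"Add (\S+)/" + IP + r" to \(\*, " + IP + r"\), Forward state, by PIM")

# R2 debug lines from the thread, wrapped lines rejoined.
THREAD_LOG = """\
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
"""

# Constructed sample: R6 acting as a plain IGMP host, so only the deny is logged.
HOST_ONLY_LOG = """\
%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
"""

def pim_bypassed_groups(log_text):
    """Return sorted (group, acl, interface, pim_neighbor) tuples for groups
    that an ACL denied but that still gained (*,G) forwarding state via PIM."""
    denied = {}    # group -> name of the ACL that logged the deny
    joins = set()  # (group, interface, neighbor) added by a PIM join
    for line in log_text.splitlines():
        m = ACL_DENY.search(line)
        if m:
            denied[m.group(2)] = m.group(1)
        m = PIM_ADD.search(line)
        if m:
            iface, nbr, group = m.groups()
            joins.add((group, iface, nbr))
    # Order of the two messages in the log does not matter.
    return sorted((g, denied[g], i, n) for g, i, n in joins if g in denied)

if __name__ == "__main__":
    for group, acl, iface, nbr in pim_bypassed_groups(THREAD_LOG):
        print(f"{group}: denied by {acl}, but PIM neighbor {nbr} "
              f"on {iface} still created (*,G) state")
```

A hit means the ACL is only filtering IGMP reports on that interface while a PIM neighbor is joining the same group, which is the case the "ip multicast boundary" command addresses.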