Re: IP IGMP filter???

From: Ladee Geek (ladeegeek@gmail.com)
Date: Mon Nov 19 2007 - 22:40:19 ART

• Next message: Ladee Geek: "Re: IP IGMP filter???"
• Previous message: Vladimir Sousa: "Re: Monitor Ports"
• Maybe in reply to: iosluver@gmail.com: "IP IGMP filter???"
• Next in thread: Ladee Geek: "Re: IP IGMP filter???"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

There are a couple of config issues here:

1. your statement under the lan interface of r6, ip igmp join-group
227.7.7.7
specifially tells the router to join that group. You get *,g until you
switch over to spt. It's not a dynamic join from an ICMP request. You've
hard coded that router to join the 227.7.7.7 group.

2. the ICMP join requests are coming from the lan, which causes r6 to join
the group on that segment, add the group with *, g and send a join request
to r2. The ICMP join is not going from R2 to R6, the icmp join is going
from R6 to R2. What R2 sends back down is just an mpacket. Not icmp.

Hope this helps. Remember - ICMP is a host to router communication, not
router to router.

Tammy

On 11/15/07, iosluver@gmail.com <iosluver@gmail.com> wrote:
>
> Hi GS,
>
> Can someone please point out my mistake here. I am tryng to filter igmp
> requests to certain Multicast groups on a LAN segment while permiting
> others.
>
> I have PIM sparse-mode running on the links between all routers. I applied
> the config below. Correct me if I'm wrong here, but shouldn't R2 prevent R6
> from joining 227.7.7.7 while allowing it to join 226.6.6.6. I see R6
> responding to the ICMP requests. Worse still, I'm logging ACL violations &
> though the packet is denied, R2 adds a route for the group in its mroute
> table.
>
> Is this a bad approach for testing this? Hope someone takes time out to
> read this. .
>
> Here is a sketchy picture of what I did. Thanks in advance
>
> R1-------FRAME-RELAY---------R2=========LAN=======R6
>
> R2
> +++++++++++++++++++++++++++++++++++++++++
> ip access-list standard IGMP-VLAN26
> permit 226.0.0.0 0.255.255.255
> deny any log
>
> interface FastEthernet0/0
> ip address 173.1.26.2 255.255.255.0
> ip pim sparse-dense-mode
> ip rip advertise 10
> ip rip authentication mode md5
> ip rip authentication key-chain RIP
> ip igmp access-group IGMP-VLAN26
> speed 100
> full-duplex
>
> interface Serial0/0.201 point-to-point
> ip address 173.1.12.2 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> no ip route-cache
> frame-relay interface-dlci 201
>
> +++++++++++++++++++++++++++++++++++++++++++
>
> R6
> +++++
> interface FastEthernet0/0.62
> encapsulation dot1Q 62
> ip address 192.10.1.6 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> no ip route-cache
> ip igmp join-group 226.6.6.6
> ip igmp join-group 227.7.7.7
> no snmp trap link-status
>
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> R1
> +++++
>
> interface Loopback0
> ip address 150.1.1.1 255.255.255.0
> ip pim sparse-mode
> end
>
> interface Serial0/0.102 point-to-point
> ip address 173.1.12.1 255.255.255.0
> ip pim sparse-mode
> ip rip advertise 10
> frame-relay interface-dlci 102
> end
> ************************************************************
>
>
> DEBUG OUTPUT
> ===============================================================
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1
> packet
> %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1
> packet
>
> Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
> Join-list: (*, 227.7.7.7 ), RPT-bit set, WC-bit set, S-bit set
> Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G
> Join
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 27.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
> Building Join/Prune packet for nbr 173.1.12.1
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
> Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 227.7.7.7
> Insert (*,227.7.7.7) join in nbr 173.1.26.2's queue
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
> Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2's que
> Building Join/Prune packet for nbr 173.1.26.2
> Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
> Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
> Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> ===============================================================
>
> Rack3R1#ping 226.6.6.6 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6, 61 ms
> Reply to request 0 from 173.1.26.6, 77 ms
> Reply to request 1 from 173.1.26.6, 64 ms
> Rack3R1#ping 227.7.7.7 repeat 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
>
> Reply to request 0 from 173.1.26.6 , 64 ms
> Reply to request 0 from 173.1.26.6, 116 ms
> Reply to request 0 from 173.1.26.6, 80 ms
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
r/
Tammy

• Next message: Ladee Geek: "Re: IP IGMP filter???"
• Previous message: Vladimir Sousa: "Re: Monitor Ports"
• Maybe in reply to: iosluver@gmail.com: "IP IGMP filter???"
• Next in thread: Ladee Geek: "Re: IP IGMP filter???"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART