RE: IP IGMP filter???

From: Daniel Kutchin (daniel@kutchin.com)
Date: Thu Nov 22 2007 - 12:24:01 ART


Hi,

Access-lists on a router do not act on packets leaving the router.

So you can't use the access-list IGMP-VLAN26 (on R2-fa0/0) to block packets
from R2.

Daniel

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of M e
Sent: Mittwoch, 21. November 2007 23:47
To: Ladee Geek
Cc: ccielab@groupstudy.com
Subject: Re: IP IGMP filter???

No worries, I'm having a long week too. Maybe I didn't explain myself
properly in my earlier comments. The task at hand was to verify that R2 would use
the IGMP filter to deny hosts on VLAN 26 the ability to join group
227.7.7.7, while permitting igmp-joins to 226.6.6.6. The only way I am aware
of for this to happen is to use the "IGMP Join-group" command.

I was under the impression that R2 should filter 227.7.7.7 & permit
226.6.6.6. One of the good fellas on mentioned something about disabling
Multicast routing on R6 (to simulate a host), which I gave a shot.

It turns out I knew the solution but didn't understand what needed to be in
place for it to work. Based on Daniel's comments I decided to turn off IP
routing, Multicast routing (No PIM between R6's link to R2) & set R2 as
R6's default-gateway. It worked like a charm. Here are the results. Now for
some reason, R1 can't ping any of the group that R2 DENIES IGMP PACKETS FOR
(227.7.7.7 in this case) but R2 can. I need to have another look to figure
that one out. But anyway thanks to those who contributed to this thread, I
really appreciate your input. The config is shown below.

Thanks

R6
**************
interface FastEthernet0/0.26
encapsulation dot1Q 26
ip address 173.1.26.6 255.255.255.0
no ip route-cache
ip igmp join-group 225.5.5.5
ip igmp join-group 227.7.7.7
ip igmp join-group 226.6.6.6
end

********************
Rack1R6#sh ip route
Default gateway is 173.1.26.2

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
****************************************************************************

R2
****
Rack1R2#sh run int f0/0
Building configuration...

Current configuration : 295 bytes
!
interface FastEthernet0/0
ip address 173.1.26.2 255.255.255.0
ip pim sparse-mode
ip igmp access-group IGMP-VLAN26
speed 100
full-duplex
end

R2's ACL for IGMP
**********************
ip access-list standard IGMP-VLAN26
permit 225.0.0.0 0.255.255.255
permit 226.0.0.0 0.255.255.255
deny 227.0.0.0 0.255.255.255 log

RP - TO - Group Mappings
*******************************
Rack1R2#show ip pim rp mapping
PIM Group-to-RP Mappings
This system is the Bootstrap Router (v2)

Group(s) 225.0.0.0/8
 RP 150.1.1.1 (?), v2
   Info source: 173.1.12.1 (?), via bootstrap, priority 0, holdtime 150
        Uptime: 00:14:52, expires: 00:01:37
Group(s) 226.0.0.0/8
 RP 150.1.1.1 (?), v2
   Info source: 173.1.12.1 (?), via bootstrap, priority 0, holdtime 150
        Uptime: 2d07h, expires: 00:01:36
Group(s) 227.0.0.0/8
 RP 150.1.1.1 (?), v2
   Info source: 173.1.12.1 (?), via bootstrap, priority 0, holdtime 150
        Uptime: 2d07h, expires: 00:01:37

****************************************************************************
R1
********
Rack3R1#ping 225.5.5.5

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 225.5.5.5, timeout is 2 seconds:

Reply to request 0 from 173.1.26.6, 64 ms
Reply to request 0 from 173.1.26.6, 144 ms
Reply to request 0 from 173.1.26.6, 76 ms
Rack3R1#ping 226.6.6.6

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:

Reply to request 0 from 173.1.26.6, 84 ms
Reply to request 0 from 173.1.26.6, 108 ms
Reply to request 0 from 173.1.26.6, 96 ms

Rack3R1#ping 227.7.7.7 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
.......
****************************************************************************

*Rack1R2#ping 227.7.7.7 - AS MENTIONED ABOVE R2 CAN STILL PING THE FILTERED
GROUP- I suspect some arp feature may be at work here.*

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:

Reply to request 0 from 173.1.26.6, 24 ms
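
Added example, not part of the original thread and not Cisco code: a small Python model of how the standard ACL IGMP-VLAN26 shown above is evaluated against the group address of each membership report, using first-match wildcard logic and the implicit deny at the end. It handles only the `permit|deny <address> <wildcard> [log]` form used on this page; the group 239.1.1.1 is a constructed test value.

```python
import ipaddress

# Standard ACL as shown on R2 in the thread.
ACL_TEXT = """\
ip access-list standard IGMP-VLAN26
permit 225.0.0.0 0.255.255.255
permit 226.0.0.0 0.255.255.255
deny 227.0.0.0 0.255.255.255 log
"""

def parse_standard_acl(text):
    """Return the ACL entries in order as (action, base, wildcard, log)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list' header and blank lines
        base = int(ipaddress.IPv4Address(tok[1]))
        # A missing wildcard means an exact host match (0.0.0.0).
        has_wc = len(tok) > 2 and tok[2] != "log"
        wildcard = int(ipaddress.IPv4Address(tok[2])) if has_wc else 0
        entries.append((tok[0], base, wildcard, tok[-1] == "log"))
    return entries

def evaluate_join(entries, group):
    """First match wins; no match falls through to the implicit deny."""
    g = int(ipaddress.IPv4Address(group))
    for action, base, wildcard, log in entries:
        # Bits set in the wildcard are "don't care"; the rest must be equal.
        if ((g ^ base) & ~wildcard & 0xFFFFFFFF) == 0:
            return action, log
    return "deny", False

def filter_reports(acl_text, groups):
    """Map each reported group to the (action, logged) verdict of the ACL."""
    entries = parse_standard_acl(acl_text)
    return {g: evaluate_join(entries, g) for g in groups}

if __name__ == "__main__":
    # Groups R6 joins in the thread, plus one constructed group (239.1.1.1).
    joins = ["225.5.5.5", "226.6.6.6", "227.7.7.7", "239.1.1.1"]
    for grp, (action, log) in filter_reports(ACL_TEXT, joins).items():
        print(f"{grp:<12} {action}{' (logged)' if log else ''}")
```
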


