RE: pim rp announce-filter

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Wed Apr 09 2008 - 07:25:18 ART


The desired behaviour is security related.

Security in the sense that we want only certain RPs to announce
themselves as RP for certain groups, so as to mitigate against a "rogue"
RP within the multicast domain.

As you mentioned, the configuration is done on the MA since it is the one
charged with electing RPs for groups or, technically speaking, with the
RP-to-group mapping within the multicast domain.

Talking about configurations, I would suggest you use the group-list
option to complete your intent. If you don't, the router might use a
"default" group-list with "deny" any any ....

So, make your intentions clear to the router.... Also note that from the
CDOC CR
http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_04.html#wp1014569
the "group-list" syntax is not treated as optional .... It's rather
mandatory in order to make your intent clear to the router. Like I said,
I could only think there is a "default group-list" option if you don't
declare one ... most likely that default group-list uses deny any any.
This is probably down to the logic built into this feature set in IOS.

Could you try group-list keyword with access-list and let's see what you
get?

Many Thanks
 
Yemi Salau

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mohmmad, Imran
Sent: Wednesday, April 09, 2008 9:05 AM
To: ccielab@groupstudy.com
Subject: pim rp announce-filter

Hi Experts,

I need to know the desired behavior of "ip pim rp-announce-filter". As per
CDOC, if I am interpreting it correctly, it says that when applied on the
RP mapping agent it will allow the Mapping Agent to accept RP
announcements from the RPs that are permitted in the rp-list.

When configured on the MA, it is denying the RP announcement messages from
the RP that is permitted in the rp-list, and if I put a deny statement in
the rp-list ACL it starts accepting the announcement.

Is this behaviour normal?

Rack1R5#
ip pim autorp listener
ip pim send-rp-announce Loopback0 scope 16 interval 3
ip pim send-rp-discovery Loopback0 scope 16
ip pim rp-announce-filter rp-list 5
ip mroute 204.12.1.254 255.255.255.255 Serial1/1
!
interface Serial1/1
 ip address 141.1.45.5 255.255.255.0
 ip access-group 1 in
 ip accounting access-violations
 ip pim sparse-mode
 serial restart-delay 0
!
interface Ethernet0/1
 ip address 141.1.0.5 255.255.255.0
 ip pim sparse-mode
 no ip route-cache
 no ip mroute-cache
 full-duplex

Rack1R5#sh access-lists 5
Standard IP access list 5
    20 permit 150.1.4.4 (306 matches)

Rack1R5#sh ip pim rp mapping
PIM Group-to-RP Mappings
This system is an RP (Auto-RP)
This system is an RP-mapping agent (Loopback0)
Group(s) 224.0.0.0/4
  RP 150.1.5.5 (?), v2v1
    Info source: 150.1.5.5 (?), elected via Auto-RP
         Uptime: 00:07:17, expires: 00:00:08

Now that I have explicitly permitted the RP 150.1.5.5 in ACL 5, it
doesn't show me the RP mapping.

Rack1R5#sh access-lists 5
Standard IP access list 5
    20 permit 150.1.4.4 (336 matches)
    10 permit 150.1.5.5 (1 match)

Rack1R5#sh ip pim rp mapping
PIM Group-to-RP Mappings
This system is an RP (Auto-RP)
This system is an RP-mapping agent (Loopback0)

Imran
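Added example, not part of either message above: the mapping-agent filter in the form Imran posted (rp-list only) beside the form Yemi suggests trying (rp-list plus group-list), written as IOS configuration. The ACL numbers 5 and 6, the RP addresses and the 224.0.0.0/4 group range are assumptions chosen to match the thread; the comment on variant (a) restates Yemi's hypothesis, which Imran's "sh ip pim rp mapping" output is consistent with, not a documented guarantee.

```ios
! Assumed mapping-agent configuration for illustration (not from the thread).
! ACL numbers, RP addresses and group range are chosen for the example.
!
! (a) As posted: rp-list with no group-list. Per Yemi's reading, the filter
!     then falls back to an implicit "deny any" group list, so announcements
!     from the RPs permitted in ACL 5 match no permitted group and are
!     dropped. This is what Imran saw once 150.1.5.5 was permitted: the
!     group-to-RP mapping for it disappeared from the mapping agent.
access-list 5 permit 150.1.4.4
access-list 5 permit 150.1.5.5
ip pim send-rp-discovery Loopback0 scope 16
ip pim rp-announce-filter rp-list 5
!
! (b) Suggested form, replacing the line above: state explicitly which
!     groups the RPs in ACL 5 are allowed to announce themselves for.
!     Announcements from those RPs for other groups, and announcements that
!     are outside the stated intent, are what the filter is meant to stop.
access-list 6 permit 224.0.0.0 15.255.255.255
no ip pim rp-announce-filter rp-list 5
ip pim rp-announce-filter rp-list 5 group-list 6
!
! Verify on the mapping agent after the change:
!   show ip pim rp mapping
!   show access-lists 5
!   show access-lists 6
!   debug ip pim auto-rp
```

The check that matters is the ACL hit counters next to the mapping table: with (b) in place, a rising counter on ACL 5 and ACL 6 together with a "Group(s) 224.0.0.0/4" entry for each intended RP shows the announcements are being accepted for the stated groups rather than silently discarded; an RP that keeps matching ACL 5 but never appears in the mapping table indicates its announced groups are not covered by ACL 6.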



This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:50 ART