Re: rp spoofing

From: Thomas Fowles (tfowles@gmail.com)
Date: Sat May 31 2008 - 00:56:38 ART

• Next message: Piyoush Sharma: "Re: Do Real Devices Actually Work!????"
• Previous message: Dale Kling: "Re: Do Real Devices Actually Work!????"
• Maybe in reply to: David Lonnie: "rp spoofing"
• Next in thread: David Lonnie: "Re: rp spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

David-

You would want to configure it more like this:

access-list 11 deny 50.50.1.1
access-list 11 permit any
access-list 22 deny 224.10.10.10
access-list 22 permit any
ip pim rp-announce-filter rp-list 11 group-list 22

What this says is for all RPs except 50.50.1.1, allow everything except
224.10.10.10.

If you want to experiment, run "debug ip pim auto-rp" and type "clear ip pim
rp-mapping" to see the effects of various changes to the access-lists. You
can also have multiple filters defined.

Here is a great document that explains this quite well:
http://www.cisco.com/en/US/tech/tk828/technologies_configuration_example09186a00801cb923.shtml

HTH

-Tom
CCIE#18762

http://www.linkedin.com/in/thomasfowles

On Fri, May 30, 2008 at 10:37 PM, David Lonnie <david.lonnie@gmail.com>
wrote:

> Hi,exports:
>
> There is a router R1 in a multicast domain (for example,224.10.10.10).
> It's auto-rp, and at the same time,it's rp-agent.
>
> R1:
> ip multcast-routing
> interface lo0
> ip address 50.50.1.1 255.255.255.0
> ip pim sparse-dense-mode
>
> access-list 1 permit 224.10.10.10
> ip pim send-rp-announce lo0 scope 16 group-list 1
> ip pim send-rp-discovery lo0 scope 16
>
> This is my question. How to configure R1to prevent RP spoofing,only accept
> loopback0 as RP for group 224.10.10.10
>
> I check it on Document CD.
>
> http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_04.html#wp1014569
> ip pim rp-announce-filter
>
> To filter incoming Auto-RP announcement messages coming from the rendezvous
> point (RP), use the *ip pim rp-announce-filter* command in global
> configuration mode. To remove the filter, use the *no* form of this
> command.
>
>
>
> So I add these configurations.
>
> access-list 2 deny host 50.50.1.1
> access-list 2 permit ip any
> ip pim rp-announce-filter rp-list 2 group-list 1
>
> Is it correct? And anything else should be configured?
> Please correct me if I'm wrong.I'll be very appreciated.
>
>
> David
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Piyoush Sharma: "Re: Do Real Devices Actually Work!????"
• Previous message: Dale Kling: "Re: Do Real Devices Actually Work!????"
• Maybe in reply to: David Lonnie: "rp spoofing"
• Next in thread: David Lonnie: "Re: rp spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:18 ART