Re: rp spoofing

From: Jude Chou (qingjiong@gmail.com)
Date: Sat May 31 2008 - 05:54:40 ART


Hi Tom:

Look at this:

rp-announce         rp-announce
  router 1            router 2
     |                   |
     ---------------------
               |
          router 3 (rp-agent)
               |
          router 4

router 1
ip multicast-routing
int lo0
ip address 1.1.1.1 255.255.255.255
ip igmp join 224.1.1.1
ip igmp join 224.2.2.2
ip pim sparse-dense-mode
int e0/0
ip address 192.168.123.1 255.255.255.0
ip pim sparse-dense-mode

access-list 1 permit 224.1.1.1
access-list 1 permit 224.2.2.2
ip pim send-rp-announce lo0 scope 16 group-list 1

router 2
ip multicast-routing
int lo0
ip address 2.2.2.2 255.255.255.255
ip igmp join 224.1.1.1
ip igmp join 224.2.2.2
ip pim sparse-dense-mode
int e0/0
ip address 192.168.123.2 255.255.255.0
ip pim sparse-dense-mode
access-list 1 permit 224.1.1.1
access-list 1 permit 224.2.2.2
ip pim send-rp-announce lo0 scope 16 group-list 1

router 3
ip multicast-routing
int lo0
ip add 3.3.3.3 255.255.255.255
ip pim sparse-dense-mode
int e0/0
ip address 192.168.123.3 255.255.255.0
ip pim sparse-dense-mode
int e0/1
ip address 192.168.34.3 255.255.255.0

router 4
ip multicast-routing
int e0/1
ip address 192.168.34.4 255.255.255.0
ip pim sparse-dense-mode

What should I do on router 3 when I use the command "show ip pim rp mapping" and it displays this:

Group(s) 224.1.1.1/32
  RP 1.1.1.1 (?), v2v1
    Info source: 3.3.3.3 (?), elected via Auto-RP
         Uptime: 00:23:25, expires: 00:02:22
Group(s) 224.2.2.2/32
  RP 1.1.1.1 (?), v2v1
    Info source: 3.3.3.3 (?), elected via Auto-RP
         Uptime: 00:23:25, expires: 00:02:19

Is this OK?

access-list 1 permit 224.1.1.1
access-list 1 permit 224.2.2.2
access-list 2 permit 1.1.1.1
ip pim rp-announce-filter rp-list 2 group-list 1

Or

access-list 1 permit 224.1.1.1
access-list 1 permit 224.2.2.2
access-list 2 permit 1.1.1.1
ip pim rp-announce-filter rp-list 2 group-list 1

access-list 3 deny any
access-list 4 permit 2.2.2.2
ip pim rp-announce-filter rp-list 4 group-list 3

Why?

Regards

Jude

2008-05-31

Jude Chou
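The "show ip pim rp mapping" output Jude posted above is also the thing to watch on the mapping agent if you want to notice a spoofed RP after the fact. The following is an added example, not code from the thread: it parses that output format and flags any group whose elected RP is not the one you expect, or whose mapping was learned from a mapping agent you do not recognise. The sample output is constructed and modelled on Jude's, with a third group (224.3.3.3, RP 2.2.2.2) added so that the check has something to flag; the field names and the helper functions are this example's own.

```python
"""Parse `show ip pim rp mapping` output and flag groups whose elected RP
is not the expected one (a simple post-hoc detection for RP spoofing)."""
import re

# Constructed sample: the first two groups copy the format of the output in
# the thread; the third group is added here with a different RP.
SAMPLE_OUTPUT = """\
Group(s) 224.1.1.1/32
  RP 1.1.1.1 (?), v2v1
    Info source: 3.3.3.3 (?), elected via Auto-RP
         Uptime: 00:23:25, expires: 00:02:22
Group(s) 224.2.2.2/32
  RP 1.1.1.1 (?), v2v1
    Info source: 3.3.3.3 (?), elected via Auto-RP
         Uptime: 00:23:25, expires: 00:02:19
Group(s) 224.3.3.3/32
  RP 2.2.2.2 (?), v2v1
    Info source: 3.3.3.3 (?), elected via Auto-RP
         Uptime: 00:01:05, expires: 00:02:50
"""

GROUP_RE = re.compile(r"^Group\(s\)\s+(\S+)")
RP_RE = re.compile(r"^\s+RP\s+(\S+)\s+\(")
SOURCE_RE = re.compile(r"^\s+Info source:\s+(\S+)\s+\(.*?\),\s+(.*)$")


def parse_rp_mappings(text):
    """Return one dict per group block: group prefix, RP, info source, method."""
    mappings = []
    current = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = {"group": m.group(1), "rp": None, "source": None, "via": None}
            mappings.append(current)
            continue
        if current is None:
            continue  # header lines before the first group block
        m = RP_RE.match(line)
        if m:
            current["rp"] = m.group(1)
            continue
        m = SOURCE_RE.match(line)
        if m:
            current["source"], current["via"] = m.group(1), m.group(2).strip()
    return mappings


def find_unexpected_rps(mappings, expected_rp, allowed_agents=None):
    """List (group, reason) for every mapping that does not use expected_rp,
    and, when allowed_agents is given, every mapping learned from an agent
    outside that set."""
    findings = []
    for mp in mappings:
        if mp["rp"] != expected_rp:
            findings.append((mp["group"], f"unexpected RP {mp['rp']}"))
        if allowed_agents is not None and mp["source"] not in allowed_agents:
            findings.append((mp["group"], f"mapping learned from {mp['source']}"))
    return findings


if __name__ == "__main__":
    mappings = parse_rp_mappings(SAMPLE_OUTPUT)
    for group, reason in find_unexpected_rps(mappings, "1.1.1.1", {"3.3.3.3"}):
        print(f"{group}: {reason}")
```

Run it against the real command output captured from the mapping agent; with the constructed sample it reports only 224.3.3.3/32 with "unexpected RP 2.2.2.2", since every mapping was learned from 3.3.3.3.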

From: Thomas Fowles
Sent: 2008-05-31 11:57:43
To: David Lonnie
Cc: Cisco certification
Subject: Re: rp spoofing
David-

You would want to configure it more like this:

access-list 11 deny 50.50.1.1
access-list 11 permit any
access-list 22 deny 224.10.10.10
access-list 22 permit any
ip pim rp-announce-filter rp-list 11 group-list 22

What this says is for all RPs except 50.50.1.1, allow everything except
224.10.10.10.

If you want to experiment, run "debug ip pim auto-rp" and type "clear ip pim
rp-mapping" to see the effects of various changes to the access-lists. You
can also have multiple filters defined.

Here is a great document that explains this quite well:
http://www.cisco.com/en/US/tech/tk828/technologies_configuration_example09186a00801cb923.shtml

HTH

-Tom
CCIE#18762

http://www.linkedin.com/in/thomasfowles
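To see what Tom's filter, David's first attempt and Jude's two options each let through, here is an added model of the mapping agent's filter decision. It is not code from the thread or from Cisco, and the semantics it encodes are an assumption stated in the docstring: a filter applies to an announcement only when its rp-list permits the announcing RP, an applicable filter then accepts only groups its group-list permits, and an RP that no rp-list permits is left unfiltered. David's "permit ip any" is not standard-ACL syntax, so the model uses "permit any" for it; the rogue RP address 10.9.9.9 and the helper names are constructed for the example. Under that model the output shows why Jude's first option alone leaves router 2's announcement unfiltered and the second filter (rp-list 4, group-list 3 "deny any") is what actually drops it.

```python
"""Model of an Auto-RP mapping agent evaluating `ip pim rp-announce-filter`.

Assumed semantics (a simplification for illustration, not a verified
description of IOS behaviour):
  * each filter pairs an rp-list ACL with a group-list ACL;
  * a filter applies to an announcement only if its rp-list PERMITS the
    announcing RP address (a deny entry means "do not filter this RP");
  * when one or more filters apply, the announced group must be permitted
    by the group-list of every applicable filter;
  * an RP permitted by no rp-list is not filtered, so it is accepted.
Standard ACLs: first matching entry wins, implicit deny at the end.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    match: str   # a single host address or "any"


def acl_permits(acl, address):
    """Evaluate a standard ACL against one address; implicit deny at the end."""
    for entry in acl:
        if entry.match in ("any", address):
            return entry.action == "permit"
    return False


def parse_config(text):
    """Return the configured filters as (rp_list, group_list) ACL pairs."""
    acls, refs = {}, []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"]:
            number, action, target = parts[1], parts[2], parts[3:]
            if target and target[0] == "host":  # "host X" and bare "X" are equivalent
                target = target[1:]
            acls.setdefault(number, []).append(AclEntry(action, target[0]))
        elif parts[:3] == ["ip", "pim", "rp-announce-filter"]:
            refs.append((parts[parts.index("rp-list") + 1],
                         parts[parts.index("group-list") + 1]))
    # resolve ACL numbers after the whole config is read, whatever the order
    return [(acls.get(r, []), acls.get(g, [])) for r, g in refs]


def announcement_accepted(filters, rp, group):
    """Would the agent accept an RP-announce from `rp` for `group`?"""
    applicable = [gl for rl, gl in filters if acl_permits(rl, rp)]
    if not applicable:
        return True  # assumption: an RP matched by no rp-list is unfiltered
    return all(acl_permits(gl, group) for gl in applicable)


def spoof_check(config, legit_rp, group, rogue_rp):
    """(legit RP accepted, rogue RP accepted) for one group under `config`."""
    filters = parse_config(config)
    return (announcement_accepted(filters, legit_rp, group),
            announcement_accepted(filters, rogue_rp, group))


# David's first attempt; his "permit ip any" is written as "permit any" here.
DAVID = """
access-list 1 permit 224.10.10.10
access-list 2 deny host 50.50.1.1
access-list 2 permit any
ip pim rp-announce-filter rp-list 2 group-list 1
"""
# Tom's suggestion from the reply above.
TOM = """
access-list 11 deny 50.50.1.1
access-list 11 permit any
access-list 22 deny 224.10.10.10
access-list 22 permit any
ip pim rp-announce-filter rp-list 11 group-list 22
"""
# Jude's first option (one filter) and second option (adds a filter for 2.2.2.2).
JUDE_ONE = """
access-list 1 permit 224.1.1.1
access-list 1 permit 224.2.2.2
access-list 2 permit 1.1.1.1
ip pim rp-announce-filter rp-list 2 group-list 1
"""
JUDE_TWO = JUDE_ONE + """
access-list 3 deny any
access-list 4 permit 2.2.2.2
ip pim rp-announce-filter rp-list 4 group-list 3
"""

if __name__ == "__main__":
    cases = [  # 10.9.9.9 is a constructed rogue-RP address
        ("David", DAVID, "50.50.1.1", "224.10.10.10", "10.9.9.9"),
        ("Tom", TOM, "50.50.1.1", "224.10.10.10", "10.9.9.9"),
        ("Jude option 1", JUDE_ONE, "1.1.1.1", "224.1.1.1", "2.2.2.2"),
        ("Jude option 2", JUDE_TWO, "1.1.1.1", "224.1.1.1", "2.2.2.2"),
    ]
    for name, cfg, legit, group, rogue in cases:
        legit_ok, rogue_ok = spoof_check(cfg, legit, group, rogue)
        print(f"{name:14} legit RP accepted={legit_ok}  rogue RP accepted={rogue_ok}")
```

The useful comparison is David's line against Tom's: with David's ACLs the rogue RP is still accepted for 224.10.10.10, because its rp-list permits every RP other than 50.50.1.1 and its group-list then permits exactly that group; Tom's version inverts the group-list so that those other RPs are denied that group and allowed everything else, which is what his sentence says. Whatever the real platform does, "debug ip pim auto-rp" plus "clear ip pim rp-mapping", as Tom suggests, is the way to confirm the decision on a lab router.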

On Fri, May 30, 2008 at 10:37 PM, David Lonnie <david.lonnie@gmail.com>
wrote:

> Hi, experts:
>
> There is a router R1 in a multicast domain (for example, 224.10.10.10).
> It's the auto-RP, and at the same time it's the RP agent.
>
> R1:
> ip multicast-routing
> interface lo0
> ip address 50.50.1.1 255.255.255.0
> ip pim sparse-dense-mode
>
> access-list 1 permit 224.10.10.10
> ip pim send-rp-announce lo0 scope 16 group-list 1
> ip pim send-rp-discovery lo0 scope 16
>
> This is my question. How do I configure R1 to prevent RP spoofing, so that only
> loopback0 is accepted as the RP for group 224.10.10.10?
>
> I check it on Document CD.
>
> http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_04.html#wp1014569
> ip pim rp-announce-filter
>
> To filter incoming Auto-RP announcement messages coming from the rendezvous
> point (RP), use the *ip pim rp-announce-filter* command in global
> configuration mode. To remove the filter, use the *no* form of this
> command.
>
>
>
> So I add these configurations.
>
> access-list 2 deny host 50.50.1.1
> access-list 2 permit ip any
> ip pim rp-announce-filter rp-list 2 group-list 1
>
> Is it correct? And anything else should be configured?
> Please correct me if I'm wrong. I would be very appreciative.
>
>
> David
>
>



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:18 ART