From: David Lonnie (david.lonnie@gmail.com)
Date: Sat May 31 2008 - 06:06:22 ART
In my opinion, only this works.
access-list 3 deny any
access-list 4 permit 2.2.2.2
ip pim rp-announce-filter rp-list 4 group-list 3
==============
On Sat, May 31, 2008 at 4:54 PM, Jude Chou <qingjiong@gmail.com> wrote:
> Hi Tom:
>
> Look this:
>   rp-announce        rp-announce
>    router 1           router 2
>       |                  |
>       --------------------
>                |
>         router 3  rp-agent
>                |
>                |
>             router 4
>
> router 1
> ip multicast-routing
> int lo0
> ip address 1.1.1.1 255.255.255.255
> ip igmp join 224.1.1.1
> ip igmp join 224.2.2.2
> ip pim sparse-dense-mode
> int e0/0
> ip address 192.168.123.1 255.255.255.0
> ip pim sparse-dense-mode
>
> access-list 1 permit 224.1.1.1
> access-list 1 permit 224.2.2.2
> ip pim send-rp-announce lo0 scope 16 group-list 1
>
> router 2
> ip multicast-routing
> int lo0
> ip address 2.2.2.2 255.255.255.255
> ip igmp join 224.1.1.1
> ip igmp join 224.2.2.2
> ip pim sparse-dense-mode
> int e0/0
> ip address 192.168.123.2 255.255.255.0
> ip pim sparse-dense-mode
> access-list 1 permit 224.1.1.1
> access-list 1 permit 224.2.2.2
> ip pim send-rp-announce lo0 scope 16 group-list 1
>
> router 3
> ip multicast-routing
> int lo0
> ip add 3.3.3.3 255.255.255.255
> ip pim sparse-dense-mode
> int e0/0
> ip address 192.168.123.3 255.255.255.0
> ip pim sparse-dense-mode
> int e0/1
> ip address 192.168.34.3 255.255.255.0
>
> router 4
> ip multicast-routing
> int e0/1
> ip address 192.168.34.4 255.255.255.0
> ip pim sparse-dense-mode
>
> What should I do on router 3 so that, when I use the command "show ip pim rp mapping",
> it displays this:
>
> Group(s) 224.1.1.1/32
> RP 1.1.1.1 (?), v2v1
> Info source: 3.3.3.3 (?), elected via Auto-RP
> Uptime: 00:23:25, expires: 00:02:22
> Group(s) 224.2.2.2/32
> RP 1.1.1.1 (?), v2v1
> Info source: 3.3.3.3 (?), elected via Auto-RP
> Uptime: 00:23:25, expires: 00:02:19
>
> Is this OK?
>
> access-list 1 permit 224.1.1.1
> access-list 1 permit 224.2.2.2
> access-list 2 permit 1.1.1.1
> ip pim rp-announce-filter rp-list 2 group-list 1
>
> Or
>
> access-list 1 permit 224.1.1.1
> access-list 1 permit 224.2.2.2
> access-list 2 permit 1.1.1.1
> ip pim rp-announce-filter rp-list 2 group-list 1
>
> access-list 3 deny any
> access-list 4 permit 2.2.2.2
> ip pim rp-announce-filter rp-list 4 group-list 3
>
> Why?
>
> Regards
>
> Jude
>
>
> 2008-05-31
>
>
>
> Jude Chou
>
>
>
> From: Thomas Fowles
> Sent: 2008-05-31 11:57:43
> To: David Lonnie
> Cc: Cisco certification
> Subject: Re: rp spoofing
> David-
>
> You would want to configure it more like this:
>
> access-list 11 deny 50.50.1.1
> access-list 11 permit any
> access-list 22 deny 224.10.10.10
> access-list 22 permit any
> ip pim rp-announce-filter rp-list 11 group-list 22
>
> What this says is for all RPs except 50.50.1.1, allow everything except
> 224.10.10.10.
>
> If you want to experiment, run "debug ip pim auto-rp" and type "clear ip pim
> rp-mapping" to see the effects of various changes to the access-lists. You
> can also have multiple filters defined.
>
> Here is a great document that explains this quite well:
>
> http://www.cisco.com/en/US/tech/tk828/technologies_configuration_example09186a00801cb923.shtml
>
> HTH
>
> -Tom
> CCIE#18762
>
> http://www.linkedin.com/in/thomasfowles
>
>
> On Fri, May 30, 2008 at 10:37 PM, David Lonnie <david.lonnie@gmail.com>
> wrote:
>
> > Hi, experts:
> >
> > There is a router R1 in a multicast domain (for example, 224.10.10.10).
> > It's Auto-RP, and at the same time it's the rp-agent.
> >
> > R1:
> > ip multicast-routing
> > interface lo0
> > ip address 50.50.1.1 255.255.255.0
> > ip pim sparse-dense-mode
> >
> > access-list 1 permit 224.10.10.10
> > ip pim send-rp-announce lo0 scope 16 group-list 1
> > ip pim send-rp-discovery lo0 scope 16
> >
> > This is my question: how to configure R1 to prevent RP spoofing, and only
> > accept loopback0 as the RP for group 224.10.10.10?
> >
> > I checked it on the Document CD.
> >
> >
> > http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_04.html#wp1014569
> > ip pim rp-announce-filter
> >
> > To filter incoming Auto-RP announcement messages coming from the rendezvous
> > point (RP), use the *ip pim rp-announce-filter* command in global
> > configuration mode. To remove the filter, use the *no* form of this
> > command.
> >
> >
> >
> > So I add these configurations.
> >
> > access-list 2 deny host 50.50.1.1
> > access-list 2 permit any
> > ip pim rp-announce-filter rp-list 2 group-list 1
> >
> > Is it correct? And anything else should be configured?
> > Please correct me if I'm wrong. I'd very much appreciate it.
> >
> >
> > David
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
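As an added defensive check that is not part of this thread: a Python script that parses `show ip pim rp mapping` output in the shape Jude quoted and flags any group whose elected RP or "Info source" differs from what the operator expects, which is how a spoofed RP or mapping agent would surface on a router. The sample output is constructed (its second block is a made-up rogue RP) and the EXPECTED_RP / KNOWN_AGENTS policy is hypothetical.

```python
import re
from ipaddress import ip_network
# Constructed sample shaped like the thread's "show ip pim rp mapping" output; block 2 is a made-up rogue RP.
SAMPLE_OUTPUT = """\
Group(s) 224.1.1.1/32
  RP 1.1.1.1 (?), v2v1
    Info source: 3.3.3.3 (?), elected via Auto-RP
         Uptime: 00:23:25, expires: 00:02:22
Group(s) 224.10.10.10/32
  RP 10.9.9.9 (?), v2v1
    Info source: 10.9.9.9 (?), elected via Auto-RP
         Uptime: 00:00:40, expires: 00:02:50
"""
# Hypothetical policy: the legitimate RP per group prefix, and the mapping agents allowed as "Info source".
EXPECTED_RP = {"224.1.1.0/24": "1.1.1.1", "224.10.10.10/32": "50.50.1.1"}
KNOWN_AGENTS = {"3.3.3.3", "50.50.1.1"}
GROUP_RE = re.compile(r"^Group\(s\)\s+(\S+)")
RP_RE = re.compile(r"^\s*RP\s+(\S+)\s+\(")
SRC_RE = re.compile(r"^\s*Info source:\s+(\S+)\s+\(.*?\),\s*(.+)$")

def parse_rp_mapping(text):
    """One dict per Group(s) block: group, rp, source (mapping agent), how."""
    entries, cur = [], {}
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            cur = {"group": m.group(1)}
            entries.append(cur)
        elif m := RP_RE.match(line):
            cur["rp"] = m.group(1)
        elif m := SRC_RE.match(line):
            cur["source"], cur["how"] = m.group(1), m.group(2).strip()
    return entries

def expected_rp_for(group):
    """Longest-prefix match of the learned group range against the policy."""
    net = ip_network(group, strict=False)
    matches = [(ip_network(p).prefixlen, rp) for p, rp in EXPECTED_RP.items() if net.subnet_of(ip_network(p))]
    return max(matches)[1] if matches else None

def audit(text):
    """Return (group, reason) for every mapping that contradicts the policy."""
    findings = []
    for e in parse_rp_mapping(text):
        want = expected_rp_for(e["group"])  # None means no policy covers this range
        if e.get("rp") != want:
            findings.append((e["group"], f"RP {e.get('rp')} instead of {want}"))
        if e.get("source") not in KNOWN_AGENTS:
            findings.append((e["group"], f"unknown mapping agent {e.get('source')}"))
    return findings
```

Run it periodically against the real command output from the mapping agent (or any downstream router) and alert on a non-empty result.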
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:18 ART