Re: ACL to permit Multicast from ALL From_NJ on 2009-09-13 (Ccielab archives 09/2009)

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Sun, 13 Sep 2009 17:36:05 -0400

The ACL discussion is pretty interesting.

If the question is to permit or not permit mcast on an interface, I suppose
you could simply deny all mcast traffic and permit everything else.

A gotcha ... (thinking out loud here) ... is that routing protocols use
mcast as well. Be careful how you write the ACL ...

Another thought is to block igmp, autorp, bsr, or use a neighbor filter.
here is the output for an extended acl:

R1(config)#ip access-list extended pim
R1(config-ext-nacl)#deny ?
  <0-255> An IP protocol number
  ahp Authentication Header Protocol
  eigrp Cisco's EIGRP routing protocol
  esp Encapsulation Security Payload
  gre Cisco's GRE tunneling
  icmp Internet Control Message Protocol
  igmp Internet Gateway Message Protocol
  ip Any Internet Protocol
  ipinip IP in IP tunneling
  nos KA9Q NOS compatible IP over IP tunneling
  ospf OSPF routing protocol
  pcp Payload Compression Protocol
  pim Protocol Independent Multicast
  tcp Transmission Control Protocol
  udp User Datagram Protocol
!
R1(config-ext-nacl)#deny pim ?
  A.B.C.D Source address
  any Any source host
  host A single source host

HTH,

Andrew

On Sun, Sep 13, 2009 at 5:19 PM, Aundra Browning <
aundra.browning_at_earthlink.net> wrote:

> Hi Guys....
>
> Just have to be careful here - assuming we are referring to matching IP
> Multicast traffic w/an ACL.....you would have to match on the destination
> address as 224.0.0.0 - 239.255.255.255 wouldn't be a source address. Think
> the below was meant to show:
>
> permit ip any 224.0.0.0 15.255.255.255
>
> Hth...
>
> Aundra (Andre) Browning
> CCIE #21901 (R&S)
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joe
> Astorino
> Sent: Sunday, September 13, 2009 3:34 PM
> To: Lejoe
> Cc: Steve Lyons; Mohamed El Henawy; Cisco certification
> Subject: Re: ACL to permit Multicast
>
> this is always a good one as well to permit the entire IP multicast
> range...
> permit ip 224.0.0.0 15.255.255.255
>
> On Sun, Sep 13, 2009 at 9:16 AM, Lejoe <styran_at_gmail.com> wrote:
>
> > Hi,
> >
> > Adding to Steve's post,
> > - CGMP frames are Ethernet frames, so you cant match it in an IP ACL.
> >
> >
> >
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note0918
> 6a00800b0871.shtml#cgmp<http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note0918%0A6a00800b0871.shtml#cgmp>
> > - MSDP (TCP port 639)
> > - MOSPF (Multicast Extensions to OSPF)
> > - Auto-RP, BSR, Anycast RP ( All use PIM + IGP)
> > - IPv6 MLD ( uses ICMPv6, IP protocol 58)
> > http://www.faqs.org/rfcs/rfc2710.html
> >
> > HTH
> >
> > Lejoe
> >
> >
> >
> > On Sun, Sep 13, 2009 at 10:58 PM, Steve Lyons <charter21p5_at_gmail.com>
> > wrote:
> >
> > > Copying Group:
> > >
> > > PIM is only one protocol within the suite of protocols. Keep in mind
> > there
> > > is also CGMP, IGMP, MSDP, MOSPF, Auto-RP, BSR, Anycast-RP, and in IPV6
> > MLD.
> > > There are also a range of multicast addresses you could allow:
> > >
> > > http://www.iana.org/assignments/multicast-addresses/
> > >
> > > Steve Lyons
> > >
> > > On Sun, Sep 13, 2009 at 7:43 AM, Mohamed El Henawy <m.henawy_at_link.net
> > > >wrote:
> > >
> > > > Assuming that the Source ip is already permitted ofcourse
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Mohamed El Henawy
> > > > To: Cisco certification
> > > > Sent: Sunday, September 13, 2009 2:32 PM
> > > > Subject: ACL to permit Multicast
> > > >
> > > >
> > > > Hello Group ,
> > > >
> > > > short question...
> > > > if I need to permit multicast on the interface is access-list x
> > permit
> > > > pim
> > > > any any is enough ?
> > > >
> > > >
> > > > Thanks :)
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> >
> >
> >
>
>
> --
> Regards,
>
> Joe Astorino - CCIE #24347 R&S
> Technical Instructor - IPexpert, Inc.
> Cell: +1.586.212.6107
> Fax: +1.810.454.0130
> Mailto: jastorino_at_ipexpert.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Blogs and organic groups at http://www.ccie.net

Received on Sun Sep 13 2009 - 17:36:05 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART