03-24-2019 01:46 PM
Hey guys, I have a small home network, where I would like to send multicast (239.1.1.1) from Router 1 (Cisco 892FSP-K9, IOS 15.2) to Router 2, where Router 1 has PIM dense mode set.
I would like to secure Router 1's network so no one can get into Router 1's network from Router 2. I have created these ACLs and they seem to be working to stop any PING messages to the interface on Router 1, but can anyone confirm I have these ACLs correct that I have set up on Router 1? Essentially I want to make sure only multicast on 239.1.1.1 leaves Router 1 and only IGMP messages come into Router 1 so it knows to output the multicast.
Permit IGMP Any Any
Permit PIM Any Any
Permit ip Host 239.1.1.1 Any
Thanks for anyone's help!!
03-24-2019 02:46 PM
If I understand correctly, you are looking for only the router1 network to be able to get the stream from 239.1.1.1 (the rest need to be denied), is this correct?
Another way: if you have known network IP addresses in Router 1, only allow them in the ACL and deny the rest, so no one else can get to that stream?
Make sense ?
03-25-2019 03:08 AM
03-25-2019 07:30 AM
Hello,
For the purposes of this scenario, you only want R1 to send the multicast stream 239.1.1.1 to R2. All other traffic in and out of R1 is not permitted. Correct?
If so, although it could probably be accomplished with one ACL, two may prove to be more effective (in and out ACLs).
R1 outbound ACL:
Permit IGMP Any Any
Permit PIM Any Any
Permit ip any host 239.1.1.1
(Note: A typical multicast packet has the multicast group as the destination IP)
R1 inbound ACL:
Permit IGMP Any Any
Permit PIM Any Any
(Should be no need for a multicast entry as it won't be sent in this direction)
Hope this helps
03-25-2019 07:23 AM
It is not clear to me how you are using this access list. The first line seems to be oriented to inbound traffic
Permit IGMP Any Any
The second line might be either inbound or outbound
Permit PIM Any Any
And the third line seems to be oriented to outbound traffic
Permit ip Host 239.1.1.1 Any
Can you clarify how you are using this access list?
HTH
Rick
03-25-2019 07:31 AM
Hi Rick,
Apologies for that, I am still reading up on ACL.
So talking to a friend, I should have something like this:
So for ACL IN
permit IGMP any any
permit pim any any
deny tcp any any eq ftp
deny tcp any any eq telnet
deny tcp any any eq www
deny tcp any any
deny udp any any
deny ip any any
And ACL Out
permit ip host 239.0.0.1 any
deny tcp any any eq ftp
deny tcp any any eq telnet
deny tcp any any eq www
deny tcp any any
deny udp any any
deny ip any any
Do you think that would work?
Thanks for the help!!
03-25-2019 08:47 AM
You really don't need the "denys". There is an implicit "deny all" by default at the end of an access-list. It isn't shown, but it's there.
So to clarify:
ACL IN
permit IGMP any any
permit pim any any
("deny ip any any" is there but not shown)
You can add it in if you'd like so you'll know it is there, but it's not necessary.
03-25-2019 09:31 AM
Thanks for that!
I had thought I would have an ACL to permit only multicast out so nobody could get into the router, but actually the easier thing is to only have an IN ACL and only permit IGMP and PIM. So anything can leave the router but only certain items can come into the router.
Thanks all for the help!
03-25-2019 11:13 AM
Yes, that is a good approach, rather than complicating things.
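The inbound-only design the thread settles on (permit IGMP and PIM in, rely on the implicit deny for everything else), written out as an R1 configuration with the PIM dense-mode interface and the show commands to verify it. This is an added example, not configuration from any poster; the interface name, the link address and the ACL name are assumptions.

```cisco
! R1 (assumed): multicast source side, PIM dense mode toward R2
ip multicast-routing
!
! Inbound filter on the link from R2: only multicast control traffic may enter.
! Any other traffic R1 must accept on this link (a routing protocol, for
! instance) needs its own permit entry or it will be dropped as well.
ip access-list extended MCAST-IN
 remark Multicast control traffic from the R2 side only
 permit igmp any any
 permit pim any any
 remark Implicit deny follows; written out with "log" so drops are visible
 deny ip any any log
!
! Interface name and address are assumptions for the example
interface GigabitEthernet0/0
 description Link toward R2
 ip address 10.0.12.1 255.255.255.0
 ip pim dense-mode
 ip access-group MCAST-IN in
!
! The 239.1.1.1 stream leaves R1 unfiltered (no outbound ACL), with the group
! as its destination address. On a router-to-router link the forwarding state
! toward R2 is driven by PIM (prune/graft), not IGMP; IGMP only matters if
! hosts sit directly on this segment.
!
! Verification: hit counters on each ACE, the PIM neighbor on the link,
! and the forwarding entry for the group
show ip access-lists MCAST-IN
show ip pim neighbor
show ip mroute 239.1.1.1
```

A unicast ping from the R2 side toward 10.0.12.1 should now increment the `deny ip any any log` counter and produce a log message, while `show ip pim neighbor` still lists R2.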