Cisco Router ACL Multicast Setup - Multicast Output Only

Jersey331
Level 1

Hey guys, I have a small home network where I would like to send multicast (239.1.1.1) from Router 1 (Cisco 892FSP-K9, IOS 15.2) to Router 2, where Router 1 has PIM dense mode set.

 

I would like to secure Router 1's network so no one can get into Router 1's network from Router 2. I have created these ACLs and they seem to be working to stop any PING messages to the interface on Router 1, but can anyone confirm I have these ACLs set up correctly on Router 1? Essentially I want to make sure only multicast on 239.1.1.1 leaves Router 1 and only let IGMP messages come into Router 1 so it knows to output the multicast.

 

Permit IGMP Any Any

Permit PIM Any Any

Permit ip Host 239.1.1.1 Any

 

Thanks for anyone's help!!


balaji.bandi
Hall of Fame

If I understand correctly, you are looking for only Router 1's network to be able to get the stream from 239.1.1.1 (the rest need to be denied). Is this correct?

 

Another way: if you have known network IP addresses in Router 1, only allow them in the ACL and deny the rest, so no one else can get to that stream?

 

Make sense?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi BB,
Thanks for your response back.
So I would like Router 1 to only output multicast on destination IP 239.1.1.1 and only allow IGMP messages into Router 1 from Router 2. I had hoped the ACL I wrote could work, but I am wondering if anyone could confirm whether that's the best way to do it.
I know all the network details of Router 1's interface where the multicast is coming out if you think my ACL could be better done through your suggestion?
Thanks for the help!

Hello,

For the purposes of this scenario, you only want R1 to send the multicast stream 239.1.1.1 to R2. All other traffic in and out of R1 is not permitted. Correct?

If so, although it could probably be accomplished with one ACL, two may prove to be more effective (in and out ACLs).

 

R1 outbound ACL:

Permit IGMP Any Any

Permit PIM Any Any

Permit ip any host 239.1.1.1

(Note: A typical multicast packet has the multicast group as the destination IP)

 

R1 inbound ACL:

Permit IGMP Any Any

Permit PIM Any Any

(Should be no need for a multicast entry as it won't be sent in this direction)

 

Hope this helps

Richard Burts
Hall of Fame

It is not clear to me how you are using this access list. The first line seems to be oriented to inbound traffic

Permit IGMP Any Any

The second line might be either inbound or outbound

Permit PIM Any Any

And the third line seems to be oriented to outbound traffic

Permit ip Host 239.1.1.1 Any

Can you clarify how you are using this access list?

 

HTH

 

Rick

Hi Rick,

 

Apologies for that, I am still reading up on ACLs.

 

So talking to a friend, I should have something like this:

 

So for ACL IN

permit IGMP any any

permit pim any any

deny tcp any any eq ftp

deny tcp any any eq telnet

deny tcp any any eq www

deny tcp any any

deny udp any any

deny ip any any

 

And ACL Out

Permit host IP Host 239.0.0.1 Any

deny tcp any any eq ftp

deny tcp any any eq telnet

deny tcp any any eq www

deny tcp any any

deny udp any any

deny ip any any

 

Do you think that would work?

 

Thanks for the help!!

 

You really don't need the "denys". There is an implicit "deny all" by default at the end of an access-list. It isn't shown, but it's there.

So to clarify:

ACL IN

permit IGMP any any

permit pim any any

("deny ip any any" is there but not shown)

You can add it in if you'd like so you'll know it is there, but it's not necessary.

Thanks for that!

I had thought I would have an ACL to permit only multicast out so nobody could get into the router, but actually the easier thing is to only have an IN ACL and only permit IGMP and PIM. So anything can leave the router, but only certain items can come into the router.

 

Thanks all for the help!
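The inbound-only approach settled on above, written out as an IOS configuration with the commands to verify it. This is an added example, not configuration from the original post or from anyone in the thread; the interface name GigabitEthernet0/1 (assumed to be the R1 interface facing R2), the ACL name MCAST-IN and the explicit logged deny are assumptions.

```cisco
! Added example, not from the thread. Interface and ACL names are assumed.
! Only the R1 interface that faces R2 gets an inbound ACL; outbound is left
! open, so the 239.1.1.1 stream (and anything else R1 sends) still leaves.
ip multicast-routing
!
ip access-list extended MCAST-IN
 remark Receivers behind R2 signalling interest in a group
 permit igmp any any
 remark PIM hello/join/prune from the R2 neighbour (dense mode needs these)
 permit pim any any
 remark Implicit deny already exists; stating it with "log" gives a hit
 remark counter and a syslog line for every other packet that arrives
 deny ip any any log
!
interface GigabitEthernet0/1
 description Link to Router 2
 ip pim dense-mode
 ip access-group MCAST-IN in
!
! Verification after applying:
!   show ip access-lists MCAST-IN   - per-line match counters; the deny line
!                                     counting up shows what is being dropped
!   show ip pim neighbor            - R2 must still appear as a PIM neighbour
!   show ip mroute 239.1.1.1        - the group should list GigabitEthernet0/1
!                                     in its outgoing interface list
```

Because the ACL drops everything except IGMP and PIM, ICMP from R2 is dropped too, so a failed ping of R1's interface from the R2 side is expected rather than a sign the multicast path is broken; the mroute and neighbour output above are the checks to rely on.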

Yes, that is a good approach, rather than complicating things.

 

BB
