01-21-2020 04:15 PM
Hello,
I have a question regarding an ACL to allow multicast packets; it's more of a general question: say I run PIM dense mode and want to allow traffic (packets) coming from a source to a multicast group address. Knowing that the ACL processes the entries top to bottom and that processing stops when an entry matches, how would an ACL allowing such traffic look, assuming both IGMP and PIM need to be allowed?
Thanks!
01-22-2020 04:27 PM
@andromeda let me try to summarize it.
If you are looking to filter the source of multicast traffic in a scenario where an attacker just targets a multicast group address to disrupt the multicast stream, then you need to do it using an IP multicast boundary.
You can only allow specific sources and destination groups in the ACL and bind it with the ip multicast boundary command. Traffic not matched by the ACL will be discarded once it reaches the router control plane.
Let's say in the above scenario you want to block multicast traffic sourced from 181.1.2.201; then you can do that as below. The config below will block multicast traffic from 181.1.2.201 but allow anything else:
ip access-list extended acc_grp13
deny ip host 181.1.2.201 any
permit ip any any
!
interface gigabitethernet 2/3/0
ip multicast boundary acc_grp13 in
Let's say you want to allow source 181.1.2.201 to destination 232.1.1.8 but block anything else sourced from 181.1.2.201, and then allow all other multicast sources:
ip access-list extended acc_grp13
permit ip host 181.1.2.201 host 232.1.1.8
deny ip host 181.1.2.201 any
permit ip any any
!
interface gigabitethernet 2/3/0
ip multicast boundary acc_grp13 in
!
IGMP access group:
The IGMP access group lets you decide which multicast groups the receivers on an interface are allowed to join.
The following example shows how to configure a standard access list to filter the groups that are available on an interface for receivers to join. In this example, Ethernet interface 1/3 is configured to restrict receivers from joining groups in the range 226.1.0.0 through 226.1.255.255. Receivers are permitted to join all other groups on Ethernet interface 1/3.
access-list 1 deny 226.1.0.0 0.0.255.255
access-list 1 permit any log
!
interface ethernet 1/3
ip igmp access-group 1
---
PIM neighbor filter: the PIM neighbor filter controls which devices can be your PIM neighbors. But this is typically not used for multicast security; in fact, it is useful for saving bandwidth on slower links.
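To make the top-down, first-match behaviour the question asks about concrete, here is a small ACL evaluator written for this thread (it is an added example, not code from the poster or from Cisco). It parses the boundary ACL and the IGMP standard ACL given above, applies Cisco wildcard-mask matching, and shows that the specific permit must sit above the broader deny, and that an ACL with no matching entry falls through to the implicit deny. The sample ACL text and test packets are constructed from the addresses used in this thread.

```python
"""Added example (not from the original thread): a first-match evaluator for
Cisco-style standard and extended ACLs, used to check the lists posted above.
Sample entries and packets are constructed from the thread's addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[str, str]  # (network, wildcard mask)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_spec(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


@dataclass
class Entry:
    action: str          # "permit" or "deny"
    src: Spec
    dst: Optional[Spec]  # None for a standard (source-only) ACL


def parse_extended(lines: List[str]) -> List[Entry]:
    """Parse named extended ACL entries such as 'permit ip host A host B'."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, _proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = parse_spec(rest)
        dst, _ = parse_spec(rest)
        entries.append(Entry(action, src, dst))
    return entries


def parse_standard(lines: List[str]) -> List[Entry]:
    """Parse numbered standard entries such as 'access-list 1 deny N WILDCARD'."""
    entries = []
    for line in lines:
        tokens = line.split()
        src, _ = parse_spec(tokens[3:])  # trailing 'log' keyword is ignored
        entries.append(Entry(tokens[2], src, None))
    return entries


def evaluate(entries: List[Entry], src: str, dst: Optional[str] = None):
    """Walk entries top to bottom; the first match wins.

    Returns (action, index). Index None means no entry matched and the
    implicit deny at the end of every Cisco ACL applied."""
    for i, e in enumerate(entries):
        if not wildcard_match(src, *e.src):
            continue
        if e.dst is not None and not wildcard_match(dst, *e.dst):
            continue
        return e.action, i
    return "deny", None


# The second boundary ACL from the thread: specific permit above the deny.
BOUNDARY_ACL = parse_extended([
    "permit ip host 181.1.2.201 host 232.1.1.8",
    "deny ip host 181.1.2.201 any",
    "permit ip any any",
])

# Same entries with the deny first: the specific permit is shadowed.
SHADOWED_ACL = parse_extended([
    "deny ip host 181.1.2.201 any",
    "permit ip host 181.1.2.201 host 232.1.1.8",
    "permit ip any any",
])

# The IGMP standard ACL from the thread (groups receivers may join).
IGMP_ACL = parse_standard([
    "access-list 1 deny 226.1.0.0 0.0.255.255",
    "access-list 1 permit any log",
])

if __name__ == "__main__":
    for s, g in [("181.1.2.201", "232.1.1.8"), ("181.1.2.201", "232.1.1.9"),
                 ("10.0.0.5", "232.1.1.8")]:
        print("boundary", s, "->", g, evaluate(BOUNDARY_ACL, s, g))
        print("shadowed", s, "->", g, evaluate(SHADOWED_ACL, s, g))
    for g in ("226.1.50.7", "239.1.1.1"):
        print("igmp join", g, evaluate(IGMP_ACL, g))
```

Running it shows the allowed (S,G) pair hitting entry 0 in BOUNDARY_ACL but entry 0 of SHADOWED_ACL as a deny, which is exactly why the order of the entries in the poster's second list matters; the IGMP list denies joins to 226.1.x.x and permits every other group.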
01-21-2020 06:00 PM
Hi,
The ACL to control multicast traffic needs to be applied with the multicast boundary command on the interface. The ACL works in the same way: only traffic sources and destinations that are permitted in the ACL will be allowed.
Example: the example below will stop the router from receiving multicast from source 181.1.2.201 sent to group 232.1.1.8 and permits everything else.
ip access-list extended acc_grp13
deny ip host 181.1.2.201 host 232.1.1.8
permit ip any any
!
interface gigabitethernet 2/3/0
ip multicast boundary acc_grp13 in
01-22-2020 06:27 AM
Thanks.
Don't we need to allow/restrict IGMP/PIM also?
01-22-2020 09:42 AM - edited 01-22-2020 09:50 AM
Hi,
You can add PIM also in the above ACL. There is also a separate PIM filtering command that can be applied at the interface level to allow/block neighborship with PIM neighbors, using 'ip pim neighbor-filter'.
For IGMP, you need to create a separate ACL and use it with 'ip igmp access-group'.
01-22-2020 10:20 AM
Thanks, however I'm confused.
Can you provide with an example that uses all mentioned?
01-22-2020 11:36 AM
Hi,
Yes I know it's confusing :)
I would suggest you have a look at the Cisco Live doc below about multicast security, which has graphic illustrations. It might be more helpful.
01-22-2020 02:59 PM
Well, I saw that. Thanks anyway; I was hoping to get a clearer explanation here...
Thanks.
01-23-2020 06:07 AM
Much better thanks!