Cisco Community
English
Register
ANNOUNCEMENT - Security Restructure has finished!. Email and Web Notifications are ON now - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
993
Views
0
Helpful
2
Replies
rtjensen4
rtjensen4 Enthusiast
Enthusiast
‎10-09-2012 02:49 PM
‎10-09-2012 02:49 PM

Block Multicast group RP

Hello,

I am looking for a way to block a specific multicast group on the network that does not entail me touching all my devices to update an ACL or somthing. I was thinking, if the multicast group didnt have an RP, it would keep it off the WAN and limit it to a local segment, which is OK.

I'm trying to block 239.255.255.200, Printers and a few other things are babbling across it and there's no need for it to go across the WAN. I'm using PIM-SM and was using a static Anycast RP (with MSDP between them). So... I fired up GNS3, setup our network and started monkeying with AutoRP. AutoRP would seem to do the trick because it will recognize negative statements in the ACL. I have it setup and running in the "lab". I hae a mapping agent and the candidate RP. Assume PIM is working as expected.

Candidate RP:

R1= Candidate RP:

R1(config-std-nacl)#do sh access-list 1

Standard IP access list 1

    5 deny   239.255.255.200

    10 permit 224.0.0.0, wildcard bits 15.255.255.255

ip pim send-rp-announce 10.10.250.1 scope 25 group-list 1 interval 5

R2= Mapping Agent:

ip pim autorp listener

ip pim send-rp-discovery Loopback0 scope 200

R3= A Branch Router:

R4#sh ip pim rp mapping

PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4

  RP 10.10.250.1 (?), v2v1

    Info source: 192.168.250.37 (?), elected via Auto-RP

         Uptime: 00:16:46, expires: 00:02:33

Group(s) (-)239.255.255.200/32

  RP 10.10.250.1 (?), v2v1

    Info source: 192.168.250.37 (?), elected via Auto-RP

         Uptime: 00:08:33, expires: 00:02:36

So AutoRP seems to be working, my RP mappings are getting to my branch... What does the ( - ) next to the group i want to deny signify? will it not use that RP for that group?

Labels:
Everyone's tags (3)
0 Helpful
Reply
2 REPLIES 2
Highlighted
Peter Paluch
Hall of Fame Cisco Employee Peter Paluch Hall of Fame Cisco Employee
Hall of Fame Cisco Employee
‎10-09-2012 09:08 PM
‎10-09-2012 09:08 PM

Block Multicast group RP

Hello,

This configuration causes the Candidate RP to announce its willingness to be a RP for all multicast groups except 239.255.255.200. The problem with this configuration is that this group basically does not have a RP and if the routers are configured as ip pim sparse-dense-mode they will fall back to PIM-DM operation for this particular group. This would be remedied best by reconfiguring the entire network for ip pim sparse-mode or no ip pim dm-fallback.

A different solution would be to have your Candidate RP become an RP for all groups, and then use the ip pim accept-register list ACL command on this RP to filter out all PIM Register messages that are coming for a particular (S, G), in this case, the (*, 239.255.255.200).

See more about the command here:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti/command/imc_i3.html#GUID-A3887644-DD8D-4621-B6F2-911191337439

Best regards,

Peter

0 Helpful
Reply
Highlighted
rtjensen4
rtjensen4 Enthusiast
Enthusiast
‎10-10-2012 04:50 AM
‎10-10-2012 04:50 AM

Re: Block Multicast group RP

Thanks Peter. I'm not using sparse-dense. Mode. I'm using ip pim autorp listener to avoid that behavior. I haven't had a chance to check the link you included, but I will so later today.

Sent from Cisco Technical Support iPhone App

0 Helpful
Reply
Latest Contents
Routing about remote access VPN
Created by MarkoAnastasov45813 on 02-26-2020 01:56 AM
0
0
0
0
Hello guys.I installed remote access VPN on Windows 2019. I need to do additional configuration on the router to allow access outside. I got this.Public IP--------------ISP Router-------------Fa0/0 Cisco Router Fa0/1------------------------My Server ... view more
Meet the Authors video - How to Troubleshoot Network Problem...
Created by hiarteag on 02-25-2020 03:43 PM
0
0
0
0
Meet the Authors video - How to Troubleshoot Network Problems with Vinit Jain (Live event – Wednesday, February 12th, 2020 at 10:00 a.m. Pacific / 1:00 p.m. Eastern / 7:00 p.m. Paris) This event had place on Wednesday 12th, February 2020 at 10hrs PDT&nbs... view more
Upgrading the hub router in a DMVPN
Created by CiscoMedMed on 02-25-2020 09:50 AM
1
0
1
0
I have a pair of 3945 routers that are proving to be underpowered for the 100+ remote offices connecting to them. Fortunately I happen to have a couple of 4351 ISRs rated for significantly greater encrypted throughput. Is there any way I could upgrade the... view more
SD-Access Authentication Policy Naming Best Practice
Created by ldanny on 02-25-2020 07:38 AM
0
0
0
0
Introduction This article assumes you have the basic knowledge and experience with Cisco DNA Center and Identity Services Engine (ISE).Note when reading this doc the "Authentication Policy" referred to is part of Cisco DNA Center Onboarding section and ha... view more
Cisco 6509-E Guide for NAT
Created by Hamidsattarrana on 02-25-2020 04:20 AM
1
0
1
0
Hi All!Does WS-X6548-GE-45AF and WS-X6148A-GE-45AF support NAT? 
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad