10-09-2012 02:49 PM - edited 03-07-2019 09:22 AM
Hello,
I am looking for a way to block a specific multicast group on the network that does not entail me touching all my devices to update an ACL or something. I was thinking, if the multicast group didn't have an RP, it would keep it off the WAN and limit it to a local segment, which is OK.
I'm trying to block 239.255.255.200. Printers and a few other things are babbling across it and there's no need for it to go across the WAN. I'm using PIM-SM and was using a static Anycast RP (with MSDP between them). So... I fired up GNS3, set up our network and started monkeying with AutoRP. AutoRP would seem to do the trick because it will recognize negative statements in the ACL. I have it set up and running in the "lab". I have a mapping agent and the candidate RP. Assume PIM is working as expected.
R1= Candidate RP:
R1(config-std-nacl)#do sh access-list 1
Standard IP access list 1
5 deny 239.255.255.200
10 permit 224.0.0.0, wildcard bits 15.255.255.255
ip pim send-rp-announce 10.10.250.1 scope 25 group-list 1 interval 5
R2= Mapping Agent:
ip pim autorp listener
ip pim send-rp-discovery Loopback0 scope 200
R3= A Branch Router:
R4#sh ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 224.0.0.0/4
RP 10.10.250.1 (?), v2v1
Info source: 192.168.250.37 (?), elected via Auto-RP
Uptime: 00:16:46, expires: 00:02:33
Group(s) (-)239.255.255.200/32
RP 10.10.250.1 (?), v2v1
Info source: 192.168.250.37 (?), elected via Auto-RP
Uptime: 00:08:33, expires: 00:02:36
So AutoRP seems to be working, my RP mappings are getting to my branch... What does the ( - ) next to the group I want to deny signify? Will it not use that RP for that group?
10-09-2012 09:08 PM
Hello,
This configuration causes the Candidate RP to announce its willingness to be an RP for all multicast groups except 239.255.255.200. The problem with this configuration is that this group basically does not have an RP and if the routers are configured as ip pim sparse-dense-mode they will fall back to PIM-DM operation for this particular group. This would be remedied best by reconfiguring the entire network for ip pim sparse-mode or no ip pim dm-fallback.
A different solution would be to have your Candidate RP become an RP for all groups, and then use the ip pim accept-register list ACL command on this RP to filter out all PIM Register messages that are coming for a particular (S, G), in this case, the (*, 239.255.255.200).
See more about the command here:
Best regards,
Peter
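The accept-register approach described in the reply above, written out as an added configuration example that is not part of the original thread. The ACL name BLOCK-REGISTER is hypothetical; the RP address, scope and group come from the original post.

```cisco
! Added example, not from the thread. Apply on every router acting as RP
! (each Anycast RP peer, if more than one serves the group range).
!
! Step 1: stop advertising the negative entry, so the Candidate RP
! announces itself for the whole 224.0.0.0/4 range again.
ip access-list standard 1
 no 5
!
ip pim send-rp-announce 10.10.250.1 scope 25 group-list 1 interval 5
!
! Step 2: filter PIM Register messages on the RP.
! In this extended ACL the source field matches the multicast source (S)
! and the destination field matches the group (G).
! BLOCK-REGISTER is a hypothetical name chosen for this example.
ip access-list extended BLOCK-REGISTER
 deny   ip any host 239.255.255.200
 permit ip any any
!
! Registers matching the deny entry are rejected and the RP answers the
! first-hop router with a Register-Stop, so no source tree is built
! through the RP for that group.
ip pim accept-register list BLOCK-REGISTER
!
! Checks after the change:
!   show ip pim rp mapping            (branch router: only 224.0.0.0/4,
!                                      no "(-)239.255.255.200/32" entry)
!   show ip mroute 239.255.255.200    (RP: no (S,G) state learned via Register)
!
! Caveat: Register messages are only sent by a first-hop router that is
! not itself the RP, so a source attached directly to the RP is not
! covered by this filter.
```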
10-10-2012 04:50 AM
Thanks Peter. I'm not using sparse-dense mode. I'm using ip pim autorp listener to avoid that behavior. I haven't had a chance to check the link you included, but I will do so later today.
Sent from Cisco Technical Support iPhone App