10-09-2012 02:49 PM - edited 03-07-2019 09:22 AM
Hello,
I am looking for a way to block a specific multicast group on the network that does not entail me touching all my devices to update an ACL or something. I was thinking, if the multicast group didn't have an RP, it would keep it off the WAN and limit it to a local segment, which is OK.
I'm trying to block 239.255.255.200. Printers and a few other things are babbling across it and there's no need for it to go across the WAN. I'm using PIM-SM and was using a static Anycast RP (with MSDP between them). So... I fired up GNS3, set up our network and started monkeying with AutoRP. AutoRP would seem to do the trick because it will recognize negative statements in the ACL. I have it set up and running in the "lab". I have a mapping agent and the candidate RP. Assume PIM is working as expected.
Candidate RP:
R1= Candidate RP:
R1(config-std-nacl)#do sh access-list 1
Standard IP access list 1
5 deny 239.255.255.200
10 permit 224.0.0.0, wildcard bits 15.255.255.255
ip pim send-rp-announce 10.10.250.1 scope 25 group-list 1 interval 5
R2= Mapping Agent:
ip pim autorp listener
ip pim send-rp-discovery Loopback0 scope 200
R3= A Branch Router:
R4#sh ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 224.0.0.0/4
RP 10.10.250.1 (?), v2v1
Info source: 192.168.250.37 (?), elected via Auto-RP
Uptime: 00:16:46, expires: 00:02:33
Group(s) (-)239.255.255.200/32
RP 10.10.250.1 (?), v2v1
Info source: 192.168.250.37 (?), elected via Auto-RP
Uptime: 00:08:33, expires: 00:02:36
So AutoRP seems to be working, my RP mappings are getting to my branch... What does the ( - ) next to the group I want to deny signify? Will it not use that RP for that group?
10-09-2012 09:08 PM
Hello,
This configuration causes the Candidate RP to announce its willingness to be an RP for all multicast groups except 239.255.255.200. The problem with this configuration is that this group basically does not have an RP and if the routers are configured as ip pim sparse-dense-mode they will fall back to PIM-DM operation for this particular group. This would be remedied best by reconfiguring the entire network for ip pim sparse-mode or no ip pim dm-fallback.
A different solution would be to have your Candidate RP become an RP for all groups, and then use the ip pim accept-register list ACL command on this RP to filter out all PIM Register messages that are coming for a particular (S, G), in this case, the (*, 239.255.255.200).
See more about the command here:
Best regards,
Peter
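The mapping output in the question and the explanation in the reply above, as an added example that is not part of the original thread: a Python parser for `show ip pim rp mapping` text that lists the negative `(-)` prefixes and reports which RP, if any, a group maps to. The function names are hypothetical, the sample is the output quoted in the question, and picking the most specific matching entry is a modelling assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample: the branch-router output quoted in the question.
SAMPLE = """\
PIM Group-to-RP Mappings
Group(s) 224.0.0.0/4
RP 10.10.250.1 (?), v2v1
Info source: 192.168.250.37 (?), elected via Auto-RP
Uptime: 00:16:46, expires: 00:02:33
Group(s) (-)239.255.255.200/32
RP 10.10.250.1 (?), v2v1
Info source: 192.168.250.37 (?), elected via Auto-RP
Uptime: 00:08:33, expires: 00:02:36
"""

# "(-)" in front of the prefix marks a negative mapping (a deny entry
# in the candidate RP's group-list ACL).
GROUP_RE = re.compile(r"^\s*Group\(s\)\s+(\(-\))?\s*(\d+\.\d+\.\d+\.\d+/\d+)")
RP_RE = re.compile(r"^\s*RP\s+(\d+\.\d+\.\d+\.\d+)")


def parse_rp_mappings(text):
    """Return one dict per mapping: {'prefix', 'negative', 'rp'}."""
    mappings = []
    for line in text.splitlines():
        g = GROUP_RE.match(line)
        if g:
            mappings.append({"prefix": ipaddress.ip_network(g.group(2)),
                             "negative": g.group(1) is not None, "rp": None})
            continue
        r = RP_RE.match(line)
        if r and mappings and mappings[-1]["rp"] is None:
            mappings[-1]["rp"] = r.group(1)  # first RP line after a Group(s) line
    return mappings


def rp_for_group(mappings, group):
    """Assumption: the most specific match decides; a negative match means no RP."""
    addr = ipaddress.ip_address(group)
    hits = [m for m in mappings if addr in m["prefix"]]
    best = max(hits, key=lambda m: m["prefix"].prefixlen, default=None)
    return None if best is None or best["negative"] else best["rp"]


def negative_groups(mappings):
    """Prefixes announced as negative, i.e. shown with (-) in the output."""
    return [str(m["prefix"]) for m in mappings if m["negative"]]
```

Run against output collected from each branch router, `negative_groups()` shows whether the deny entry actually propagated, and `rp_for_group()` confirms that 239.255.255.200 resolves to no RP while the rest of 224.0.0.0/4 still maps to 10.10.250.1.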
10-10-2012 04:50 AM
Thanks Peter. I'm not using sparse-dense mode. I'm using ip pim autorp listener to avoid that behavior. I haven't had a chance to check the link you included, but I will do so later today.
Sent from Cisco Technical Support iPhone App