Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1337
Views
0
Helpful
2
Replies

Block Multicast group RP

rtjensen4
Level 4
Level 4

‎10-09-2012 02:49 PM - edited ‎03-07-2019 09:22 AM

Hello,

I am looking for a way to block a specific multicast group on the network that does not entail me touching all my devices to update an ACL or somthing. I was thinking, if the multicast group didnt have an RP, it would keep it off the WAN and limit it to a local segment, which is OK.

I'm trying to block 239.255.255.200, Printers and a few other things are babbling across it and there's no need for it to go across the WAN. I'm using PIM-SM and was using a static Anycast RP (with MSDP between them). So... I fired up GNS3, setup our network and started monkeying with AutoRP. AutoRP would seem to do the trick because it will recognize negative statements in the ACL. I have it setup and running in the "lab". I hae a mapping agent and the candidate RP. Assume PIM is working as expected.

Candidate RP:

R1= Candidate RP:

R1(config-std-nacl)#do sh access-list 1

Standard IP access list 1

    5 deny   239.255.255.200

    10 permit 224.0.0.0, wildcard bits 15.255.255.255

ip pim send-rp-announce 10.10.250.1 scope 25 group-list 1 interval 5

R2= Mapping Agent:

ip pim autorp listener

ip pim send-rp-discovery Loopback0 scope 200

R3= A Branch Router:

R4#sh ip pim rp mapping

PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4

  RP 10.10.250.1 (?), v2v1

    Info source: 192.168.250.37 (?), elected via Auto-RP

         Uptime: 00:16:46, expires: 00:02:33

Group(s) (-)239.255.255.200/32

  RP 10.10.250.1 (?), v2v1

    Info source: 192.168.250.37 (?), elected via Auto-RP

         Uptime: 00:08:33, expires: 00:02:36

So AutoRP seems to be working, my RP mappings are getting to my branch... What does the ( - ) next to the group i want to deny signify? will it not use that RP for that group?

Labels:
0 Helpful
2 Replies 2

Peter Paluch
Cisco Employee
Cisco Employee

‎10-09-2012 09:08 PM

Hello,

This configuration causes the Candidate RP to announce its willingness to be a RP for all multicast groups except 239.255.255.200. The problem with this configuration is that this group basically does not have a RP and if the routers are configured as ip pim sparse-dense-mode they will fall back to PIM-DM operation for this particular group. This would be remedied best by reconfiguring the entire network for ip pim sparse-mode or no ip pim dm-fallback.

A different solution would be to have your Candidate RP become an RP for all groups, and then use the ip pim accept-register list ACL command on this RP to filter out all PIM Register messages that are coming for a particular (S, G), in this case, the (*, 239.255.255.200).

See more about the command here:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti/command/imc_i3.html#GUID-A3887644-DD8D-4621-B6F2-911191337439

Best regards,

Peter

0 Helpful

rtjensen4
Level 4
Level 4

‎10-10-2012 04:50 AM

Thanks Peter. I'm not using sparse-dense. Mode. I'm using ip pim autorp listener to avoid that behavior. I haven't had a chance to check the link you included, but I will so later today.

Sent from Cisco Technical Support iPhone App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card