We're using PIM sparse mode in a customer network with Catalyst 2/3/4/6K switches. All multicast routers are redundant, with a PIM DR elected for the access subnets. The RPs are configured with Anycast RP.
A) Is there any possibility to prevent rogue PIM routers/IGMP queriers connected to host ports from connecting to the legal PIM routers and from getting involved in the local IGMP traffic?
Maybe something like DHCP snooping is for DHCP. I read that in the latest Sup2T IOS (http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/catalyst6500/ios/15-2SY/config_guide/sup2T/15_2_sy_swcg_2T.pdf) there is a feature called 'IPv4 Router Guard' which does exactly what we're looking for:
'When configured, the Router Guard feature makes the specified port a host port only. The port is prevented from becoming a router port, even if multicast router control packets are received. In addition, any control packets normally received from multicast routers, such as IGMP queries and PIM joins, will also be discarded by this filter.'
AFAIK, PIM authentication isn't supported in current Catalyst IOS versions.
Using a normal port ACL is not an option in our case because of a management decision.
B) Is there any possibility to prevent (on a per-subnet basis) rogue sources from sending multicast streams to legal multicast groups?
For example, can I configure an SVI of a host subnet, or a host port, to drop any incoming multicast stream while still accepting IGMP and sending out the legal multicast streams?
Using the 'ip pim accept-register' command on the RP is not an option because we have tons of legal sources, which would end up in a very large, error-prone ACL.
Unfortunately, a normal ACL is not an option here either.
We use two PIM routers in each host subnet for redundancy; they elect the PIM DR.
Does PIM passive mode work here?
(Config Guide: If the ip pim passive command is configured on an interface enabled for IP multicast, the router will operate this interface in PIM passive mode, which means that the router will not send PIM messages on the interface nor will it accept PIM messages from other routers across this interface. The router will instead consider that it is the only PIM router on the network and thus act as the DR and also as the DF for all bidir-PIM group ranges. IGMP operations are unaffected by this command. ... The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces.)
'ip pim neighbor-filter' would maybe work to prevent rogue PIM routers from connecting to the legal PIM routers, but wouldn't rogue PIM routers still be able to manipulate the Layer 2 switch into sending all IGMP traffic to them and not to the legal PIM routers?
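For question A, the following is an added configuration example (it is not from the original post or from Cisco's documentation) that puts the three mechanisms discussed above next to each other: 'ip pim neighbor-filter' on the redundant PIM routers, static IGMP snooping mrouter ports on the access switch, and the Sup2T Router Guard feature on host ports. The VLAN number, IP addresses and interface names are hypothetical, and the Router Guard command syntax is assumed from the cited Sup2T feature and should be checked against the config guide for the release in use.

```cisco
! Added example, not part of the original post. VLAN 10 is one access
! subnet; 10.10.0.2 and 10.10.0.3 are its two legitimate (redundant)
! PIM routers. All names and addresses are hypothetical.
!
! --- On each legitimate PIM router (shown for the 10.10.0.2 box) ---
ip multicast-routing
!
! Only the known redundant peer may become a PIM neighbor on this SVI.
! A PIM hello from any other address (e.g. a host port) is dropped and logged.
! The peer router carries the mirror image of this ACL (permit 10.10.0.2).
ip access-list standard PIM-NEIGHBORS-VLAN10
 permit 10.10.0.3
 deny   any log
!
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter PIM-NEIGHBORS-VLAN10
!
! 'ip pim passive' is the alternative named in the post, but it does not
! fit this design: each router would treat itself as the only PIM router
! on VLAN 10 (no DR election), and the config guide states that two PIM
! routers on one access domain are unsupported with it.
!
! --- On the Layer 2 access switch carrying VLAN 10 ---
! The neighbor-filter only protects the routers' PIM adjacency. IGMP
! snooping still learns mrouter ports from any PIM hello or IGMP query it
! sees, so the uplinks to the two legal routers are pinned statically ...
ip igmp snooping
ip igmp snooping vlan 10 mrouter interface GigabitEthernet1/0/49
ip igmp snooping vlan 10 mrouter interface GigabitEthernet1/0/50
!
! ... and on a Catalyst 6500 Sup2T, Router Guard keeps host ports from
! being learned as router ports at all (assumed syntax; verify for your
! release).
ip multicast router-guard
!
interface GigabitEthernet1/1
 description host port (Router Guard: never becomes a router port)
 ip multicast router-guard
!
! Verification (commands exist on Catalyst IOS):
!   show ip pim neighbor vlan 10          -> only the legal peer should appear
!   show ip igmp snooping mrouter vlan 10 -> only the two static uplinks
```

The static mrouter entries add the legal uplinks to the snooping table but do not, by themselves, stop a rogue querier on a host port from being learned as an additional mrouter port; that is exactly the gap the post's Router Guard question is about, which is why the example ends with that feature on the host-facing ports. The 'deny any log' entry in the neighbor filter also gives a log line each time a rogue PIM hello is rejected, which is a cheap detection signal for the same event.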