Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
890
Views
5
Helpful
3
Replies

Multicast boundary DMVPN

Go to solution
thoward1
Level 1
Level 1

‎07-16-2019 07:52 PM - edited ‎02-21-2020 09:42 PM

I am running a dual hub, single cloud DMVPN. There is any source multicast traffic being produced and consumed on the network. Both DMVPN hubs are rendevouz points, using MSDP.

There is a host that is producing multicast traffic on the network behind one of the hubs to a specific multicast group. I want to prevent this multicast traffic from being accessible at the second hub router as well as at certain spoke routers. There is other multicast traffic that the same host is producing to a separate multicast group and I still want this traffic to be available everywhere.

There seems to be a lot of multicast security options but it isn't clear if any could help with what I am trying to achieve. What would be the suggested method to use?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to thoward1

‎07-16-2019 09:53 PM

You can use PIM Allow-RP feature at the hub which can do the same job by
have multiple dummy RPs for different groups and accordingly control which
spokes join the group using static pointing.


https://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-2s/imc_pim_allowrp.html

View solution in original post

3 Replies 3

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎07-16-2019 08:46 PM

Hi,

You can use multi-cast boundary interface command as your 2nd hub and
specific spokes to allow the required multicast groups.

Let's say that you have group 239.1.1.1 to be blocked from 2nd hub and x
spokes and group 239.2.2.2 to be allowed for all nodes.

At your hub 2 and x spokes you can create a stand ACLs to allow 239.2.2.2
only. Then you apply to exit interfaces to block multicast traffic to
239.1.1.1

***** remember to rate useful posts
0 Helpful

Go to solution
thoward1
Level 1
Level 1
In response to Mohammed al Baqari

‎07-16-2019 08:55 PM

Thanks for the info.

Blocking the multicast group on the 2nd hub and at the prohibited spokes was a backup plan.

I was hoping to block the multicast traffic from ever getting to those routers in the first place. I would like the permitted routers to have control over where the traffic goes rather than the prohibited routers having control (if that is possible).

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to thoward1

‎07-16-2019 09:53 PM

You can use PIM Allow-RP feature at the hub which can do the same job by
have multiple dummy RPs for different groups and accordingly control which
spokes join the group using static pointing.


https://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-2s/imc_pim_allowrp.html
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents