Re: Re: IP IGMP filter???

From: shiran guez (shiranp3@gmail.com)
Date: Fri Nov 16 2007 - 10:48:24 ART


Chan

It doesn't matter what mode is on the incoming interface, as you can't control
what type of traffic mode is coming in to you.

When you specify it on F0/0 under R2 or any other interface, it only refers
to the traffic type that you are allowed to send out the interface.

Also, IGMP is a client-to-router message, not router-to-router; dense or
sparse is router-to-router communication.

I would use the ip multicast boundary to filter a group

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/himc_r/mlt_i1h.htm#wp1112742

On Nov 16, 2007 3:39 PM, Chan Hong <chan_hong33@yahoo.com> wrote:

> In your config, it's sparse-dense mode on R2 Fa0/0.
> Check whether the fallback to dense happens on R2 when you block the IGMP
> report message from R6.
>
>
> ----- Original Message ----
> From: shiran guez <shiranp3@gmail.com>
> To: iosluver@gmail.com
> Cc: ccielab@groupstudy.com
> Sent: Friday, November 16, 2007 1:44:32 PM
> Subject: Re: IP IGMP filter???
>
> The access-group is not filtering; it is like a Join Group but for the
> network behind it, so what you did on R2 is that, for the network
> 173.1.26.0, all the hosts behind it can use group 226.6.6.6 without actually
> sending a Join, and on R6 you actually explicitly joined both groups.
>
> To filter this 227.7.7.7 you need an access list, and assign it to the
> interface: ip access-group ...
>
> Please, someone comment, as I do not see another way for this scenario.
>
> Unless you use IGMPv3, where you can filter.
>
> On Nov 16, 2007 3:50 AM, <iosluver@gmail.com> wrote:
>
> > Hi GS,
> >
> > Can someone please point out my mistake here. I am trying to filter IGMP
> > requests to certain multicast groups on a LAN segment while permitting
> > others.
> >
> > I have PIM sparse-mode running on the links between all routers. I applied
> > the config below. Correct me if I'm wrong here, but shouldn't R2 prevent R6
> > from joining 227.7.7.7 while allowing it to join 226.6.6.6? I see R6
> > responding to the ICMP requests. Worse still, I'm logging ACL violations &
> > though the packet is denied, R2 adds a route for the group in its mroute
> > table.
> >
> > Is this a bad approach for testing this? Hope someone takes time out to
> > read this.
> >
> > Here is a sketchy picture of what I did. Thanks in advance
> >
> > R1-------FRAME-RELAY---------R2=========LAN=======R6
> >
> > R2
> > +++++++++++++++++++++++++++++++++++++++++
> > ip access-list standard IGMP-VLAN26
> >  permit 226.0.0.0 0.255.255.255
> >  deny any log
> >
> > interface FastEthernet0/0
> >  ip address 173.1.26.2 255.255.255.0
> >  ip pim sparse-dense-mode
> >  ip rip advertise 10
> >  ip rip authentication mode md5
> >  ip rip authentication key-chain RIP
> >  ip igmp access-group IGMP-VLAN26
> >  speed 100
> >  full-duplex
> >
> > interface Serial0/0.201 point-to-point
> >  ip address 173.1.12.2 255.255.255.0
> >  ip pim sparse-mode
> >  ip rip advertise 10
> >  no ip route-cache
> >  frame-relay interface-dlci 201
> >
> > +++++++++++++++++++++++++++++++++++++++++++
> >
> > R6
> > +++++
> > interface FastEthernet0/0.62
> >  encapsulation dot1Q 62
> >  ip address 192.10.1.6 255.255.255.0
> >  ip pim sparse-mode
> >  ip rip advertise 10
> >  no ip route-cache
> >  ip igmp join-group 226.6.6.6
> >  ip igmp join-group 227.7.7.7
> >  no snmp trap link-status
> >
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >
> > R1
> > +++++
> >
> > interface Loopback0
> >  ip address 150.1.1.1 255.255.255.0
> >  ip pim sparse-mode
> > end
> >
> > interface Serial0/0.102 point-to-point
> >  ip address 173.1.12.1 255.255.255.0
> >  ip pim sparse-mode
> >  ip rip advertise 10
> >  frame-relay interface-dlci 102
> > end
> > ************************************************************
> >
> >
> > DEBUG OUTPUT
> > ===============================================================
> > %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
> > %SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet
> >
> > Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us
> > Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set
> > Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join
> > Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 27.7.7.7
> > Insert (*,227.7.7.7) join in nbr 173.1.12.1's queue
> > Building Join/Prune packet for nbr 173.1.12.1
> > Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> > Send v2 join/prune to 173.1.12.1 (Serial0/0.201)
> > Building Triggered (*,G) Join / (S,G,RP-bit) Prune message for 227.7.7.7
> > Insert (*,227.7.7.7) join in nbr 173.1.26.2's queue
> > Building Join/Prune packet for nbr 173.1.26.2
> > Adding v2 (150.1.1.1/32, 227.7.7.7), WC-bit, RPT-bit, S-bit Join
> > Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> > Insert (150.1.1.1,227.7.7.7) join in nbr 173.1.26.2's queu
> > Insert (173.1.18.1,227.7.7.7) join in nbr 173.1.26.2's que
> > Building Join/Prune packet for nbr 173.1.26.2
> > Adding v2 (150.1.1.1/32, 227.7.7.7), S-bit Join
> > Adding v2 (173.1.18.1/32, 227.7.7.7), S-bit Join
> > Send v2 join/prune to 173.1.26.2 (FastEthernet0/0.26)
> > ===============================================================
> >
> > Rack3R1#ping 226.6.6.6 repeat 100
> >
> > Type escape sequence to abort.
> > Sending 100, 100-byte ICMP Echos to 226.6.6.6, timeout is 2 seconds:
> >
> > Reply to request 0 from 173.1.26.6, 61 ms
> > Reply to request 0 from 173.1.26.6, 77 ms
> > Reply to request 1 from 173.1.26.6, 64 ms
> > Rack3R1#ping 227.7.7.7 repeat 100
> >
> > Type escape sequence to abort.
> > Sending 100, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
> >
> > Reply to request 0 from 173.1.26.6, 64 ms
> > Reply to request 0 from 173.1.26.6, 116 ms
> > Reply to request 0 from 173.1.26.6, 80 ms
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
>
>
>
>

-- 
Shiran Guez
MCSE CCNP NCE1
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3
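
The debug output quoted in this thread shows the IGMP access-group deny and the PIM-created (*, 227.7.7.7) state side by side. The script below is an added example, not part of the original thread: it correlates the two kinds of log line to list groups that the IGMP ACL denied but that still gained forwarding state through a PIM join. The function name `denied_but_forwarding` and the constructed 226.6.6.6 sample line are assumptions for illustration.

```python
import re

# Lines 1-4 are copied from the debug output quoted in the thread (mail
# line-wraps rejoined); line 5 is constructed to show a permitted group.
SAMPLE = "\n".join([
    "%SEC-6-IPACCESSLOGNP: list IGMP-VLAN26 denied 0 227.7.7.7 -> 0.0.0.0, 1 packet",
    "Received v2 Join/Prune on FastEthernet0/0 from 173.1.26.6, to us",
    "Join-list: (*, 227.7.7.7), RPT-bit set, WC-bit set, S-bit set",
    "Add FastEthernet0/0/173.1.26.6 to (*, 227.7.7.7), Forward state, by PIM *G Join",
    "Add FastEthernet0/0/173.1.26.6 to (*, 226.6.6.6), Forward state, by PIM *G Join",
])

IP = r"\d+\.\d+\.\d+\.\d+"
# ACL log line: captures the ACL name and the denied group address.
ACL_DENY = re.compile(rf"%SEC-6-IPACCESSLOGNP: list (\S+) denied \d+ ({IP}) ->")
# PIM debug line: captures interface, PIM neighbor and the (*, G) group.
PIM_ADD = re.compile(rf"Add (\S+)/({IP}) to \(\*, ({IP})\), Forward state, by PIM")


def denied_but_forwarding(log_text):
    """Return {group: [(acl, interface, pim_neighbor), ...]} for every group
    that an ACL denied but that still got forwarding state from a PIM join."""
    denied = {}       # group -> name of the ACL that denied it
    pim_state = []    # (group, interface, neighbor) added by PIM joins
    for line in log_text.splitlines():
        m = ACL_DENY.search(line)
        if m:
            denied[m.group(2)] = m.group(1)
        m = PIM_ADD.search(line)
        if m:
            pim_state.append((m.group(3), m.group(1), m.group(2)))
    # Second pass so the result does not depend on log line ordering.
    findings = {}
    for group, interface, neighbor in pim_state:
        if group in denied:
            findings.setdefault(group, []).append(
                (denied[group], interface, neighbor))
    return findings


if __name__ == "__main__":
    for group, hits in denied_but_forwarding(SAMPLE).items():
        for acl, interface, neighbor in hits:
            print(f"{group}: denied by {acl}, but PIM neighbor {neighbor} "
                  f"on {interface} still created (*,G) forwarding state")
```
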


This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART