PIM Accept-RP is a security feature that allows a router to accept join and prune messages only for specific RPs and, if configured, only for the groups defined in an ACL. The feature consists of a single command, ip pim accept-rp [ rp-address ] [ acl ], that is best configured across the entire multicast domain, but at a minimum it is needed on the RP itself.
Concepts tested
- Control group joins in a sparse mode environment
- Configuring sparse mode
- Verify (*,G) filtering
Lab Tasks
- Configure sparse mode on all paths between the source and destination
- Configure R4 as a static RP
- Configure R4 so that its loopback address is the only RP and that only the group 231.1.1.1 can send multicast.
GNS3 configuration file, requires IOS v15 for the 7200 router: Link
Solution
Receiver(config)#ip multicast-routing
Receiver(config)#int g0/0
Receiver(config-if)#ip pim sparse-mode
R2(config)#ip multicast-routing
R2(config)#ip pim rp-address 4.4.4.4 1
R2(config)#int s2/0
R2(config-if)#ip pim sparse-mode
R2(config)#int g0/0
R2(config-if)#ip pim sparse-mode
R3(config)#ip multicast-routing
R3(config)#ip pim rp-address 4.4.4.4 1
R3(config)#int g0/0
R3(config-if)#ip pim sparse-mode
R3(config-if)#int g1/0
R3(config-if)#ip pim sparse-mode
R4(config)#ip multicast-routing
R4(config)#int g0/0
R4(config-if)#ip pim sparse-mode
R4(config-if)#int g1/0
R4(config-if)#ip pim sparse-mode
R4(config-if)#int g2/0
R4(config-if)#ip pim sparse-mode
R4(config-if)#int s3/0
R4(config-if)#ip pim sparse-mode
R4(config)#int loopback 0
R4(config-if)#ip pim sparse-mode
R4(config-if)#exit
R4(config)#access-list 1 permit 231.0.0.0 0.255.255.255
R4(config)#access-list 1 permit 224.0.1.40
R4(config)#ip pim rp-address 4.4.4.4
R4(config)#ip pim accept-rp 4.4.4.4 1
Source(config)#ip multicast-routing
Source(config)#int g0/0
Source(config-if)#ip pim sparse-mode
Verification
Let's first test that our configuration works by making sure we can receive traffic for the 231.0.0.1 group. Enable debug ip pim on R4, join Receiver's g0/0 interface to the 231.0.0.1 group, and then ping the group from the source router.
R4:
*Nov 18 05:30:44.315: PIM(0): Received v2 Join/Prune on GigabitEthernet1/0 from 120.0.34.3, to us
*Nov 18 05:30:44.319: PIM(0): Join-list: (*, 231.0.0.1), RPT-bit set, WC-bit set, S-bit set
*Nov 18 05:30:44.323: PIM(0): Update GigabitEthernet1/0/120.0.34.3 to (*, 231.0.0.1), Forward state, by PIM *G Join
*Nov 18 05:30:45.159: PIM(0): Building Periodic (*,G) Join / (S,G,RP-bit) Prune message for 231.0.0.1
Source:
Source#ping 231.0.0.1 rep 25
Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 231.0.0.1, timeout is 2 seconds:
Reply to request 0 from 120.0.0.1, 184 ms
Reply to request 1 from 120.0.0.1, 104 ms
Reply to request 2 from 120.0.0.1, 112 ms
OK, looks good.
Now let's test that we have limited joins to just the groups we defined. Add the following to R4's configuration so that we can watch the ACL counters.
R4(config)#access-list 1 deny 239.0.0.1
Now join Receiver's G0/0 to the group 239.0.0.1
R4:
*Nov 18 05:41:15.531: PIM(0): Received v2 Join/Prune on GigabitEthernet1/0 from 120.0.34.3, to us
*Nov 18 05:41:15.535: %PIM-6-INVALID_RP_JOIN: Received (*, 239.0.0.1) Join from 120.0.34.3 for invalid RP 4.4.4.4
R4#
*Nov 18 05:41:15.539: PIM(0): Join-list: (*, 239.0.0.1),, ignored, invalid RP 4.4.4.4 from 120.0.34.3
R4#sh ip mroute 239.0.0.1
Group 239.0.0.1 not found
Source:
Source#ping 239.0.0.1 rep 25
Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 239.0.0.1, timeout is 2 seconds:
........
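An added example, not part of the original lab: a small Python model of the accept-rp decision R4 is making above (RP address check plus wildcard-mask ACL lookup ending in the implicit deny), together with a parser for the %PIM-6-INVALID_RP_JOIN syslog line so the drops can be alerted on from a log collector. The AclEntry, accept_rp and rejected_joins names are hypothetical helpers; the ACL entries and the sample log line are the ones shown above.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"  # IOS wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        a = int(ipaddress.IPv4Address(self.address))
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (g & care) == (a & care)

def acl_permits(acl, group):
    """First matching entry wins; every IOS standard ACL ends in an implicit deny."""
    for entry in acl:
        if entry.matches(group):
            return entry.action == "permit"
    return False

def accept_rp(join_rp, group, accepted_rp, acl=None):
    """Simplified model of 'ip pim accept-rp <rp-address> [acl]' for one (*,G) join: the join
    must name the configured RP and, if an ACL is given, G must be permitted by it.
    Hypothetical helper; it ignores the auto-rp keyword and multiple accept-rp statements."""
    if join_rp != accepted_rp:
        return False
    return True if acl is None else acl_permits(acl, group)

# R4's access-list 1 from the lab, including the explicit deny added for verification
ACL_1 = [
    AclEntry("permit", "231.0.0.0", "0.255.255.255"),
    AclEntry("permit", "224.0.1.40"),  # Auto-RP discovery group
    AclEntry("deny", "239.0.0.1"),
]

INVALID_RP_RE = re.compile(
    r"%PIM-6-INVALID_RP_JOIN: Received \((\S+), (\S+)\) Join from (\S+) for invalid RP (\S+)")

def rejected_joins(log_lines):
    """Extract (source, group, neighbor, rp) from the syslog line IOS emits when accept-rp
    drops a join, so a collector can alert on joins for groups or RPs that are not allowed."""
    hits = []
    for line in log_lines:
        m = INVALID_RP_RE.search(line)
        if m:
            hits.append(dict(source=m.group(1), group=m.group(2),
                             neighbor=m.group(3), rp=m.group(4)))
    return hits
```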