Friday, November 21, 2014

Multicast - PIM Accept register

Overview

PIM Accept-register is a security feature that allows control over which sources and groups can register with the RP. The command is configured in addition to the RP configuration and includes an access list option that controls sources and groups based on the access list configuration below:

ip access-list extended name
 permit ip source source_wildcard_mask group group_wildcard_mask

The access list above is referenced by the ip pim accept-register list command; optionally, a route-map can be used instead.

Concepts tested
  • Configuring PIM-SM 
  • DR election and placement
  • PIM accept register

Topology




Lab Tasks
  • Configure all devices with PIM-SM on connected interfaces
  • Configure R1 as the RP
  • Configure R1 so that it only accepts source registrations from the source IP 4.4.4.4 for the group 239.0.0.0/24.
  • Test your configuration by having R1's g0/0 join the group 239.0.0.1 and ping the group from R4 sourcing from its loopback 0 interface which should be successful.
  • Test your configuration again by having R1's g0/0 interface join the group 239.1.1.1 and have R4 ping the group sourcing it from its loopback 0 interface which should fail.

GNS3 configuration file, requires IOS v15 for the 7200 router: Link


Solution

R1(config)#ip multicast-routing
R1(config)#ip pim rp-address 1.1.1.1
R1(config)#int g0/0
R1(config-if)#ip pim sparse-mode
R1(config-if)#int g1/0
R1(config-if)#ip pim sparse-mode
R1(config)#ip access-list extended ALLOWED_GROUPS
R1(config-ext-nacl)#permit ip host 4.4.4.4 239.0.0.0 0.0.0.255
R1(config-ext-nacl)#deny ip any any <== So we can look at the counters and confirm it's working
R1(config-ext-nacl)#exit
R1(config)#ip pim accept-register list ALLOWED_GROUPS

R2(config)#ip multicast-routing
R2(config)#ip pim rp-address 1.1.1.1
R2(config)#int g0/0
R2(config-if)#ip pim sparse-mode
R2(config-if)#int g1/0
R2(config-if)#ip pim sparse-mode

R3(config)#ip multicast-routing
R3(config)#ip pim rp-address 1.1.1.1
R3(config)#int g0/0
R3(config-if)#ip pim sparse-mode
R3(config-if)#int g1/0
R3(config-if)#ip pim sparse-mode

R4(config)#ip multicast-routing
R4(config)#ip pim rp-address 1.1.1.1 <== R4 must know the RP in order to send Registers to it
R4(config)#int g0/0
R4(config-if)#ip pim sparse-mode
R4(config-if)#int g1/0
R4(config-if)#ip pim sparse-mode


Verification


R1#deb ip pim 239.0.0.1
R1(config-if)#ip igmp join-group 239.0.0.1

R4#ping 239.0.0.1 source loopback 0 rep 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.
Reply to request 1 from 120.0.0.1, 140 ms
Reply to request 2 from 120.0.0.1, 112 ms
Reply to request 3 from 120.0.0.1, 120 ms
Reply to request 4 from 120.0.0.1, 112 ms

R1#show ip access-lists ALLOWED_GROUPS
Extended IP access list ALLOWED_GROUPS
    10 permit ip host 4.4.4.4 239.0.0.0 0.0.0.255 (5 matches)

*Nov 20 07:24:26.167: PIM(0): Received v2 Register on GigabitEthernet0/0 from 120.0.24.4
*Nov 20 07:24:26.167:      for 4.4.4.4, group 239.0.0.1
*Nov 20 07:24:26.175: PIM(0): Adding register decap tunnel (Tunnel1) as accepting interface of (4.4.4.4, 239.0.0.1).
*Nov 20 07:24:26.179: PIM(0): Send v2 Register-Stop to 120.0.24.4 for 4.4.4.4, group 239.0.0.1


Now let's try a group that isn't in our access list.

R4#ping 239.1.1.1 source loopback 0 rep 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.....

R1:

*Nov 20 07:26:23.643: %PIM-4-INVALID_SRC_REG: Received Register from 120.0.24.4 for (4.4.4.4, 239.1.1.1), not willing to be RP
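The two outcomes above can be checked offline before an ACL is applied to the RP. The following is an added example, not part of the original lab: a small Python model of how an extended ACL used with accept-register is evaluated against the (source, group) pair carried in the Register, that is 4.4.4.4 and the group, not the registering router's address 120.0.24.4. The function names are made up for this example, and only the "permit|deny ip" entry forms used on this page are supported.

```python
import ipaddress

FULL = 0xFFFFFFFF

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _parse_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, FULL
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(first), _to_int(tokens.pop(0))

def parse_acl(lines):
    """Parse 'permit|deny ip <source spec> <group spec>' entries in order."""
    entries = []
    for line in lines:
        tokens = line.split("<==")[0].split()  # drop the page's inline "<==" notes
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACL entry: {line!r}")
        rest = tokens[2:]
        entries.append((tokens[0], _parse_spec(rest), _parse_spec(rest)))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & FULL  # a wildcard bit of 1 means "ignore this bit"
    return (addr & care) == (base & care)

def register_accepted(entries, source, group):
    """First matching entry decides; no match falls through to the implicit deny."""
    s, g = _to_int(source), _to_int(group)
    for action, src_spec, grp_spec in entries:
        if _matches(s, src_spec) and _matches(g, grp_spec):
            return action == "permit"
    return False

# ACL entries as configured on R1 in the Solution section.
ACL = parse_acl([
    "permit ip host 4.4.4.4 239.0.0.0 0.0.0.255",
    "deny ip any any <== So we can look at the counters",
])

if __name__ == "__main__":
    for s, g in [("4.4.4.4", "239.0.0.1"), ("4.4.4.4", "239.1.1.1")]:
        print(s, g, "accepted" if register_accepted(ACL, s, g) else "rejected")
```
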

