IEOC CCIE Forums

Latest post 05-05-2012 2:22 PM by welshydragon. 8 replies.
  • 05-04-2012 2:18 PM

    A quick question on IGMP access-list

    Hello,

    I copied the below from the Cisco configuration guide:

     

    ip access-list extended test5
     deny igmp host 10.4.4.4 host 232.2.30.30
     permit igmp any any
    !
    interface GigabitEthernet0/3/0
     ip igmp access-group test5

    The command is understood, but where exactly is it going to be applied? Is it on the multicast source interface or on the IGMP join-group interface?

    Furthermore, if I want to ensure that ONLY some multicast groups are available in a network, let's say 226.2.2.2 and 227.2.2.2, how and where will the ACL and igmp access-group apply?

    Thanks for your usual help.

    BR

    • Post Points: 50
  • 05-04-2012 2:26 PM In reply to

    Re: A quick question on IGMP access-list

     

    Hi,

    It is applied on the IGMP join-group interface (i.e. facing the receivers). It filters IGMP joins, not multicast traffic.

    ip access-list standard test5
     permit 226.2.2.2
     permit 227.2.2.2
    !
    interface GigabitEthernet0/3/0
     ip igmp access-group test5

     

    HTH,

    Bassam

    • Post Points: 20
  • 05-04-2012 2:30 PM In reply to

    Re: A quick question on IGMP access-list

    Thanks Bassam.

    • Post Points: 5
  • 05-04-2012 3:56 PM In reply to

    Re: A quick question on IGMP access-list

    adeyholar:
    ip access-list extended test5
     deny igmp host 10.4.4.4 host 232.2.30.30
     permit igmp any any
    !
    interface GigabitEthernet0/3/0
     ip igmp access-group test5

    I think this is quite an interesting one, as I think this is SSM from a source of 10.4.4.4 to group 232.2.30.30, which just happens to be in the default source-specific multicast block, aka 232.0.0.0/8.

    It would then permit hosts downstream of g0/3/0 to join (via IGMP) any other SSM (even the same group 232.2.30.30 but with a different source) and ASM (any-source multicast) groups. All of this assumes you are running IGMP version 3 on the interface.

    Typically for ASM i.e. IGMP v1 and 2 (2 is the default when you enable PIM) you would use a standard access list and this would allow/restrict which groups could be joined via IGMP downstream of that interface. 

    HTH

    • Post Points: 20
  • 05-04-2012 4:06 PM In reply to

    Re: A quick question on IGMP access-list

    welshydragon:
    Typically for ASM i.e. IGMP v1 and 2 (2 is the default when you enable PIM) you would use a standard access list and this would allow/restrict which groups could be joined via IGMP downstream of that interface. 

    Welshy,

    Do you mean for IGMP v2 a standard access-list is used, while an extended access-list is used for IGMPv3?

     

    • Post Points: 50
  • 05-05-2012 12:32 AM In reply to

    Re: A quick question on IGMP access-list

    Ahm... usually, like the others said, it is applied to the IGMP-client-facing interface.

    But I don't know if that works with a router's self-initiated request like "ip igmp join-group"; maybe that ACL is not going to be used then.

    You can try this in your lab/dynamips: add another router behind the router where the ACL should work, and then put an "ip igmp join-group" on that new router's interface.

     

    Regards!

    Markus

    CCNP | CCIP | CCDP | CCNA Security | Cisco Certified Specialist | JNCIA

    CCIE Written - DONE!

     ------------------------------------------------------------------------------

    http://chasingmyccie.wordpress.com/

    • Post Points: 5
  • 05-05-2012 3:26 AM In reply to

    Re: A quick question on IGMP access-list

     

    Hi,

    In general, the answer is yes, since in an extended access-list you specify the multicast sources, which v3 deals with. However, both types of lists can be used for all versions:

    1. For v1 & v2, a standard access-list can be used since it specifies groups only but not the sources. An extended list can be used for these versions by specifying the source as host 0.0.0.0.
    2. For v3, you can use a standard access-list only if you don't want to filter any source. This latter case is equivalent to an extended list with a source of 0.0.0.0 255.255.255.255. Extended lists will be used for any other case for v3.

    In short, as you see, your conclusion is more logical and practical to follow. However, be aware of other possibilities, as you can be asked to configure a task with some constraint in the lab exam.

     

    HTH,

    Bassam

    • Post Points: 5
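Added example, not part of any post in this thread and not Cisco's code: a small Python model of how the lists discussed above filter a membership report, covering both the quoted `test5` list and the standard/extended equivalence described in the reply above. It assumes the matching order given in Cisco's command reference for `ip igmp access-group` ((0.0.0.0, G) is checked first, then each (S, G)); the tuple representation and the names `acl_permits` and `filter_report` are hypothetical.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    """ACL 'host A.B.C.D' as a /32 network."""
    return ipaddress.ip_network(addr + "/32")

# Constructed from the extended list quoted in the thread:
#   deny igmp host 10.4.4.4 host 232.2.30.30
#   permit igmp any any
TEST5 = [("deny", host("10.4.4.4"), host("232.2.30.30")),
         ("permit", ANY, ANY)]

# Constructed: the two-group requirement as an extended list whose source is
# "host 0.0.0.0", the (*, G) form described for IGMPv1/v2.
TWO_GROUPS_STAR_G = [("permit", host("0.0.0.0"), host("226.2.2.2")),
                     ("permit", host("0.0.0.0"), host("227.2.2.2"))]

# Constructed: the same groups with source "any" (the standard-list equivalent).
TWO_GROUPS_ANY_SRC = [("permit", ANY, host("226.2.2.2")),
                      ("permit", ANY, host("227.2.2.2"))]

def acl_permits(acl, source, group):
    """First matching entry wins; no match is the implicit deny."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for action, src_net, grp_net in acl:
        if s in src_net and g in grp_net:
            return action == "permit"
    return False

def filter_report(acl, group, sources=()):
    """Model one membership report arriving on the receiver-facing interface.

    Returns None when the whole report is dropped, otherwise the list of
    sources that survive. An empty 'sources' argument is a (*, G) join.
    """
    # Assumed order: (0.0.0.0, G) stands for (*, G) and is checked first.
    if not acl_permits(acl, "0.0.0.0", group):
        return None
    # Then each (S, G) is checked and denied sources are pruned.
    return [s for s in sources if acl_permits(acl, s, group)]
```

For a report that named sources, an empty list from `filter_report` means the group passed but every source was pruned, which is what the `host 0.0.0.0` form does to an IGMPv3 source-specific join.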
  • 05-05-2012 9:16 AM In reply to

    Re: A quick question on IGMP access-list

    adeyholar:
    Furthermore, if I want to ensure that ONLY some multicast groups are available in a network, let's say 226.2.2.2 and 227.2.2.2, how and where will the ACL and igmp access-group apply?

     

    Like the others have mentioned, you can use IGMP access groups to prevent receivers from joining any group other than 227.2.2.2 or 226.2.2.2. You could also use the "multicast boundary" to stop all joins and multicast traffic from coming in or going out the configured interface. The multicast boundary will stop the joins from coming in and the multicast traffic from going out. You can also stop Auto-RP messages for denied groups with the filter-autorp option.

     

    In sparse mode, you could also use the Accept-Register filter on the RP to prevent source DRs from registering sources that are sending to unspecified groups.

     

    Here's the command reference for both: 

    IP Multicast Boundary: http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_03.html#wp1071517

     

    RP Accept Register Filter: http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_04.html#wp1039548

    I believe that in every person is a kind of circuit which resonates to intellectual discovery—and the idea is to make that resonance work

    — Carl Sagan

    • Post Points: 5
  • 05-05-2012 2:22 PM In reply to

    Re: A quick question on IGMP access-list

    adeyholar:
    Do you mean for IGMP v2 a standard access-list is used, while an extended access-list is used for IGMPv3?

    I think Bassam's post a little further up covers this - I was purely explaining your config snippet :-)

    • Post Points: 5