Friday, February 21, 2020

IGMP Filter

Multicast IGMP membership report messages include the multicast group addresses that our receivers want to join. By default, all multicast groups will be accepted. What if we want to restrict this?
It is possible to filter certain multicast groups. We can configure IGMP filtering on a multicast router or on a switch where IGMP snooping is enabled. In this lesson, I’ll show you how to do both.
We will use the following topology for this:
IGMP Filter Topology
R1 will be our multicast router, SW1 has IGMP snooping enabled and H1 is a multicast receiver.

Configuration


First, let’s enable PIM on R1 so that it processes IGMP traffic:
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip pim sparse-mode 
And let’s enable a debug so we can see IGMP filtering in action:
R1#debug ip igmp 
IGMP debugging is on
Right now there are no filters. Let’s configure H1 to join a multicast group so that we can see what the debug normally looks like:
H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group 239.1.1.1
Here’s what we get:
R1#
IGMP(0): Received v2 Report on FastEthernet0/0 from 192.168.1.1 for 239.1.1.1
IGMP(0): Received Group record for group 239.1.1.1, mode 2 from 192.168.1.1 for 0 sources
IGMP(0): WAVL Insert group: 239.1.1.1 interface: FastEthernet0/0Successful
R1 receives the membership report for 239.1.1.1 and installs it. We can verify this with the show ip igmp groups command:
R1#show ip igmp groups 
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter   Group Accounted
239.1.1.1        FastEthernet0/0          00:00:43  00:02:45  192.168.1.1
So far so good…time to filter something!

Router IGMP Filter

Let’s configure our router to filter multicast group 239.2.2.2. We’ll need to create an access-list for this:
R1(config)#ip access-list standard LIMIT_IGMP
R1(config-std-nacl)#deny host 239.2.2.2
R1(config-std-nacl)#permit 224.0.0.0 15.255.255.255  
The access-list above will deny 239.2.2.2 and permit any other multicast groups. Let’s enable it with the ip igmp access-group command:
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip igmp access-group LIMIT_IGMP
Now let’s see what happens when our receiver joins 239.2.2.2:
H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group 239.2.2.2
Here’s what the router will tell us:
R1#
IGMP(0): Received v2 Report on FastEthernet0/0 from 192.168.1.1 for 239.2.2.2
IGMP(*): Group 239.2.2.2 access denied on FastEthernet0/0
As expected, the multicast group is denied. You can also see these matches in the access-list:
R1#show access-lists 
Standard IP access list LIMIT_IGMP
    10 deny   239.2.2.2 (2 matches)
    20 permit 224.0.0.0, wildcard bits 15.255.255.255 (2 matches)
That’s all there is to it.

Switch IGMP Snooping Filter

Let’s see how we can create a filter on the switch. We need to create an IGMP profile for this:
SW1(config)#ip igmp profile 1
SW1(config-igmp-profile)#deny
SW1(config-igmp-profile)#range 239.3.3.3
The profile above lets us block multicast group 239.3.3.3. Let’s activate it:
SW1(config)#interface FastEthernet 0/2
SW1(config-if)#ip igmp filter 1 
The ip igmp filter command is what we need to activate the IGMP profile. You can activate this on a port, SVI or VLAN.
Let’s see if it works. We’ll enable a debug on the switch:
SW1#
SW1#debug ip igmp filter
IGMP debugging is on
Let’s join multicast group 239.3.3.3:
H1(config)#interface FastEthernet 0/0  
H1(config-if)#ip igmp join-group 239.3.3.3
Here’s what the switch will tell us:
SW1#
IGMPFILTER: igmp_filter_process_pkt(): checking group 239.3.3.3 from Fa0/2: deny
IGMPFILTER: igmp_filter_process_pkt(): checking group 239.2.2.2 from Fa0/2: permit
Multicast group 239.3.3.3 is denied, while 239.2.2.2 is still accepted.

Here are the configurations of each device:
hostname H1
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip igmp join-group 239.1.1.1
 ip igmp join-group 239.2.2.2
 ip igmp join-group 239.3.3.3
!
end

hostname R1
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip pim sparse-mode
 ip igmp access-group LIMIT_IGMP
!
ip access-list standard LIMIT_IGMP
 deny   239.2.2.2
 permit 239.0.0.0 0.255.255.255
!
end

hostname SW1
!
ip igmp profile 1
 range 239.3.3.3 239.3.3.3
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 ip igmp filter 1
!
end
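
As an added example (not part of the original post), the Python sketch below evaluates both versions of LIMIT_IGMP that appear on this page, the one entered in the Router IGMP Filter section and the one in the R1 configuration listing, using first-match semantics and the implicit deny at the end of an IOS access-list. The group 232.1.1.1 is a constructed test value, and the parser is an assumption that handles only the entry forms used here.

```python
import ipaddress

def parse_standard_acl(text):
    """Parse 'deny|permit [host] ADDR [WILDCARD]' lines of an IOS standard ACL."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[0], tokens[1:]
        if rest[0] == "host":
            rest = rest[1:]
        addr = int(ipaddress.IPv4Address(rest[0]))
        # No wildcard given means an exact host match (wildcard 0.0.0.0).
        wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wildcard))
    return entries

def evaluate(entries, group):
    """First matching entry wins; no match falls through to the implicit deny."""
    g = int(ipaddress.IPv4Address(group))
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (g & care) == (addr & care):
            return action
    return "deny"

# ACL as entered in the "Router IGMP Filter" section.
ACL_SECTION = """
deny host 239.2.2.2
permit 224.0.0.0 15.255.255.255
"""
# ACL as it appears in the R1 configuration listing.
ACL_LISTING = """
deny   239.2.2.2
permit 239.0.0.0 0.255.255.255
"""

# The three groups the page uses plus one constructed group outside 239.0.0.0/8.
GROUPS = ["239.1.1.1", "239.2.2.2", "239.3.3.3", "232.1.1.1"]

def compare():
    """Return {group: (verdict under section ACL, verdict under listing ACL)}."""
    a, b = parse_standard_acl(ACL_SECTION), parse_standard_acl(ACL_LISTING)
    return {g: (evaluate(a, g), evaluate(b, g)) for g in GROUPS}

if __name__ == "__main__":
    for group, (section, listing) in compare().items():
        print(f"{group:<12} section={section:<7} listing={listing}")
```

Both versions block 239.2.2.2, but the listing version also drops joins for groups outside 239.0.0.0/8 such as 232.1.1.1, because no entry after the permit line matches them.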

Conclusion

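IGMP membership reports can be filtered on a multicast router with the ip igmp access-group command, or on a switch running IGMP snooping by applying an IGMP profile with the ip igmp filter command.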
