PIM Accept RP is a security feature on Cisco IOS routers that prevents unwanted rendezvous points or multicast groups from becoming active in the PIM sparse mode domain. By default an RP will accept all multicast groups in the 224.0.0.0/4 range (the entire class D range), but we can configure our router to allow only PIM join/prune messages for the groups that we want.
Let me demonstrate this feature using a very simple topology:
There are only two routers, and R1 will be our rendezvous point. Let’s configure this network so that PIM sparse mode is enabled and R1 becomes the RP:
R1(config)#ip multicast-routing
R1(config)#ip pim rp-address 192.168.12.1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip pim sparse-mode
R2(config)#ip multicast-routing
R2(config)#ip pim rp-address 192.168.12.1
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip pim sparse-mode
This is how we enable multicast routing, configure R1 as the RP and enable sparse mode. Let’s take a look at which multicast groups R1 will serve:
R1#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 192.168.12.1 (?)
R2#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 192.168.12.1 (?)
Both routers agree that R1 is the RP for the entire multicast group range 224.0.0.0/4. Let’s change it so that it only accepts multicast group 239.1.1.1:
R1(config)#ip pim accept-rp 192.168.12.1 GROUPS
R1(config)#ip access-list standard GROUPS
R1(config-std-nacl)#permit 239.1.1.1
The ip pim accept-rp command lets us define what groups we want to be the RP for. Let’s test to see if it works:
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip igmp join-group 239.2.2.2
This configures R2 to join multicast group address 239.2.2.2. Let’s see what R1 thinks of it:
R1#
%PIM-6-INVALID_RP_JOIN: Received (*, 239.2.2.2) Join from 192.168.12.2 for invalid RP 192.168.12.1
As you can see above, the join is rejected. Keep in mind that this command is not an “RP” command; it can be configured on all PIM-enabled routers in your network. If you only configure it on the RP, then unwanted PIM join messages can still traverse the network, but they will be dropped at the RP. If you don’t want this, then you should configure it on all PIM-enabled routers in your network.
Here are the final configurations of both routers:

hostname R1
!
ip cef
!
ip multicast-routing
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip pim sparse-mode
!
ip pim rp-address 192.168.12.1
ip pim accept-rp 192.168.12.1 GROUPS
!
ip access-list standard GROUPS
 permit 239.1.1.1
!
end

hostname R2
!
ip cef
!
ip multicast-routing
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 239.2.2.2
!
ip pim rp-address 192.168.12.1
!
end
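The advice above is to configure accept-rp on every PIM-enabled router, not only on the RP. The following Python sketch is an added example (not part of the original article and not a Cisco tool) that audits saved running-configs for that; the sample configs are constructed from this lab, and the `audit` function name is hypothetical.

```python
import re

# Constructed sample configs modelled on the two routers in this article.
R1_CFG = """\
hostname R1
ip multicast-routing
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip pim sparse-mode
ip pim rp-address 192.168.12.1
ip pim accept-rp 192.168.12.1 GROUPS
ip access-list standard GROUPS
 permit 239.1.1.1
"""
R2_CFG = """\
hostname R2
ip multicast-routing
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 239.2.2.2
ip pim rp-address 192.168.12.1
"""

def audit(cfg):
    """Return a list of findings for one running-config (empty list = OK)."""
    host = re.search(r"^hostname (\S+)", cfg, re.M)
    name = host.group(1) if host else "?"
    # Only routers with at least one sparse-mode interface are in scope.
    if not re.search(r"^ +ip pim sparse", cfg, re.M):
        return []
    rps = set(re.findall(r"^ip pim rp-address (\S+)", cfg, re.M))
    # Map RP address -> ACL name; accept-rp without an ACL is not a group filter.
    accept = dict(re.findall(r"^ip pim accept-rp (\S+) (\S+)", cfg, re.M))
    acls = set(re.findall(r"^ip access-list standard (\S+)", cfg, re.M))
    acls |= set(re.findall(r"^access-list (\d+) ", cfg, re.M))
    findings = []
    for rp in sorted(rps):
        if rp not in accept:
            findings.append(f"{name}: RP {rp} has no accept-rp filter")
        elif accept[rp] not in acls:
            findings.append(f"{name}: accept-rp ACL {accept[rp]} is not defined")
    return findings

if __name__ == "__main__":
    for cfg in (R1_CFG, R2_CFG):
        print(audit(cfg) or "OK")
```

Run against this lab, R1 passes and R2 is flagged, which matches the situation described above where joins for other groups are only dropped once they reach the RP.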
That’s all there is to it! If you have any questions feel free to ask.