CCIE Pursuit Blog

August 9, 2008

Internetwork Expert Volume II: Lab 5 – Section 6

Section 5 – IP Multicast – 9 Points

5.1 PIM

You are asked to configure IP Multicast on a number of specific interfaces.  You are not told which PIM mode to use, but the last requirement is:

“Multicast groups without an active RP should run in dense mode.”

This statement (and the following tasks) shows that there will be an RP.  We run sparse mode with RPs.  But we need to make sure that if a group finds itself without an active RP it should run in dense mode.  This means we need to run sparse-dense mode.

r1(config)#ip multicast-routing
r1(config)#int fa0/0
r1(config-if)#ip pim sparse-dense-mode

5.2 RP Assignment

Configure a couple of loopbacks as RP candidates via Auto-RP.  You are also asked to have r1 act as the mapping agent and to map 239.0.0.0-239.255.255.255 to r3 and 226.0.0.0-238.255.255.255 to r5.  The final requirement is:

“Use the minimum number of access-lists and access list entries on r1 to accomplish this.”

Let’s set up our RP candidates first:

ip pim send-rp-announce

To use Auto-RP to configure groups for which the router will act as a rendezvous point (RP), use the ip pim send-rp-announce command in global configuration mode. To unconfigure this router as an RP, use the no form of this command.

r3:

r3(config)#int lo0
r3(config-if)#ip pim sparse-dense-mode

r3(config)#access-list 31 perm 239.0.0.0 0.255.255.255

r3(config)#ip pim send-rp-announce lo0 scope 16 group-list 31

The last requirement is for the minimal ACL lines on r1, not r5, so I can be as verbose as I like :-)

r5(config)#int lo0
r5(config-if)#ip pim sparse-dense-mode

r5(config)#access-list 51 perm 226.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 227.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 228.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 229.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 230.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 231.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 232.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 233.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 234.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 235.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 236.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 237.0.0.0 0.255.255.255
r5(config)#access-list 51 perm 238.0.0.0 0.255.255.255

Now the mapping agent:

r1(config)#int lo0
r1(config-if)#ip pim sparse-dense-mode

ip pim send-rp-discovery

r1(config)#ip pim send-rp-discovery lo0 scope 16

Okay.  Now to assign the correct RP to the correct groups:

ip pim rp-announce-filter

To filter incoming Auto-RP announcement messages coming from the rendezvous point (RP), use the ip pim rp-announce-filter command in global configuration mode. To remove the filter, use the no form of this command.

ip pim [vrf vrf-name] rp-announce-filter rp-list access-list group-list access-list
no ip pim [vrf vrf-name] rp-announce-filter rp-list access-list group-list access-list

Syntax Description

vrf
 (Optional) Supports the multicast Virtual Private Network (VPN) routing and forwarding (VRF) instance.

vrf-name
 (Optional) Name assigned to the VRF.

rp-list access-list
 Specifies the number or name of a standard access list of RP addresses that are allowable for the group ranges supplied in the group-list access-list combination.

group-list access-list
 Specifies the number or name of a standard access list that describes the multicast groups the RPs serve.

It looks like we’ll need two ACLs for each RP filter – one that matches the RP and another that matches the groups we want assigned that RP.

r1(config)#access-list 3 perm 150.1.3.3 <-r3’s loopback
r1(config)#access-list 5 perm 150.1.5.5 <-r5’s loopback

r1(config)#access-list 31 perm 239.0.0.0 0.255.255.255 <-groups associated with r3’s loopback

Now the hard part, or “How I Lost The Three Points”

I fell for the trap on the “minimal ACL”:

226 – 1110|0010
238 – 1110|1110

224.0.0.0 15.255.255.255

r1(config)#access-list 51 perm 224.0.0.0 15.255.255.255

Unfortunately that range overlaps.  IE had the following:

access-list 51 deny 224.0.0.0 1.255.255.255
access-list 51 deny 239.0.0.0 0.255.255.255
access-list 51 permit 224.0.0.0 15.255.255.255

The first 2 lines deny the overlapping space.  There’s a nice breakdown on this in the solution guide.
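
To see why the one-line ACL fails and the three-line version works, here is an added example (not from the original post or the IE solution guide) that applies first-match wildcard matching to both versions of ACL 51 and lists which first octets of the multicast space each one permits. The function names are illustrative; the ACL lines are the ones shown above.

```python
import ipaddress

# The two candidate versions of ACL 51 on r1, copied from the text above.
ONE_LINE = "access-list 51 permit 224.0.0.0 15.255.255.255"
THREE_LINE = """
access-list 51 deny 224.0.0.0 1.255.255.255
access-list 51 deny 239.0.0.0 0.255.255.255
access-list 51 permit 224.0.0.0 15.255.255.255
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action = tok[2]
        addr = int(ipaddress.IPv4Address(tok[3]))
        # A missing wildcard means a host entry (wildcard 0.0.0.0).
        wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, addr, wild))
    return entries

def acl_permits(entries, ip):
    """First matching entry wins; falling off the end is the implicit deny."""
    ip = int(ipaddress.IPv4Address(ip))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
        if (ip & care) == (addr & care):
            return action.startswith("perm")   # accepts 'perm' and 'permit'
    return False

def permitted_first_octets(entries):
    """First octets whose lowest and highest addresses are both permitted."""
    return [o for o in range(256)
            if acl_permits(entries, f"{o}.0.0.0")
            and acl_permits(entries, f"{o}.255.255.255")]

if __name__ == "__main__":
    for name, text in (("one-line", ONE_LINE), ("three-line", THREE_LINE)):
        octets = permitted_first_octets(parse_acl(text))
        print(f"{name}: permits {octets[0]}.0.0.0 through {octets[-1]}.255.255.255")
```

The one-line ACL permits all of 224 through 239, so it also covers 239.0.0.0/8, which belongs to r3; the two deny lines trim the result to exactly 226 through 238.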

I did get the rest correct, but I had already lost the 3 points:

r1(config)#ip pim rp-announce-filter rp-list 3 group-list 31
r1(config)#ip pim rp-announce-filter rp-list 5 group-list 51

r1#sh ip pim rp mapping 239.0.0.0
PIM Group-to-RP Mappings
This system is an RP-mapping agent (Loopback0)

Group(s) 239.0.0.0/8
  RP 150.1.3.3 (?), v2v1
    Info source: 150.1.3.3 (?), elected via Auto-RP
         Uptime: 00:18:32, expires: 00:02:23

r1#sh ip pim rp mapping 238.0.0.0
PIM Group-to-RP Mappings
This system is an RP-mapping agent (Loopback0)

Group(s) 238.0.0.0/8
  RP 150.1.5.5 (?), v2v1
    Info source: 150.1.5.5 (?), elected via Auto-RP
         Uptime: 00:01:38, expires: 00:02:21

5.3 Multicast Security

“For security reasons do not allow BB2 to become a PIM neighbor with r1.”

Cool.  Two easy points.

ip pim neighbor-filter

r1(config)#access-list 53 deny 192.10.1.254
r1(config)#access-list 53 permit any
r1(config)#int fa0/0
r1(config-if)#ip pim neighbor-filter 53

5.4 Multicast Filtering

Configure sw2 so that it will not receive any administratively scoped multicast groups.

I pulled this one out of my butt by searching for “administratively scoped” in the IP Multicast command reference.

ip multicast boundary

The configuration example was exactly what I need:

Examples
The following example shows how to set up an IP multicast boundary for all administratively scoped IPv4 multicast addresses by denying the entire administratively scoped IPv4 multicast address space (239.0.0.0/8).

All other Class D addresses are permitted (224.0.0.0/4).

access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255
interface ethernet 0
 ip multicast boundary 1

r3(config)#access-list 54 deny 239.0.0.0 0.255.255.255
r3(config)#access-list 54 permit 224.0.0.0 15.255.255.255
r3(config)#int fa0/0
r3(config-if)#ip multicast boundary 54

5.5 Multicast Distribution

Configure the network so that the multicast groups that use r3 as their RP must always use a shared tree.

Okay.  I had NO clue on this one.

ip pim spt-threshold

To configure when a Protocol Independent Multicast (PIM) leaf router should join the shortest path source tree for the specified group, use the ip pim spt-threshold command in global configuration mode.

If the infinity keyword is specified, all sources for the specified group will use the shared tree. Specifying a group list access list indicates the groups to which the threshold applies.

r1(config)#access-list 55 permit 239.0.0.0 0.255.255.255
r1(config)#ip pim spt-threshold infinity group-list 55
