HPE Community
Comware Based
1752754 Members
5355 Online
108789 Solutions
New Discussion

Deny PIM/IGMP Sources

 
manuel.bitzi
Trusted Contributor

‎08-06-2013 05:22 AM

‎08-06-2013 05:22 AM

Deny PIM/IGMP Sources

Hi guys

 

I have the following configuration

 

#
interface Vlan-interface1
 ip address 172.21.200.200 255.255.0.0
 igmp enable
 igmp group-policy 2001
 pim dm
 pim neighbor-policy 2000

#

acl number 2000
 description DenyAllPIMNeighbors
 rule 0 deny
acl number 2001
 description AllowIGMPGroups
 rule 0 permit source 239.192.0.0 0.0.255.255
 rule 100 deny

#

 

Unfortunalely multiple groups are imported to PIM:

 

[HP-Vlan-interface1]disp pim routing-table

      VPN-Instance: public net  Total 0 (*, G) entry; 8 (S, G) entries

 (172.21.1.183, 230.0.0.4)

      Protocol: pim-dm, Flag: LOC ACT

     UpTime: 00:18:38

     Upstream interface: Vlan-interface1

         Upstream neighbor: NULL

         RPF prime neighbor: NULL

     Downstream interface(s) information: None

 (172.21.2.120, 239.255.255.250)

     Protocol: pim-dm, Flag: LOC ACT

     UpTime: 00:16:27

     Upstream interface: Vlan-interface1

         Upstream neighbor: NULL

         RPF prime neighbor: NULL

     Downstream interface(s) information: None

 

How can I control this unwanted Groups?

 

 

br

Manuel

H3CSE, MASE Network Infrastructure [2011], Switzerland
1 REPLY 1
FabianoChoueiri
Occasional Collector

‎08-13-2013 04:28 PM

‎08-13-2013 04:28 PM

Re: Deny PIM/IGMP Sources

Manuel, are the hosts 172.21.1.183 and 172.21.2.120 in the same vlan 1 where you have igmp and pim enabled ?

If yes it means that these hosts are using some application that transmit multicast.

And for that reason you are seeing them in your pim routing table.

 

Is one of these hosts using Jboss ? Jboss uses the multicast 230.0.0.4 to its  auto-discovery feature.

Windows computers and printers use 239.255.255.250 multicast ip address to discover another network

devices, this is the UPNP protocol.

 

So, I think that there is no way to make a filter to all possibilities you may have because you cant predict

what softwares are gonna be installed in the computers in that vlan. And many of these softwares

maybe use multicast.

 

Dont worry. This is a normal situation. You only have to use the  igmp group-policy command in your

switches to deny access to this unwanted multicast groups. If you dont do that, you will have

unwanted multicast transmissions in your network.

 

There is the command "register-policy   <acl-number> " in PIM-View that works with pim sm to prevent unauthorized register messages. But this is not your case as you are using pim dm.

 

Bye. Fabiano.

 

 

 

 

 

 

 

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.