HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Deny PIM/IGMP Sources

 
manuel.bitzi
Trusted Contributor

Deny PIM/IGMP Sources

Hi guys

 

I have the following configuration

 

#
interface Vlan-interface1
 ip address 172.21.200.200 255.255.0.0
 igmp enable
 igmp group-policy 2001
 pim dm
 pim neighbor-policy 2000

#

acl number 2000
 description DenyAllPIMNeighbors
 rule 0 deny
acl number 2001
 description AllowIGMPGroups
 rule 0 permit source 239.192.0.0 0.0.255.255
 rule 100 deny

#

 

Unfortunalely multiple groups are imported to PIM:

 

[HP-Vlan-interface1]disp pim routing-table

      VPN-Instance: public net  Total 0 (*, G) entry; 8 (S, G) entries

 (172.21.1.183, 230.0.0.4)

      Protocol: pim-dm, Flag: LOC ACT

     UpTime: 00:18:38

     Upstream interface: Vlan-interface1

         Upstream neighbor: NULL

         RPF prime neighbor: NULL

     Downstream interface(s) information: None

 (172.21.2.120, 239.255.255.250)

     Protocol: pim-dm, Flag: LOC ACT

     UpTime: 00:16:27

     Upstream interface: Vlan-interface1

         Upstream neighbor: NULL

         RPF prime neighbor: NULL

     Downstream interface(s) information: None

 

How can I control this unwanted Groups?

 

 

br

Manuel

H3CSE, MASE Network Infrastructure [2011], Switzerland
1 REPLY
FabianoChoueiri
Occasional Collector

Re: Deny PIM/IGMP Sources

Manuel, are the hosts 172.21.1.183 and 172.21.2.120 in the same vlan 1 where you have igmp and pim enabled ?

If yes it means that these hosts are using some application that transmit multicast.

And for that reason you are seeing them in your pim routing table.

 

Is one of these hosts using Jboss ? Jboss uses the multicast 230.0.0.4 to its  auto-discovery feature.

Windows computers and printers use 239.255.255.250 multicast ip address to discover another network

devices, this is the UPNP protocol.

 

So, I think that there is no way to make a filter to all possibilities you may have because you cant predict

what softwares are gonna be installed in the computers in that vlan. And many of these softwares

maybe use multicast.

 

Dont worry. This is a normal situation. You only have to use the  igmp group-policy command in your

switches to deny access to this unwanted multicast groups. If you dont do that, you will have

unwanted multicast transmissions in your network.

 

There is the command "register-policy   <acl-number> " in PIM-View that works with pim sm to prevent unauthorized register messages. But this is not your case as you are using pim dm.

 

Bye. Fabiano.