Saturday, January 17, 2009

Multicast - Auto RP Filtering

In this post I detail Auto-RP filtering. This can be done by the mapping agent in the Auto-RP domain.

I had some difficulty getting this feature to work as required. In essence the concept is simple: the mapping agent denotes which RPs are allowed to advertise which multicast groups. However, I discovered there are some limitations around how this works.

Consider the following:

R1 -------- R2 -------- R3

R1 is the RP for groups 230.0.0.0/8 and 231.0.0.0/8

R2 is the mapping agent

R3 is the router initiating pings to the multicast groups.


In the above situation the requirement is for the mapping agent to allow R1 to be the RP for 231.0.0.0/8 and NOT 230.0.0.0/8. The config might be applied as follows:

R1
int lo0
ip address 1.1.1.1 255.255.255.0
access-list 1 permit 230.0.0.0 1.255.255.255
ip pim autorp listener
ip pim send-rp-announce lo0 scope 16 group-list 1



R2
access-list 1 permit 1.1.1.1
access-list 2 permit 231.0.0.0 0.255.255.255
ip pim autorp listener
ip pim send-rp-discovery lo0 scope 16
ip pim rp-announce-filter rp-list 1 group-list 2


R3
ip pim autorp listener



I applied the above config and tried a ping from R3 to both multicast groups. To my surprise I was not able to ping either group!

Some research and head scratching later I realised that R2 was filtering both multicast groups from R1. The reason for this is that R1 is advertising itself as the RP for these groups in 1 ACL statement. If the mapping agent blocks any group within this advertised ACL, ALL groups within this advertised space are denied.

In summary, the mapping agent can only filter based on the same granularity as the multicast groups are advertised by the RP.

Hence, to achieve the requirement in the above scenario, R1 must first advertise itself as the RP for these multicast groups separately.

If I change the config on R1 to the following then all is well.

R1
access-list 1 permit 230.0.0.0 0.255.255.255
access-list 1 permit 231.0.0.0 0.255.255.255



Router_3#p 231.31.31.31 repeat 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 231.31.31.31, timeout is 2 seconds:

Reply to request 0 from 142.1.13.1, 96 ms
Reply to request 1 from 142.1.13.1, 156 ms
Reply to request 2 from 142.1.13.1, 168 ms
Router_3#p 230.30.30.30 repeat 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 230.30.30.30, timeout is 2 seconds:
...
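
The granularity rule above can be checked offline before changing the mapping agent. The following is an added example, not part of the original post and not Cisco code: it assumes the behaviour observed in this post (an announced range is accepted only when it lies wholly inside a range permitted by the group-list), and the function and variable names are hypothetical.

```python
import ipaddress

def acl_net(addr, wildcard):
    """Turn an IOS 'address wildcard' ACL pair into an IPv4Network."""
    host = int(ipaddress.IPv4Address(wildcard))
    if host & (host + 1):  # wildcard bits must form one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host.bit_length()}")

def filter_announce(announced, group_list):
    """Model of the mapping agent's group-list check (assumed behaviour).

    Each announced range is judged as a single unit: it is accepted only if
    one permit entry covers it completely, otherwise it is filtered whole.
    Returns (accepted, filtered) as lists of prefix strings.
    """
    accepted, filtered = [], []
    for rng in announced:
        covered = any(rng.subnet_of(permit) for permit in group_list)
        (accepted if covered else filtered).append(str(rng))
    return accepted, filtered

# R2 group-list: access-list 2 permit 231.0.0.0 0.255.255.255
R2_GROUP_LIST = [acl_net("231.0.0.0", "0.255.255.255")]

# R1 as first configured: one entry spanning both /8 ranges (a /7)
R1_ORIGINAL = [acl_net("230.0.0.0", "1.255.255.255")]

# R1 after the change: each /8 announced separately
R1_FIXED = [
    acl_net("230.0.0.0", "0.255.255.255"),
    acl_net("231.0.0.0", "0.255.255.255"),
]

if __name__ == "__main__":
    for name, announced in (("original", R1_ORIGINAL), ("fixed", R1_FIXED)):
        accepted, filtered = filter_announce(announced, R2_GROUP_LIST)
        print(f"R1 {name}: accepted={accepted} filtered={filtered}")
```
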

Note to myself: Watch out for this feature/anomaly :-)