Saturday, January 3, 2009

Multicast Routing - Part III Controlling Access Part 2

In my first post on controlling multicast access I described the 'ip igmp access-group' command.

As noted, this can be useful for controlling access to specified multicast address spaces. In a further lab I encountered a multicast access scenario that required multicast traffic to be restricted in both directions, i.e. not only prevent multicast feeds being accepted from an interface, but also prevent multicast feeds being sent out of an interface.

In such a situation, where multicast access control is required in both directions, the 'multicast boundary' functionality can be used. This creates more stringent access control.

Access can be controlled in a granular fashion by utilising the access-list parameter.

For example, use this to prevent access to the administratively scoped address space:

Router(config-if)# ip multicast boundary 1
Router(config)# access-list 1 deny 239.0.0.0 0.255.255.255
Router(config)# access-list 1 permit 224.0.0.0 15.255.255.255
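
The first-match logic of the access list above, as an added example that is not part of the original post: a small Python check that evaluates the two entries against sample group addresses, including the implicit deny at the end of the list. The function names and the sample group addresses are constructed for illustration.

```python
import ipaddress

# The standard ACL from the post, in the order it was entered.
ACL_1 = """\
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255
"""

def parse_acl(text):
    """Return [(action, base_int, wildcard_int), ...] in configured order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Only the 'access-list N action address wildcard' form is handled here.
        if len(fields) != 5 or fields[0] != "access-list":
            continue
        _, _, action, base, wildcard = fields
        entries.append((action,
                        int(ipaddress.IPv4Address(base)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries

def evaluate(entries, group):
    """First matching entry wins; no match falls through to the implicit deny."""
    addr = int(ipaddress.IPv4Address(group))
    for action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF      # wildcard 0-bits are the bits that must match
        if (addr ^ base) & care == 0:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_1)
    # Constructed sample groups: admin-scoped, link-scoped, SSM range, non-multicast.
    for group in ("239.1.1.1", "224.0.1.40", "232.5.5.5", "10.1.1.1"):
        print(f"{group:<12} {evaluate(acl, group)}")
    # Entry order matters: with the permit first, 239/8 is never reached by the deny.
    print("reversed order, 239.1.1.1:", evaluate(list(reversed(acl)), "239.1.1.1"))
```

Because 224.0.0.0 with wildcard 15.255.255.255 also covers 239.0.0.0/8, the deny entry only takes effect when it sits ahead of the permit.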



Whilst researching multicast boundaries I then realised there was a 3rd option to control multicast access :-)...

The 'ip igmp access-group' command works perfectly for L3 interfaces. However, if required to restrict access on an L2 interface, this command will NOT cut the mustard.

This is where 'igmp profiles' can be used on an L2 access port.

int f0/01
 switchport mode access
 switchport access vlan 7
 ip igmp filter 1
!
ip igmp profile 1
 deny
 range 239.0.0.0 239.255.255.255
