Comware

  • 1.  Deny PIM/IGMP Sources

    Posted Aug 06, 2013 08:22 AM

    Hi guys

     

    I have the following configuration

     

    #
    interface Vlan-interface1
     ip address 172.21.200.200 255.255.0.0
     igmp enable
     igmp group-policy 2001
     pim dm
     pim neighbor-policy 2000

    #

    acl number 2000
     description DenyAllPIMNeighbors
     rule 0 deny
    acl number 2001
     description AllowIGMPGroups
     rule 0 permit source 239.192.0.0 0.0.255.255
     rule 100 deny

    #

     

    Unfortunately multiple groups are imported to PIM:

     

    [HP-Vlan-interface1]disp pim routing-table
     VPN-Instance: public net  Total 0 (*, G) entry; 8 (S, G) entries

     (172.21.1.183, 230.0.0.4)
         Protocol: pim-dm, Flag: LOC ACT
         UpTime: 00:18:38
         Upstream interface: Vlan-interface1
             Upstream neighbor: NULL
             RPF prime neighbor: NULL
         Downstream interface(s) information: None

     (172.21.2.120, 239.255.255.250)
         Protocol: pim-dm, Flag: LOC ACT
         UpTime: 00:16:27
         Upstream interface: Vlan-interface1
             Upstream neighbor: NULL
             RPF prime neighbor: NULL
         Downstream interface(s) information: None

     

    How can I control these unwanted groups?

     

     

    br

    Manuel



  • 2.  RE: Deny PIM/IGMP Sources

    Posted Aug 13, 2013 07:29 PM

    Manuel, are the hosts 172.21.1.183 and 172.21.2.120 in the same vlan 1 where you have igmp and pim enabled?

    If yes, it means that these hosts are using some application that transmits multicast.

    And for that reason you are seeing them in your pim routing table.

     

    Is one of these hosts using JBoss? JBoss uses the multicast 230.0.0.4 for its auto-discovery feature.

    Windows computers and printers use the 239.255.255.250 multicast IP address to discover other network devices; this is the UPnP protocol.

     

    So, I think that there is no way to make a filter for all possibilities you may have because you can't predict what software is gonna be installed on the computers in that vlan. And much of this software may use multicast.

     

    Don't worry. This is a normal situation. You only have to use the igmp group-policy command in your switches to deny access to these unwanted multicast groups. If you don't do that, you will have unwanted multicast transmissions in your network.

     

    There is the command "register-policy <acl-number>" in PIM-View that works with pim sm to prevent unauthorized register messages. But this is not your case, as you are using pim dm.

     

    Bye. Fabiano.
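
    An added example, not part of either post: a small checker that takes the (S, G) groups from the quoted "disp pim routing-table" output and evaluates them against ACL 2001 with wildcard-mask, first-match logic. It assumes the basic ACL's source field is compared with the group address (as the thread's group-policy configuration uses it) and that rules are tried in rule-ID order; the sample text and function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: ACL 2001 and the two (S, G) entries quoted in the thread.
ACL_TEXT = """\
acl number 2001
 description AllowIGMPGroups
 rule 0 permit source 239.192.0.0 0.0.255.255
 rule 100 deny
"""
PIM_TABLE = """\
 (172.21.1.183, 230.0.0.4)
     Protocol: pim-dm, Flag: LOC ACT
 (172.21.2.120, 239.255.255.250)
     Protocol: pim-dm, Flag: LOC ACT
"""

RULE_RE = re.compile(r"^\s*rule (\d+) (permit|deny)(?: source (\S+) (\S+))?\s*$", re.M)
SG_RE = re.compile(r"^\s*\((\d+\.\d+\.\d+\.\d+), (\d+\.\d+\.\d+\.\d+)\)", re.M)


def parse_basic_acl(text):
    """Return [(rule_id, action, base, wildcard)] sorted by rule ID."""
    rules = []
    for rid, action, addr, wild in RULE_RE.findall(text):
        base = int(ipaddress.IPv4Address(addr)) if addr else 0
        # A rule without "source" matches any address: every bit is "don't care".
        mask = int(ipaddress.IPv4Address(wild)) if wild else 0xFFFFFFFF
        rules.append((int(rid), action, base, mask))
    return sorted(rules)


def evaluate(rules, address):
    """First matching rule wins; wildcard bits set to 1 are ignored."""
    value = int(ipaddress.IPv4Address(address))
    for rid, action, base, mask in rules:
        if (value | mask) == (base | mask):
            return action, rid
    return "deny", None  # assumption: no matching rule means not permitted


def audit_groups(acl_text, pim_text):
    """Map every group seen in the (S, G) table to the ACL verdict."""
    rules = parse_basic_acl(acl_text)
    return {grp: evaluate(rules, grp) for _src, grp in SG_RE.findall(pim_text)}
```

    Both groups from the thread fall through rule 0 and hit rule 100, while an address inside 239.192.0.0/16 is permitted by rule 0.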