
wg-multicast - Re: Recommended MSDP ACL

Subject: All things related to multicast


Re: Recommended MSDP ACL


  • From: "John M. Zwiebel" <>
  • To: Greg Shepherd <>,
  • Cc: Beau Williamson <>, "Kevin C. Almeroth" <>, , ,
  • Subject: Re: Recommended MSDP ACL
  • Date: Mon, 06 Dec 1999 10:39:17 -0800

In addition to what Beau stated...
... the redistribute command has been going through some growing pains.
Now that the "A" flag gets set to control which sources are originated by
an RP, the redistribute command acts a bit more the way Beau wants it to.

The "redistribution" was from PIM to MSDP, although that has certainly
caused some misunderstanding on the part of many who have deployed it. Now,
that command is used more to limit which sources will be advertised in an
SA, than to actually permit which sources are going to be advertised.

i.e., once upon a time, we had the msdp border command which was used to
advertise dense-mode sources. Now, we have the interface proxy register
command which is used to register a dense-mode source with an RP which
in turn sets the A flag so that only one MSDP system will be responsible for
advertising the SA.

yes, this makes for configuration problems and backward compatibility problems,
but it's better than letting folks mess up their configs as they have in the
past causing MSDP SA loops etc.

Toerless has a writeup on the new 'proxy-register' command. I don't know
if it's been posted yet on ftp-eng.

z

^
^
^ On Mon, 6 Dec 1999, Beau Williamson wrote:
^
^ > At 02:33 PM 12/5/1999, Kevin C. Almeroth wrote:
^ > >Does anybody else have any suggestions/comments/recommendations?
^ > >
^ > >-Kevin
^ > >
^ > >>>Here is the current recommendation:
^ > >>>
^ > >>>access-list 111 deny ip any host 224.0.2.2
^ > >>>access-list 111 deny ip any host 224.0.1.3
^ > >>>access-list 111 deny ip any host 224.0.1.24
^ > >>>access-list 111 deny ip any host 224.0.1.22
^ > >>>access-list 111 deny ip any host 224.0.1.2
^ > >>>access-list 111 deny ip any host 224.0.1.35
^ > >>>access-list 111 deny ip any host 224.0.1.60
^ > >>>access-list 111 deny ip any host 224.0.1.39
^ > >>>access-list 111 deny ip any host 224.0.1.40
^ > >>>access-list 111 deny ip any 239.0.0.0 0.255.255.255
^ > >>>access-list 111 deny ip 10.0.0.0 0.255.255.255 any
^ > >>>access-list 111 deny ip 127.0.0.0 0.255.255.255 any
^ > >>>access-list 111 deny ip 172.0.0.0 0.255.255.255 any <<<<<<<
^ > >>>access-list 111 deny ip 192.0.0.0 0.255.255.255 any <<<<<<<
^ > >>>access-list 111 permit ip any any
^ > >
^ > Shep, et al,
^ >
^ > Uh, aren't the last two entries a bit too broad in scope? Shouldn't
^ > they really be:
^ >
^ > access-list 111 deny ip 172.16.0.0 0.15.255.255 any
^ > access-list 111 deny ip 192.168.0.0 0.0.255.255 any
^
^ Good point. For the reference, here is a snip from RFC1918:
^
^ 3. Private Address Space
^
^ The Internet Assigned Numbers Authority (IANA) has reserved the
^ following three blocks of the IP address space for private internets:
^
^ 10.0.0.0 - 10.255.255.255 (10/8 prefix)
^ 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
^ 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
^
^
^
^ > to match RFC1918 ranges?
^ >
^ > Also, are you using these in 'sa-filter' lists or 'sa redistribute'
^ > lists or both?
^
^ I currently have config'd this for 'sa-filter'. Can you explain the
^ difference?
^
^ Thanks,
^ Greg
^
^ > Beau
^ >
^ >
^
^

------------------------------------------------------------------------------
John Zwiebel Phone: 408-526-5303
Cisco Systems Inc.
IP Multicast Group
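
Added example (not part of the original thread or of any poster's configuration): a Python check that converts the source address/wildcard pairs from the ACL entries quoted above into prefixes and compares them with the RFC 1918 blocks, showing how much non-private address space the 172.0.0.0 and 192.0.0.0 entries would also deny. The function names are hypothetical and contiguous wildcard masks are assumed.

```python
import ipaddress

# RFC 1918 private blocks, as quoted in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Source-based deny entries copied from the ACL lines quoted in the thread.
ACL = """\
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.0.0.0 0.255.255.255 any
access-list 111 deny ip 192.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a prefix (wildcard = inverted netmask)."""
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def source_network(line):
    """Return the source prefix of an extended ACL line, or None for 'any'."""
    tok = line.split()[4:]  # tokens after: access-list <num> <action> <proto>
    if tok[0] == "any":
        return None
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32")
    return wildcard_to_network(tok[0], tok[1])

def classify(net):
    """Compare a denied source prefix against the RFC 1918 blocks."""
    for block in RFC1918:
        if net == block:
            return "exact"
        if net.subnet_of(block):
            return "inside"
        if block.subnet_of(net):  # entry is a supernet of a private block
            extra = net.num_addresses - block.num_addresses
            return f"too broad (+{extra} non-private addresses)"
    return "not RFC 1918"

def audit(acl_text):
    nets = (source_network(l) for l in acl_text.splitlines() if l.strip())
    return [(str(n), classify(n)) for n in nets if n is not None]

if __name__ == "__main__":
    for net, verdict in audit(ACL):
        print(f"{net:18} {verdict}")
```
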



