
wg-multicast - Re: what to put in multicast boundary access list

Subject: All things related to multicast


Re: what to put in multicast boundary access list


  • From: ken lindahl <>
  • Subject: Re: what to put in multicast boundary access list
  • Date: Fri, 22 Jun 2001 16:41:24 -0700 (PDT)

On Fri, 22 Jun 2001, Toerless Eckert <> wrote:
>On Fri, Jun 22, 2001 at 03:16:02PM -0400, Alan Crosswell wrote:
>> Is there a more up-to-date list of recommended groups to drop at the
>> boundary? For example, I noticed I am getting NTP from about 8 sources.
>
>I don't think you need to drop more with the boundary-command, it is
>sufficient to discard the rest via MSDP. Just also do an inbound MSDP
>filter. Check out
>
> ftp://ftpeng.cisco.com/ipmulticast/config-notes/msdp-sa-filter.txt
...

nice list, thanks! it had not occurred to me to block the rfc 1918
sources, doh!

Alan mentioned ntp specifically and 224.0.1.1 is not on the list.
a couple months ago our ntp guy asked that ntp multicasts be blocked
at the edge of campus, so i added 224.0.1.1 to the msdp filters. as
i understand it, the issue is that workstations listening to ntp multicast
may choose to sync with a distant ntp server instead of a closer one. we
found numerous ucb hosts syncing with remote ntp servers rather than one
of the campus stratum 1 or 2 servers. the ntp docs actually recommend using
some sort of authentication to restrict the set of trusted servers, but
it was apparent that this was not going to happen here soon, so we
added the ntp group to our msdp sa filters. this seems to be a local
decision, not something to recommend globally.

ken

since Alan included his msdp filter, i'll include ours for comparison:

deny ip any host 224.0.1.35 (55373 matches)
deny ip any host 224.0.1.22 (131331 matches)
deny ip any host 224.0.1.24 (217024 matches)
deny ip any host 224.0.1.60 (30092 matches)
deny ip any host 224.0.1.1 (1594315 matches)
deny ip any host 224.0.1.2 (179819 matches)
deny ip any host 224.0.1.3 (29557 matches)
deny ip any host 224.0.2.2 (117365 matches)
deny ip any host 224.0.1.39
deny ip any host 224.0.1.40
deny ip any host 229.55.150.208 (1757105 matches)
deny ip any 239.0.0.0 0.255.255.255 (1342424 matches)
permit ip any any (64430531 matches)

btw, the high number of hits on 239.0.0.0/8 are all internally originated.
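The filter Ken posted, modelled in Python so the first-match semantics of a Cisco extended ACL used as an MSDP SA filter can be checked offline (this is an added example, not code from the mail or from Cisco's config note). It reuses Ken's lines with the match counters stripped and prepends three constructed "deny" lines for RFC 1918 sources, which is my reading of what the cited msdp-sa-filter note recommends; the sample source addresses in the comments are constructed.

```python
import ipaddress

# Ken's posted MSDP SA filter with the match counters stripped, plus three
# constructed "deny" lines for RFC 1918 sources, as the cited Cisco note suggests.
SA_FILTER = """\
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any host 224.0.1.35
deny ip any host 224.0.1.22
deny ip any host 224.0.1.24
deny ip any host 224.0.1.60
deny ip any host 224.0.1.1
deny ip any host 224.0.1.2
deny ip any host 224.0.1.3
deny ip any host 224.0.2.2
deny ip any host 224.0.1.39
deny ip any host 224.0.1.40
deny ip any host 229.55.150.208
deny ip any 239.0.0.0 0.255.255.255
permit ip any any
"""

def _addr_spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((net, care_mask), rest)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))  # Cisco wildcard: 1 bits = don't care
    return (net, 0xFFFFFFFF ^ wildcard), tokens[2:]

def parse_filter(text):
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, rest = _addr_spec(tokens[2:])      # tokens[1] is the protocol ("ip")
        dst, _ = _addr_spec(rest)
        rules.append((tokens[0], src, dst))     # (action, source spec, group spec)
    return rules

def _hit(spec, addr): return (int(ipaddress.IPv4Address(addr)) & spec[1]) == (spec[0] & spec[1])

def sa_action(rules, source, group):
    """First matching line decides the fate of an (S,G) SA message; implicit deny at the end."""
    for action, src, dst in rules:
        if _hit(src, source) and _hit(dst, group):
            return action
    return "deny"
```

Running `sa_action(parse_filter(SA_FILTER), "198.51.100.7", "224.0.1.1")` returns "deny", which is the NTP case discussed in the mail, while a public source sending to a group outside the denied ranges falls through to the final permit.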



