
wg-multicast - Re: revised Abilene multicast 'cookbook' available



Re: revised Abilene multicast 'cookbook' available


  • From: Alan Crosswell <>
  • To: John Kristoff <>
  • Cc:
  • Subject: Re: revised Abilene multicast 'cookbook' available
  • Date: Wed, 28 Jul 2004 15:57:33 -0400

Oh, man, I can't dogfight with your campus? Sheesh:-)

One question that came up during last week's workshop was whether one can disable PIM on a hosts-only interface (i.e. still listen to IGMP but take no part in the PIM DR election, etc.). Do you know if this can be done in Juniper- or Cisco-ese? Given that our routers are numbered .1 on our /24s, someone else can always win the DR election (the highest address wins at equal priority), assuming the DR priority can't be set to infinity somehow. Of course they always win the IGMP Querier election:-)
/a


John Kristoff wrote:
On Tue, 27 Jul 2004 19:17:19 -0500
Brent Sweeny
<>
wrote:


Based on suggestions from helpful readers (thanks!), I've made a number of
revisions to the cookbook. As always, it's at
www.abilene.iu.edu/mccook.html.
In particular we'll be making some revisions to the filter lists which I'll
add to the cookbook as they're agreed on here, and additional suggestions are
always welcome.


In the 'MSDP Filter contents' for a Juniper config, the last line is:

route-filter 239.0.0.0/8 orlonger; ! GLOP space

The comment should be:

! admin scoped

In addition, here is an example of what I do (an extract with some
minor details taken out or changed for anonymity's sake):

routing-options {
multicast {
/* Administrative scoping: traffic to each prefix below is confined to the
   listed interfaces ("interface all" = every interface, i.e. a boundary on
   the whole router). The prefixes mirror the group side of
   policy-statement multicast-bogons, except norton-ghost 224.77.0.0/16,
   which is scoped here but has no matching route-filter there. */
scope sgi-dogfight {
prefix 224.0.1.2/32;
interface all;
}
scope ntp {
prefix 224.0.1.1/32;
interface all;
}
scope rwhod {
prefix 224.0.1.3/32;
interface all;
}
scope nis+ {
prefix 224.0.1.8/32;
interface all;
}
scope srvloc {
prefix 224.0.1.22/32;
interface all;
}
scope microsoft-ds {
prefix 224.0.1.24/32;
interface all;
}
scope nbc-pro {
prefix 224.0.1.25/32;
interface all;
}
scope srvloc-da {
prefix 224.0.1.35/32;
interface all;
}
/* 224.0.1.39/40 are Cisco Auto-RP announce/discovery; keeping them local
   stops an outside party from advertising itself as RP. */
scope cisco-rp-announce {
prefix 224.0.1.39/32;
interface all;
}
scope cisco-rp-discovery {
prefix 224.0.1.40/32;
interface all;
}
scope hp-device-discovery {
prefix 224.0.1.60/32;
interface all;
}
scope lucent-avaya-ap {
prefix 224.0.1.76/32;
interface all;
}
scope rwho-group {
prefix 224.0.2.1/32;
interface all;
}
scope sun-rpc {
prefix 224.0.2.2/32;
interface all;
}
scope cisco-aironet-ap {
prefix 224.1.0.1/32;
interface all;
}
scope retrospect {
prefix 224.1.0.38/32;
interface all;
}
scope norton-ghost {
prefix 224.77.0.0/16;
interface all;
}
scope igmp-control-224-128-0 {
/* NOTE(review): the only scope in this stanza without "interface all;" --
   confirm the omission is intentional rather than a copy/paste slip. */
prefix 224.128.0.0/24;
}
scope reserved-225 {
prefix 225.0.0.0/8;
interface all;
}
scope reserved-226 {
prefix 226.0.0.0/8;
interface all;
}
scope reserved-227 {
prefix 227.0.0.0/8;
interface all;
}
scope reserved-228 {
prefix 228.0.0.0/8;
interface all;
}
scope reserved-229 {
prefix 229.0.0.0/8;
interface all;
}
scope reserved-230 {
prefix 230.0.0.0/8;
interface all;
}
scope reserved-231 {
prefix 231.0.0.0/8;
interface all;
}
scope igmp-control-232-0-0 {
prefix 232.0.0.0/24;
interface all;
}
scope igmp-control-232-128-0 {
prefix 232.128.0.0/24;
interface all;
}
scope igmp-control-233-0-0 {
prefix 233.0.0.0/24;
interface all;
}
scope igmp-control-233-128-0 {
prefix 233.128.0.0/24;
interface all;
}
scope reserved-234 {
prefix 234.0.0.0/8;
interface all;
}
scope reserved-235 {
prefix 235.0.0.0/8;
interface all;
}
scope reserved-236 {
prefix 236.0.0.0/8;
interface all;
}
scope reserved-237 {
prefix 237.0.0.0/8;
interface all;
}
scope reserved-238 {
prefix 238.0.0.0/8;
interface all;
}
/* 239/8 is administratively scoped (RFC 2365) and must never leave the site. */
scope admin-scoped {
prefix 239.0.0.0/8;
interface all;
}
}
}

protocols {
igmp {
/* disable IGMP on interfaces where it is not needed;
   [interface] is a placeholder for the real interface name */
interface [interface] {
disable;
}
}
/* SAP listener. The loopback filter described after this config restricts
   SAP to 224.2.127.254:udp:9875 so the router is not a sink for arbitrary
   session announcements. */
sap;
msdp {
/* Global MSDP cache shielding using RED-based control of SAs: the SA cache
   is capped at 26000 entries with drops starting at 25000, bounding the
   memory an SA flood from a peer can consume. */
active-source-limit {
maximum 26000;
threshold 25000;
}
/* Same policy chain both ways: bogon groups/sources and 232/8 SAs are
   neither accepted from peers nor advertised to them. */
export [ multicast-bogons no-ssm ];
import [ multicast-bogons no-ssm ];
}
pim {
/* The bogon policy is applied to PIM as well, not only to MSDP. */
import multicast-bogons;
rp {
/* Ignore bootstrap router messages in both directions; the RP is
   configured statically below, so nobody can inject an RP via BSR. */
bootstrap-import no-bsr;
bootstrap-export no-bsr;
local {
family inet {
/* [rp-address] is a placeholder for the router's own RP address. */
address [rp-address];
group-ranges {
/* control, adhoc, sap, assignments and IANA reserved
*/
224.0.0.0/8;
/* SSM -- NOTE(review): SSM groups need no RP; confirm that listing 232/8
   here is deliberate (e.g. to keep any stray ASM state for it local). */
232.0.0.0/8;
/* GLOP */
233.0.0.0/8;
}
}
}
}
/* PIM sparse mode v2 everywhere by default ... */
interface all {
mode sparse;
version 2;
}
/* ... then disable specific interfaces we don't need PIM on (the igmp
   stanza above disables IGMP on the same ones) */
interface [interface] {
disable;
}
}
}

policy-options {
/* Reject all PIM bootstrap router (BSR) messages */
policy-statement no-bsr {
then reject;
}
/* Referenced by msdp import/export and pim import. Terms are evaluated in
   order: anything matching a bogon group or bogon source is rejected
   before the default term accepts the rest. */
policy-statement multicast-bogons {
/* Groups that should never be seen in inter-domain state: well-known
   local-use groups, the IGMP control /24s, IANA-reserved /8s and the
   admin-scoped 239/8. */
term bogon-groups {
from {
/* Network Time Protocol (NTP) */
route-filter 224.0.1.1/32 exact;
/* SGI dogfight */
route-filter 224.0.1.2/32 exact;
/* rwhod */
route-filter 224.0.1.3/32 exact;
/* Sun's NIS+ */
route-filter 224.0.1.8/32 exact;
/* srvloc */
route-filter 224.0.1.22/32 exact;
/* microsoft-ds */
route-filter 224.0.1.24/32 exact;
/* nbc-pro */
route-filter 224.0.1.25/32 exact;
/* srvloc-da */
route-filter 224.0.1.35/32 exact;
/* cisco-rp-announce (Auto-RP) */
route-filter 224.0.1.39/32 exact;
/* cisco-rp-discovery (Auto-RP) */
route-filter 224.0.1.40/32 exact;
/* hp-device-discovery */
route-filter 224.0.1.60/32 exact;
/* Lucent/Avaya AP */
route-filter 224.0.1.76/32 exact;
/* rwho group (BSD) */
route-filter 224.0.2.1/32 exact;
/* SUN RPC */
route-filter 224.0.2.2/32 exact;
/* Cisco/Aironet AP */
route-filter 224.1.0.1/32 exact;
/* Dantz Retrospect */
route-filter 224.1.0.38/32 exact;
/* IGMP control */
route-filter 224.128.0.0/24 orlonger;
/* IANA reserved */
route-filter 225.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 226.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 227.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 228.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 229.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 230.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 231.0.0.0/8 orlonger;
/* IGMP control */
route-filter 232.0.0.0/24 orlonger;
/* IGMP control */
route-filter 232.128.0.0/24 orlonger;
/* IGMP control */
route-filter 233.0.0.0/24 orlonger;
/* IGMP control */
route-filter 233.128.0.0/24 orlonger;
/* IANA reserved */
route-filter 234.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 235.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 236.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 237.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 238.0.0.0/8 orlonger;
/* admin scoped */
route-filter 239.0.0.0/8 orlonger;
}
then reject;
}
term bogon-sources {
/* IANA reserved and special use.
   NOTE: this is a snapshot of IPv4 allocation status as of mid-2004; the
   then-unallocated /8s below have since been assigned, so a static copy of
   this list will reject legitimate sources -- regenerate it from a current
   bogon reference before reuse. RFC 1918 coverage is partial: 10/8 and
   172.16/12 are listed but 192.168.0.0/16 is not. The final entry
   224.0.0.0/3 rejects any class D/E address used as a source. */
from {
source-address-filter 0.0.0.0/8 orlonger;
source-address-filter 1.0.0.0/8 orlonger;
source-address-filter 2.0.0.0/8 orlonger;
source-address-filter 5.0.0.0/8 orlonger;
source-address-filter 7.0.0.0/8 orlonger;
source-address-filter 10.0.0.0/8 orlonger;
source-address-filter 23.0.0.0/8 orlonger;
source-address-filter 27.0.0.0/8 orlonger;
source-address-filter 31.0.0.0/8 orlonger;
source-address-filter 36.0.0.0/8 orlonger;
source-address-filter 37.0.0.0/8 orlonger;
source-address-filter 39.0.0.0/8 orlonger;
source-address-filter 41.0.0.0/8 orlonger;
source-address-filter 42.0.0.0/8 orlonger;
source-address-filter 49.0.0.0/8 orlonger;
source-address-filter 50.0.0.0/8 orlonger;
source-address-filter 71.0.0.0/8 orlonger;
source-address-filter 72.0.0.0/8 orlonger;
source-address-filter 73.0.0.0/8 orlonger;
source-address-filter 74.0.0.0/8 orlonger;
source-address-filter 75.0.0.0/8 orlonger;
source-address-filter 76.0.0.0/8 orlonger;
source-address-filter 77.0.0.0/8 orlonger;
source-address-filter 78.0.0.0/8 orlonger;
source-address-filter 79.0.0.0/8 orlonger;
source-address-filter 80.0.0.0/8 orlonger;
source-address-filter 89.0.0.0/8 orlonger;
source-address-filter 90.0.0.0/8 orlonger;
source-address-filter 91.0.0.0/8 orlonger;
source-address-filter 92.0.0.0/8 orlonger;
source-address-filter 93.0.0.0/8 orlonger;
source-address-filter 94.0.0.0/8 orlonger;
source-address-filter 95.0.0.0/8 orlonger;
source-address-filter 96.0.0.0/8 orlonger;
source-address-filter 97.0.0.0/8 orlonger;
source-address-filter 98.0.0.0/8 orlonger;
source-address-filter 99.0.0.0/8 orlonger;
source-address-filter 100.0.0.0/8 orlonger;
source-address-filter 101.0.0.0/8 orlonger;
source-address-filter 102.0.0.0/8 orlonger;
source-address-filter 103.0.0.0/8 orlonger;
source-address-filter 104.0.0.0/8 orlonger;
source-address-filter 105.0.0.0/8 orlonger;
source-address-filter 106.0.0.0/8 orlonger;
source-address-filter 107.0.0.0/8 orlonger;
source-address-filter 108.0.0.0/8 orlonger;
source-address-filter 109.0.0.0/8 orlonger;
source-address-filter 110.0.0.0/8 orlonger;
source-address-filter 111.0.0.0/8 orlonger;
source-address-filter 112.0.0.0/8 orlonger;
source-address-filter 113.0.0.0/8 orlonger;
source-address-filter 114.0.0.0/8 orlonger;
source-address-filter 115.0.0.0/8 orlonger;
source-address-filter 116.0.0.0/8 orlonger;
source-address-filter 117.0.0.0/8 orlonger;
source-address-filter 118.0.0.0/8 orlonger;
source-address-filter 119.0.0.0/8 orlonger;
source-address-filter 120.0.0.0/8 orlonger;
source-address-filter 121.0.0.0/8 orlonger;
source-address-filter 122.0.0.0/8 orlonger;
source-address-filter 123.0.0.0/8 orlonger;
source-address-filter 124.0.0.0/8 orlonger;
source-address-filter 125.0.0.0/8 orlonger;
source-address-filter 126.0.0.0/8 orlonger;
source-address-filter 127.0.0.0/8 orlonger;
source-address-filter 169.254.0.0/16 orlonger;
source-address-filter 172.16.0.0/12 orlonger;
source-address-filter 173.0.0.0/8 orlonger;
source-address-filter 174.0.0.0/8 orlonger;
source-address-filter 175.0.0.0/8 orlonger;
source-address-filter 176.0.0.0/8 orlonger;
source-address-filter 177.0.0.0/8 orlonger;
source-address-filter 178.0.0.0/8 orlonger;
source-address-filter 179.0.0.0/8 orlonger;
source-address-filter 180.0.0.0/8 orlonger;
source-address-filter 181.0.0.0/8 orlonger;
source-address-filter 182.0.0.0/8 orlonger;
source-address-filter 183.0.0.0/8 orlonger;
source-address-filter 184.0.0.0/8 orlonger;
source-address-filter 185.0.0.0/8 orlonger;
source-address-filter 186.0.0.0/8 orlonger;
source-address-filter 187.0.0.0/8 orlonger;
source-address-filter 189.0.0.0/8 orlonger;
source-address-filter 190.0.0.0/8 orlonger;
source-address-filter 192.0.2.0/24 orlonger;
source-address-filter 197.0.0.0/8 orlonger;
source-address-filter 223.0.0.0/8 orlonger;
source-address-filter 224.0.0.0/3 orlonger;
}
then reject;
}
/* Everything not matched by the two bogon terms is accepted. */
term default {
then accept;
}
}
/* Reject all source-specific multicast (SSM, 232/8). Applied to MSDP import
   and export above: SSM does not use MSDP SAs, so any SA for this range is
   bogus and should neither be cached nor advertised. */
policy-statement no-ssm {
term ssm {
from {
route-filter 232.0.0.0/8 orlonger;
}
then reject;
}
}
}

Then also add a loopback filter so that MSDP packets are accepted only from
the configured MSDP peers (by IP address, protocol TCP and port msdp). Also
filter SAP so that it is accepted only to 224.2.127.254/32:udp:9875.
Furthermore, filter so that IGMP is accepted only from the local peer IP and
multicast data packets only as 224/4:UDP. Only allow multicast
224.0.0.13:pim from peers. ...and if you need to, do some rate limiting of
multicast.

Doing all that keeps out quite a bit of the known bad stuff while
allowing the known good stuff to pass.

John




