wg-multicast - Re: Firewall ruleset/ACL best practice
Subject: All things related to multicast
List archive
- From: Marshall Eubanks <>
- To: Leonard Giuliano <>
- Cc: debbie fligor <>, wg-multicast List <>
- Subject: Re: Firewall ruleset/ACL best practice
- Date: Thu, 10 May 2007 15:05:28 -0400
On May 10, 2007, at 2:49 PM, Leonard Giuliano wrote:
On Thu, 10 May 2007, debbie fligor wrote:
-) >
-) > In a router you want to block 232.0.0.0/4 outbound but not inbound, which
-) > is generally pretty simple.
-)
Also, blocking all of 224/4 (I assume that's what Marshall meant) may have
Yes. Sorry for the typo.
other problems, like preventing protocols like OSPF and VRRP, which use
mcast, from working. So you may want to allow just 224.0.0/24 to get out.
And PIM itself uses multicast, so that's a good idea.
-)
-) I think you have to be careful where you do this. If it's at your campus
-) edge, that should work. If it's on the net where the users are because you
-) don't want that traffic in your core at all, you need to be careful.
Yes. And it occurred to me that some campuses have multicast edges in non-obvious places (such as at the nearest
Giga-POP). So, "edge" here is really at the PIM domain boundary, which may not be the same as the AS
boundary.
-)
-) I was planning on using an ACL to block a specific group from going out an
-) interface in order to keep traffic local to that net and mentioned this to an
-) SE. He said he'd just had that come up elsewhere, and if I applied that ACL
-) to that interface the router would drop it before processing the IGMP and
-) then couldn't be the IGMP querier for that group (which I needed it to be).
-) This is for Foundry gear, others may be different.
-)
-) Also what Bruce said below about IGMP for joins applies as well.
-)
Regards
Marshall
- Firewall ruleset/ACL best practice, Bayly, Thomas G., 05/09/2007
- Re: Firewall ruleset/ACL best practice, Leonard Giuliano, 05/09/2007
- Re: Firewall ruleset/ACL best practice, Bruce Curtis, 05/09/2007
- Re: Firewall ruleset/ACL best practice, Marshall Eubanks, 05/09/2007
- Re: Firewall ruleset/ACL best practice, debbie fligor, 05/10/2007
- Re: Firewall ruleset/ACL best practice, Leonard Giuliano, 05/10/2007
- Re: Firewall ruleset/ACL best practice, Marshall Eubanks, 05/10/2007
- Re: Firewall ruleset/ACL best practice, jf, 05/16/2007
- Re: Firewall ruleset/ACL best practice, Marshall Eubanks, 05/10/2007
- Re: Firewall ruleset/ACL best practice, Leonard Giuliano, 05/10/2007
- Re: Firewall ruleset/ACL best practice, debbie fligor, 05/10/2007
- Re: Firewall ruleset/ACL best practice, Marshall Eubanks, 05/09/2007
Archive powered by MHonArc 2.6.16.