wg-multicast - Re: Firewall ruleset/ACL best practice
- From: jf <>
- To: Marshall Eubanks <>
- Cc:
- Subject: Re: Firewall ruleset/ACL best practice
- Date: Wed, 16 May 2007 08:43:55 -0400
Marshall Eubanks wrote:
>
> On May 10, 2007, at 2:49 PM, Leonard Giuliano wrote:
>
>>
>> On Thu, 10 May 2007, debbie fligor wrote:
>>
>> -) >
>> -) > In a router you want to block 232.0.0.0/4 outbound but not
>> -) > inbound, which is generally pretty simple.
>> -)
>>
>> Also, blocking all of 224/4 (I assume that's what Marshall meant) may have
>
> Yes. Sorry for the typo.
A word of warning about 224/4. In my experience with Catalyst 3550 and
4500 switches, traffic towards 224.0.0.0/0.0.0.255 goes straight to the
CPU - in the case of the 4500 line, regardless of port ACL or igmp
filters. If you're leaving 224/4 open, you will want to consider
control plane policing on your 4500 chassis to protect against floods
towards mcast-linklocal.
>
>> other problems, like preventing protocols like OSPF and VRRP, which use
>> mcast, from working. So you may want to allow just 224.0.0/24 to get
>> out.
>>
>
> And PIM itself uses multicast, so that's a good idea.
>
>> -)
>> -) I think you have to be careful where you do this. If it's at your
>> -) campus edge, that should work. If it's on the net where the users are
>> -) because you don't want that traffic in your core at all, you need to
>> -) be careful.
>
> Yes. And it occurred to me that some campuses have multicast edges in
> non-obvious places (such as at the nearest
> Giga-POP). So, "edge" here is really at the PIM domain boundary, which
> may not be the same as the AS
> boundary.
>
>> -)
>> -) I was planning on using an ACL to block a specific group from going
>> -) out an interface in order to keep traffic local to that net and
>> -) mentioned this to an SE. He said he'd just had that come up elsewhere,
>> -) and if I applied that ACL to that interface the router would drop it
>> -) before processing the IGMP and then couldn't be the IGMP querier for
>> -) that group (which I needed it to be).
>> -) This is for Foundry gear, others may be different.
>> -)
>> -) Also what Bruce said below about IGMP for joins applies as well.
>> -)
>
> Regards
> Marshall
--
John French
Senior Network Engineer
Eastern Michigan University, ICT
127 Pray Harrold, Ypsilanti, MI 48197, USA
Tel: (734) 487-6933  Fax: (734) 481-9290
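The outbound filter the thread converges on (let only 224.0.0.0/24 out so OSPF, VRRP and PIM hellos keep working, deny the rest of 224/4 outbound, leave inbound alone), as an added example that is not part of any message in this thread: a small Python policy evaluator that classifies a destination group per direction and renders the equivalent Cisco extended ACL lines. The rule order, ACL number 101, the `evaluate`/`render_ios_acl` names and the sample groups are constructed assumptions for this example, not something posted by the list members.

```python
import ipaddress
from typing import List, Tuple

# Constructed policy for this example (assumption, not a quoted config):
#   outbound: permit link-local 224.0.0.0/24 (OSPF 224.0.0.5/6, VRRP 224.0.0.18,
#             PIM 224.0.0.13), deny everything else in 224.0.0.0/4, permit unicast
#   inbound:  permit everything ("block outbound but not inbound")
# First match wins; anything unmatched falls to the implicit deny, as on a router.
MCAST_ALL = ipaddress.ip_network("224.0.0.0/4")
MCAST_LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

Rule = Tuple[str, str, ipaddress.IPv4Network]  # (direction, action, destination)

POLICY: List[Rule] = [
    ("out", "permit", MCAST_LINK_LOCAL),
    ("out", "deny", MCAST_ALL),
    ("out", "permit", ANY),
    ("in", "permit", ANY),
]


def evaluate(direction: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet to dst in the given direction."""
    addr = ipaddress.ip_address(dst)
    for rule_dir, action, net in POLICY:
        if rule_dir == direction and addr in net:
            return action
    return "deny"  # implicit deny at the end of every ACL


def wildcard(net: ipaddress.IPv4Network) -> str:
    """Cisco ACL wildcard mask: the bitwise inverse of the prefix's netmask."""
    return str(net.hostmask)


def render_ios_acl(direction: str, number: int = 101) -> List[str]:
    """Render the rules for one direction as IOS extended ACL lines."""
    lines = []
    for rule_dir, action, net in POLICY:
        if rule_dir != direction:
            continue
        dst = "any" if net.prefixlen == 0 else f"{net.network_address} {wildcard(net)}"
        lines.append(f"access-list {number} {action} ip any {dst}")
    return lines


if __name__ == "__main__":
    # Note: per the thread, 224.0.0.0/24 traffic may still be punted to the switch
    # CPU even when permitted; the ACL does not replace control-plane policing.
    for line in render_ios_acl("out"):
        print(line)
    for group in ("224.0.0.5", "224.0.0.18", "224.0.0.13", "239.1.2.3", "232.1.1.1"):
        print(group, "out ->", evaluate("out", group), "| in ->", evaluate("in", group))
```

Apply the rendered list outbound on the PIM-domain boundary interface (the thread's point that the boundary may sit at a Giga-POP rather than the AS edge); the inbound direction intentionally renders only a permit-any line.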
- Firewall ruleset/ACL best practice, Bayly, Thomas G., 05/09/2007
- Re: Firewall ruleset/ACL best practice, Leonard Giuliano, 05/09/2007
- Re: Firewall ruleset/ACL best practice, Bruce Curtis, 05/09/2007
- Re: Firewall ruleset/ACL best practice, Marshall Eubanks, 05/09/2007
- Re: Firewall ruleset/ACL best practice, debbie fligor, 05/10/2007
- Re: Firewall ruleset/ACL best practice, Leonard Giuliano, 05/10/2007
- Re: Firewall ruleset/ACL best practice, Marshall Eubanks, 05/10/2007
- Re: Firewall ruleset/ACL best practice, jf, 05/16/2007