2013/11/29

WB1 8.17 Multicast Boundary

8.17 Multicast Boundary

• Configure R5’s connection to VLAN 58 so that traffic to the group range 232.0.0.0/5 cannot reach SW2.
• Filter the Auto-RP messages to remove the information about this group range.

-----------------------------------------------------------------------------------------------------------

The multicast boundary feature allows for setting administrative borders for
multicast traffic. This feature applies filtering to both the control plane traffic
(IGMP, PIM, AutoRP) and the data plane (installing multicast route states out of
the configured interface). It is much more flexible than using Auto-RP TTL
scoping and allows the application of finer and more granular access control.
Using this feature you may contain multicast traffic within the boundaries of your
administrative domain, without relying on TTL-based filtering.

When you apply the command ip multicast boundary <access-list> [filter-autorp] to an interface, the following filtering rules apply.

1) If the access-list is a standard ACL, then any ingress IGMP or PIM messages
are inspected to see whether the group being joined or the tree being built has a
match in the access-list. This might be an (S,G) or (*,G) join. Additionally, the
interface is added to the outgoing interface list for a group "G" only if the
group is permitted by the access-list.

2) If the access-list is an extended ACL, then it specifies both multicast sources
and groups, using the format permit ip <src-ip> <src-wildcard>
<group-address> <group-mask>. Any incoming PIM/IGMP messages are
inspected, and they are permitted only if both the source and the group match. At
the same time, the interface can be used as an outgoing interface only for
multicast traffic sourced from the IP addresses matched by the extended access-list,
with the group matching the same access-list entry. If you want to match only (*,G)
shared-tree signaling, specify a source IP address of 0.0.0.0; this affects PIM
Join/Prune messages for the shared tree.


Keep in mind that unicast PIM Register messages are not affected by the
multicast-boundary configuration: they are sent directly to the RP and must be
filtered using the respective feature (for example, ip pim accept-register on the RP).

If you have specified the filter-autorp keyword, then the router will inspect
any Auto-RP messages (announces or discovery) and remove the group ranges not
matching the access-list. Note that the access-list must be a standard ACL if you
use Auto-RP filtering. In order for an Auto-RP group range to be permitted, the
whole range must be covered by permit statements in the access-list. If any part
of the range is not permitted, the whole range is removed from the advertisement,
so a single announcement covering 224.0.0.0/4 is stripped entirely by an ACL that
denies any subset of it.

Starting with version 12.3(17)T you may use the in or out options with the multicast
boundary command (these cannot be combined with the filter-autorp option).
When applied as an ingress filter, the command affects control-plane
traffic: IGMP/PIM Joins and Auto-RP messages received on the interface. When configured
as an egress filter, it controls whether the interface is added to the OIL for a
multicast group, allowing only the groups permitted by the access-list.

-----------------------------------------------------------------------------------------------------------

R5:
ip access-list standard PERMITTED_GROUPS
deny 232.0.0.0 7.255.255.255
permit any
!
interface FastEthernet 0/0
ip multicast boundary PERMITTED_GROUPS filter-autorp
