Topology:
Use configuration from Multicast task #3 as initial configuration for this task.
Add two new interfaces to R1 - VLAN 111 and VLAN 122.
Requirements:
1. Only sources from VLAN 111 and VLAN 112 should be allowed to send multicast traffic.
2. Hosts on VLAN 10 should only be able to join groups from range 230.0.0.0 - 230.255.255.255
3. Hosts on VLAN 34 should only be able to join groups from range 231.0.0.0 - 231.255.255.255
4. Ensure that no additional PIM devices can be introduced on either VLAN 10 or VLAN 34.
Solution:
This task requires an understanding of multicast security features: filtering IGMP, PIM neighbors, and PIM register messages.
Requirement #1 - on both RPs, configure "pim accept-register" and only allow R1 addresses. Optionally, set the R1 register-source to its Loopback0 address, so the filter only has to list a single address.
Requirements #2 and #3 - configure "igmp access-group" on the VLAN 34 interfaces of routers R3 and R4, and on the VLAN 10 interfaces of routers R6 and R7. Allow only the listed group ranges.
Requirement #4 - configure a PIM neighbor filter so that only the routers listed in the topology can form PIM neighbor relationships with each other.
R1:
!
ip pim register-source Loopback0
!
R3:
..
!
 interface GigabitEthernet0/0/0/2
  access-group IGMP_ACL
  query-interval 20
 !
 version 2
!
ipv4 access-list IGMP_ACL
 10 permit ipv4 231.0.0.0 0.255.255.255 any (105 matches)
!
R4:
router igmp
 interface GigabitEthernet0/0/0/2
  access-group IGMP_ACL
  query-interval 20
  query-max-response-time 10
 !
 version 2
!
router pim
 address-family ipv4
  rp-address 13.0.3.3
  accept-register FILTER
  interface Loopback0
   enable
  !
  interface GigabitEthernet0/0/0/2
   neighbor-filter VLAN34
  !
  bsr candidate-rp 13.0.4.4 priority 1 interval 60
 !
!
!
ipv4 access-list VLAN34
 10 permit ipv4 host 13.0.34.3 any
 20 permit ipv4 host 13.0.34.4 any
!
ipv4 access-list IGMP_ACL
 10 permit ipv4 231.0.0.0 0.255.255.255 any
!
R5:
!
ip pim accept-register list 100
!
access-list 100 permit ip host 13.0.1.1 any
!
R6:
!
interface Ethernet0/1
 bandwidth 100
 ip address 13.0.10.6 255.255.255.0
 ip pim neighbor-filter 67
 ip pim bsr-border
 ip pim sparse-mode
 ip igmp query-max-response-time 5
 ip igmp access-group 10
 ip igmp query-interval 10
!
!
access-list 10 permit 230.0.0.0 0.255.255.255
access-list 67 permit 13.0.10.6
access-list 67 permit 13.0.10.2
!
R7:
!
interface Ethernet0/0
 bandwidth 100
 ip address 13.0.10.2 255.255.255.0
 ip pim neighbor-filter 67
 ip pim bsr-border
 ip pim sparse-mode
 ip igmp access-group 10
!
!
access-list 10 permit 230.0.0.0 0.255.255.255
access-list 67 permit 13.0.10.2
access-list 67 permit 13.0.10.6
!
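To check requirements 2 to 4 offline, the ACLs from the R4, R6 and R7 configurations above can be evaluated against sample addresses. This is an added example, not part of the original lab solution. It assumes each ACE's first address field is compared with the value being filtered (the group address for the IGMP access-group, the neighbor's address for the PIM neighbor filter), and the test addresses are constructed.

```python
import ipaddress

# ACEs copied from the R4 (IOS XR) and R6/R7 (IOS, "access-list N" prefix dropped) configs.
ACLS = {
    "IGMP_ACL": ["10 permit ipv4 231.0.0.0 0.255.255.255 any"],
    "VLAN34": ["10 permit ipv4 host 13.0.34.3 any",
               "20 permit ipv4 host 13.0.34.4 any"],
    "10": ["permit 230.0.0.0 0.255.255.255"],
    "67": ["permit 13.0.10.6", "permit 13.0.10.2"],
}

def parse_ace(line):
    """Return (action, base, wildcard) for the first address field of an ACE."""
    tok = line.split()
    if tok[0].isdigit():              # IOS XR sequence number
        tok = tok[1:]
    action, rest = tok[0], tok[1:]
    if rest[0] in ("ipv4", "ip"):     # protocol keyword of an extended-style ACE
        rest = rest[1:]
    if rest[0] == "host":
        addr, wild = rest[1], "0.0.0.0"
    elif rest[0] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    else:
        addr = rest[0]
        # A standard ACE without a wildcard mask is a host match.
        wild = rest[1] if len(rest) > 1 and rest[1][0].isdigit() else "0.0.0.0"
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def permitted(acl_name, address):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    value = int(ipaddress.IPv4Address(address))
    for line in ACLS[acl_name]:
        action, base, wild = parse_ace(line)
        care = ~wild & 0xFFFFFFFF     # wildcard bits set to 1 are ignored
        if value & care == base & care:
            return action == "permit"
    return False

if __name__ == "__main__":
    # Constructed samples: group addresses for IGMP joins, source addresses for PIM hellos.
    for acl, addr in [("10", "230.1.1.1"), ("10", "231.1.1.1"),
                      ("IGMP_ACL", "231.255.255.255"), ("IGMP_ACL", "232.0.0.1"),
                      ("67", "13.0.10.2"), ("67", "13.0.10.99"),
                      ("VLAN34", "13.0.34.4"), ("VLAN34", "13.0.34.5")]:
        print(f"ACL {acl:8} {addr:16} -> {'permit' if permitted(acl, addr) else 'deny'}")
```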
Can you share the GNS3 lab files as well?
Dear Alafin,
I only use GNS3 to create the diagrams (cause it's fast, free and easy), but not for the labs.
Lab topologies are deliberately kept simple, and I try to reuse the same topology for multiple labs when possible, so it is easy to build in your home lab environment.