Tuesday, January 12, 2016

Multicast task #4. Multicast security.

Topology:
Use configuration from Multicast task #3 as initial configuration for this task.
Add two new interfaces to R1 - VLAN 111 and VLAN 122.

Requirements: 

1. Only sources from VLAN 111 and VLAN 112 should be allowed to send multicast traffic.
2. Hosts on VLAN 10 should only be able to join groups from the range 230.0.0.0 - 230.255.255.255.
3. Hosts on VLAN 34 should only be able to join groups from the range 231.0.0.0 - 231.255.255.255.
4. Ensure that no additional PIM devices can be introduced on either VLAN 10 or VLAN 34.

Solution:


This task requires understanding of multicast security features - filtering IGMP group membership, PIM neighbors, and PIM register messages.

Requirement #1 - on both RPs, configure "pim accept-register" and only allow R1 addresses. Optionally, set the R1 register-source to the Loopback0 address, so the filter only has to list a single address.

Requirements #2 and #3 - configure "igmp access-group" on the VLAN 34 interfaces of routers R3 and R4, and on the VLAN 10 interfaces of routers R6 and R7. Allow only the listed group ranges.

Requirement #4 - configure a PIM neighbor filter to only allow the routers listed in the topology to form PIM neighbor relationships with each other.
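As an added illustration (not part of the original post), a small Python 3 audit script that parses IOS-style standard ACLs and interface lines and checks requirements #2, #3 and #4 mechanically: the IGMP access-group must only permit groups inside the allowed range, and the PIM neighbor-filter must permit exactly the expected router addresses and nothing else. It assumes Python 3.7+ (for subnet_of) and numbered standard ACL syntax; the embedded R6 snippet is constructed from the R6 config shown further down.

```python
import ipaddress
import re

# Constructed sample input: R6's VLAN 10 interface and its ACLs, as shown in the post.
R6_CONFIG = """
interface Ethernet0/1
 ip address 13.0.10.6 255.255.255.0
 ip pim neighbor-filter 67
 ip pim sparse-mode
 ip igmp access-group 10
!
access-list 10 permit 230.0.0.0 0.255.255.255
access-list 67 permit 13.0.10.6
access-list 67 permit 13.0.10.2
"""

def wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard mask (0 bits = must match) to a prefix length."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefix

def parse_standard_acls(config):
    """Map ACL number -> permitted IPv4 networks (the implicit deny stays implicit)."""
    acls = {}
    pattern = r"^access-list (\d+) permit (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?$"
    for num, addr, wildcard in re.findall(pattern, config, re.M):
        prefix = wildcard_to_prefix(wildcard) if wildcard else 32  # bare address = host
        acls.setdefault(num, []).append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return acls

def applied_acl(config, feature):
    """Return the ACL number bound to an interface feature, or None if not applied."""
    m = re.search(rf"^ ip {feature} (\d+)$", config, re.M)
    return m.group(1) if m else None

def audit_interface(config, allowed_groups, expected_neighbors):
    """Requirements #2/#3: every permitted IGMP group lies in allowed_groups.
    Requirement #4: the neighbor filter permits exactly the expected router addresses."""
    acls = parse_standard_acls(config)
    allowed = ipaddress.ip_network(allowed_groups)
    igmp_entries = acls.get(applied_acl(config, "igmp access-group"), [])
    pim_entries = acls.get(applied_acl(config, "pim neighbor-filter"), [])
    groups_ok = bool(igmp_entries) and all(n.subnet_of(allowed) for n in igmp_entries)
    hosts = {str(n.network_address) for n in pim_entries if n.prefixlen == 32}
    neighbors_ok = len(hosts) == len(pim_entries) and hosts == set(expected_neighbors)
    return {"igmp_range_ok": groups_ok, "pim_neighbors_ok": neighbors_ok}
```

An unapplied or undefined ACL is reported as a failure, since a feature bound to a non-existent standard ACL filters nothing.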



R1:


!
ip pim register-source Loopback0
!

R3:



router igmp
 ..
 !
 interface GigabitEthernet0/0/0/2
  access-group IGMP_ACL
  query-interval 20
 !
 version 2
!
ipv4 access-list IGMP_ACL
 10 permit ipv4 231.0.0.0 0.255.255.255 any (105 matches)
!

R4:


router igmp
 interface GigabitEthernet0/0/0/2
  access-group IGMP_ACL
  query-interval 20
  query-max-response-time 10
 !
 version 2
!
router pim
 address-family ipv4
  rp-address 13.0.3.3
  accept-register FILTER
  interface Loopback0
   enable
  !
  interface GigabitEthernet0/0/0/2
   neighbor-filter VLAN34
  !
  bsr candidate-rp 13.0.4.4 priority 1 interval 60
 !
!
!
ipv4 access-list VLAN34
 10 permit ipv4 host 13.0.34.3 any
 20 permit ipv4 host 13.0.34.4 any
!
ipv4 access-list IGMP_ACL
 10 permit ipv4 231.0.0.0 0.255.255.255 any
!

R5:

!
ip pim accept-register list 100
!
access-list 100 permit ip host 13.0.1.1 any
!

R6:


!
interface Ethernet0/1
 bandwidth 100
 ip address 13.0.10.6 255.255.255.0
 ip pim neighbor-filter 67
 ip pim bsr-border
 ip pim sparse-mode
 ip igmp query-max-response-time 5
 ip igmp access-group 10
 ip igmp query-interval 10
!
!
access-list 10 permit 230.0.0.0 0.255.255.255
access-list 67 permit 13.0.10.6
access-list 67 permit 13.0.10.2
!


R7:


!
interface Ethernet0/0
 bandwidth 100
 ip address 13.0.10.2 255.255.255.0
 ip pim neighbor-filter 67
 ip pim bsr-border
 ip pim sparse-mode
 ip igmp access-group 10
!
!
access-list 10 permit 230.0.0.0 0.255.255.255
access-list 67 permit 13.0.10.2
access-list 67 permit 13.0.10.6
!
Verification:


2 comments:

  1. Can you share the GNS3 lab files as well?

    1. Dear Alafin,

      I only use GNS3 to create the diagrams (cause it's fast, free and easy), but not for the labs.
      Lab topologies are deliberately kept simple, and I try to reuse the same topology for multiple labs when possible, so it is easy to build in your home lab environment.