Friday, November 18, 2011

Lab 163 - IGMP Filtering

Prerequisites: CCNP level skills.



Topology

Pic. 1 - Topology Diagram.


Note!
Routers and switches are already configured as per the topology diagram. 

Task 1
To prevent IGMP DoS attacks, configure R3 so that it accepts no more than 10 IGMP states created by IGMP joins on its Fa0/0 interface. Also, configure filtering so that R3 accepts joins from multicast clients only for groups in 224.1.1.0/24.

Solution


Task 1
To prevent IGMP DoS attacks, configure R3 so that it accepts no more than 10 IGMP states created by IGMP joins on its Fa0/0 interface. Also, configure filtering so that R3 accepts joins from multicast clients only for groups in 224.1.1.0/24.


R3 Configuration:

!
access-list 1 permit 224.1.1.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 10.1.30.3 255.255.255.0
 ip pim sparse-mode
 ip igmp access-group 1
 ip igmp limit 10
 speed 100
 full-duplex
!

Note!
The 'ip igmp limit' command can be applied either globally or on a per-interface basis.

Verification:
Pic. 2 - R3 Fa0/0 IGMP Limit.

S2 Configuration:

!
interface Vlan30
 ip address 10.1.30.12 255.255.255.0
 ip igmp join-group 224.1.1.1
 ip igmp join-group 224.1.1.2
 ip igmp join-group 224.3.3.3
!

Note!
S2 attempts three multicast group joins. The third one (224.3.3.3) is not permitted by ACL 1 on R3, so it does not get registered.

Pic. 3 - Multicast Groups Registered on R3.
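
The following is an added example, not part of the original lab and not IOS code: a simplified Python model of how R3's Fa0/0 treats incoming IGMP reports under 'ip igmp access-group 1' and 'ip igmp limit 10'. The class and function names are hypothetical, the flood of extra groups is constructed sample input, and the model assumes the ACL is checked before the limit and that a denied report creates no state.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Standard-ACL match: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

class IgmpInterface:
    """Hypothetical model of an interface with an IGMP access-group and state limit."""
    def __init__(self, acl, limit):
        self.acl = acl        # ordered list of (action, base, wildcard) entries
        self.limit = limit    # value of 'ip igmp limit'
        self.groups = set()   # IGMP states currently held on the interface

    def acl_permits(self, group):
        for action, base, wildcard in self.acl:
            if wildcard_match(group, base, wildcard):
                return action == "permit"
        return False          # implicit deny at the end of every ACL

    def report(self, group):
        """Process one membership report and return what happened to it."""
        if not self.acl_permits(group):
            return "filtered"         # assumption: denied reports create no state
        if group in self.groups:
            return "refreshed"        # existing state, nothing new to count
        if len(self.groups) >= self.limit:
            return "limit-exceeded"   # new state refused once the limit is reached
        self.groups.add(group)
        return "joined"

def run_lab():
    # access-list 1 permit 224.1.1.0 0.0.0.255 / ip igmp limit 10
    fa0_0 = IgmpInterface(acl=[("permit", "224.1.1.0", "0.0.0.255")], limit=10)
    # The three joins configured on S2 Vlan30
    s2 = [fa0_0.report(g) for g in ("224.1.1.1", "224.1.1.2", "224.3.3.3")]
    # Constructed input: 20 more joins inside the permitted range
    flood = [fa0_0.report(f"224.1.1.{i}") for i in range(10, 30)]
    return s2, flood, sorted(fa0_0.groups)

if __name__ == "__main__":
    s2, flood, groups = run_lab()
    print("S2 joins:", s2)
    print("extra joins accepted:", flood.count("joined"),
          "refused:", flood.count("limit-exceeded"))
    print("states held:", len(groups))
```

In this model the filtered 224.3.3.3 join does not consume one of the 10 slots, so the limit applies only to groups the ACL already permits.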

IGMP State Limit