Prerequisites: CCNP level skills.
Topology
Pic. 1 - Topology Diagram.
Note!
Routers and switches are already configured as per the topology diagram.
Task 1
In order to prevent IGMP DoS attacks do not allow R3 to accept more than 10 IGMP states that can be joined to a router from IGMP on its Fa0/0 interface. Also, configure filtering so that R3 allows multicast clients only from the group 224.1.1.0/24.Routers and switches are already configured as per the topology diagram.
Task 1
Solution
Task 1
In order to prevent IGMP DoS attacks do not allow R3 to accept more than 10 IGMP states that can be joined to a router from IGMP on its Fa0/0 interface. Also, configure filtering so that R3 allows multicast clients only from the group 224.1.1.0/24.
R3 Configuration:
!
access-list 1 permit 224.1.1.0 0.0.0.255
!
interface FastEthernet0/0
ip address 10.1.30.3 255.255.255.0
ip pim sparse-mode
ip igmp access-group 1
ip igmp limit 10
speed 100
full-duplex
ip address 10.1.30.3 255.255.255.0
ip pim sparse-mode
ip igmp access-group 1
ip igmp limit 10
speed 100
full-duplex
!
Note!
The 'ip igmp limit' command can be used either globally or on per interface basis.
Verification:
Pic. 2 - R3 Fa0/0 IGMP Limit.
S2 Configuration :
!
interface Vlan30
ip address 10.1.30.12 255.255.255.0
ip igmp join-group 224.1.1.1
ip igmp join-group 224.1.1.2
ip igmp join-group 224.3.3.3
ip address 10.1.30.12 255.255.255.0
ip igmp join-group 224.1.1.1
ip igmp join-group 224.1.1.2
ip igmp join-group 224.3.3.3
!
Note!
There are three multicast group joins. The third one is not allowed as per the ACL 1 on R3 (224.3.3.3). It does not get registered.
Pic. 3 - Multicast Groups Registered on R3.
IGMP State Limit