Multicast Boundary ACL to filter traffic from an interface
Multicast traffic can be filtered with a specific command that has no unicast counterpart. A multicast boundary access list selects specific multicast groups and keeps their multicast domains separate: traffic for the groups the ACL denies does not cross that interface.
A multicast boundary ACL can also filter incoming Auto-RP announcements and thereby define the scope of the RP election, by adding the filter-autorp keyword (“ip multicast boundary <access-list> filter-autorp”).
For example, let’s make RT6 the sender of the RP-Discovery messages (mapping agent) and RT1 the candidate RP.
RT2 no longer needs to map any RP.
RT2(config)#no ip pim send-rp-discovery scope 15
RT6(config)#ip pim send-rp-discovery scope 15
RT1(config)#access-list 2 deny 224.0.1.0 0.0.0.255
RT1(config)#access-list 2 permit any
RT1(config)#interface serial0
RT1(config-if)#ip multicast boundary 2 filter-autorp
(with the filter-autorp keyword, Auto-RP messages are also analyzed at the boundary and, where applicable, the denied group ranges are removed)
RT8(config)#access-list 1 deny 224.0.1.0 0.0.0.255
RT8(config)#access-list 1 permit any
RT8(config)#int eth1
RT8(config-if)#ip multicast boundary 1 filter-autorp
RT2#sh ip mroute count
IP Multicast Statistics
5 routes using 2642 bytes of memory
4 groups, 0.25 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Group: 239.255.1.1, Source count: 0, Group pkt count: 0
Group: 239.255.255.250, Source count: 0, Group pkt count: 0
Group: 224.0.1.39, Source count: 0, Group pkt count: 0
Group: 224.0.1.40, Source count: 1, Group pkt count: 42
Source: 10.1.23.2/32, Forwarding: 42/0/48/0, Other: 42/0/0
RT2#sh ip pim rp
(Empty)
RT8#sh ip pim rp
Group: 239.255.1.1, RP: 138.1.15.11, v2, v1, uptime 00:06:12, expires 00:02:41
Group: 239.255.255.250, RP: 138.1.15.11, v2, v1, uptime 00:06:12, expires 00:02:41
RT1#sh ip pim rp
Group: 239.255.1.1, RP: 138.1.15.11, v2, v1, next RP-reachable in 00:00:59
Group: 239.255.255.250, RP: 138.1.15.11, v2, v1, next RP-reachable in 00:00:59
Mcast Security: Completely disabling flow of unauthorized Groups in SM
– In Sparse Mode, a trick to locally stop (black-hole) the flooding of specific unauthorized groups is to configure a last-resort RP on a local interface. Groups that are not covered by any other RP configuration (Anycast RP, or Auto-RP/BSR mappings) are assigned to the black-hole RP on the local loopback, so the unauthorized stream terminates at the local router.
interface Loopback1000
 description * Local Blackhole for unauthorized groups *
 ip pim sparse-mode
!
! ip pim rp-address takes the RP's IP address, not an interface name;
! <LOOPBACK1000-IP> is a placeholder for the address configured on Loopback1000
ip pim rp-address <LOOPBACK1000-IP> 10
!
access-list 10 permit 224.2.0.0 0.0.255.255
access-list 10 permit 225.0.0.0 0.255.255.255
access-list 10 permit 226.0.0.0 1.255.255.255
access-list 10 permit 228.0.0.0 3.255.255.255
– On newer IOS (12.4T): the same result is obtained globally with “ip multicast group-range 10” (ACL 10 above), which disables PIM actions and forwarding for every group the ACL does not permit, on all interfaces.
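The following Python model is an added example, not code from the page or from Cisco. It implements wildcard-mask ACL matching with first-match semantics and the implicit deny, applies it as a multicast boundary (including the filter-autorp rule that an announced group range is kept only if every address in it is permitted), and then reproduces the black-hole RP selection from this section, where dynamically learned mappings take precedence over the static RP and the static RP applies only to groups its ACL permits. The ACLs are the ones on the page; the RP address 192.0.2.1, the dynamic mapping for 239.255.0.0/16 and the tested groups are constructed, and only contiguous wildcard masks are supported.

```python
"""Constructed model (not Cisco code) of a wildcard-mask ACL used as a multicast
boundary with filter-autorp, and as the group list of a black-hole static RP.
Only contiguous wildcard masks are supported, which covers every ACL on the page."""
import ipaddress
from typing import List, Optional, Tuple

# Auto-RP control groups (RP-Announce and RP-Discovery), fixed by the protocol
AUTORP_ANNOUNCE = "224.0.1.39"
AUTORP_DISCOVERY = "224.0.1.40"

Entry = Tuple[str, ipaddress.IPv4Network]   # (action, network the entry matches)


def compile_acl(lines: List[Tuple[str, ...]]) -> List[Entry]:
    """('permit'|'deny', address, wildcard) or ('permit'|'deny', 'any') -> (action, network).
    Wildcard bits set to 1 are 'don't care' bits."""
    acl: List[Entry] = []
    for line in lines:
        action = line[0]
        base, wildcard = ("0.0.0.0", "255.255.255.255") if line[1] == "any" else line[1:3]
        w = int(ipaddress.IPv4Address(wildcard))
        if (w + 1) & w:
            raise ValueError(f"non-contiguous wildcard {wildcard} is not modelled here")
        acl.append((action, ipaddress.IPv4Network((base, 32 - w.bit_length()), strict=False)))
    return acl


def acl_action(acl: List[Entry], addr: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    ip = ipaddress.IPv4Address(addr)
    for action, net in acl:
        if ip in net:
            return action
    return "deny"


def boundary_crosses(acl: List[Entry], group: str) -> bool:
    """'ip multicast boundary <acl>': a group's traffic crosses only if the ACL permits it."""
    return acl_action(acl, group) == "permit"


def _range_fully_permitted(acl: List[Entry], rng: ipaddress.IPv4Network) -> bool:
    """True only if every address in rng is permitted under first-match semantics."""
    uncovered = [rng]
    for action, net in acl:
        remaining = []
        for u in uncovered:
            if net.supernet_of(u):              # entry covers all of u (or equals it)
                if action == "deny":
                    return False
            elif u.supernet_of(net):            # entry carves a hole inside u
                if action == "deny":
                    return False
                remaining.extend(u.address_exclude(net))
            else:
                remaining.append(u)
        uncovered = remaining
        if not uncovered:
            return True
    return False                                # leftovers fall into the implicit deny


def filter_autorp(acl: List[Entry], announced_ranges: List[str]) -> List[str]:
    """'filter-autorp': a group range in an Auto-RP message survives only if the
    boundary ACL permits every address in it; otherwise the whole range is stripped."""
    return [r for r in announced_ranges if _range_fully_permitted(acl, ipaddress.IPv4Network(r))]


def select_rp(group: str, dynamic: List[Tuple[str, str]],
              blackhole_rp: str, blackhole_acl: List[Entry]) -> Optional[str]:
    """Dynamic mappings (Auto-RP/BSR) win; otherwise the static black-hole RP
    applies if its ACL permits the group; otherwise the group has no RP."""
    ip = ipaddress.IPv4Address(group)
    for rng, rp in dynamic:
        if ip in ipaddress.IPv4Network(rng):
            return rp
    return blackhole_rp if acl_action(blackhole_acl, group) == "permit" else None


# Constructed sample data mirroring the page's ACLs
BOUNDARY_ACL = compile_acl([("deny", "224.0.1.0", "0.0.0.255"), ("permit", "any")])
BLACKHOLE_ACL = compile_acl([
    ("permit", "224.2.0.0", "0.0.255.255"), ("permit", "225.0.0.0", "0.255.255.255"),
    ("permit", "226.0.0.0", "1.255.255.255"), ("permit", "228.0.0.0", "3.255.255.255"),
])
DYNAMIC_MAPPINGS = [("239.255.0.0/16", "138.1.15.11")]   # RP the page shows learned via Auto-RP
BLACKHOLE_RP = "192.0.2.1"                                # constructed placeholder for Loopback1000

if __name__ == "__main__":
    for g in (AUTORP_DISCOVERY, "239.255.1.1"):
        print(g, "crosses boundary:", boundary_crosses(BOUNDARY_ACL, g))
    print("ranges kept by filter-autorp:", filter_autorp(BOUNDARY_ACL, ["224.0.0.0/8", "239.255.0.0/16"]))
    for g in ("239.255.1.1", "225.1.1.1", "232.1.1.1"):
        print(g, "-> RP", select_rp(g, DYNAMIC_MAPPINGS, BLACKHOLE_RP, BLACKHOLE_ACL))
```

Denying 224.0.1.0/24 at the boundary stops the Auto-RP groups 224.0.1.39 and 224.0.1.40 themselves, which is why the RT2 side in the show output above ends up with no RP mapping; a wide announced range such as 224.0.0.0/8 is dropped from forwarded Auto-RP messages because part of it is denied.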
Mcast Security: unauthorized Neighbors and Sources
– On all PIM routers, neighbor filters (only accept PIM hellos from known neighbors), in interface configuration mode:
ip pim neighbor-filter <ACL>
– On the RP, filter PIM Register messages by (S, G) (extended ACL: source = sender, destination = group):
ip pim accept-register list <ACL>
– Maximum mroute table size:
ip multicast route-limit <routes>
– ip igmp access-group:
To control the multicast groups that hosts on the subnet serviced by an interface can join (interface configuration mode).
ip igmp access-group <ACL>
Multicast TTL threshold boundary
To configure the time-to-live (TTL) threshold of packets being forwarded out an interface, use the “ip multicast ttl-threshold <value>” command in interface configuration mode. Only multicast packets with a TTL value greater than the threshold are forwarded out the interface. The default TTL value is 0, which means that all multicast packets are forwarded out the interface.
You should configure the TTL threshold only on border routers. Conversely, routers on which you configure a TTL threshold value automatically become border routers.
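As an added example (not code from the page or from Cisco), the Python model below walks a multicast packet along a constructed path of routers and applies the page's rule on each outgoing interface: forward only if the TTL is greater than the interface's ttl-threshold, where threshold 0 forwards everything the TTL itself allows. The path, the router names and the decrement-before-compare ordering are this model's assumptions; it also lists which routers act as border routers because they carry a non-zero threshold.

```python
"""Constructed model (not Cisco code) of 'ip multicast ttl-threshold' applied on
the outgoing interface of each router along a forwarding path.  Assumption: a
router decrements the TTL on receipt and then forwards only if the remaining TTL
is greater than the interface threshold (the page's rule)."""
from typing import List, Optional, Tuple

Hop = Tuple[str, int]   # (router name, ttl-threshold on the interface it forwards out of)


def forward_out(ttl: int, threshold: int) -> bool:
    """Per-interface rule: forward only if the packet's TTL is greater than the threshold."""
    return ttl > threshold


def trace_path(initial_ttl: int, path: List[Hop]) -> Tuple[List[str], Optional[str]]:
    """Walk a packet hop by hop.  Returns the routers that forwarded it and the
    router that dropped it (None if it was forwarded by the last hop as well)."""
    ttl = initial_ttl
    forwarded: List[str] = []
    for router, threshold in path:
        ttl -= 1                                    # decrement on receipt (model assumption)
        if ttl <= 0 or not forward_out(ttl, threshold):
            return forwarded, router                # expired, or blocked by the scope border
        forwarded.append(router)
    return forwarded, None


def border_routers(path: List[Hop]) -> List[str]:
    """A router with a non-zero threshold on an interface is, by that fact, a border router."""
    return [router for router, threshold in path if threshold > 0]


# Constructed topology: RT3 is the site border with threshold 16 on its WAN interface
SITE_PATH: List[Hop] = [("RT1", 0), ("RT2", 0), ("RT3", 16), ("RT4", 0)]

if __name__ == "__main__":
    for ttl in (1, 15, 32):
        print(f"TTL {ttl:2d}:", trace_path(ttl, SITE_PATH))
    print("border routers:", border_routers(SITE_PATH))
```

A sender that sets TTL 15 keeps its stream inside the site (RT3 drops it), while TTL 32 crosses the border; this is the scoping effect the threshold is meant to provide, and it only works if every exit from the site carries the threshold.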
Multicast Rate Limitation
To control the rate at which a sender in the “source” list can send to a multicast group in the group list, use the “ip multicast rate-limit” command in interface configuration mode. The interface will accept (receive, in) or queue (send, out) only packets at the rate of the kbps value or slower.
By default there is no rate limit, but once this command is configured the kbps value defaults to 0, meaning that no traffic is permitted. Therefore always configure a positive kbps value when using this command.
Syntax:
ip multicast rate-limit {in | out} [video | whiteboard]
[group-list <ACL>] [source-list <ACL>] <kbps>
Where:
video (Optional) Performs rate limiting based on the User Datagram Protocol (UDP) port number used by video traffic. Video traffic is identified by consulting the Session Announcement Protocol (SAP) cache.
whiteboard (Optional) Performs rate limiting based on the UDP port number used by whiteboard traffic. Whiteboard traffic is identified by consulting the SAP cache.
group-list <ACL> (Optional) Specifies the access list number or name that controls which multicast groups are subject to the rate limit.
source-list <ACL> (Optional) Specifies the access list number or name that controls which senders are subject to the rate limit.
<kbps> Transmission rate (in kbps). Any packets sent at greater than this value are silently discarded. The default value is 0, meaning that no traffic is permitted. Therefore, set this to a positive value.
NOTE: For the video or whiteboard keyword to work, the ip sap listen command must be enabled so that the port number can be obtained from the SAP cache. If the ip sap listen command is not enabled, or the group address is not in the SAP cache, no rate-limiting is done for the group.
Example:
interface serial 0
ip multicast rate-limit out group-list 1 source-list 2 64
!
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 2 permit 172.16.0.0 0.0.255.255
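The Python model below is an added example, not code from the page or from Cisco. It reproduces the behaviour of the example above (64 kbps, applied only to senders in 172.16.0.0/16, any group) on constructed packets: matching traffic is accounted per one-second window and packets that would push the window past kbps × 1000 bits are silently discarded, while non-matching traffic is never limited, and kbps 0 shows the default that permits no traffic. The one-second accounting window and the packet samples are this model's assumptions; the page does not state how IOS measures the rate.

```python
"""Constructed model (not Cisco code) of
'ip multicast rate-limit out group-list 1 source-list 2 64'.  The one-second
accounting window is this model's assumption; kbps=0 reproduces the page's
warning that the default permits no traffic at all."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Packet = Tuple[float, str, str, int]   # (time in seconds, source, group, size in bytes)


class MulticastRateLimit:
    def __init__(self, kbps: int,
                 group_list: Optional[List[str]] = None,
                 source_list: Optional[List[str]] = None) -> None:
        self.bits_per_sec = kbps * 1000
        # group-list / source-list given as prefixes; omitted means "any", like the page's ACL 1
        self.groups = [ipaddress.IPv4Network(n) for n in (group_list or ["0.0.0.0/0"])]
        self.sources = [ipaddress.IPv4Network(n) for n in (source_list or ["0.0.0.0/0"])]
        self._window: Dict[int, int] = {}      # whole second -> bits already forwarded in it

    def applies(self, src: str, grp: str) -> bool:
        """Only packets matching both the group list and the source list are limited."""
        s, g = ipaddress.IPv4Address(src), ipaddress.IPv4Address(grp)
        return any(g in n for n in self.groups) and any(s in n for n in self.sources)

    def forward(self, t: float, src: str, grp: str, size_bytes: int) -> bool:
        """True if the packet goes out the interface, False if it is silently dropped."""
        if not self.applies(src, grp):
            return True                          # unmatched traffic is never limited
        sec = int(t)
        used = self._window.get(sec, 0)
        if used + size_bytes * 8 > self.bits_per_sec:
            return False                         # over the rate (always the case when kbps == 0)
        self._window[sec] = used + size_bytes * 8
        return True


def run(limiter: MulticastRateLimit, packets: List[Packet]) -> Tuple[int, int]:
    """Feed packets through the limiter in order; return (forwarded, dropped) counts."""
    forwarded = sum(1 for t, s, g, n in packets if limiter.forward(t, s, g, n))
    return forwarded, len(packets) - forwarded


# Constructed sample: ten 1000-byte packets within one second, i.e. 80 kbps offered load
SAMPLE: List[Packet] = [(i / 10, "172.16.1.10", "239.1.1.1", 1000) for i in range(10)]
OTHER_SOURCE: List[Packet] = [(t, "10.1.1.1", g, n) for t, _, g, n in SAMPLE]

if __name__ == "__main__":
    print("64 kbps, matching source :", run(MulticastRateLimit(64, source_list=["172.16.0.0/16"]), SAMPLE))
    print("64 kbps, other source    :", run(MulticastRateLimit(64, source_list=["172.16.0.0/16"]), OTHER_SOURCE))
    print("kbps left at default 0   :", run(MulticastRateLimit(0, source_list=["172.16.0.0/16"]), SAMPLE))
```

With 64 kbps only 8 of the 10 matching packets (8000 bits each) fit in the window and the last 2 are discarded; the same packets from a source outside 172.16.0.0/16 all pass, and with kbps 0 every matching packet is dropped, which is exactly the trap the page warns about.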