How to protect a PIM-SM network from unauthorized pim routers and multicast sources?

Hi,
We're using PIM sparse mode in a customer network with Catalyst 2/3/4/6K switches; all multicast routers are redundant, with PIM DR running for access subnets. RPs are configured with anycast RP.
A) Is there any possibility to prevent rogue PIM routers/IGMP queriers connected to host ports from getting connected to the legal PIM routers and from getting involved in the local IGMP traffic?
Maybe like DHCP Snooping used with DHCP. I read that in the latest Sup2T IOS (http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/catalyst6500/ios/15-2SY/config_guide/sup2T/15_2_sy_swcg_2T.pdf) there is a feature called 'ipv4 router guard' which does exactly what we're looking for:
'When configured, the Router Guard feature makes the specified port a host port only. The port is prevented from becoming a router port, even if a multicast router control packets are received. In addition, any control packets normally received from multicast routers, such as IGMP queries and PIM joins, will also be discarded by this filter.'
AFAIK, PIM authentication isn't supported in current Catalyst IOS versions.
Using a normal port ACL is not an option in our case because of a management decision.
B) Is there any possibility to prevent (on a per-subnet basis) rogue sources from sending multicast streams to legal multicast-groups?
Maybe, can I configure an SVI of a host subnet or a host port to drop any incoming multicast stream while still accepting IGMP and sending out legal multicast streams?
Using the 'ip pim accept-register' command on the RP is not an option because we have tons of legal sources, which would end in a very huge, error-prone ACL.
Unfortunately, a normal ACL is not an option here, too.
Best Regards
Thorsten

We use two PIM routers in each host subnet for redundancy; they elect the PIM DR.
Does pim passive mode work here?
(Config Guide: If the ip pim passive command is configured on an interface enabled for IP multicast, the router will operate this interface in PIM passive mode, which means that the router will not send PIM messages on the interface nor will it accept PIM messages from other routers across this interface. The router will instead consider that it is the only PIM router on the network and thus act as the DR and also as the DF for all bidir-PIM group ranges. IGMP operations are unaffected by this command. ... The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces.)
'ip pim neighbor-filter' would maybe work to prevent rogue PIM routers from connecting to the legal PIM routers, but wouldn't rogue PIM routers still be able to manipulate the layer 2 switch into sending all IGMP traffic to them and not to the legal PIM routers?
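
A simplified model of the router-guard behaviour quoted in the question, as an added example that is not part of the original posts and is not Cisco's implementation: it classifies raw IPv4 packets as multicast-router control traffic (any PIM message, IGMP queries) or host IGMP, and shows which ports a snooping switch would learn as router ports with and without discarding that traffic on host ports. The port names, addresses, sample packets and the snooping-learning rule are assumptions made for illustration.

```python
import socket
import struct

IGMP, PIM = 2, 103                          # IPv4 protocol numbers
IGMP_QUERY = 0x11                           # membership query (sent by queriers)
IGMP_HOST_TYPES = {0x12, 0x16, 0x17, 0x22}  # v1/v2 report, v2 leave, v3 report

def classify(pkt: bytes) -> str:
    """Classify a raw IPv4 packet: 'router-control', 'host-igmp' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4               # IGMP carries Router Alert, so IHL is often 24
    if ihl < 20 or len(pkt) <= ihl:
        return "other"
    proto, first = pkt[9], pkt[ihl]
    if proto == PIM or (proto == IGMP and first == IGMP_QUERY):
        return "router-control"             # PIM hello/join/prune or IGMP query
    if proto == IGMP and first in IGMP_HOST_TYPES:
        return "host-igmp"
    return "other"

def host_port_filter(pkt: bytes) -> bool:
    """Host-only port model: True = forward, False = discard."""
    return classify(pkt) != "router-control"

def learned_router_ports(events, guarded=frozenset()):
    """Ports a snooping switch would mark as multicast-router ports (simplified)."""
    return {port for port, pkt in events
            if port not in guarded and classify(pkt) == "router-control"}

def ipv4(proto, src, dst, payload, router_alert=False):
    """Build a constructed IPv4 packet (checksums left at zero, not validated here)."""
    opts = b"\x94\x04\x00\x00" if router_alert else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(opts) // 4), 0xC0,
                      20 + len(opts) + len(payload), 0, 0, 1, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + opts + payload

# Constructed sample traffic; port names and addresses are made up for illustration.
QUERY = ipv4(IGMP, "192.0.2.66", "224.0.0.1", bytes([0x11, 100, 0, 0, 0, 0, 0, 0]), True)
HELLO = ipv4(PIM, "192.0.2.66", "224.0.0.13", bytes([0x20, 0, 0, 0]))
REPORT = ipv4(IGMP, "192.0.2.20", "239.1.1.1", bytes([0x16, 0, 0, 0, 239, 1, 1, 1]), True)
EVENTS = [("uplink", HELLO), ("host7", QUERY), ("host7", HELLO), ("host9", REPORT)]

if __name__ == "__main__":
    print(learned_router_ports(EVENTS))                      # unguarded access ports
    print(learned_router_ports(EVENTS, guarded={"host7", "host9"}))
```

Host IGMP reports still pass the filter, which is the property the question asks for: the port can join groups but cannot present itself as a querier or PIM neighbour.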
