Multicast MSDP SA (Source Active) Filtering
MSDP uses SA (Source Active) messages that contain S,G (Source Group) information for RPs (Rendezvous Points) in PIM sparse domains. Thanks to MSDP, RPs can learn about multicast sources in remote PIM sparse domains. With a default MSDP configuration, all SA messages are advertised and received between MSDP peers.
On your network, there are probably a couple of S,G states that should stay within your network and that don’t have to be advertised to MSDP peers on remote networks. For example:
- Local applications that use multicast and that are only used on the LAN.
- Multicast traffic that uses private addresses as the source.
- Multicast groups in the private 239.0.0.0/8.
By enabling MSDP SA filtering of some S,G states we:
- Reduce the number of MSDP SA messages that are exchanged between MSDP peers.
- Reduce the size of the MSDP SA cache.
- Don’t leak S,G state information that remote peers shouldn’t know about.
Configuration
To demonstrate MSDP SA filtering, I use this topology:
[Figure: MSDP SA Filtering Topology]
Here’s what we have:
- R1 and H1 are on LAN1, R2 and H2 are on LAN2.
- R1 and R2 are connected to each other with a private WAN connection.
- R1 is the RP in LAN1.
- R2 is the RP in LAN2.
- R1 and R2 are MSDP peers.
- H1 and H2 are only used to ping different multicast groups to trigger MSDP SA messages.
Want to take a look for yourself? Here you will find the startup configuration of each device.
Let’s take a look at our MSDP peering:
R1#show ip msdp peer
MSDP Peer 12.12.12.2 (?), AS ?
Connection status:
State: Up, Resets: 0, Connection source: GigabitEthernet0/1 (12.12.12.1)
Uptime(Downtime): 00:03:09, Messages sent/received: 4/4
Output messages discarded: 0
Connection and counters cleared 00:04:09 ago
SA Filtering:
Input (S,G) filter: none, route-map: none
Input RP filter: none, route-map: none
Output (S,G) filter: none, route-map: none
Output RP filter: none, route-map: none
SA-Requests:
Input filter: none
Peer ttl threshold: 0
SAs learned from this peer: 0
Number of connection transitions to Established state: 1
Input queue size: 0, Output queue size: 0
MD5 signature protection on MSDP TCP connection: not enabled
Message counters:
RPF Failure count: 0
SA Messages in/out: 0/0
SA Requests in: 0
SA Responses out: 0
Data Packets in/out: 0/0
As you can see above, nothing is filtered at all. This means that all S,G state entries are exchanged through MSDP. Let’s try a quick ping from H1 to see if this is true:
H1#ping 239.1.1.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
.
The ping fails since there is no listener for this multicast group but it doesn’t matter. This adds an entry in the multicast routing table that will be exchanged through MSDP. Let’s check R2:
R2#show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
(192.168.1.1, 239.1.1.1), RP 12.12.12.1, AS ?,00:00:23/00:05:41, Peer 12.12.12.1
Above, we see that R2 has received an entry for 239.1.1.1 with RP 1.1.1.1 in its MSDP SA cache.
Let’s try to filter some things. I’ll create the following access-list on both MSDP routers:
R1 & R2
(config)#ip access-list extended MSDP_SA_FILTER
Let’s look at some examples of what we could filter now.
Local Multicast Traffic
There are applications we use on the LAN and that use multicast traffic but never leave the LAN. Here are two examples:
- Microsoft Directory Services: this is something Windows uses for resource (files/printers) sharing on Windows 2000, XP, 2003, etc. It uses multicast group address 224.0.1.24.
- HP Device Discovery: this is used to find HP printers on your local subnet. It uses multicast group address 224.0.1.60.
We can filter applications like this with the following deny statements:
(config-ext-nacl)#deny ip any host 224.0.1.24
(config-ext-nacl)#deny ip any host 224.0.1.60
Auto RP Groups
Auto RP uses multicast addresses 224.0.1.39 and 224.0.1.40. We don’t need to exchange these between remote MSDP peers so let’s filter them:
(config-ext-nacl)#deny ip any host 224.0.1.39
(config-ext-nacl)#deny ip any host 224.0.1.40
Administratively Scoped
239.0.0.0/8 is the administratively scoped multicast range (private range). It’s used for your LAN and not between different sites. Let’s make sure this entire range is not advertised between MSDP peers:
(config-ext-nacl)#deny ip any 239.0.0.0 0.255.255.255
Private Addresses
Perhaps you want to filter anything that comes from certain private source IP addresses? Here is an example where we filter all private IP addresses:
(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any
(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any
SSM (Source Specific Multicast)
We don’t need to exchange S,G states for SSM (Source Specific Multicast) so let’s get rid of it:
(config-ext-nacl)#deny ip any 232.0.0.0 0.255.255.255
Permit Default
Don’t forget to create a “permit ip any any” at the end:
(config-ext-nacl)#permit ip any any
MSDP SA-Filter
Last but not least, let’s enable the filter. I will enable it in both directions on both MSDP routers:
R1(config)#ip msdp sa-filter in 12.12.12.2 list MSDP_SA_FILTER
R1(config)#ip msdp sa-filter out 12.12.12.2 list MSDP_SA_FILTER
R2(config)#ip msdp sa-filter in 12.12.12.1 list MSDP_SA_FILTER
R2(config)#ip msdp sa-filter out 12.12.12.1 list MSDP_SA_FILTER
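To see exactly which (S,G) entries the MSDP_SA_FILTER access-list above lets through, here is an added Python model of the filter (example code written for this page, not Cisco IOS code). It reproduces Cisco wildcard-mask matching, top-down first-match evaluation and the implicit deny at the end of an access-list, and runs it over constructed SA entries shaped like the show ip msdp sa-cache output in this lesson.

```python
import ipaddress

# The MSDP_SA_FILTER access-list from this lesson, one entry per line:
# (action, source, source wildcard, group, group wildcard).
# "any" is 0.0.0.0 with wildcard 255.255.255.255; "host X" is X with wildcard 0.0.0.0.
ANY, ANY_WILD = "0.0.0.0", "255.255.255.255"
MSDP_SA_FILTER = [
    ("deny",   ANY, ANY_WILD, "224.0.1.24", "0.0.0.0"),        # Microsoft Directory Services
    ("deny",   ANY, ANY_WILD, "224.0.1.60", "0.0.0.0"),        # HP Device Discovery
    ("deny",   ANY, ANY_WILD, "224.0.1.39", "0.0.0.0"),        # Auto-RP announce
    ("deny",   ANY, ANY_WILD, "224.0.1.40", "0.0.0.0"),        # Auto-RP discovery
    ("deny",   ANY, ANY_WILD, "239.0.0.0",  "0.255.255.255"),  # administratively scoped range
    ("deny",   "10.0.0.0",    "0.255.255.255", ANY, ANY_WILD), # private source addresses
    ("deny",   "172.16.0.0",  "0.15.255.255",  ANY, ANY_WILD),
    ("deny",   "192.168.0.0", "0.0.255.255",   ANY, ANY_WILD),
    ("deny",   ANY, ANY_WILD, "232.0.0.0",  "0.255.255.255"),  # SSM range
    ("permit", ANY, ANY_WILD, ANY, ANY_WILD),                  # permit ip any any
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

def sa_permitted(source, group, acl=MSDP_SA_FILTER):
    """First matching entry decides; no match at all hits the implicit deny."""
    for action, src, src_w, dst, dst_w in acl:
        if wildcard_match(source, src, src_w) and wildcard_match(group, dst, dst_w):
            return action == "permit"
    return False

def filter_sa_cache(entries, acl=MSDP_SA_FILTER):
    """Return the (S,G) pairs that would still be advertised or accepted with 'ip msdp sa-filter'."""
    return [(s, g) for s, g in entries if sa_permitted(s, g, acl)]

if __name__ == "__main__":
    # Constructed (S,G) entries modelled on the lesson's SA cache output.
    sample = [("192.168.1.1", "239.1.1.1"), ("1.1.1.1", "224.1.1.1"),
              ("1.1.1.1", "224.0.1.40"), ("1.1.1.1", "232.5.5.5")]
    for s, g in sample:
        print(f"({s}, {g}) -> {'permit' if sa_permitted(s, g) else 'deny'}")
```

Dropping the final permit entry from the list shows why the page insists on it: every SA is then denied by the implicit deny, and the peers stop exchanging any S,G state at all.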
Verification
Everything we filtered won’t show up in the MSDP SA cache anymore. Let’s try to ping some multicast addresses:
R1#ping 239.1.1.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
.
R1#ping 224.1.1.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.1.1.1, timeout is 2 seconds:
.
The 239.1.1.1 address is a private multicast address and I filtered this. The second address (224.1.1.1) should work. Let’s take a look at the SA cache:
R2#show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
(1.1.1.1, 224.1.1.1), RP 12.12.12.1, AS ?,00:00:16/00:05:43, Peer 12.12.12.1
Learned from peer 12.12.12.1, RPF peer 12.12.12.1,
SAs received: 1, Encapsulated data received: 1
This is looking good, we only find the entry for 224.1.1.1. That’s all there is to it!