Configuration Note
Understanding and using the "ip pim rp-announce-filter" command        11/2001
------------------------------------------------------------------------------

    [no] ip pim rp-announce-filter [rp-list ] [group-list ]

This command allows you to configure policies on an AutoRP mapping agent
defining which routers' candidate RP announcements are to be filtered
(ignored) by the mapping agent.

You can use this command to make the mapping agent ignore the RP announcement
messages from specific or unknown routers. You can filter RP announce messages
from an RP for specific group prefixes, restricting that router to be the
candidate-RP only for the ranges not filtered on the mapping agent.

If you use more than one RP-mapping agent, you must configure the same filters
on all mapping agents to avoid inconsistencies in AutoRP operations.

If no "ip pim rp-announce-filter" commands are configured, a router enabled to
be an AutoRP mapping agent (via "ip pim send-rp-discovery") will accept any
candidate RP announcements from any routers. Configure one or more
"ip pim rp-announce-filter" commands on the mapping agent(s) to filter (ignore)
unwanted rp-announce messages.

A received RP announce message from RP for group prefix is filtered by a
configured command

    ip pim rp-announce-filter rp-list group-list

if is permitted by and is denied by .

If the argument "rp-list " is not configured, the command will permit all .
If the argument "group-list " is not configured, the command will deny all .
You cannot configure "ip pim rp-announce-filter" without any arguments (this
would mean filtering all received RP announce messages, which is equivalent to
not configuring a mapping agent at all on the router).

Note: in Cisco IOS images in which CSCdv69238 is not fixed, you must always
use the "group-list " argument. Omitting this option makes the command permit
all groups, so that it filters nothing and is useless.

The order of "ip pim rp-announce-filter" commands in the configuration does
not matter, because each configured "ip pim rp-announce-filter" command only
filters received RP announce messages as explained above; it does not by
itself permit any received RP announce message. A received RP announce message
is accepted only if it is not filtered by any of the configured
"ip pim rp-announce-filter" commands!

Negative entries (see "ip pim send-rp-announce") are filtered like normal RP
announcements - "ip pim rp-announce-filter" does not differentiate between
normal and negative entries. Likewise, the command cannot differentiate
between sparse-mode and bidir-mode RP announcements. [11.1]

Example:

[1] RPs 10.30.12.1 and 10.17.3.4 are the known and allowed RPs for the global
    scope range:

    ! RP 10.30.12.1 configuration (10.17.3.4 equivalent)
    ip pim send-rp-announce loopback 0 scope 127 group-list global-s
    interface loopback 0
     ip address 10.30.12.1 255.255.255.0
     ip pim sparse-dense-mode
    ip access-list standard global-s
     permit 224.0.0.0 15.255.255.255

[2] RPs 10.10.15.57 and 10.50.33.20 are the known and allowed RPs for the
    admin scope address range (239.0.0.0 ...239.255.255.255), but they should
    not be allowed to be RPs for other group ranges.

    ! RP 10.10.15.57 configuration (10.50.33.20 equivalent)
    ip pim send-rp-announce loopback 0 scope 127 group-list admin-s
    interface loopback 0
     ip address 10.10.15.57 255.255.255.0
     ip pim sparse-dense-mode
    ip access-list standard admin-s
     permit 239.0.0.0 0.255.255.255

[3] Messages from other candidate RPs should be ignored except for the address
    range 239.192.0.0 that (for the purpose of this example) should be open to
    experiments.

    ! Mapping agent configuration
    ip pim send-rp-discovery loopback 0 scope 127
    interface loopback 0
     ip address 10.99.18.7 255.255.255.0
     ip pim sparse-dense-mode

    ip pim rp-announce-filter rp-list globl-rps group-list globl-scp ![1]
    ip pim rp-announce-filter rp-list scope-rps group-list admin-scp ![2]
    ip pim rp-announce-filter rp-list other-rps group-list game-grps ![3]

    ip access-list standard globl-rps
     permit host 10.30.12.1
     permit host 10.17.3.4
    ip access-list standard globl-scp
     deny 239.0.0.0 0.255.255.255
     permit 224.0.0.0 15.255.255.255
    ip access-list standard scope-rps
     permit host 10.10.15.57
     permit host 10.50.33.20
    ip access-list standard admin-scp
     permit 239.0.0.0 0.255.255.255
    ip access-list standard other-rps
     deny host 10.30.12.1      ! need to deny all known RPs here
     deny host 10.17.3.4       ! so that command [3] does not match them
     deny host 10.10.15.57
     deny host 10.50.33.20
     permit any
    ip access-list standard game-grps
     permit 239.192.0.0 0.0.255.255
     ! deny any any - this is implicit at the end of each
     !                access list - for the normal case - deny
     !                all groups for the unknown RP this access
     !                list would simply need to be empty

Note: The filtering rule [1] for the global scope RP is not particularly
useful and is only shown for instructional purposes: Filtering admin scope
range RP announcements for these RPs at best protects against the
misconfiguration case in which either of these two RPs incorrectly announces
239.0.0.0/8 directly. Filtering in this case does not prevent those two RPs
from potentially becoming the RP for the admin scope range - when both admin
scope RPs 10.10.15.57 and 10.50.33.20 fail, the network will not see any RP
announcement for 239.0.0.0/8, so that the shorter mask announcement
224.0.0.0/4 from the global RPs will also apply to the admin scope range. In
general it is thus not possible to effectively filter an address subrange of a
range that is allowed to be announced by a particular router.
This is a limitation of AutoRP, not of this filtering command.
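
Added example (not part of the original note and not Cisco code): a small Python model of the filtering rule, applied to the mapping agent configuration above, that also reproduces the fallback described in the final note. It assumes the group-list is matched against the announced prefix's network address and that the longest accepted prefix covering a group decides its RP; the candidate RP 10.1.1.1 and the announcement lists are constructed.

```python
import ipaddress

def permits(acl, addr):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    addr = ipaddress.ip_address(addr)
    for entry in acl:
        action, net = entry.split()
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False

# ACLs from the mapping agent configuration, wildcard masks written as prefixes.
ACLS = {
    "globl-rps": ["permit 10.30.12.1/32", "permit 10.17.3.4/32"],
    "globl-scp": ["deny 239.0.0.0/8", "permit 224.0.0.0/4"],
    "scope-rps": ["permit 10.10.15.57/32", "permit 10.50.33.20/32"],
    "admin-scp": ["permit 239.0.0.0/8"],
    "other-rps": ["deny 10.30.12.1/32", "deny 10.17.3.4/32",
                  "deny 10.10.15.57/32", "deny 10.50.33.20/32",
                  "permit 0.0.0.0/0"],
    "game-grps": ["permit 239.192.0.0/16"],
}
FILTERS = [("globl-rps", "globl-scp"),   # [1]
           ("scope-rps", "admin-scp"),   # [2]
           ("other-rps", "game-grps")]   # [3]

def filtered(rp, prefix):
    """True if any filter command matches; command order does not matter."""
    # Assumption: the group-list sees only the prefix's network address.
    group = ipaddress.ip_network(prefix).network_address
    return any(permits(ACLS[r], rp) and not permits(ACLS[g], group)
               for r, g in FILTERS)

def rps_for(group, announcements):
    """RPs whose accepted announcement is the longest prefix covering group."""
    group = ipaddress.ip_address(group)
    live = [(ipaddress.ip_network(p), rp) for rp, p in announcements
            if not filtered(rp, p) and group in ipaddress.ip_network(p)]
    best = max((net.prefixlen for net, _ in live), default=None)
    return sorted(rp for net, rp in live if net.prefixlen == best)

# Constructed announcements: (candidate RP, announced group prefix).
GLOBAL = [("10.30.12.1", "224.0.0.0/4"), ("10.17.3.4", "224.0.0.0/4")]
ADMIN = [("10.10.15.57", "239.0.0.0/8"), ("10.50.33.20", "239.0.0.0/8")]

if __name__ == "__main__":
    print(filtered("10.1.1.1", "224.0.0.0/4"))    # unknown RP, global range
    print(rps_for("239.1.1.1", GLOBAL + ADMIN))   # admin scope RPs alive
    print(rps_for("239.1.1.1", GLOBAL))           # admin scope RPs failed
```

With both admin scope RPs absent, the model hands 239.1.1.1 to the global RPs even though rule [1] filters any direct 239.0.0.0/8 announcement from them.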