PIM Accept RP is a security feature on Cisco IOS routers that prevents unwanted rendezvous points or multicast groups from becoming active in the PIM sparse mode domain. By default an RP will accept all multicast groups in the 224.0.0.0/4 range (the entire class D range), but we can configure our router to allow PIM join/prune messages only towards the groups that we want.
Let me demonstrate this feature using a very simple topology:
There are only two routers, and R1 will be our rendezvous point. Let’s configure this network so that PIM sparse mode is enabled and R1 becomes the RP:
R1(config)#ip multicast-routing
R1(config)#ip pim rp-address 192.168.12.1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip pim sparse-mode
R2(config)#ip multicast-routing
R2(config)#ip pim rp-address 192.168.12.1
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip pim sparse-mode
This is how we enable multicast routing, configure R1 as the RP and enable sparse mode. Let’s take a look at which multicast groups R1 will serve:
R1#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 192.168.12.1 (?)
R2#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 192.168.12.1 (?)
Both routers agree that R1 is the RP for the entire multicast group range 224.0.0.0/4. Let’s change it so that it only accepts multicast group 239.1.1.1:
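An added example, not part of the original article: a Python audit that reads IOS configuration text and reports, for each static RP, whether an `ip pim accept-rp` statement ties it to a standard ACL and which groups that ACL permits. The sample configurations, the ACL name GROUPS (borrowed from a reader comment below) and all function names are constructed for illustration; deny entries and non-contiguous wildcards are not modelled.

```python
import ipaddress
import re

# Constructed sample configurations (not from the article).
OPEN_CFG = "ip multicast-routing\nip pim rp-address 192.168.12.1\n"
FILTERED_CFG = """\
ip multicast-routing
ip pim rp-address 192.168.12.1
ip pim accept-rp 192.168.12.1 GROUPS
ip access-list standard GROUPS
 permit 239.1.1.1
"""
ALL_GROUPS = ipaddress.ip_network("224.0.0.0/4")
RP_DISCOVERY = ipaddress.ip_address("224.0.1.40")  # group raised in the comments
ENTRY = r"permit (?:host )?(\S+)(?: (\d+\.\d+\.\d+\.\d+))?"

def to_net(addr, wildcard):
    """Turn a standard-ACL entry (address + optional wildcard) into a network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard or "0.0.0.0")) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(cfg):
    """Return {ACL name or number: [permitted networks]}; deny lines are ignored."""
    acls, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"ip access-list standard (\S+)", line):
            current = m[1]
        elif m := re.match(r"access-list (\d+) " + ENTRY, line):
            acls.setdefault(m[1], []).append(to_net(m[2], m[3]))
        elif current and (m := re.match(r"\s+(?:\d+ )?" + ENTRY, line)):
            acls.setdefault(current, []).append(to_net(m[1], m[2]))
        elif not line.startswith(" "):
            current = None
    return acls

def audit(cfg):
    """For each static RP: is it group-filtered, and which groups are accepted?"""
    acls = parse_acls(cfg)
    accept = {m[1]: m[2] for m in re.finditer(r"^ip pim accept-rp (\S+)(?: (\S+))?$", cfg, re.M)}
    report = {}
    for rp in re.findall(r"^ip pim rp-address (\S+)", cfg, re.M):
        acl = accept.get(rp)  # None: no accept-rp line, or one without an ACL
        nets = acls.get(acl, []) if acl else [ALL_GROUPS]
        report[rp] = {"filtered": acl is not None, "groups": [str(n) for n in nets],
                      "rp_discovery": any(RP_DISCOVERY in n for n in nets)}
    return report
```

An ACL that is referenced but not defined shows up as an empty `groups` list, which is worth checking by hand.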
Hi Hans,
192.168.12.1 is the IP address of R1. I usually use subnets / IP addresses like this:
192.168.XY.X where X = R1 and Y = R2.
For loopbacks I use 1.1.1.1/32 for R1, 2.2.2.2/32 for R2 etc.
Rene
Hi Jam,
It doesn’t matter if you use a loopback or “regular” interface as the source as long as the RPF check is correct. It’s difficult to tell what is wrong without seeing your config.
Hi Stefanita,
That’s right, thanks for letting us know. Just fixed this.
Rene
Hi Rene,
Your lab found at https://gns3vault.com/multicast/multicast-pim-accept-rp is a better example of this exercise. The difference here is that you used a standard ACL with the word “GROUPS” as opposed to numbers. Either way, thank you for both examples.
Jay K.
We will also need to allow the 224.0.1.40 address, as this is used for RP.
If it is not allowed, the below log is noticed.