Multicast can be controlled to some extent with Layer 2 features alone. By snooping IGMP, a switch can allow joins only for specific multicast groups or limit the number of receivers.
Overview
This page summarizes techniques for filtering multicast on Layer 2 devices.
Command list
The key commands for this scenario are as follows.
Switch(config)# ip igmp profile <profile_number>
Switch(config-igmp-profile)# { permit | deny }
Switch(config-igmp-profile)# range <low_addr> <high_addr>
Switch(config)# interface <interface>
Switch(config-if)# ip igmp filter <profile_number>
Switch(config-if)# ip igmp max-groups <num>
Switch(config-if)# ip igmp max-groups action { deny | replace }
Topology diagram
The lab uses the following environment.
   f0/0                                  f0/13
+--------+.1    f0/1+------+f0/13   .8+--------+
|   R1   +----------+      +----------+  SW2   |
+--------+          |      |          +--------+
   f0/0             |      |             f0/13
+--------+.3    f0/3|      |f0/16   .9+--------+
|   R3   +----------+ SW1  +----------+  SW3   |
+--------+          |      |          +--------+
   f0/0             |      |             f0/13
+--------+.5    f0/5|      |f0/19  .10+--------+
|   R5   +----------+      +----------+  SW4   |
+--------+          +------+          +--------+
            192.168.100.0/24 VLAN_100
[R1]
ip multicast-routing
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
ip pim dense-mode
[R3]
interface FastEthernet0/0
ip address 192.168.100.3 255.255.255.0
[R5]
interface FastEthernet0/0
ip address 192.168.100.5 255.255.255.0
[SW2]
interface FastEthernet0/13
no switchport
ip address 192.168.100.8 255.255.255.0
[SW3]
interface FastEthernet0/13
no switchport
ip address 192.168.100.9 255.255.255.0
[SW4]
interface FastEthernet0/13
no switchport
ip address 192.168.100.10 255.255.255.0
The full configurations are in the files below. Refer to them for the detailed settings.
R1
!
! Last configuration change at 03:16:49 UTC Sat May 4 2013
! NVRAM config last updated at 03:20:51 UTC Sat May 4 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip multicast-routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
ip pim dense-mode
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
!
!
end
R3
!
! Last configuration change at 03:20:19 UTC Sat May 4 2013
! NVRAM config last updated at 03:20:20 UTC Sat May 4 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.100.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
!
!
end
R5
!
! Last configuration change at 03:20:20 UTC Sat May 4 2013
! NVRAM config last updated at 03:20:22 UTC Sat May 4 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
warm-reboot
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.100.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
SW1
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
SW2
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
no switchport
ip address 192.168.100.8 255.255.255.0
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
SW3
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW3
!
!
no aaa new-model
ip subnet-zero
!
vtp file vlan.dat
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
no switchport
ip address 192.168.100.9 255.255.255.0
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
SW4
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW4
!
!
no aaa new-model
ip subnet-zero
!
vtp file vlan.dat
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
no switchport
ip address 192.168.100.10 255.255.255.0
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
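Specification
IGMP filter
The following commands make the switch forward IGMP joins only for specific multicast groups. The permit or deny keyword determines whether the profile defines the multicast groups that are allowed or the multicast groups that are rejected.
Switch(config)# ip igmp profile <profile_number>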
Switch(config-igmp-profile)# { permit | deny }
Switch(config-igmp-profile)# range <low_addr> <high_addr>
An IGMP profile defined with the commands above is applied to an interface with the ip igmp filter command, as follows.
Switch(config)# interface <interface>
Switch(config-if)# ip igmp filter <profile_number>
IGMP max-group
The following commands define an upper limit on the number of multicast groups for which IGMP joins are forwarded.
Switch(config)# interface <interface>
Switch(config-if)# ip igmp max-groups <num>
IGMP max-group action
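The behavior when the limit defined by ip igmp max-groups is reached is set with ip igmp max-groups action. The default is deny: once the limit is reached, new IGMP join messages are dropped. With replace, the oldest entry among the permitted multicast groups is replaced by the new entry, and the IGMP join message is forwarded.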
Switch(config)# interface <interface>
Switch(config-if)# ip igmp max-groups <num>
Switch(config-if)# ip igmp max-groups action { deny | replace }
IGMP filter
Configuration
On SW1, configure the port connected to R3 to permit IGMP joins only for 229.9.9.0/24.
[SW1]
ip igmp profile 4
permit
range 229.9.9.0 229.9.9.255
!
interface FastEthernet0/3
ip igmp filter 4
Verification
Send the following two IGMP join messages from R3 toward R1.
[R3]
interface FastEthernet0/0
ip igmp join-group 228.8.8.8
ip igmp join-group 229.9.9.9
The output shows that the IGMP join for 228.8.8.8 was filtered, while the IGMP join for 229.9.9.9 sent by R3 reached R1.
[R1]
R1#show ip igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter Group Accounted
229.9.9.9 FastEthernet0/0 00:00:38 00:02:21 192.168.100.3
224.0.1.40 FastEthernet0/0 00:09:57 00:02:58 192.168.100.1
R1#
max-groups
Configuration
On SW1, allow at most three IGMP joins on the port connected to R5.
[SW1]
interface FastEthernet0/5
ip igmp max-groups 3
ip igmp filter 4
Verification
Send the following five IGMP join messages from R5 toward R1.
[R5]
interface FastEthernet0/0
ip igmp join-group 229.9.9.1
ip igmp join-group 229.9.9.2
ip igmp join-group 229.9.9.3
ip igmp join-group 229.9.9.4
ip igmp join-group 229.9.9.5
The output shows that three of the five IGMP messages arrived.
[R1]
R1#show ip igmp groups | include 192.168.100.5
229.9.9.1 FastEthernet0/0 00:00:22 00:02:37 192.168.100.5
229.9.9.3 FastEthernet0/0 00:00:22 00:02:37 192.168.100.5
229.9.9.2 FastEthernet0/0 00:00:22 00:02:37 192.168.100.5
R1#
max-groups action
Configuration
On SW1, allow at most three IGMP joins on the port connected to SW2. In addition, allow older entries in the list of permitted IGMP joins to be overwritten by newer entries.
[SW1]
interface FastEthernet0/13
ip igmp max-groups 3
ip igmp max-groups action replace
ip igmp filter 4
Verification
Send the following five IGMP join messages from SW2 toward R1.
[SW2]
interface FastEthernet0/13
ip igmp join-group 229.9.9.1
ip igmp join-group 229.9.9.2
ip igmp join-group 229.9.9.3
ip igmp join-group 229.9.9.4
ip igmp join-group 229.9.9.5
Confirm that all of the IGMP messages arrived.
[R1]
R1#show ip igmp groups | include 192.168.100.8
229.9.9.1 FastEthernet0/0 00:02:03 00:02:49 192.168.100.8
229.9.9.3 FastEthernet0/0 00:02:03 00:02:48 192.168.100.8
229.9.9.2 FastEthernet0/0 00:02:03 00:02:47 192.168.100.8
229.9.9.5 FastEthernet0/0 00:00:07 00:00:01 192.168.100.8
229.9.9.4 FastEthernet0/0 00:00:09 00:02:59 192.168.100.8
R1#
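The admission logic described on this page (profile range check, max-groups limit, deny versus replace), as an added Python model that replays the join sequences from the three labs. It is not Cisco's implementation or code from the original page. The IgmpPort class and replay helper are hypothetical names, joins are assumed to arrive in the order listed, and replace evicts the oldest entry as the page describes.

```python
import ipaddress
from collections import OrderedDict

class IgmpPort:
    """Model of one switch port's IGMP admission checks as this page describes them."""

    def __init__(self, permit_range=None, max_groups=None, action="deny"):
        # permit_range models "ip igmp profile N / permit / range <low> <high>".
        self.permit_range = None
        if permit_range:
            self.permit_range = tuple(ipaddress.IPv4Address(a) for a in permit_range)
        self.max_groups = max_groups          # ip igmp max-groups <num>
        self.action = action                  # ip igmp max-groups action {deny|replace}
        self.groups = OrderedDict()           # admitted groups, oldest first

    def join(self, group):
        """Return True if the join is forwarded, False if it is dropped."""
        addr = ipaddress.IPv4Address(group)
        if not addr.is_multicast:
            raise ValueError(f"{group} is not a multicast group address")
        if self.permit_range:
            low, high = self.permit_range
            if not low <= addr <= high:
                return False                  # outside the permitted range: filtered
        if group in self.groups:
            return True                       # refresh of an already admitted group
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return False                  # default action: drop the new join
            self.groups.popitem(last=False)   # replace: evict the oldest entry
        self.groups[group] = True
        return True

def replay(port, joins):
    """Feed joins in listed order (assumption); return (forwarded, port table)."""
    forwarded = [g for g in joins if port.join(g)]
    return forwarded, list(port.groups)

PROFILE_4 = ("229.9.9.0", "229.9.9.255")      # range from the page's profile 4
FIVE = [f"229.9.9.{i}" for i in range(1, 6)]  # joins sent by R5 and by SW2

if __name__ == "__main__":
    print(replay(IgmpPort(PROFILE_4), ["228.8.8.8", "229.9.9.9"]))  # f0/3 lab
    print(replay(IgmpPort(PROFILE_4, 3, "deny"), FIVE))             # f0/5 lab
    print(replay(IgmpPort(PROFILE_4, 3, "replace"), FIVE))          # f0/13 lab
```

With replace, every join is forwarded but the port table still holds only three groups, which is why R1 sees all five groups from 192.168.100.8 while the port limit remains in force.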