In this post we look at a sometimes misunderstood command, ip pim rp-announce-filter, and figure out how it is used to filter unwanted devices from becoming RPs. The topology for this example is very small, just two routers.

R1—R2

Requirements:

R1 = 1.1.1.1, R2 = 2.2.2.2

R1 is the Mapping Agent.

R1 should be the RP for 239.0.0.1.

No other router device should be allowed to be RP for any other group.

R1 is configured as the MA and RP while R2 is also configured as an RP, so we can test our filtering commands. After this initial configuration we have the following RP information:

R1#sho ip pim rp mapping

PIM Group-to-RP Mappings

This system is an RP (Auto-RP)

This system is an RP-mapping agent (Loopback1)

Group(s) 224.0.0.0/4

RP 2.2.2.2 (?), v2v1

Info source: 2.2.2.2 (?), elected via Auto-RP

Uptime: 00:01:49, expires: 00:02:08

RP 1.1.1.1 (?), v2v1

Info source: 1.1.1.1 (?), via Auto-RP

Uptime: 00:01:46, expires: 00:02:11

R2 has been elected as RP based on higher IP address. Let’s configure our initial filtering policy. An important thing to remember here is that we also have to put an ACL on the ip pim send-rp-announce command. If you announce yourself as RP for a block, the mapping agent cannot split that block up for you. For example, if you announce yourself as RP for 224.0.0.0/4, the mapping agent cannot filter you down to 239.0.0.1 by itself. So R1 must announce itself as RP for 239.0.0.1 in order for the MA to strictly allow only R1 to be RP for only that group. Here is the configuration:

R1(config)#access-list 1 permit 1.1.1.1 0.0.0.0

R1(config)#access-list 2 permit 239.0.0.1 0.0.0.0

R1(config)#ip pim send-rp-announce loopback 1 scope 10 group-list 2

R1(config)#ip pim rp-announce-filter rp-list 1 group-list 2

Wait a few minutes or clear the RP information with the clear ip pim rp-mapping and you should see the following:

R1#sho ip pim rp mapping

PIM Group-to-RP Mappings

This system is an RP (Auto-RP)

This system is an RP-mapping agent (Loopback1)

Group(s) 224.0.0.0/4

RP 2.2.2.2 (?), v2v1

Info source: 2.2.2.2 (?), elected via Auto-RP

Uptime: 00:00:44, expires: 00:02:13

Group(s) 239.0.0.1/32

RP 1.1.1.1 (?), v2v1

Info source: 1.1.1.1 (?), elected via Auto-RP

Uptime: 00:01:04, expires: 00:02:56

R1#

R1 is correctly elected as RP for 239.0.0.1. But notice that R2 is still being learned and elected as an RP for the remaining groups. The ip pim rp-announce-filter command does not filter any RPs that are denied by the RP-list ACL. Since ACL 1 only permits 1.1.1.1 (and implicitly denies the rest), no other RPs are actually filtered. To do this we create a couple more ACLs and apply them to a second ip pim rp-announce-filter command.

R1(config)#access-list 3 deny 1.1.1.1 0.0.0.0

R1(config)#access-list 3 permi any

R1(config)#access-list 4 deny 224.0.0.0 15.255.255.255

R1(config)#ip pim rp-announce-filter rp-list 3 group-list 4

Now we have a working filter that says any router permitted by ACL 3 will be denied from being an RP for any group (224.0.0./4 specified in ACL 4). Remember that we have to deny 1.1.1.1 in ACL 3, otherwise it would be blocked, even though we permit it in the first filter.

Wait a few minutes and verify:

R1#sho ip pim rp mapping

PIM Group-to-RP Mappings

This system is an RP (Auto-RP)

This system is an RP-mapping agent (Loopback1)

Group(s) 239.0.0.1/32

RP 1.1.1.1 (?), v2v1

Info source: 1.1.1.1 (?), elected via Auto-RP

Uptime: 00:03:09, expires: 00:02:49

Hope that explains it. Leave any comments or questions below.

Good luck!

Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer – IPexpert, Inc.