I think when specifying an ACL with a RP announcement, the deny statements will create negative entries for groups. However a deny any at the end of the ACL will effectively make ALL groups negative, and hence dense mode, regardless of what’s configured. As an example:
ip pim send-rp-announce Loopback0 scope 15 group-list 12 interval 1 access-list 12 deny 224.110.110.110 access-list 12 permit 224.0.0.0 15.255.255.255 access-list 12 deny any Group(s) (-) 224.0.0.0/4 BR Tony On 25 March 2013 21:07, imad Abdallah <[email protected]> wrote: > Why did you use a deny clause in the access list (only allowing the required > groups should be enough)? > As I remember (i could be wrong); all groups denied in the access list will > be used in dense mode. > > >> Date: Mon, 25 Mar 2013 23:02:54 +0300 >> From: [email protected] >> To: [email protected] >> Subject: [OSL | CCIE_RS] MAPPING AGENT filtering RP's >> >> Hi all. >> >> i have a basic topology ... R3------R1 >> >> R3 is advertising himself as rp for complete block ... >> ip pim send-rp-announce lo 0 scope 10 interval 5 >> >> R1 the mapping agent ..wants to filter groups from R3 ...ie R3 sould >> only service 232.0.0.0 7.255.255.255 >> >> so here what i did on R1 the MA >> R1#conf t >> Enter configuration commands, one per line. End with CNTL/Z. >> >> R1(config)#access-list 2 deny 224.0.0.0 7.255.255.255 >> >> R1(config)#access-list 2 permit 232.0.0.0 7.255.255.255 >> R1(config)#exit >> >> >> ip pim autorp listener >> ip pim send-rp-discovery FastEthernet0/0 scope 10 >> ip pim rp-announce-filter rp-list 1 group-list 2 >> >> R1#show ip pim rp map >> >> PIM Group-to-RP Mappings >> This system is an RP-mapping agent (FastEthernet0/0) >> R1#show ip pim rp map >> >> PIM Group-to-RP Mappings >> This system is an RP-mapping agent (FastEthernet0/0) >> >> R1#show access-lists >> Standard IP access list 1 >> 10 permit 13.0.0.3 (140 matches) >> >> Standard IP access list 2 >> 10 deny 224.0.0.0, wildcard bits 7.255.255.255 (20 matches) >> 20 permit 232.0.0.0, wildcard bits 7.255.255.255 >> >> As you can see denying only a subset of 224.0.0.0 is making it >> deny complete block ... >> >> is this normal behavior ?? >> >> Can any one try the same requirmnet and see if it works >> _______________________________________________ >> For more information regarding industry leading CCIE Lab training, please >> visit www.ipexpert.com >> >> Are you a CCNP or CCIE and looking for a job? Check out >> www.PlatinumPlacement.com >> >> http://onlinestudylist.com/mailman/listinfo/ccie_rs > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > http://onlinestudylist.com/mailman/listinfo/ccie_rs _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com http://onlinestudylist.com/mailman/listinfo/ccie_rs
