Routing

Firewall Filter vs Auto-RP (announce/discovery)

‎03-26-2017 05:03 PM

Hello,

I am trying to open a strict firewall filter for Auto-RP.

I have successfully opened PIM for neighbor connectivity... and IGMP for sources/receivers.


But I am not able to open the filter for Auto-RP through Junos:

  • 224.0.1.39  announce (by RP)
  • 224.0.1.40  discovery (by MappingAgent)


Without the filter, I get this interface monitoring output:

In IP 123.104.104.104.pim-rp-disc > 224.0.1.40.pim-rp-disc:  auto-rp mapping Hold 3m1s RP 123.104.104.104 PIMv1+2 228.0.0.0/8
In IP 123.104.104.104.pim-rp-disc > 224.0.1.39.pim-rp-disc:  auto-rp candidate-advert Hold 3m1s RP 123.104.104.104 PIMv1+2 228.0.0.0/8


I have tried these three different things (no luck):

ACCEPT on destination-address 224.0.1.39/32 (and 224.0.1.40/32)

ACCEPT on UDP port 496

ACCEPT on protocol PIM only brings up the neighbors. Auto-RP does not pass, because it is UDP/496 (not pim)

Your help is very much appreciated.  Just a Cisco guy learning a Juniper way.

2 REPLIES

Re: Firewall Filter vs Auto-RP (announce/discovery)

‎03-26-2017 08:12 PM

Hi Folks,

Please find a few pointers...


The type of traffic we do need to allow in the filters attached for input to lo0.x


pim protocol traffic to the ALL PIM ROUTERS multicast address?


Rendezvous Point Discovery traffic (protocol UDP, source port 496, dest port 496)?

-If Auto-RP is used by the customer, you may need to allow 224.1.0.39 and 224.1.0.40 with UDP port 496.


PIM Joins (protocol UDP, source port 3232, dest port 3232, dest address ALL PIM ROUTERS multicast address)

-Yes, if the data MDT is used. This port is used for MDT dynamic tunnel build-up.


For IGMP you need to allow 224.0.0.1 and 224.0.0.2, and 224.0.0.22 for IGMPv3.

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: Firewall Filter vs Auto-RP (announce/discovery)

‎03-26-2017 10:38 PM

Hi Python,

I am aware of the PIM/Auto-RP parameters.  My issue is with how to construct the firewall filter.

I believe that I have solved it, but I am interested in whether I can improve on the solution.

Thanks in advance.


BEFORE - not working:

set firewall family inet filter FILTER-TEST term TEST from destination-address 224.0.1.39/32
set firewall family inet filter FILTER-TEST term TEST from destination-address 224.0.1.40/32
set firewall family inet filter FILTER-TEST term TEST from protocol pim
set firewall family inet filter FILTER-TEST term TEST from protocol igmp
set firewall family inet filter FILTER-TEST term TEST then accept


AFTER - SUCCESS (by separating out autorp addresses into their own term)


set firewall family inet filter FILTER-TEST term TEST-AUTORP from destination-address 224.0.1.39/32
set firewall family inet filter FILTER-TEST term TEST-AUTORP from destination-address 224.0.1.40/32
set firewall family inet filter FILTER-TEST term TEST-AUTORP then accept

set firewall family inet filter FILTER-TEST term TEST from protocol pim
set firewall family inet filter FILTER-TEST term TEST from protocol igmp
set firewall family inet filter FILTER-TEST term TEST then accept

NOTE - this combination did not work for Auto-RP:

set firewall family inet filter FILTER-TEST term TEST-mcb-AUTORP from destination-address 224.0.1.39/32
set firewall family inet filter FILTER-TEST term TEST-mcb-AUTORP from destination-address 224.0.1.40/32
set firewall family inet filter FILTER-TEST term TEST-mcb-AUTORP from protocol udp
set firewall family inet filter FILTER-TEST term TEST-mcb-AUTORP from destination-port 469
set firewall family inet filter FILTER-TEST term TEST-mcb-AUTORP then accept
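
Why the separate term works, as an added example (a Python model written for this page, not configuration or code from anyone in the thread): a Junos filter term matches only when every configured match condition holds, while several values under one condition are alternatives, so one term carrying both `destination-address 224.0.1.39/40` and `protocol pim/igmp` can never match a UDP Auto-RP datagram. The model replays the three filters from the last post against constructed packets; `Packet`, `Term`, `evaluate`, the IGMP source and the stray-UDP packet are assumptions of this example, and the Auto-RP packets mirror the monitor output quoted in the first post. It also includes a variant of the third filter with `destination-port 496` in place of 469, on the assumption that 469 in that post is a transposition of the Auto-RP port 496 cited earlier in the thread.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    """Constructed packet summary: only the fields the filter terms look at."""
    src: str
    dst: str
    protocol: str              # Junos protocol keyword: "udp", "pim", "igmp"
    dst_port: Optional[int] = None


@dataclass
class Term:
    """One term of a Junos 'family inet' filter (only the match conditions used in the thread)."""
    name: str
    destination_address: List[str] = field(default_factory=list)  # prefixes, ORed
    protocol: List[str] = field(default_factory=list)             # keywords, ORed
    destination_port: List[int] = field(default_factory=list)     # ports, ORed
    action: str = "accept"

    def matches(self, pkt: Packet) -> bool:
        # Every configured condition must be satisfied (AND across conditions);
        # multiple values under one condition are alternatives (OR within it).
        if self.destination_address and not any(
            ip_address(pkt.dst) in ip_network(p) for p in self.destination_address
        ):
            return False
        if self.protocol and pkt.protocol not in self.protocol:
            return False
        if self.destination_port and pkt.dst_port not in self.destination_port:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> str:
    """Walk the terms in order; the first match decides, otherwise the implicit discard applies."""
    for term in terms:
        if term.matches(pkt):
            return f"{term.action} ({term.name})"
    return "discard (implicit)"


AUTORP_GROUPS = ["224.0.1.39/32", "224.0.1.40/32"]

# The three filters posted in the thread, transcribed into this model.
BEFORE = [Term("TEST", destination_address=AUTORP_GROUPS, protocol=["pim", "igmp"])]
AFTER = [
    Term("TEST-AUTORP", destination_address=AUTORP_GROUPS),
    Term("TEST", protocol=["pim", "igmp"]),
]
PORT_TYPO = [Term("TEST-mcb-AUTORP", destination_address=AUTORP_GROUPS,
                  protocol=["udp"], destination_port=[469])]
# Assumption (not from the thread): the same term with the Auto-RP port 496
# that the first post cites, in place of 469.
PORT_FIXED = [Term("TEST-mcb-AUTORP", destination_address=AUTORP_GROUPS,
                   protocol=["udp"], destination_port=[496])]

# Constructed packets; the two Auto-RP ones mirror the monitor output in the first post.
AUTORP_DISCOVERY = Packet("123.104.104.104", "224.0.1.40", "udp", 496)
AUTORP_ANNOUNCE = Packet("123.104.104.104", "224.0.1.39", "udp", 496)
PIM_HELLO = Packet("123.104.104.104", "224.0.0.13", "pim")      # ALL-PIM-ROUTERS group
IGMPV3_REPORT = Packet("123.104.104.1", "224.0.0.22", "igmp")   # constructed source
STRAY_UDP = Packet("10.0.0.9", "224.0.1.40", "udp", 12345)      # constructed, not Auto-RP

if __name__ == "__main__":
    for label, terms in [("BEFORE", BEFORE), ("AFTER", AFTER),
                         ("PORT 469", PORT_TYPO), ("PORT 496", PORT_FIXED)]:
        print(f"== {label}")
        for pkt in (AUTORP_DISCOVERY, AUTORP_ANNOUNCE, PIM_HELLO, IGMPV3_REPORT, STRAY_UDP):
            print(f"  {pkt.protocol:5} -> {pkt.dst}:{pkt.dst_port or '-'}  {evaluate(terms, pkt)}")
```

Running the script prints one verdict per packet and filter. Two things the table makes visible: under the BEFORE term nothing matches at all, not even a PIM hello to 224.0.0.13, because the destination-address condition is ANDed with the protocol condition; and the address-only TEST-AUTORP term in the AFTER filter accepts any IP protocol sent to the two Auto-RP groups (the stray UDP packet passes), whereas the third filter with protocol udp and destination-port 496 admits only the Auto-RP exchange and is the tighter term once the port is correct.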
