You want to use RFC 2365 administratively scoped multicast addressing to control how multicast traffic is distributed through your network.
To configure regions of multicast scope using addressing rather than TTL, using the ip multicast boundary interface command:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#ip multicast-routing Router1(config)#access-list 15 deny 220.127.116.11 0.0.255.255 Router1(config)#access-list 15 permit any Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip multicast boundary 15 Router1(config-if)#end Router1#
Note that the access-list uses a deny statement to specify which groups are to be dropped. Because access-lists have an implicit deny on all addresses not explicitly matched, you must include a permit ip any at the end of the access-list to allow all other multicast groups to pass normally.
RFC 2365 defined a new way of handling the problem of controlling the scope of multicast applications. The IETF realized that you can't count on applications to have the right initial TTL value. The other important reason that they give for avoiding TTL scoping has to do with pruning in dense mode multicast protocols such as PIM-DM or DVMRP.
The problem is that the router at the boundary is dropping all multicast packets, but it can't tell its upstream neighbors that it no longer wants to be a member of this SPT. And it isn't sufficient to simply discover the problem and prune the tree at the previous node because of the possibility that the packets will still reach the destination by another path. The result is that the routers at the TTL boundary become "sinks" that receive all multicast traffic but cannot process it. If there is a lot of multicast traffic, this can cause performance problems.
Another problem is caused by misconfigured multicast servers causing multicast applications to leak out of their domains. This problem can occur either accidentally or deliberately, and in either case the result is that multicast applications in neighboring network regions will not work properly. And a similar problem occurs when the routers at the boundary are not configured properly, allowing even well-behaved multicast applications to leak out of their domains. Clearly a better solution is required.
The alternative proposed in RFC 2365 is to set aside particular ranges of multicast group addresses for unregistered use, similar to the RFC 1918 system of unregistered IP addresses. The RFC takes the range from 18.104.22.168 to 22.214.171.124 for this purpose. It defines how to use particular ranges of these addresses for multicast applications with different scopes. These ranges are summarized in Table 23-3.
We note in passing that the IANA has registered several other multicast addresses for specific applications. The range from 126.96.36.199 through 188.8.131.52 is reserved for routing protocols and other network maintenance applications that are confined to the local network segment. The multicast addresses between 184.108.40.206 and 220.127.116.11 have been designated for Internetwork control applications such as Cisco's RP discovery protocol. And the range from 18.104.22.168 through 22.214.171.124 is set aside for miscellaneous well-known registered application purposes. Refer to the IANA web site, http://www.iana.org/assignments/multicast-addresses, for specific well-known addresses.
|Scope||Address range||Access list|
|Site local||126.96.36.199/16||access-list 15 deny 188.8.131.52 0.0.255.255|
|Expanding site local||184.108.40.206/16, 220.127.116.11/16, etc.||access-list 15 deny 18.104.22.168 0.0.255.255, access-list 15 deny 22.214.171.124 0.0.255.255, etc.|
|Organization local||126.96.36.199/14||access-list 15 deny 188.8.131.52 0.3.255.255|
|Expanding organization local||184.108.40.206/10, 220.127.116.11/10, 18.104.22.168/10||access-list 15 deny 22.214.171.124 0.63.255.255,access-list 15 deny 126.96.36.199 0.63.255.255,access-list 15 deny 188.8.131.52 0.63.255.255|
The configuration example shows a Site Local boundary. The ip multicast boundary command affects the packets sent and received on this interface. So you would configure this command on all interfaces that connect to other sites. For interfaces that connect to other organizations, the only difference is in the access-list, as shown in Table 23-3.
If you needed more multicast address space, you would add 184.108.40.206 first, then 220.127.116.11, and so forth.
In many organizations you will see both TTL (see Recipe 23.14) and Administratively Scoped Addressing used simultaneously to control the reach of multicast applications. The two methods work well together, which makes it relatively easy to accomplish a transition from one method to the other.
One final point is worth noting here. The ip multicast boundary command is not the same as simply putting an access list on the interface to block the exchange of packets. The actual multicast packets are not the only thing that you want to prevent from crossing this boundary. You also want to prevent PIM from joining any of these multicast distribution trees across the boundary. That is what this command does for you.
Router Configuration and File Management
User Access and Privilege Levels
Handling Queuing and Congestion
Tunnels and VPNs
NTP and Time
Router Interfaces and Media
Simple Network Management Protocol
First Hop Redundancy Protocols
Appendix 1. External Software Packages
Appendix 2. IP Precedence, TOS, and DSCP Classifications