Which of the following commands will show only the ip access lists configured on the router?

Placement of Access Lists

Often you have a few options about how to apply your access lists and stili achieve the same affect on the traffic flowing through the router, in the case of the previous example, access list 141 was applied outbound on the serial 0 interface. Because access list 141 was designed to only filter traffic originating from the 172.16.130.0 network, and not traffic from 172.17.0.0, this list could have been applied in the inbound direction on Ethernet 0. Both approaches will have the same affect on the traffic flowing through the router.

There is a minor difference between these two approaches, though. When the ACL is applied outbound on the Serial0 interface, the traffic enters the Ethernet0 interface and is processed against the routing table. The packet is then passed to the outbound interface, where it is checked against any outbound ACLs. If the outbound interface is Serial 0, it checks packets against access list 141 and will permit or deny the traffic based on the rules defined in that list.

When the ACL is applied inbound on the Ethernet0 interface, the traffic is permitted or denied before it is processed against the routing table. On a router under heavy traffic loads, this could make a considerable difference in the delay that is introduced because the router does not have to process packets that will be dropped by the outbound interface.

Although inbound filtering has the advantage with respect to route processing, that does not necessarily make it the better way to apply access lists. Under different circumstances, you may want to prevent access to an external subnet from both Ethernet interfaces. In this case, it may be easier to apply the access lists in the outbound direction of Serial0 because packets from both Ethernet interfaces will have to pass through Serial0 to get to the external subnet. In other words, you are applying the access list to the bottleneck in traffic. Otherwise, you will have to keep two separate access lists, one specific for Ethernet0 and the other specific for Ethernet1. If the router is under light traffic loads, it may be easier to maintain a single access list.

There is disagreement among network and security professionals about which approach is better, but neither approach should be considered better than the other in all cases. It is up to you to decide which is best for your situation.

Keywords permit or deny

A keyword permit or deny specifies to the router the action to be performed. For example, the keyword permit would allow the packet to exit or enter the interface, depending on whether you specify the filtering to be performed in or out. Again, this option provides the same function as in our standard access list. The last line of our extended access list example could have read as follows:

access-list 141 permit ip any any

Protocol

You have the option of filtering several different protocols using the extended access list. The protocol field in the IP header is an 8-bit number that defines what protocol is used inside the IP packet. TCP and UDP are only two of the possible protocols that can be filtered on, although they are most common. Other protocols, such as ICMP and EIGRP, have their own protocol numbers because they are not encapsulated inside TCP or UDP. If we use a question mark when defining an access list, we can see the protocol numbers that have been defined by name inside the router.

Router (config)#access-list 191 permit ?

 <0-255> An IP protocol number

 ahp Authentication Header Protocol

 eigrp Cisco's EIGRP routing protocol

 esp Encapsulation Security Payload

 gre Cisco's GRE tunneling

 icmp Internet Control Message Protocol

 igmp Internet Gateway Message Protocol

 igrp Cisco's IGRP routing protocol

 ip Any Internet Protocol

 ipinip IP in IP tunneling

 nos KA9Q NOS compatible IP over IP tunneling

 ospf OSPF routing protocol

 pcp Payload Compression Protocol

 pim Protocol Independent Multicast

 tcp Transmission Control Protocol

 udp User Datagram Protocol

Protocols not on the preceding list may also be filtered with extended access lists, but they must be referenced by their protocol number. A full list of assigned IP protocol numbers can be found at www.iana.org/assignments/protocol-numbers.

It is important to remember that the IP keyword in the protocol field matches all protocol numbers.You must use a systematic approach here when designing your access list. For example, if your first line in the access list permits IP for a specific address, and the second line denies UDP for the same address, the second statement would have no effect. The first line would permit IP, including all the above layers. An option here may be to reverse the order of the statements. With the statements reversed, UDP would be denied from that address and all other protocols would be permitted.

Source Address and Wildcard-mask

The source address and source wildcard-mask perform the same function here as in a standard IP access list. So, in the preceding example we could have used the wildcard mask instead of the host and any keywords. The access list would then look as follows:

access-list 141 permit ip 172.16.130.88 0.0.0.0 i0.0.0.0 0.255.255.255

access-list 141 permit ip 172.16.130.89 0.0.0.0 i0.0.0.0 0.255.255.255

access-list 141 permit ip 172.16.130.90 0.0.0.0 i0.0.0.0 0.255.255.255

access-list 141 permit ip 172.16.130.0 0.0.0.255 192.168.10.118 0.0.0.0

access-list 141 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

In the first three lines, we are permitting or allowing packets from individual hosts on subnet 172.16.130.0 to any host on network 10.0.0.0. In line 4, we are permitting packets with the source address that belongs to subnet 172.16.130.0 to the destination of host 192.168.10.118. Line 5 tells us that we are permitting all packets regardless of the source or destination address. Remember that standard IP access lists have a default mask of 0.0.0.0. This does not apply to extended access lists so we must specify one.

Destination Address and Wildcard-mask

The destination address and wildcard-mask have the same effect and structure as the source address and wildcard-mask. So, here the keywords host and any are also available. You can utilize these keywords to specify any destination address as well as a specific destination without using the wildcard mask. Remember that extended access lists try a match on both source and destination. A common mistake here is trying to build an extended access list with the idea of only filtering the source address, and forgetting to specify the destination address.

Source and Destination Port Number

Many times, we don’t want to deny all access to a particular server. When you put a Web server out on the Internet, you want everyone to be able to access it on port 80 (WWW), but you don’t want to allow access to any other ports, because it gives hackers the opportunity to exploit other services you may not be aware of (although you should know of them in the first place). Restricting access to this level of detail is another benefit of extended ACLs. We have the option of specifying a source and destination port number in the access list. Let’s look at a simple example:

Router(config)# interface Serial 0

Router(config-if)# ip access-group 111 in

Router(config)#access-list 111 permit tcp any host 172.17.11.19 eq 25

Router(config)#access-list 111 permit tcp any host 172.17.11.19 eq 23

These commands are explained in Table 4.6.

Table 4.6. Router Commands

In line 1, we are permitting TCP packets from any source to the destination of host 172.22.11.19 if the destination port is 25 (SMTP). In line 2, we are permitting TCP packets from any source to the destination of host 172.22.11.19 if the destination port is 23 (Telnet). The implicit deny statement at the end of this access list will prevent all other traffic from making it into our network.

Let’s take a look at filtering with TCP and UDP. When using TCP, for example, the access list will examine the source and destination port numbers inside the TCP segment header. So, when using an extended access list, you have the capability to filter to and from a network address and also to and from a particular port number. You have several options when deciding which operator to use, such as:

eq equal to

neq not equal to

gt greater than

lt less than

range specifies an inclusive range or ports (Here, two port numbers are specified.)

Extended Access List Properties

The following list describes the different options you can configure to match traffic within the extended access list.

Virtual Router Access lists are configured at the VR level or below, so you must define what VR it will be a part of.

Sequence Number This allows you to define the placement of this statement within the access list you are creating. Since the access lists are evaluated top down, order is important.

Source IP Address / Netmask If you wish to match traffic on the source IP address, you can configure this component to match a host, or an entire subnet, depending on the subnet mask you specify.

Source Port This allows you to define a specific source port or range to match the traffic on.

Destination IP Address / Netmask This option allows you to match traffic based upon the destination IP address of the traffic. Depending on the subnet mask defined, you can match on a single host, or an entire subnet.

Destination Port You can configure a single destination port, or a range of destination ports to match upon.

Protocol This will match upon the actual protocol of the traffic since, technically, a port does not actually define which protocol travels over it. Without specifying which protocol you want to match, port 80 of TCP would be the same as port 80 UDP. For protocol, you can select TCP, UDP, ICMP, Any, or NULL.

IP-TOS You can define the traffic to match upon a predetermined IP-TOS value (1 to 255) of the traffic. The access list will check the packet to see if the bits are set, and then act accordingly.

Tip

Remember that you do not have to use all of the attributes in an access list. You can select to match on some attributes of a packet, and not on others. Also, since order is important within an access list, it is usually best to go from most specific to most general when ordering the statements.

Configuring an Extended Access List

Before you can begin to do policy-based routing, you must first configure the Extended Access List which will be used to match the traffic. In this example, we will match traffic that is from the source subnet 192.168.1.0/24, a destination subnet of 10.0.0.0/8, and a destination port 80 protocol TCP.

To configure this example via the Juniper WebUI:

Select Network | Routing | PBR | Access List Ext.

In the upper right-hand corner, select the VR you want to create this Access list for and click New.

Define an Extended ACL ID to reference the extended access list by.

Each statement in the access list must have a Sequence No. it can be identified by, which you must define. This sequence number is important because the access list gets evaluated from the top down.

If you want to match traffic based upon the source IP address, you can define the Source IP Address/Netmask.

You can match a single Source Port or a range by entering the values into the fields. If you would like to match a single port, enter it in both fields. If you would like to match a range, enter the low port in the first field, and the high port in the second field.

If you would like to match a destination host or subnet, you can do so by specifying the Destination IP Address/Netmask.

Just like the source port, you can match a single Destination Port, or a range or destination ports. Enter the same number in both fields to match a single port, or a low port number in the first field, and a high number in the second to match a range.

If you would like to specify what Protocol to match the port on, you may specify either TCP, UDP, ICMP, or Any. If you do not match the port based upon protocol, you can leave it at Null.

If you would like to specify an IP-TOS value to match on packets, you can do that by defining the appropriate value.

Click OK.

In this example, we are using the following values:

To configure this example via the Juniper CLI:

To add an additional statement via the WebUI, go into the Extended Access List and click the Add Seq No. option. To add an additional statement via the CLI, all you have to do is define the next position with the entry <position> command at the end of the access-list statement.

Access Control Lists

Access Control Lists (ACLs) are an effective way to address the filtering problem mentioned earlier. ACLs are packet filters that can be implemented on routers and similar devices to control the source and destination IP addresses allowed to pass through the gateway. Standard access lists can filter on source address. Extended access lists can filter ICMP, IGMP, or IP protocols at the Network layer. ICMP can be filtered based on the specific message. IP filtering can include port numbers at the transport (TCP/UDP) layer to allow or disallow specific services between particular addresses. Access lists can also control other routed protocols such as AppleTalk or IPX, and they are your first and best way to eliminate inappropriate traffic.

Configuring & Implementing…

5.2.7.2.1 [no] mpls MLDP

MLDP is enabled by default, and this command disables the MLDP process. The “no” form of the command will appear in the running-config.

[no] mpls MLDP forwarding recursive MLDP has two ways to resolve the next-hop used for forwarding labeled packets. Without this command enabled MLDP resolves the outgoing interface based on the next-hop to the downstream LSR. If mpls MLDP forwarding recursive is configured, the outgoing interface is resolved by the MFI using P2P LSPs. Then MLDP uses recursive forwarding over a P2P LSP. That means a P2P LSP for the next-hop needs to be available in the MFI. This configuration needs to be enabled to make MLDP FRR back up over a TE tunnel when possible. Recursion will be enabled by default, and the no form of the command will appear in the running-config.

5.2.7.2.2 [no] mpls MLDP multipath upstream

If there are multiple paths available to reach the root of an MP-LSP, we use an algorithm to select a path such that we are load balancing different LSPs over the available paths. The algorithm used to influence the paths selection calculates a 32-bit CRC of the total FEC length of the LSP, and then does a “crc32_value mod number_of_paths.” The result of this calculation identifies the path. If this command is disabled the path with the highest next-hop IP address is used to reach the root.

5.2.7.2.3 [no] mpls MLDP multipath downstream

If there are multiple downstream paths to reach an LDP peer we load balance the branches of the LSPs over these paths. The assignment of the downstream paths to the LSPs is done in a circular way. If this command is disabled, the path with the highest next-hop IP address is used.

5.2.7.2.4 [no] ip(v6) multicast mpls MLDP range <acl>

This command enables transit IPv4 or IPv6 multicast over an MLDP built P2MP LSP. Using the <acl>, an access-list can be configured to enable transit service for a specific set of multicast stream(s). The ACL is a named or extended access-list that can be filter based on source and/or group. This command needs to be configured on the egress PE as well as the ingress PE, but the ACL only has an effect on those sources for which this PE is the egress.

5.2.7.2.5 [no] IP Multicast mpls Traffic-eng [Range <acl>]

This command enabled transit IP4 multicast over an RSVP-TE built P2MP LSP. Using the <acl>, an access-list can be configured to enable transit service for a specific set of multicast stream(s). The ACL is a named or extended access list that can filter based on source and/or group. This command needs to be configured only on the egress PE.

5.2.7.2.6 [no] IP Multicast vrf <vrf name> mpls MLDP Range <acl>

This command enables transit VPNv4 multicast over a P2MP LSP. Using the <acl>, an access-list can be configured to enable transit service for a specific set of multicast stream(s). The ACL is a named or extended access list that can filter based on source and/or group. This command needs to be configured on the egress PE as well as the ingress PE, but the ACL only has an effect for which sources this PE is the egress.

5.2.7.2.7 [no] IP(v6) pim mpls Source <interface>

For transit multicast service a virtual interface (LSP-VIF) is created as head- and tail-end of the tunnel to interact with PIM. This interface is created automatically on demand and is configured to be unnumbered with an interface on the router that is configured with an IPv4 or IPv6 address. This command is used to configure the interface that is used as an unnumbered interface for the virtual interface. Without this command a virtual interface will not be created. This command needs to be configured in combination with IP Multicast mpls MLDP and IP Multicast mpls traffic-eng.

5.2.7.2.8 [no] mdt Default mpls MLDP <ip-address-of-root>

This command specifies that the Default MDT should be constructed using MLDP. By default MLDP uses an MP2MP LSP to build the default MDT. An IP address must be given that specifies the root of the MP2MP tree.

Multiple commands such as these may be entered for the same VPN and FEC-ID but with different Root addresses. When multiple commands such as these are configured, MLDP automatically uses root node redundancy procedure for this MP2MP LSP.

5.2.7.2.9 [no] mdt Data mpls MLDP <# data-mdts> Threshold <kbps>

The existing mdt data CLI is extended to take the mpls MLDP keyword. When specified it indicates that the Data MDTs for the VRF should be signaled via MLDP. In addition, by default Data MDTs are P2MP Trees rooted at the tree that initiates the MDT switchover. The user also configures the number of Data MDTs that he or she wants the VPN to use. The threshold keyword is used to supply a rate in kilobits per second. If the traffic rate for a given stream is above the threshold rate, it is switched over to use a Data MDT.

5.2.7.2.10 [no] mdt Preference [pim] [MLDP]

For MVPN migration strategy we allow PIM MDTs to be configured parallel to MLDP MDTs. To influence the path selection in the mroute table we can use this command to give preference to a certain tree type. If this command is not configured then PIM is preferred over MLDP. The order in which the keywords “pim” and “MLDP” are entered gives the preference. The first keyword has the higher preference.

5.2.7.2.11 show mpls MLDP database

This command shows the MLDP database. It also shows the FEC, the opaque value of the FEC decoded (if the router understands it), and the replication clients associated with it.

5.2.7.2.12 show mpls MLDP database id <LSD ID>

This command shows an entry in the MLDP database using the hexadecimal LSM system ID.

5.2.7.2.13 show mpls MLDP database id opaque_type <Type>

This command shows an entry in the MLDP database using the opaque type, which can consist of multiple fields that can be used to refine the selection. Supported types include:

IPv4 <source> <group>

IPv6 <source> <group>

mdt <VPN ID> <MDT number>

VPNv4 <source> <group> <RD>

<Type number>

5.2.7.2.14 show mpls MLDP neighbors

This command displays the MLDP Peers known to the router. It displays the identity address, which is the address used to create the LDP TCP peering. It also displays information about next-hop, interface, LDP graceful restart status, and uptime.

5.2.7.2.15 show mpls MLDP label release

This command displays labels that are withdrawn and pending to be released to the system.

5.2.7.2.16 show mpls MLDP root

This command displays the root data structure. The root is a common entry between multiple LSPs.

5.2.7.2.17 show IP Multicast mpls vif

This command shows the virtual interfaces that are created on the router. Interfaces are identified by an addrtype address.

5.2.7.2.18 show IP Multicast mpls mrib-client [ipv4] [ipv6] and show IP Multicast vrf <vrf-name> mrib-client [ipv4] [ipv6]

These commands display the routes, which the MLDP PE function has learned from the IPv4 MRIBs. These are the routes for which MLDP Multipoint LSPs are set up. Also these routes are signaled via MLDP in-band signaling.

3.11.1 IPTV Bandwidth Requirements

A standard-definition IP video stream that is carried as an MPEG4 SPTS stream uses about 2 to 2.75 Mbps of bandwidth. A high-definition IP video stream using the same type of compression and transport uses about 8 to 9 Mbps of bandwidth. These bandwidth requirements mean that the access infrastructure that is designed for real-time video transport must be capable of carrying significantly more bandwidth than what is needed for VoIP and Internet access services. For example, assuming that the access infrastructure is DSL based, the DSL line itself is typically constrained to carrying only one or two video streams simultaneously. The result is that video-over-DSL service offerings must limit the service to one or two simultaneous broadcast channels per household. Since broadcast video services use multicast, the amount of bandwidth required in the access and distribution networks scales with the number of channels offered. For example, a broadcast video service that uses MPEG4 compression and offers 100 channels of standard-definition content requires around 1 Gbps of capacity in the SP distribution network to handle worst-case usage patterns.

Multicast Admission Control mechanisms can also be used to limit or control bandwidth usage, as discussed in the following section.

3.11.2 IPTV Latency Jitter and Loss Requirements

To be considered optimal, IPTV (broadcast video) needs to achieve a latency of <150 ms one way. From a jitter standpoint, a value of <50 ms is required to provide consistent quality and a favorable user experience.

Coming to packet loss, the packet-loss ratio (PLR) should be well within the <10−6 mark. To elaborate on this a little further, when broadcast and on-demand video (VoD, detailed in the next section) is carried over an IP network, there is an assumption that the video quality the subscriber experienced is comparable to that experienced by people watching MPEG4 video carried by cable and satellite networks today. To ensure that any degradation in video quality resulting from the IP transport network is negligible from a subscriber’s point of view, most SPs allow only one visible degradation in video quality roughly every two hours. Though this allowance is similar to what is allowed for VoIP services, the resulting allowed packet-drop requirement for an IP transport network designed for video services is much more stringent. There are two reasons for this:

Video is much more highly compressed, so losing a packet may result in the loss of more valuable encoded video information. If the network drops a single video packet, there is a visible degradation of video quality of anywhere from a single frame up to a loss of 1 second of video, depending on the kind of encoded information that is lost.

The receiving decoders, such as the STBs, generally do not have loss-concealment algorithms, whereas VoIP phones and gateways typically support algorithms that conceal dropouts in the voice signal caused by lost packets. In the VoIP case, the network can drop a single voice packet without the listener perceiving any degradation in voice quality—unlike the case for video.

The DiffServ architecture needs to ensure that video flows meet the required 10−6 drop rate, even when links are congested. Packet drops due to bit errors on physical links must be addressed on a link-by-link basis. The link-layer technologies used in video networks employ cyclic redundancy check (CRC) algorithms to ensure that packets with errors are not delivered. This means that a single bit error in a video packet results in that packet being dropped when a CRC is performed. VoIP is typically carried in packets of approximately 1400 bytes. If bit errors are assumed to be distributed randomly, the resulting requirement for transport links is to ensure a bit-error rate (BER) less than 10−10.

The BER on optical links can be engineered to 10−14 or less by ensuring a high signal-to-noise ratio (SNR) on those links. If optical connectivity is used in the access and distribution networks, degradation in video quality resulting from bit errors on these links should not be an issue. However, packet drops due to bit errors on links such as DSL can have a significant effect on video quality. The SNR on a DSL line varies as a result of many factors, including loop length, proximity to noise sources, and other factors. In addition, the SNR can vary over time because of factors such as corrosion at connection points, moisture, and so on. Consequently, it might be difficult to qualify a DSL line at the time of installation to ensure a BER of less than 10−10 over the life of the video service.

3.11.3 Classifying and Queuing Broadcast Video/IPTV

Broadcast video uses DSCP class selector CS3 as the classification criterion, as per the Cisco modified RFC-4594 model. However, due to the fact that Cisco marks Call Signaling traffic to CS3, the Cisco modified RFC-4594 model swaps Call Signaling with broadcast video, as mentioned in the earlier sections. Hence IPTV traffic is classified using CS5 instead of CS3.

Broadcast video needs to be assigned to a second EF queue (LLQ) on Cisco platforms that support dual-priority queues due to the strict latency, jitter, and packet-loss requirements. Alternately, on platforms that do not support dual-priority queues, broadcast video can be assigned to a dedicated class for video traffic. Some of the characteristics needed for this class are as follows:

The Broadcast Video queue should never be oversubscribed. Oversubscription has the potential to drop traffic during congestion, which would have a negative impact on many channels of video traffic.

Broadcast video traffic should not be combined with data traffic and hence needs a dedicated QoS queue. Other video applications such as Video on Demand (described in the next section) could optionally be combined with this traffic type.

WRED should not be configured for broadcast video traffic.

3.11.4 Configurations and Recommendations

Figure 3.14 illustrates a configuration for the Broadcast Video class. In this illustration, the traffic is assigned to a strict priority/LLQ, since the platform in this case supports dual-priority queues.

Table 3.3 illustrates the recommended characteristics for broadcast video traffic.

Table 3.3. Recommendations for Broadcast Video Traffic

In Figure 3.15, the traffic within the Broadcast Video class is assigned to a nonstrict-priority queue with adequate guarantees. Here we see that the queue has adequate bandwidth guarantees and does not have any WRED (early packet drop), which can impact IPTV and other types of broadcast video applications.

NOTE 3.4

Broadcast and Real-Time Interactive Video

It is very common for SPs to combine both real-time interactive and broadcast video into a single VIDEO queue. In fact, this can be considered a recommended practice. Video on Demand, discussed in the following section, is also a potential candidate for this VIDEO queue, which helps in the consolidation of video applications with near to similar QoS requirements.

1.1.5.1 IGMP Limit

A Service Provider can enforce a maximum broadcast bandwidth limit by limiting the number of IGMP joins on the ranges of multicast addresses associated with broadcast video to a configured maximum on the aggregation links that the router controls. Once again, we look at a Cisco IOS configuration for illustrative purposes. The ip igmp limit command can be used to configure a limit on the number of IGMP states resulting from IGMP membership reports on a per-system or per-interface basis. It controls the maximum number of IGMP states allowed on a router or interface. Membership reports sent after the configured limits have been exceeded are not entered in the IGMP cache, and traffic for the excess membership reports is not forwarded. Per-interface and per-system limits operate independently of each other and can enforce different configured limits. A membership state will be ignored if it exceeds either the per-interface limit or global limit. If you do not configure the except access-list keyword and argument, all IGMP states resulting from IGMP are counted toward the configured cache limit on an interface. The except access-list keyword and argument exclude particular groups or channels from counting toward the IGMP cache limit. An IGMP membership report is counted against the per-interface limit if it is permitted by the extended access list specified by the except access-list keyword and argument.

!

ip igmp limit <number> [except access-list] (Enables per-system IGMP limit)

!

interface GigE x/y (Enables per-interface IGMP limit. DSLAM-facing intf)

 ip igmp limit <number> [except access-list]

!

1.1.5.2 IP Mroute Limit

The per interface mroute state limit feature provides the ability to limit the number of mroute states on an interface for different ACL-classified sets of multicast traffic. This feature can be used to prevent DoS attacks, or to provide a multicast CAC mechanism when all of the multicast flows roughly utilize the same amount of bandwidth.

The per interface mroute state limit feature essentially is a complete superset of the IGMP State Limit feature (except that it does not support a global limit). Moreover, it is more flexible and powerful (albeit more complex) than the IGMP State Limit feature, but it is not intended to be a replacement for it because there are applications that suit both features.

The per interface mroute state limit feature can be used in conjunction with the IGMP State Limit feature. If both the per interface mroute state limit feature and IGMP State Limit feature are configured on an interface, routers generally enforce both limits.

The main differences between the per interface mroute state limit feature and the IGMP Limit feature are

The per interface mroute state limit feature allows multiple limits to be configured on an interface, whereas the IGMP state limit feature allows only one limit to be configured on an interface. The per interface mroute state limit feature, thus, is more flexible than the IGMP State Limit feature because it allows multiple limits to be configured for different sets of multicast traffic on an interface.

The per interface mroute state limit feature can be used to limit both IGMP and PIM joins, whereas the IGMP State Limit feature can only be used to limit IGMP joins. The IGMP State Limit feature, thus, is more limited in application because it is best suited to be configured on an edge router to limit the number of groups that receivers can join on an outgoing interface. The per interface mroute state limit feature has a wider application because it can be configured to limit IGMP joins on an outgoing interface, to limit PIM joins (for ASM groups or SSM channels) on an outgoing interface connected to other routers, to limit sources behind an incoming interface from sending multicast traffic, or to limit sources directly connected to an incoming interface from sending multicast traffic.

Although the PIM Interface Mroute State Limit feature allows you to limit both IGMP and PIM joins, it does not provide the ability to limit PIM or IGMP joins separately because it does not take into account whether a state is created as a result of an IGMP or PIM join. As such, the IGMP State Limit feature is more specific in application because it specifically limits IGMP joins.

The per interface mroute state limit feature allows you to specify limits according to the direction of traffic; that is, it allows you to specify limits for outgoing interfaces, incoming interfaces, and for incoming interfaces having directly connected multicast sources. The IGMP State Limit feature, however, can only be used to limit outgoing interfaces. The Per Interface State Mroute State Limit feature, thus, is wider in scope because it can be used to limit mroute states for both incoming and outgoing interfaces from both sources and receivers. The IGMP State Limit feature is narrower in scope because it can only be used to limit mroute states for receivers on a LAN by limiting the number of IGMP joins on an outgoing interface.

Both the IGMP State Limit and the per interface mroute state limit features provide a rudimentary multicast CAC mechanism that can be used to provision bandwidth utilization on an interface when all multicast flows roughly utilize the same amount of bandwidth. The Bandwidth-based CAC for IP Multicast feature, however, offers a more flexible and powerful alternative for providing multicast CAC in network environments where IP Multicast flows utilize different amounts of bandwidth.

1.1.5.3 Bandwidth-Based Multicast CAC

The Bandwidth-based CAC for IP Multicast features enhances the per interface mroute state limit feature by implementing a way to count per interface mroute state limiters using cost multipliers. This feature can be used to provide Bandwidth-based multicast CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth. Once again referring to a Cisco IOS-based implementation/configuration: Bandwidth-based CAC policies are configured using the ip multicast limit cost command in global configuration mode. The syntax of the ip multicast limit cost command is as follows:

!

ip multicast limit cost access-list cost-multiplier

!

ACLs are used with this command to define the IP Multicast traffic for which to apply a cost. Standard ACLs can be used to define the (*, G) state. Extended ACLs can be used to define the (S, G) state. Extended ACLs also can be used to define the (*, G) state by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.

1.1.5.3.2 Case Study 1

The following example shows how to configure mroute state limiters on interfaces to provide multicast CAC in a network environment where all the multicast flows roughly utilize the same amount of bandwidth. The case study uses a Cisco IOS configuration shown in Figure 1.21. In this example, a service provider is offering 300 Standard Definition (SD) TV channels. The SD channels are offered to customers in three service bundles (Basic, Premium, and Gold), which are available to customers on a subscription basis. Each bundle offers 100 channels to subscribers, and each channel utilizes approximately 4 Mbps of bandwidth. The service provider must provision the Gigabit Ethernet interfaces on the provider edge (PE) router connected to Digital Subscriber Line Access Multiplexers (DSLAMs) as follows: 50% of the link’s bandwidth (500 Mbps) must be available to subscribers of their Internet, voice, and video on demand (VoD) service offerings while the remaining 50% (500 Mbps) of the link’s bandwidth must be available to subscribers of their SD channel bundle service offerings. For the 500 Mbps of the link’s bandwidth that must always be available to (but must never be exceeded by) the subscribers of the SD channel bundles, the interface must be further provisioned as follows:

Figure 1.21.

•

60% of the bandwidth must be available to subscribers of the basic service (300 Mbps).

•

20% of the bandwidth must be available to subscribers of the premium service (100 Mbps).

•

20% of the bandwidth must be available to subscribers of the gold service (100 Mbps).

Because each SD channel utilizes the same amount of bandwidth (4 Mbps), the per interface mroute state limit feature can be used to provide the necessary CAC to provision the services offered by the service provider. To determine the required CAC needed per interface, the number of channels for each bundle is divided by 4 (because each channel utilizes 4 Mbps of bandwidth). The required CAC needed per interface, therefore, is as follows:

•

Basic Services: 300/4=75

•

Premium Services: 100/4=25

•

Gold Services: 100/4=25

Three ACLs are created for each of the mroute state limiters in the following way and applied to the interface (GigE in this case):

•

An mroute state limit of 75 for the SD channels that match acl-basic.

•

An mroute state limit of 25 for the SD channels that match acl-premium.

•

An mroute state limit of 25 for the SD channels that match acl-gold.

!

interface GigabitEthernet X/y

 description — Interface towards the DSLAM—

 .

 .

 ip multicast limit out 75 acl-basic

 ip multicast limit out 25 acl-premium

 ip multicast limit out 25 acl-gold

!

!

1.1.5.3.3 Case Study 2

The following example shows how to configure per interface mroute state limiters with Bandwidth-based CAC policies to provide multicast CAC in a network environment where the multicast flows utilize the different amounts of bandwidth. The case study uses a Cisco IOS configuration for illustrative purposes (see Figure 1.22). In this example, three content providers are providing TV services across a service provider core. The content providers are broadcasting TV channels that utilize different amounts of bandwidth:

Figure 1.22.

•

MPEG-2 SDTV channels—4 Mbps per channel

•

MPEG-2 HDTV channels—18 Mbps per channel

•

MPEG-4 SDTV channels—1.6 Mbps per channel

•

MPEG-4 HDTV channels—6 Mbps per channel

The Service Provider needs to provision the fair sharing of bandwidth between these three content providers to its subscribers across Gigabit Ethernet interfaces. The Service Provider, thus, determines that it needs to provision each Gigabit Ethernet interface on the PE router connected to the DSLAMs as follows:

•

250 Mbps per content provider

•

250 Mbps for Internet, voice, and VoD services

The Service Provider then configures three ACLs:

•

acl-CP1-channels: Defines the channels being offered by the content provider CP1

•

acl-CP2-channels: Defines the channels being offered by the content provider CP2

•

acl-CP3-channels: Defines the channels being offered by the content provider CP3

Because the Content Providers are broadcasting TV channels that utilize different amounts of bandwidth, the Service Provider needs to determine the values that need to be configured for the mroute state limiters and Bandwidth-based CAC policies to provide the fair sharing of bandwidth required between the Content Providers.

Prior to the introduction of the Bandwidth-Based CAC for IP Multicast feature, the mroute state limiters were based strictly on the number of flows. The introduction of cost multipliers by the Bandwidth-Based CAC for IP Multicast feature expands how mroute state limiters can be defined. Instead of defining the mroute state limiters based on the number of multicast flows, the service provider looks for a common unit of measure and decides to represent the mroute state limiters in Kbps. The service provider then configures three mroute states, one mroute state limiter per Content Provider. Because the link is a Gigabit, the service provider sets each limit to 250,000 (because 250,000 Kbps equals 250 Mbps, the number of bits that the service provider needs to provision per content provider).

The service provider needs to further provision the fair sharing of bandwidth between the content providers, which can be achieved by configuring Bandwidth-based CAC policies. The Service Provider decides to create four Bandwidth-based CAC policies, one policy per channel based on bandwidth. For these policies, the Service Provider configures the following ACLs:

•

acl-MP2SD-channels: Defines all the MPEG-2 SD channels offered by the three Content Providers.

•

acl-MP2HD-channels: Defines all the MPEG-2 HD channels offered by the three Content Providers.

•

acl-MP4SD-channels: Defines all the MPEG-4 SD channels offered by the three Content Providers.

•

acl-MP4HD-channels: Defines all the MPEG-4 HD channels offered by the three Content Providers.

For each policy, a cost multiplier (represented in Kbps) is defined for each ACL based on the bandwidth of the channels defined in the ACL:

•

4000—represents the 4 Mbps MPEG-2 SD channels

•

18000—represents the 18 Mbps MPEG-2 HD channels

•

1600—represents the 1.6 Mbps MPEG-4 SD channels

•

6000—Represents the 6 Mbps MPEG-4 HD channels

The following configuration example shows how the Service Provider used mroute state limiters with Bandwidth-based CAC policies to provision Gigabit Ethernet interface for the fair sharing of bandwidth required between the three content providers:

!

ip multicast limit cost acl-MP2SD-channels 4000

ip multicast limit cost acl-MP2HD-channels 18000

ip multicast limit cost acl-MP4SD-channels 1600

ip multicast limit cost acl-MP4HD-channels 6000

!

.

!

interface GigabitEthernet X/y

 ip multicast limit out acl-CP1-channels 250000

 ip multicast limit out acl-CP2-channels 250000

 ip multicast limit out acl-CP3-channels 250000

!

SSH on Cisco Network Devices

Many of the clients for whom I have conducted computer network assessments have given me reasons for not using SSH to remotely log in to their routers and switches. I can understand not using SSH when the client plans to upgrade their equipment to support the IOS feature set. Along those lines, many times I have indicated to folks that they will reap the benefits of network defense by purchasing and adding an IOS feature set to their arsenal of equipment. And I have never been able to understand it when these users still do not make an attempt to use SSH to configure their routers or switches.

If you're one of these people, I will now demonstrate how easy SSH is to set up. The first step involves making sure your router platform supports SSH for logins. (Not all of them do. The 2524 router depicted in this chapter cannot use SSH or other secure management systems.) To set a router to do exclusive SSH without any Telnet access and to set a two-minute timeout, use the following code:

Router#configure terminal

Router(config)#hostname ACMERTR

ACMERTR(config)#ip domin-name mycorp.com

ACMERTR(config)#crypto key generate rsa

The name for the keys will be: ACMERTR

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes

How many bits in the modulus [512] 2048

Generating RSA keys …

[OK]

ACMERTR(config)#ip ssh time-out 120

ACMERTR(config)#ip ssh authentication-retires 2

ACMERTR(config)#service tcp-keepalives-in

ACMERTR(config)#line vty 0 4

ACMERTR(config-line)#transport input ssh

ACMERTR(config-line)#CTRL-Z

ACMERTR# copy running-config startup-config

To configure the router to handle both SSH and Telnet through the virtual terminal lines, use the following command:

ACMERTR(config-line)# transport input ssh telnet

What's behind the transport command tells IOS where to expect interactive command data and in what form or protocol. A number of protocols can be used, such as rlogin or PAD, but the most common ones you can expect to see are the SSH (port 22) and Telnet protocols (using port 23). When you specify a transport input statement in the config-line subcommand, you are telling the router how to handle the input and what port should be used to communicate. In this day and age, legacy routers that don't support SSH should be replaced, but in a pinch where replacement is impractical, you can use ACLs to help secure Telnet access, especially if you log both successful and unsuccessful login attempts.