[Xorp-users] Multicast without PIM on internal interface while PIM on external

Pavlin Radoslavov pavlin@icir.org
Wed, 15 Jun 2005 00:14:35 -0700


> 	I have a simple configuration - FreeBSD 4.11 with PIM support; one 
> interface (vlan31) connected to ISP supporting PIM-SM; second interface 
> (vlan666) is local network which contains no routers - end-user stations 
> only.
> 
> 	I don't want a misconfigured user station to interfere with multicast 
> routing, so I don't want to run the multicast routing protocol on 
> internal interface.

Is your concern that a misconfigured user station will start
transmitting PIM-SM control messages that will interfere with your
XORP router?
It is extremely unlikely that even a badly misconfigured end-user
station will somehow originate PIM-SM messages. Unless, of course,
it was misconfigured to run a PIM-SM daemon or other program that is
capable of transmitting PIM-SM messages.

> 	The native way seems to be don't run PIM on it, e.g. set
> protocols.pimsm4.interface vlan666.vif vlan666.disable to true
> 
> 	Unfortunately, it isn't possible. The IGMP messages received from 
> internal network may trigger NOCACHE kernel message coming from 
> internal message. Although the message is not created by PIM routing 
> protocol event, the "disable" option applies. Kernel message is rejected 
> because the source interface isn't PIM-UP.

FYI, the NOCACHE kernel messages should be triggered by multicast
data packets seen on interfaces enabled for multicast routing.

> 
> 	On the other side, when I enable the PIM on vlan666 it sends and 
> accepts PIM-HELLO and does other PIM-related tasks including elections.
> 
> 	Is there an option to enable multicast routing on the interface but 
> without PIM enabled on it ?

Not at this time. Ideally, we should have multicast routing policy,
and one of the policy options would be to disable the receiving of
all (or a subset of) PIM control messages per interface.
I think that in Juniper for example you can apply policy rules to
disable PIM Join/Prune or Bootstrap messages per interface, but I
don't know whether you can disable the PIM Hello and Assert messages
as well.
Have in mind that it is very dangerous to disregard legitimate PIM
Assert messages from a neighbor. Hence if there was an option to
disable the receiving of all PIM control messages on an interface,
and if you misuse that option between two legitimate PIM neighboring
routers, then bad things can happen to your network.

> 	Well, I can use firewall to block PIM-ROUTERS.MCAST.NET packets on 
> vlan666 but it's a workaround only, not clean way ...

First we need to look into what the multicast routing policy
solution should be, and only after we design and implement it there
may be an option to do exactly what you need.
Unfortunately, the multicast routing policy is not on our radar yet,
so in the meantime you would have to use the above workaround.

Pavlin
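
Added example, not part of the original message and not XORP code: a small Python classifier that parses raw IPv4 packets and raises an alert when any PIMv2 control message (Hello, Join/Prune, Assert, ...) is seen on an interface expected to carry only end-user stations, such as vlan666 in the thread. It only reports and never drops, so legitimate Asserts are not silently ignored. Assumptions: packets arrive as raw IPv4 bytes from some capture source; the function names, verdict strings and the sample packet are constructed for illustration.

```python
import struct

PIM_PROTO = 103                    # IANA IP protocol number for PIM
PIM_TYPES = {0: "Hello", 1: "Register", 2: "Register-Stop", 3: "Join/Prune",
             4: "Bootstrap", 5: "Assert", 6: "Graft", 7: "Graft-Ack",
             8: "Candidate-RP-Advertisement"}
HOST_ONLY_IFACES = {"vlan666"}     # assumption: interfaces with no routers

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(iface: str, ip_packet: bytes):
    """Return (verdict, detail) for one raw IPv4 packet seen on iface."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return ("ignore", "not IPv4")
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ip_packet[9] != PIM_PROTO:
        return ("ignore", "not PIM")
    pim = ip_packet[ihl:]
    if len(pim) < 4:
        return ("alert", "truncated PIM header")
    version, mtype = pim[0] >> 4, pim[0] & 0x0F
    name = PIM_TYPES.get(mtype, "unknown type %d" % mtype)
    # A Register's checksum covers only its first 8 bytes, not the payload.
    covered = pim[:8] if mtype == 1 else pim
    if version != 2 or inet_checksum(covered) != 0:
        return ("alert", "malformed PIM " + name)
    if iface in HOST_ONLY_IFACES:
        return ("alert", "PIM %s on host-only interface %s" % (name, iface))
    return ("ok", "PIM " + name)

def sample_hello() -> bytes:
    """Constructed sample: IPv4 + PIMv2 Hello (Holdtime 105) to 224.0.0.13."""
    body = struct.pack("!HHH", 1, 2, 105)            # option 1, len 2, 105 s
    csum = inet_checksum(b"\x20\x00\x00\x00" + body)
    pim = struct.pack("!BBH", 0x20, 0, csum) + body  # version 2, type 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(pim), 0, 0, 1,
                     PIM_PROTO, 0, bytes([192, 0, 2, 10]),
                     bytes([224, 0, 0, 13]))         # IP checksum not checked
    return ip + pim
```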