5.2.16 - PIM Accept RP Filtering

PIM Accept RP is a security feature used by IOS routers to prevent unwanted RPs or groups from becoming active in the PIM-SM multicast domain. When you configure ip pim accept-rp [rp-address | auto-rp] [access-list] , the local router will only accept (*,G) Join/Prune messages toward the RP-address specified in the command. Additionally, if the access-list parameter is specified, the router will only accept Join/Prune messages for groups matching this access-list. Note that regular SPT joins are not affected by this configuration.

To implement thorough security using this feature, you must configure every router on all potential paths to the RP, or simply configure your RP. Performing this on the RP alone, however, will allow illegal joins across the network, but they will eventually be dropped at the RP.

R1(config)# ip multicast-routing distributed
R1(config)# ip pim rp-address 150.1.5.5
R1(config)# ip access-list standard ALLOWED_GROUPS
R1(config-std-acl)# permit 224.10.10.10.10
R1(config-std-acl)# exit
R1(config)# ip pim accesp-rp 150.1.5.5 ALLOWED_GROUPS
R1(config)# exit

PIM Accept Register Filtering RPF Failure