This lesson covers how to secure your multicast implementation. You may want to take a victory lap after getting things working, but a lot can happen if you don't take the time to secure what you built.

1. David Hedley’s
Tuesday Tech Talks
Multicast Part 8 Securing Multicast
Turning networking on it’s head
© 2018-2020 David M. Hedley All Rights Reserved.

2. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Cisco Certified Network Professional: Enterprise, Routing & Switching
• Cisco Certified Design Professional
• Cisco Certified Specialist: Enterprise Core, Enterprise Design, Wireless
Design, Wireless Implementation, Advanced Infrastructure
Implementation.
• Cisco Certified Network Associate: Routing & Switching, Wireless, Data
Center, Security
• Cisco Certified Design Associate
• ITIL v4 Foundations
• CompTIA A+
• https://www.youracclaim.com/users/david-hedley/badges
© 2018-2020 David M. Hedley All Rights Reserved.

3. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Specific brands and models are for illustration purposes only.
• They do not imply any endorsement by the vendor, in any way.
• This talk does not represent the business process of any employer or
client, past or present, this is based on my own work and study.
• I only include equipment that I have experience with.
• At the time of writing, I have not received any compensation, or
inducement from any vendor.
© 2018-2020 David M. Hedley All Rights Reserved.

4. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Definition
• In computer networking, multicast is group communication[1] where data
transmission is addressed to a group of destination computers
simultaneously. Wikipedia https://en.wikipedia.org/wiki/Multicast retrieved July 5,2018
• Originally defined in RFC 966 (1985)
© 2018-2020 David M. Hedley All Rights Reserved.

5. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Purpose: We’ve got it working, maybe too well!
• Question: What risks am I introducing and how to I mitigate them?
© 2018-2020 David M. Hedley All Rights Reserved.

6. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Triple Constraints
• Time
• Quality or Scope
• Money or Budget
© 2018-2020 David M. Hedley All Rights Reserved.

7. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Unicast vs. Multicast
© 2018-2020 David M. Hedley All Rights Reserved.

8. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Multicast Advantages
• Eliminates Traffic Redundancy = Less Bandwidth
© 2018-2020 David M. Hedley All Rights Reserved.
0
2
4
6
8
10
12
1
4
7
10
13
16
19
22
25
28
31
34
37
40
43
46
49
52
55
58
61
64
67
70
73
76
79
82
85
88
91
94
97
100
Unicast vs Multicast
Mulicast Unicast

9. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Multicast Addressing (IPv4) Layer 3
• Source (Class A, B, C) 1.0.0.0 – 223.255.255.255
• Destination (Class D) 224.0.0.0 – 239.255.255.255
• 232.0.0.0 – 232.255.255.255 Source Specific Range
• 239.0.0.0 – 239.255.255.255 Administratively Scoped Addresses
• SOURCE CAN NEVER BE CLASS D GROUP ADDRESS!!!!
© 2018-2020 David M. Hedley All Rights Reserved.

10. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• IP Multicast MAC Address Mapping Layer 2
• In IPv4, all multicast address start with bits 1110, so the last 28 bits
differentiate the different multicast addresses
• Each Multicast MAC begins with 0x01005e with a zero in the 25th bit
• The last 23 bits are taken from the group address
• Example
• 239.200.128.1 = 11101111 11001000 10000000 00000001
• Mac 0000001 00000000 01011111 01001000 10000000 00000001 (01-00-5e-48-80-01)
• 224.72.128.1 = 11100000 01001000 10000000 00000001
• Mac 00000001 00000000 0101111 01001000 10000000 00000001 (01-00-5e-48-80-01)
• 32:1 Address Overlap!
© 2018-2020 David M. Hedley All Rights Reserved.

11. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Host-Router – Internet Group Management Protocol (IGMP) Layer 2/3
• Hosts tells routers about group membership.
• Routers solicit group membership from hosts.
• IGMP v. 1 RFC 1112 (1989) https://www.rfc-editor.org/rfc/rfc1112.txt
• IGMP v. 2 RFC 2236 (1997) https://www.rfc-editor.org/rfc/rfc2236.txt
• IGMP v. 3 RFC 3376 (2002) https://www.rfc-editor.org/rfc/rfc3376.txt
• For IPv6 Multicast Listener Discovery (MLD) v.1 is equivalent to IGMP v. 2
• MLD v. 2 is the IPv6 equivalent for IGMP v. 3.
© 2018-2020 David M. Hedley All Rights Reserved.

12. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Securing Multicast
• By default, as long as we enable PIM on an interface, and provide an RP for
the group, or range of groups, multicast traffic is allowed by default.
• Poor choice of groups can introduce lots of traffic.
• Ex: advertising 224.0.0.0/4 or advertising 239.255.0.0/16
• SSDP: 239.255.255.252
• Enabling all user interfaces can have traffic which isn’t needed or may not
even work.
• Some of the zero config protocols use multicast vs broadcast, but have a TTL of 1, so
won’t router, but multicast will try to connect (and fail)
• Users can do illegal of malicious actions such as streaming movies to internal staff.
© 2018-2020 David M. Hedley All Rights Reserved.

13. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Securing Multicast
• Solutions:
• 1. Limit RP advertisements to only groups you want.
• 239.200.128.5 vs 239.200.0.0/16
• 2. Use boundary statements at the edge or turn off PIM at the edge if not needed.
• 3. Only turn on PIM for interfaces which will need to route multicast traffic.
• Avoid user VLANs, if you can.
• Be very selective in which Wireless VLANs you enable PIM.
• 4. Use igmp filters at SVI’s to further limit which groups are accepted.
• Recall that on a multilayer switch, even without an RP advertising the group, the switch can router
between SVIs on the same switch.
• ip igmp access-group access-list
• Be careful not to block neighbors, if needed
© 2018-2020 David M. Hedley All Rights Reserved.

14. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Securing Multicast
• Solutions:
• 5. Use priorities in BSR to control which is the BSR and which is the RP.
• Lowest for the BSR, with default of 0, and RP, highest
• 6. If you cannot control other business units on the network, you may find it necessary to block
advertisements of certain RP’s.
• ip pim [ vrf vrf-name ] rp-announce-filter { group-list access-list | rp-list access-list [ group-list
access-list ] }
• group-list access-list
• Specifies the number or name of a standard access list that defines the multicast groups
to be permitted or denied from RP announcements sent by C-RPs to the RP mapping
agent.
• rp-list access-list
• Specifies the number or name of a standard access list that defines the IP addresses of C-
RPs whose RP announcements are to be permitted or denied by the RP mapping agent.
• https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti/command/imc-cr-
book/imc_i3.html#wp1565018604
© 2018-2020 David M. Hedley All Rights Reserved.

15. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Components
© 2018-2020 David M. Hedley All Rights Reserved.

16. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Tech Talk #2
• To do list!
• What do I need?
• Do I really need PIM on that VLAN?
• Can I limited the groups allowed on that SVI?
• How can I limit my RP announcements to cover only the groups I need, and not leave
additional groups enabled?
• Is the RP placed so I can used boundaries to contain the traffic?
© 2018-2020 David M. Hedley All Rights Reserved.

17. David Hedley's Tuesday Tech Talks – Multicast Pt. 8
• Thanks for watching!
• You can subscribe to my YouTube Channel
https://www.youtube.com/channel/UCZ3pcIh5Zmbp3rdjhfR7BOg
• Or connect with me on Linkedin https://www.linkedin.com/in/david-
hedley-541985/
• You can suggest topics in the comments!
© 2018-2020 David M. Hedley All Rights Reserved.