Do you really want to use these examples in your production network? You should NOT use these example configurations in your production network if any of the following are true:
This page is for people who already know what they are doing and are committed to actively maintaining multicast network configs on a very regular basis. You may experience and you may cause far fewer problems if you just leave your multicast configurations as simple as possible rather than deploying any of the example configurations documented here. This document is not for cool people; it is for esoteric people who can afford to think about and support multicast all day, every day.
Certain Internet multicast configurations can expose a number of attack vectors that may not be immediately obvious to many network operators. While multicast protocols and deployed configurations do tend to steadily improve, particularly in minimizing security risks, there is still a need to at least understand where the risks are. While this document is not a complete tutorial in multicast network risks, it provides example configurations that may help reduce some vulnerabilities in certain deployment scenarios. Please heed the warnings above before proceeding.
Configuring router software can vary from platform to platform, version to version and even from operator to operator dependent on form and style. Some of the examples here may be implemented differently on your platform. The goal here is to choose one method that is simple and clear to understand, but that may be in the eye of the beholder. If you have a simpler way to implement any of these examples, feel free to contact the editor of this document. Be sure to note the version of software you are using and indicate, if known, the minimum version required.
Specific configuration examples will be documented in-line using HTML's preformatted (<pre>) tags. Each configuration section will contain a brief description. In-line comments are included where they are most appropriate. Options that are site specific will be noted in brackets and italicized.
The best place to submit questions or feedback regarding any general configuration information in this text is to the Internet2 wg-multicast mailing list. For document editing or style comments, feel free to contact the document editor directly.
These configuration examples are based on JUNOS 7.x software.
Multicast scoping is used to prevent unwanted multicast destinations such as reserved, special use or undesirable groups from being forwarded past one or more interfaces. This list is based on a number of relatively well known group addresses that should generally not be seen on the public Internet multicast enabled network, including locally admin scoped addresses.
routing-options {
multicast {
scope-policy multicast-boundary-filter;
}
}
policy-options {
policy-statement multicast-boundary-filter {
/* TODO: review and update due by January 2006 */
term bad-groups {
from {
/* ntp */
route-filter 224.0.1.1/32 exact;
/* sgi-dogfight */
route-filter 224.0.1.2/32 exact;
/* rwhod */
route-filter 224.0.1.3/32 exact;
/* nis+ */
route-filter 224.0.1.8/32 exact;
/* srvloc */
route-filter 224.0.1.22/32 exact;
/* microsoft-ds */
route-filter 224.0.1.24/32 exact;
/* nbc-pro */
route-filter 224.0.1.25/32 exact;
/* srvloc-da */
route-filter 224.0.1.35/32 exact;
/* cisco-rp-announce */
route-filter 224.0.1.39/32 exact;
/* cisco-rp-discovery */
route-filter 224.0.1.40/32 exact;
/* hp-device-discovery */
route-filter 224.0.1.60/32 exact;
/* lucent-avaya-ap */
route-filter 224.0.1.76/32 exact;
/* rwho-group */
route-filter 224.0.2.1/32 exact;
/* sun-rpc */
route-filter 224.0.2.2/32 exact;
/* cisco-aironet-ap */
route-filter 224.1.0.1/32 exact;
/* retrospect */
route-filter 224.1.0.38/32 exact;
/* norton-ghost */
route-filter 224.77.0.0/16 orlonger;
/* igmp-control-224-128-0 */
route-filter 224.128.0.0/24 orlonger;
/* reserved-225 */
route-filter 225.0.0.0/8 orlonger;
/* reserved-226 */
route-filter 226.0.0.0/8 orlonger;
/* reserved-227 */
route-filter 227.0.0.0/8 orlonger;
/* reserved-228 */
route-filter 228.0.0.0/8 orlonger;
/* reserved-229 */
route-filter 229.0.0.0/8 orlonger;
/* reserved-230 */
route-filter 230.0.0.0/8 orlonger;
/* reserved-231 */
route-filter 231.0.0.0/8 orlonger;
/* igmp-control-232-0-0 */
route-filter 232.0.0.0/24 orlonger;
/* igmp-control-232-128-0 */
route-filter 232.128.0.0/24 orlonger;
/* igmp-control-233-0-0 */
route-filter 233.0.0.0/24 orlonger;
/* igmp-control-233-128-0 */
route-filter 233.128.0.0/24 orlonger;
/* reserved-234 */
route-filter 234.0.0.0/8 orlonger;
/* reserved-235 */
route-filter 235.0.0.0/8 orlonger;
/* reserved-236 */
route-filter 236.0.0.0/8 orlonger;
/* reserved-237 */
route-filter 237.0.0.0/8 orlonger;
/* reserved-238 */
route-filter 238.0.0.0/8 orlonger;
/* admin-scoped - possibly remove on intra-domain routers */
route-filter 239.0.0.0/8 orlonger;
}
then reject;
}
term accept-everything-else {
then accept;
}
}
}
Disable IGMP processing on interfaces that are not configured to support any multicast applications or protocols.
protocols {
igmp {
interface [interface] {
disable;
}
}
}
Limit the maximum global MSDP cache table using RED-based control of SAs. Limit per-peer SA count to 5000. Limit per-source SA count to 500. Disable MSDP data encapsulation. Remove reserved, special use, martian, undesirable and SSM groups from populating the MSDP cache. See the multicast-policy-filter and no-ssm policy prefix lists elsewhere in this document.
protocols {
msdp {
/* Global MSDP cache shielding using RED-based control of SAs */
active-source-limit {
maximum 26000;
threshold 25000;
}
group MSDP-peers {
peer [msdp-peer] {
active-source-limit {
maximum 15000;
threshold 14000;
}
}
}
source 0.0.0.0/0 {
active-source-limit {
maximum 500;
threshold 450;
}
}
data-encapsulation disable;
export [ multicast-policy-filter no-ssm ];
import [ multicast-policy-filter no-ssm ];
}
}
Remove any reserved, special use or bogon multicast group addresses from being imported into PIM state tables. Disable PIM processing on any interfaces that are not configured to support any multicast applications or protocols. See the multicast-policy-filter policy prefix list elsewhere in this document.
protocols {
pim {
import multicast-policy-filter;
interface [interface] {
disable;
}
}
}
Remove bootstrap messages. Accept only useable multicast netblocks for your environment. This example presumes only publicly assigned netblock space and the local admin scoped netblocks are valid. Adjust to suit your preferences and RP setup. See the no-bsr policy prefix list defined elsewhere in this document.
protocols {
pim {
rp {
bootstrap-import no-bsr;
bootstrap-export no-bsr;
local {
family inet {
/* TODO: review and update due by January 2006 */
group-ranges {
/* control, adhoc, sap, assignments and IANA reserved */
224.0.0.0/8;
/* GLOP */
233.0.0.0/8;
/* administratively scoped */
239.0.0.0/8;
}
}
}
}
}
}
A firewall filter applied to the router's loopback address will limit the exposure of select multicast control protocols and applications that may talk directly to the router. There is an implicit accept all rule that is not shown at the end of this filter configuration.
interfaces {
lo0 {
unit 0 {
family inet {
filter {
input [loopback-ingress];
}
}
}
}
}
firewall {
family inet {
filter [loopback-ingress] {
/* ... other control plane filter rules here ... */
term msdp {
from {
source-address {
/* all hosts */
0.0.0.0/0;
/* Allow configured MSDP peer(s) */
[MSDP peer address]/32 except;
}
protocol tcp;
port msdp;
}
then {
discard;
}
}
term sap {
from {
destination-address {
/* all hosts */
0.0.0.0/0;
/* SAPv1 announcements */
224.2.127.254/32 except;
}
protocol udp;
destination-port 9875;
}
then {
discard;
}
}
/* ... other control plane filter rules here ... */
}
}
}
The following section will limit the number of entries in the multicast forwarding cache to 100,000 entries. Once this limit is reached, new entries will not be added until the cache size drops to 99,000 entries or less. The Juniper multicast forwarding cache (inet.1) consists of PIM entries and MSDP SAs that contain encapsulated data.
routing-options {
multicast {
forwarding-cache {
threshold {
suppress 100000;
reuse 99000;
}
}
}
}
Interface specific input filters will keep unwanted multicast control and data packets from reaching the router or being forwarded by it. Note, if you use IP protocols other than IGMP, PIM and UDP that send to multicast destination addresses (e.g. OSPF), then be sure to include the necessary filter rule to allow those packets to be received on the interfaces where they are required. Also note that bogon source addresses can be blocked using packet filters, but we'll assume that is already being done for all traffic in the filter configuration. There is an implicit accept all rule not shown at the end of this filter configuration.
interfaces {
[multicast-enabled interface] {
unit [unit number] {
family inet {
filter {
input [standard-ingress];
}
}
}
}
}
firewall {
family inet {
filter [standard-ingress] {
/* ... other ingress filter rules here ... */
term pim-neighbors {
from {
source-address {
/* PIM neighbor(s) */
[PIM neighbor IP address]/32;
}
destination-address {
224.0.0.13/32;
}
protocol pim;
}
then accept;
}
term igmp-neighbors {
from {
source-address {
/* IGMP neighbor(s) */
[IGMP neighbor IP address]/32;
}
destination-address {
224.0.0.0/4;
}
protocol igmp;
}
then accept;
}
term multicast-data {
from {
destination-address {
224.0.0.0/4;
}
protocol-except udp;
}
then {
discard;
}
}
/* ... other ingress filter rules here ... */
}
}
}
This section details the statically configured policy prefix lists that are referenced in other areas of the router configuration. Many of the details listed here are subject to change over time and hence can result in an out-of-date config fairly quickly, negatively impacting service on your production network. These must be reviewed and updated regularly to NOT cause problems.
policy-options {
/* Reject all PIM bootstrap router (BSR) messages */
policy-statement no-bsr {
then reject;
}
/* TODO: review and update due by January 2006 */
policy-statement multicast-policy-filter {
term bad-groups {
from {
/* Network Time Protocol (NTP) */
route-filter 224.0.1.1/32 exact;
/* SGI dogfight */
route-filter 224.0.1.2/32 exact;
/* rwhod */
route-filter 224.0.1.3/32 exact;
/* Sun's NIS+ */
route-filter 224.0.1.8/32 exact;
/* srvloc */
route-filter 224.0.1.22/32 exact;
/* microsoft-ds */
route-filter 224.0.1.24/32 exact;
/* nbc-pro */
route-filter 224.0.1.25/32 exact;
/* srvloc-da */
route-filter 224.0.1.35/32 exact;
/* cisco-rp-announce */
route-filter 224.0.1.39/32 exact;
/* cisco-rp-discovery */
route-filter 224.0.1.40/32 exact;
/* hp-device-discovery */
route-filter 224.0.1.60/32 exact;
/* Lucent/Avaya AP */
route-filter 224.0.1.76/32 exact;
/* rwho group (BSD) */
route-filter 224.0.2.1/32 exact;
/* SUN RPC */
route-filter 224.0.2.2/32 exact;
/* Cisco/Aironet AP */
route-filter 224.1.0.1/32 exact;
/* Dantz Retrospect */
route-filter 224.1.0.38/32 exact;
/* norton-ghost */
route-filter 224.77.0.0/16 orlonger;
/* IGMP control */
route-filter 224.128.0.0/24 orlonger;
/* IANA reserved */
route-filter 225.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 226.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 227.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 228.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 229.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 230.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 231.0.0.0/8 orlonger;
/* IGMP control */
route-filter 232.0.0.0/24 orlonger;
/* IGMP control */
route-filter 232.128.0.0/24 orlonger;
/* IGMP control */
route-filter 233.0.0.0/24 orlonger;
/* IGMP control */
route-filter 233.128.0.0/24 orlonger;
/* IANA reserved */
route-filter 234.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 235.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 236.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 237.0.0.0/8 orlonger;
/* IANA reserved */
route-filter 238.0.0.0/8 orlonger;
/* admin scoped */
route-filter 239.0.0.0/8 orlonger;
}
then reject;
}
term bogon-sources {
/* IANA reserved and special use */
from {
source-address-filter 0.0.0.0/8 orlonger;
source-address-filter 1.0.0.0/8 orlonger;
source-address-filter 2.0.0.0/8 orlonger;
source-address-filter 5.0.0.0/8 orlonger;
source-address-filter 7.0.0.0/8 orlonger;
source-address-filter 10.0.0.0/8 orlonger;
source-address-filter 23.0.0.0/8 orlonger;
source-address-filter 27.0.0.0/8 orlonger;
source-address-filter 31.0.0.0/8 orlonger;
source-address-filter 36.0.0.0/8 orlonger;
source-address-filter 37.0.0.0/8 orlonger;
source-address-filter 39.0.0.0/8 orlonger;
source-address-filter 42.0.0.0/8 orlonger;
source-address-filter 49.0.0.0/8 orlonger;
source-address-filter 50.0.0.0/8 orlonger;
source-address-filter 77.0.0.0/8 orlonger;
source-address-filter 78.0.0.0/8 orlonger;
source-address-filter 79.0.0.0/8 orlonger;
source-address-filter 92.0.0.0/8 orlonger;
source-address-filter 93.0.0.0/8 orlonger;
source-address-filter 94.0.0.0/8 orlonger;
source-address-filter 95.0.0.0/8 orlonger;
source-address-filter 96.0.0.0/8 orlonger;
source-address-filter 97.0.0.0/8 orlonger;
source-address-filter 98.0.0.0/8 orlonger;
source-address-filter 99.0.0.0/8 orlonger;
source-address-filter 100.0.0.0/8 orlonger;
source-address-filter 101.0.0.0/8 orlonger;
source-address-filter 102.0.0.0/8 orlonger;
source-address-filter 103.0.0.0/8 orlonger;
source-address-filter 104.0.0.0/8 orlonger;
source-address-filter 105.0.0.0/8 orlonger;
source-address-filter 106.0.0.0/8 orlonger;
source-address-filter 107.0.0.0/8 orlonger;
source-address-filter 108.0.0.0/8 orlonger;
source-address-filter 109.0.0.0/8 orlonger;
source-address-filter 110.0.0.0/8 orlonger;
source-address-filter 111.0.0.0/8 orlonger;
source-address-filter 112.0.0.0/8 orlonger;
source-address-filter 113.0.0.0/8 orlonger;
source-address-filter 114.0.0.0/8 orlonger;
source-address-filter 115.0.0.0/8 orlonger;
source-address-filter 116.0.0.0/8 orlonger;
source-address-filter 117.0.0.0/8 orlonger;
source-address-filter 118.0.0.0/8 orlonger;
source-address-filter 119.0.0.0/8 orlonger;
source-address-filter 120.0.0.0/8 orlonger;
source-address-filter 121.0.0.0/8 orlonger;
source-address-filter 122.0.0.0/8 orlonger;
source-address-filter 123.0.0.0/8 orlonger;
source-address-filter 127.0.0.0/8 orlonger;
source-address-filter 169.254.0.0/16 orlonger;
source-address-filter 172.16.0.0/12 orlonger;
source-address-filter 173.0.0.0/8 orlonger;
source-address-filter 174.0.0.0/8 orlonger;
source-address-filter 175.0.0.0/8 orlonger;
source-address-filter 176.0.0.0/8 orlonger;
source-address-filter 177.0.0.0/8 orlonger;
source-address-filter 178.0.0.0/8 orlonger;
source-address-filter 179.0.0.0/8 orlonger;
source-address-filter 180.0.0.0/8 orlonger;
source-address-filter 181.0.0.0/8 orlonger;
source-address-filter 182.0.0.0/8 orlonger;
source-address-filter 183.0.0.0/8 orlonger;
source-address-filter 184.0.0.0/8 orlonger;
source-address-filter 185.0.0.0/8 orlonger;
source-address-filter 186.0.0.0/8 orlonger;
source-address-filter 187.0.0.0/8 orlonger;
source-address-filter 192.0.2.0/24 orlonger;
source-address-filter 192.168.0.0/16 orlonger;
source-address-filter 197.0.0.0/8 orlonger;
source-address-filter 223.0.0.0/8 orlonger;
source-address-filter 224.0.0.0/3 orlonger;
}
then reject;
}
term default {
then accept;
}
}
/* Reject all single source multicast (SSM) */
policy-statement no-ssm {
term ssm {
from {
route-filter 232.0.0.0/8 orlonger;
}
then reject;
}
}
}
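The warning above, that these static lists go out of date, can be turned into a repeatable check. The following Python is an added example, not part of the original page: it reads a constructed excerpt of the `bogon-sources` term, separates entries that fall inside protocol-defined special-use ranges from entries that were listed only because the block was unallocated when the list was written, and reports review deadlines in the TODO comments that have passed. The function names and the `SPECIAL_USE` set are assumptions made for this example.

```python
import datetime
import ipaddress
import re

# Constructed excerpt of the multicast-policy-filter statement shown above.
POLICY = """\
/* TODO: review and update due by January 2006 */
policy-statement multicast-policy-filter {
term bogon-sources {
from {
source-address-filter 0.0.0.0/8 orlonger;
source-address-filter 1.0.0.0/8 orlonger;
source-address-filter 10.0.0.0/8 orlonger;
source-address-filter 100.0.0.0/8 orlonger;
source-address-filter 172.16.0.0/12 orlonger;
source-address-filter 192.168.0.0/16 orlonger;
source-address-filter 223.0.0.0/8 orlonger;
source-address-filter 224.0.0.0/3 orlonger;
}
then reject;
}
}
"""

# Assumption for this example: ranges reserved by protocol specification,
# which do not depend on the state of IANA allocations.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3")]


def source_filters(config):
    """Return every source-address-filter prefix as an ip_network."""
    found = re.findall(r"source-address-filter (\S+) orlonger;", config)
    return [ipaddress.ip_network(p) for p in found]


def split_by_durability(config):
    """Split prefixes into (durable, needs_review) lists of strings."""
    durable, review = [], []
    for net in source_filters(config):
        fixed = any(net.subnet_of(s) for s in SPECIAL_USE)
        (durable if fixed else review).append(str(net))
    return durable, review


def overdue_reviews(config, today):
    """Return the TODO review deadlines (ISO dates) that are before today."""
    due = re.findall(r"review and update due by (\w+ \d{4})", config)
    dates = [datetime.datetime.strptime(d, "%B %Y").date() for d in due]
    return [d.isoformat() for d in dates if d < today]


def rejecting_filter(config, source):
    """Return the first listed prefix that would reject this source, or None."""
    addr = ipaddress.ip_address(source)
    return next((str(n) for n in source_filters(config) if addr in n), None)
```

Run against the full policy, the second list returned by `split_by_durability` is the set of entries to compare with the current IANA registry at each review.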
These configuration examples are based on a Cisco Catalyst 6509 running native IOS 12.2(18)SXE2.
Multicast scoping is used to prevent unwanted multicast destinations such as reserved, special use or undesirable groups from being forwarded past one or more interfaces. This list is based on a number of relatively well known groups that should generally not be seen on the public Internet multicast network, including locally admin scoped addresses.
interface [interface]
 ip multicast boundary boundary-filter
!
ip access-list standard boundary-filter
 remark ntp
 deny 224.0.1.1
 remark sgi-dogfight
 deny 224.0.1.2
 remark rwhod
 deny 224.0.1.3
 remark nis+
 deny 224.0.1.8
 remark srvloc
 deny 224.0.1.22
 remark microsoft-ds
 deny 224.0.1.24
 remark nbc-pro
 deny 224.0.1.25
 remark srvloc-da
 deny 224.0.1.35
 remark cisco-rp-announce
 deny 224.0.1.39
 remark cisco-rp-discovery
 deny 224.0.1.40
 remark hp-device-discovery
 deny 224.0.1.60
 remark lucent-avaya-ap
 deny 224.0.1.76
 remark rwho-group
 deny 224.0.2.1
 remark sun-rpc
 deny 224.0.2.2
 remark cisco-aironet-ap
 deny 224.1.0.1
 remark retrospect
 deny 224.1.0.38
 remark norton-ghost
 deny 224.77.0.0 0.0.255.255
 remark igmp-control-224-128-0
 deny 224.128.0.0 0.0.0.255
 remark reserved-225
 deny 225.0.0.0 0.255.255.255
 remark reserved-226
 deny 226.0.0.0 0.255.255.255
 remark reserved-227
 deny 227.0.0.0 0.255.255.255
 remark reserved-228
 deny 228.0.0.0 0.255.255.255
 remark reserved-229
 deny 229.0.0.0 0.255.255.255
 remark reserved-230
 deny 230.0.0.0 0.255.255.255
 remark reserved-231
 deny 231.0.0.0 0.255.255.255
 remark igmp-control-232-0-0
 deny 232.0.0.0 0.0.0.255
 remark igmp-control-232-128-0
 deny 232.128.0.0 0.0.0.255
 remark igmp-control-233-0-0
 deny 233.0.0.0 0.0.0.255
 remark igmp-control-233-128-0
 deny 233.128.0.0 0.0.0.255
 remark reserved-234
 deny 234.0.0.0 0.255.255.255
 remark reserved-235
 deny 235.0.0.0 0.255.255.255
 remark reserved-236
 deny 236.0.0.0 0.255.255.255
 remark reserved-237
 deny 237.0.0.0 0.255.255.255
 remark reserved-238
 deny 238.0.0.0 0.255.255.255
 remark admin-scoped - REMOVE if you need these
 deny 239.0.0.0 0.255.255.255
 remark 224/8
 permit 224.0.0.0 0.255.255.255
 remark SSM
 permit 232.0.0.0 0.255.255.255
 remark GLOP
 permit 233.0.0.0 0.255.255.255
 deny any
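The Juniper scope policy and the Cisco boundary-filter ACL carry the same group list in two styles: the Juniper policy rejects the listed groups and accepts everything else, while the Cisco ACL permits three ranges and ends in `deny any`. The following Python is an added example, not part of the original page, that evaluates shortened, constructed excerpts of both filters with a simplified first-match model to show where their verdicts diverge when a range is missing from the lists. Function names are hypothetical.

```python
import ipaddress
import re

# Shortened excerpts of the two filters above (constructed for this example).
JUNOS_POLICY = """\
term bad-groups {
from {
route-filter 224.0.1.1/32 exact;
route-filter 224.77.0.0/16 orlonger;
route-filter 225.0.0.0/8 orlonger;
route-filter 232.0.0.0/24 orlonger;
route-filter 239.0.0.0/8 orlonger;
}
then reject;
}
term accept-everything-else {
then accept;
}
"""
CISCO_ACL = """\
 remark ntp
 deny 224.0.1.1
 deny 224.77.0.0 0.0.255.255
 deny 225.0.0.0 0.255.255.255
 deny 232.0.0.0 0.0.0.255
 deny 239.0.0.0 0.255.255.255
 permit 224.0.0.0 0.255.255.255
 permit 232.0.0.0 0.255.255.255
 permit 233.0.0.0 0.255.255.255
 deny any
"""


def _as_int(dotted):
    return int(ipaddress.ip_address(dotted))


def junos_forwards(policy, group):
    """First term that matches decides; a term with no route-filter matches all."""
    addr = ipaddress.ip_address(group)
    for body in re.split(r"^[ \t]*term \S+ \{$", policy, flags=re.M)[1:]:
        action = re.search(r"then (accept|reject);", body).group(1)
        filters = re.findall(r"route-filter (\S+) (exact|orlonger);", body)
        for prefix, mode in filters:
            net = ipaddress.ip_network(prefix)
            # A single group is a /32, so "exact" only matches a /32 filter.
            if addr in net and (mode == "orlonger" or net.prefixlen == 32):
                return action == "accept"
        if not filters:
            return action == "accept"
    raise ValueError("no term matched; default action is not modelled here")


def cisco_forwards(acl, group):
    """First matching entry decides; a standard ACL ends in an implicit deny."""
    addr = _as_int(group)
    for line in acl.splitlines():
        m = re.match(r"\s*(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$", line)
        if not m:
            continue  # remark or blank line
        action, base, wildcard = m.groups()
        if base == "any":
            return action == "permit"
        # Wildcard bits set to 1 are "don't care"; no wildcard means a host entry.
        care = ~_as_int(wildcard or "0.0.0.0") & 0xFFFFFFFF
        if (addr & care) == (_as_int(base) & care):
            return action == "permit"
    return False


def disagreements(groups):
    """Groups that one filter forwards and the other blocks."""
    return [g for g in groups
            if junos_forwards(JUNOS_POLICY, g) != cisco_forwards(CISCO_ACL, g)]
```

With 234/8 absent from both excerpts, `disagreements` reports only `234.1.1.1`: the Juniper policy falls through to its accept term, while the Cisco ACL falls through to `deny any`.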
Limit the total number of IGMP joins per interface to a sane total. Filter out bad IGMP group reports. See the igmp-join-filter ACL elsewhere in this document.
interface [interface]
 ip igmp limit 1000
 ip igmp access-group igmp-join-filter
Limit the maximum number of MSDP SAs from peers. Remove reserved, special use, martian, undesirable and SSM groups from populating the MSDP table. Restrict SA requests from peers. See msdp-filter elsewhere in this document.
ip msdp sa-filter in [msdp-peer] list msdp-filter
ip msdp sa-filter out [msdp-peer] list msdp-filter
ip msdp filter-sa-request [msdp-peer] list msdp-filter
ip msdp sa-limit [msdp-peer] 15000
ip msdp redistribute list msdp-filter
Permit only specific PIM neighbors to talk PIM to this router. See the pim-filter ACL elsewhere in this document.
interface [interface]
 ip pim neighbor-filter pim-filter
Accept only useable multicast netblocks for your environment. This example presumes only publicly assigned netblock space and the local admin scoped netblocks are valid. Adjust to suit your preferences and RP setup. See the rp-filter, rp-registers and numbered ACLs defined elsewhere in this document.
ip pim rp-address [pim rp] rp-filter override
ip pim accept-rp [pim rp] rp-filter
ip pim rp-announce-filter rp-list 2 group-list 1
ip pim register-rate-limit 10
ip pim accept-register list rp-registers
Cisco control plane filtering can be done using Cisco's Control Plane Policing implementation to limit the exposure of select multicast control protocols and applications that may talk directly to the router. Rather than detail it here, please review my separate Cisco Control Plane Policing Implementation Report page for details and nuances on how to set this up. You will likely want to apply filters like the Juniper config example above for IGMP, PIM and MSDP messages.
Interface specific input filters will keep unwanted multicast control and data packets from reaching the router or being forwarded by it. Note, if you use IP protocols other than IGMP, PIM and UDP that send to multicast destination addresses (e.g. OSPF), then be sure to include the necessary filter rule to allow those packets to be received on the interfaces where they are required. Also note that bogon source addresses can be blocked using packet filters, but we'll assume that is already being done for all traffic in the filter configuration. There is an implicit permit any rule not shown at the end of this filter configuration.
ip access-list extended [standard-ingress]
 ! ...
 remark PIM neighbors
 permit pim host [PIM neighbor IP address] host 224.0.0.13
 remark IGMP messages
 permit igmp host [IGMP neighbor IP address] 224.0.0.0 15.255.255.255
 remark multicast data
 permit udp any 224.0.0.0 15.255.255.255
 deny ip any 224.0.0.0 15.255.255.255
 ! ...
This section details the statically configured access lists (ACLs) that are referenced in other areas of the router configuration. Many of the details listed here are subject to change over time and hence make your configurations out-of-date, negatively impacting service on your production network. These must be reviewed and updated regularly to NOT cause problems.
access-list 1 remark utility ACL to block everything
access-list 1 deny any
access-list 2 remark utility ACL to allow everything
access-list 2 permit any
ip access-list standard pim-filter
 remark PIM neighbor
 permit [PIM neighbor IP address]
 deny any
ip access-list standard igmp-join-filter
 deny 224.0.1.1
 deny 224.0.1.2
 deny 224.0.1.3
 deny 224.0.1.8
 deny 224.0.1.22
 deny 224.0.1.24
 deny 224.0.1.25
 deny 224.0.1.35
 deny 224.0.1.39
 deny 224.0.1.40
 deny 224.0.1.60
 deny 224.0.1.76
 deny 224.0.2.1
 deny 224.0.2.2
 deny 224.1.0.1
 deny 224.1.0.38
 deny 224.77.0.0 0.0.255.255
 deny 224.128.0.0 0.0.0.255
 deny 225.0.0.0 0.255.255.255
 deny 226.0.0.0 0.255.255.255
 deny 227.0.0.0 0.255.255.255
 deny 228.0.0.0 0.255.255.255
 deny 229.0.0.0 0.255.255.255
 deny 230.0.0.0 0.255.255.255
 deny 231.0.0.0 0.255.255.255
 deny 232.0.0.0 0.0.0.255
 deny 232.128.0.0 0.0.0.255
 deny 233.0.0.0 0.0.0.255
 deny 233.128.0.0 0.0.0.255
 deny 234.0.0.0 0.255.255.255
 deny 235.0.0.0 0.255.255.255
 deny 236.0.0.0 0.255.255.255
 deny 237.0.0.0 0.255.255.255
 deny 238.0.0.0 0.255.255.255
 deny 239.0.0.0 0.255.255.255
 permit any
ip access-list extended msdp-filter
 remark ntp
 deny ip any host 224.0.1.1
 remark sgi-dogfight
 deny ip any host 224.0.1.2
 remark rwhod
 deny ip any host 224.0.1.3
 remark nis+
 deny ip any host 224.0.1.8
 remark srvloc
 deny ip any host 224.0.1.22
 remark microsoft-ds
 deny ip any host 224.0.1.24
 remark nbc-pro
 deny ip any host 224.0.1.25
 remark srvloc-da
 deny ip any host 224.0.1.35
 remark cisco-rp-announce
 deny ip any host 224.0.1.39
 remark cisco-rp-discovery
 deny ip any host 224.0.1.40
 remark hp-device-discovery
 deny ip any host 224.0.1.60
 remark lucent-avaya-ap
 deny ip any host 224.0.1.76
 remark rwho-group
 deny ip any host 224.0.2.1
 remark sun-rpc
 deny ip any host 224.0.2.2
 remark cisco-aironet-ap
 deny ip any host 224.1.0.1
 remark retrospect
 deny ip any host 224.1.0.38
 remark norton-ghost
 deny ip any 224.77.0.0 0.0.255.255
 remark igmp-control-224-128-0
 deny ip any 224.128.0.0 0.0.0.255
 remark igmp-control-233-0-0
 deny ip any 233.0.0.0 0.0.0.255
 remark igmp-control-233-128-0
 deny ip any 233.128.0.0 0.0.0.255
 remark 224/8
 permit ip any 224.0.0.0 0.255.255.255
 remark 233/8
 permit ip any 233.0.0.0 0.255.255.255
 deny ip any any
ip access-list standard rp-filter
 deny 224.0.1.1
 deny 224.0.1.2
 deny 224.0.1.3
 deny 224.0.1.8
 deny 224.0.1.22
 deny 224.0.1.24
 deny 224.0.1.25
 deny 224.0.1.35
 deny 224.0.1.39
 deny 224.0.1.40
 deny 224.0.1.60
 deny 224.0.1.76
 deny 224.0.2.1
 deny 224.0.2.2
 deny 224.1.0.1
 deny 224.1.0.38
 deny 224.77.0.0 0.0.255.255
 deny 224.128.0.0 0.0.0.255
 deny 233.0.0.0 0.0.0.255
 deny 233.128.0.0 0.0.0.255
 permit 224.0.0.0 0.255.255.255
 permit 233.0.0.0 0.255.255.255
 deny any
ip access-list extended rp-registers
 remark ntp
 deny ip any host 224.0.1.1
 remark sgi-dogfight
 deny ip any host 224.0.1.2
 remark rwhod
 deny ip any host 224.0.1.3
 remark nis+
 deny ip any host 224.0.1.8
 remark srvloc
 deny ip any host 224.0.1.22
 remark microsoft-ds
 deny ip any host 224.0.1.24
 remark nbc-pro
 deny ip any host 224.0.1.25
 remark srvloc-da
 deny ip any host 224.0.1.35
 remark cisco-rp-announce
 deny ip any host 224.0.1.39
 remark cisco-rp-discovery
 deny ip any host 224.0.1.40
 remark hp-device-discovery
 deny ip any host 224.0.1.60
 remark lucent-avaya-ap
 deny ip any host 224.0.1.76
 remark rwho-group
 deny ip any host 224.0.2.1
 remark sun-rpc
 deny ip any host 224.0.2.2
 remark cisco-aironet-ap
 deny ip any host 224.1.0.1
 remark retrospect
 deny ip any host 224.1.0.38
 remark norton-ghost
 deny ip any 224.77.0.0 0.0.255.255
 remark igmp-control-224-128-0
 deny ip any 224.128.0.0 0.0.0.255
 remark igmp-control-233-0-0
 deny ip any 233.0.0.0 0.0.0.255
 remark igmp-control-233-128-0
 deny ip any 233.128.0.0 0.0.0.255
 remark 224/8
 permit ip any 224.0.0.0 0.255.255.255
 remark 233/8
 permit ip any 233.0.0.0 0.255.255.255
 deny ip any any