Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Securing from the users, Secure EIGRP/PIM/OSFP

I have been experimenting with ACLs on users VLANs in order to protect the network. ACLs to prevent IP spoofing, and preventing destination addresses like and

I also would to take means to prevent users from even conversing over multicast destined for EIGRP/OSPF/PIM seem to use a number of addresses in this range. Yea, I know all about passive interface and deploy it already, but who knows what the next EIGRP unauthenticated vulnerability will reveal.

As far as I can tell, users only need to send to (IGMP Leave Requests).

Anyone know of other legitimate addresses which users would be sending to? Or, can anyone supply reasons for not even pursuing this task?


Re: Securing from the users, Secure EIGRP/PIM/OSFP

PIX Firewall software version 6.2 enables you to statically configure multicast routes or use an Internet Group Management Protocol (IGMP) helper address for forwarding IGMP reports and leave announcements.

This list summarizes multicast support in this release.

Access list filters can be applied to multicast traffic to permit or deny specific protocols and ports.

Network Address Translation (NAT) and Port Address Translation (PAT) can be performed on the multicast packet source addresses only.

Multicast data packets with destination addresses in the address range are not forwarded. However, everything else in the address range is forwarded.

IGMP packets for address groups within the through range are not forwarded because these addresses are reserved for protocol use.

NAT is not performed on IGMP packets. When IGMP forwarding is configured, the PIX forwards the IGMP packets (report and leave) with the IP address of the helper interface as the source IP address.

New Member

Re: Securing from the users, Secure EIGRP/PIM/OSFP

Well, I'm talking about securing multicast from internal user's nasty tendencies, not a border point. My organization doesn't seem take MAC/IP source address spoofing seriously, but I do.

I am also interested in finding out what others are doing to prevent malicious activity in regards to multicast.

I simply can not buy, deploy and manage a PIX for every user VLAN (logical network) across 100 unique physically separated sites, thanks.

Since users have done a number of things I would consider malicious, like spoofing server's production IPs at their workstations (even though they are on a different logical network), their nasty tendencies may flow to multicast, particularly the network. This one seems to be the reserved for administrative uses.

Anyone at all doing anything at all here?

New Member

Re: Securing from the users, Secure EIGRP/PIM/OSFP

Enable "ip verify unicast reverse-path" at the closest L3 interface to your users. That should take care of most of your spoofed source problems (not sure if this works for the multicast range of addresses or not).

Re: Securing from the users, Secure EIGRP/PIM/OSFP


in case you are troubled by the possibility of users "attacking" your EIGRP/OSPF/PIM, why not just secure those protocols by passwords?

You can secure each OSPF interface by

interface Ethernet0

ip address

ip ospf message-digest-key 1 md5 MyKey


router ospf 10

network area 0

area 0 authentication message-digest

You can secure EIGRP by

interface Ethernet0

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 MyChain

key chain MyChain

key 1

key-string MyKey

On switches you could also setup MAC access-lists denying the multicast MAC addresses on access ports.

Hope this helps


P.S.: please rate all posts