
Configuring Source Address-based IGMP Message Filtering

Source address-based IGMP message filtering is a security policy used for filtering IGMP messages on the FW's interface connected to user hosts.

Prerequisites

Before configuring source address-based IGMP message filtering, complete the following task:

Context

By default, no source address-based IGMP message filtering is configured on the FW's interface connected to user hosts.

After you configure source address-based IGMP message filtering on the FW's interface connected to user hosts, the interface filters IGMP messages based on the access control list (ACL) configuration.

Perform the following operations on the FW's interface connected to user hosts.

Procedure

  • Configure source address-based IGMP Report or Leave message filtering.
    1. Access the system view.

      system-view

    2. Configure a basic ACL.

      1. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create a basic ACL and access its view.

      2. Run the rule [ rule-id ] { deny | permit } source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } command to configure rules for the basic ACL.

    3. Return to the system view.

      quit

    4. Access the interface view.

      interface interface-type interface-number

    5. Configure source address-based IGMP Report or Leave message filtering.

      igmp ip-source-policy [ basic-acl-number ]

    • If no ACL is specified in this command, the device permits an IGMP Report or Leave message whose source address is 0.0.0.0 or is on the same network segment as the address of the interface that receives the message, and discards a message whose source address is on a different network segment from that interface's address.
    • If an ACL is configured on an interface, the interface uses configured ACL rules to filter source addresses in IGMP Report or Leave messages.
      • If an IGMP Report or Leave message matches an ACL rule and the action is permit, the interface permits this message.
      • If an IGMP Report or Leave message matches an ACL rule and the action is deny, the interface denies this message.
      • If an IGMP Report or Leave message does not match any ACL rule, the interface denies this message.
      • If a specified ACL does not exist or does not contain rules, the interface denies all IGMP Report and Leave messages.

  • Configure source address-based IGMP Query message filtering.
    1. Access the system view.

      system-view

    2. Configure a basic ACL.

      1. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create a basic ACL and access its view.

      2. Run the rule [ rule-id ] { deny | permit } source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } command to configure rules for the basic ACL.

    3. Return to the system view.

      quit

    4. Access the interface view.

      interface interface-type interface-number

    5. Configure source address-based IGMP Query message filtering to control querier election.

      igmp query ip-source-policy basic-acl-number

      • If an IGMP Query message matches an ACL rule and the action is permit, the interface permits this message.
      • If an IGMP Query message matches an ACL rule and the action is deny, the interface denies this message.
      • If an IGMP Query message does not match any ACL rule, the interface denies this message.
      • If a specified ACL does not exist or does not contain rules, the interface denies all IGMP Query messages.
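
The Report/Leave and Query decision rules listed above, modelled as an added Python example (not Huawei's code and not part of the original page) for checking a planned ACL before binding it to an interface. The addresses, ACL contents and function names are constructed, and the model assumes rules are evaluated in ascending rule-id order with the first match deciding.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def rule_matches(src, base, wildcard):
    """Wildcard bits set to 1 are ignored; the CLI's `0` means an exact host match."""
    if base == "any":
        return True
    care = ~_to_int("0.0.0.0" if wildcard == "0" else wildcard) & 0xFFFFFFFF
    return (_to_int(src) & care) == (_to_int(base) & care)

def acl_decision(rules, src):
    """rules: list of (rule_id, action, base, wildcard); None or [] models a
    missing or empty ACL. Assumption: lowest rule-id is evaluated first."""
    if not rules:
        return "deny"                      # ACL missing or without rules: deny all
    for _rid, action, base, wildcard in sorted(rules, key=lambda r: r[0]):
        if rule_matches(src, base, wildcard):
            return action                  # first matching rule decides
    return "deny"                          # no rule matched: deny

def report_leave_decision(src, iface_cidr, acl_bound=False, rules=None):
    """igmp ip-source-policy [ basic-acl-number ] on the receiving interface."""
    if not acl_bound:                      # command given without an ACL
        same_segment = ipaddress.IPv4Address(src) in ipaddress.ip_interface(iface_cidr).network
        return "permit" if src == "0.0.0.0" or same_segment else "deny"
    return acl_decision(rules, src)

def query_decision(src, rules):
    """igmp query ip-source-policy basic-acl-number (the ACL is mandatory here)."""
    return acl_decision(rules, src)

# Constructed sample values, not taken from the page.
IFACE = "10.1.1.1/24"
HOST_ACL = [(5, "deny", "10.1.1.200", "0"), (10, "permit", "10.1.1.0", "0.0.0.255")]
QUERIER_ACL = [(5, "permit", "10.1.1.2", "0")]

if __name__ == "__main__":
    for src in ("0.0.0.0", "10.1.1.50", "10.1.1.200", "192.168.5.5"):
        print(src, report_leave_decision(src, IFACE),
              report_leave_decision(src, IFACE, True, HOST_ACL))
    for src in ("10.1.1.2", "10.1.1.66"):
        print("query from", src, query_decision(src, QUERIER_ACL))
```

In this model, which follows the rules as listed on this page, binding an ACL replaces the implicit permit for source 0.0.0.0 and same-segment addresses, so those sources are denied unless a rule permits them.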

Copyright © Huawei Technologies Co., Ltd.