After an interface is configured with PIM silent, it does not receive or forward any PIM protocol packets. All PIM neighbors and PIM state machines on this interface are deleted, and the interface automatically becomes the designated router (DR). IGMP on the interface is not affected.
Before configuring PIM silent, complete the following tasks:
Configuring a unicast routing protocol to make the network reachable
Configuring PIM-DM
Configuring IGMP
At the access layer, PIM needs to be enabled on the interface directly connected to hosts. A PIM neighbor relationship can then be set up on the interface to process various PIM packets. However, when a host maliciously generates PIM Hello messages and sends many packets to a FW, the FW may fail.
To prevent the preceding case, you can set the status of the interface to PIM silent. When the interface is in the PIM silent state, the interface is prevented from receiving and forwarding any PIM packet. All PIM neighbor relationships and PIM state machines on the interface are deleted. At the same time, IGMP on the interface is not affected.
PIM silent is applicable only to the interface directly connected to the host network segment that is connected only to this FW.
If PIM silent is enabled on the interface connected to a FW, the PIM neighbor relationship cannot be established and a multicast fault may occur.
If the host network segment is connected to multiple FWs and PIM silent is enabled on multiple interfaces of the FWs, these interfaces do not send Assert messages. Therefore, multiple interfaces that forward multicast data exist in the user network segment. A multicast fault thus occurs.
interface interface-type interface-number
After PIM silent is enabled, the Hello message attack of malicious hosts is effectively prevented, and the FW is protected.
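The placement constraints above (PIM silent only on a host segment attached to a single FW) can be checked before deployment. The following audit script is an added example, not vendor code: the device names, addresses and configuration stanza layout are constructed, and it assumes that two interfaces in the same IP subnet share one network segment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configurations; the stanza layout is an assumption.
CONFIGS = {
    "FW-A": """\
interface GigabitEthernet1/0/1
 ip address 10.1.1.1 255.255.255.0
 pim dm
 pim silent
#
interface GigabitEthernet1/0/2
 ip address 10.1.2.1 255.255.255.0
 pim dm
 pim silent
""",
    "FW-B": """\
interface GigabitEthernet1/0/1
 ip address 10.1.2.2 255.255.255.0
 pim dm
 pim silent
""",
}


def parse_interfaces(text):
    """Return one dict per addressed interface: name, network, silent flag."""
    ports, cur = [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "net": None, "silent": False}
            ports.append(cur)
        elif cur and line.startswith(" ip address "):
            addr, mask = line.split()[2:4]
            cur["net"] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif cur and line.strip() == "pim silent":
            cur["silent"] = True
    return [p for p in ports if p["net"] is not None]


def audit(configs):
    """Map segment -> attached ports where PIM silent sits on a shared segment."""
    by_net = defaultdict(list)
    for fw, text in configs.items():
        for p in parse_interfaces(text):
            by_net[str(p["net"])].append((fw, p["name"], p["silent"]))
    return {net: ports for net, ports in by_net.items()
            if len(ports) > 1 and any(silent for _, _, silent in ports)}
```

With the constructed input, `audit(CONFIGS)` reports only 10.1.2.0/24, where both FW-A and FW-B attach with PIM silent set and neither would send Assert messages.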