
(Optional) Configuring the BSR Address Range

ACL-based policies can be set on all devices to filter Candidate-BSR (C-BSR) addresses. The devices then accept only Bootstrap messages whose source address is within the valid C-BSR address range, which prevents bootstrap router (BSR) spoofing.

Prerequisites

Before configuring the BSR address range, complete the following tasks:

Context

By default, all BSR packets are received without the BSR source address check.

Perform the following steps on all FWs in the PIM-SM domain.

Procedure

  1. Access the system view.

    system-view

  2. Create a basic ACL and access its view.

    acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

  3. Configure rules for the basic ACL.

    rule [ rule-id ] { deny | permit } source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any }

    Use the source parameter to define the source address range of the multicast packets.

  4. Return to the system view.

    quit

  5. Access the PIM view.

    pim [ vpn-instance vpn-instance-name ]

  6. Set the legal range of BSR addresses.

    bsr-policy basic-acl-number

    After receiving a BSR message, the FW checks the source address of the message. If the source address is not within the range of legal addresses, the message is discarded. BSR spoofing is thus prevented.

    basic-acl-number specifies the basic ACL. The ACL defines the filtering policy for the source address range of the BSR messages.

    • If a BSR message matches an ACL rule and the action is permit, the device permits this message.
    • If a BSR message matches an ACL rule and the action is deny, the device denies this message.
    • If a BSR message does not match any ACL rule, the device denies this message.
    • If a specified ACL does not exist or does not contain rules, the device denies all BSR messages.
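
The decision rules listed in step 6 can be modelled offline to audit an intended ACL before it is bound with bsr-policy. The following Python is an added example, not Huawei code: the addresses, rule IDs and function names are constructed, and it assumes rules are evaluated in ascending rule-id order with the first match deciding.

```python
import ipaddress

def _to_int(addr):
    # The CLI shorthand "0" is the host wildcard 0.0.0.0.
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))

def rule_matches(src, rule_src, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must match."""
    if rule_src == "any":
        return True
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(src) & care) == (_to_int(rule_src) & care)

def bsr_policy_accepts(src, acl):
    """acl: None (ACL does not exist) or a list of (rule_id, action, source, wildcard)."""
    if not acl:
        return False  # missing or empty ACL: every BSR message is denied
    for _rule_id, action, rule_src, wildcard in sorted(acl, key=lambda r: r[0]):
        if rule_matches(src, rule_src, wildcard):
            return action == "permit"  # assumption: first matching rule decides
    return False  # no rule matched: denied

def audit(acl, legit_cbsrs, probes):
    """Return (legitimate C-BSRs that would be dropped, other sources that would be accepted)."""
    dropped = [a for a in legit_cbsrs if not bsr_policy_accepts(a, acl)]
    accepted = [a for a in probes if a not in legit_cbsrs and bsr_policy_accepts(a, acl)]
    return dropped, accepted

# Constructed sample data, not taken from the page.
LEGIT_CBSRS = ["10.1.1.2", "10.1.1.3"]
PROBES = ["10.1.1.77", "192.0.2.9"]
STRICT = [(5, "permit", "10.1.1.2", "0"), (10, "permit", "10.1.1.3", "0")]
LOOSE = [(5, "permit", "10.1.1.0", "0.0.0.255")]  # whole /24, wider than needed

if __name__ == "__main__":
    for name, acl in (("strict", STRICT), ("loose", LOOSE), ("missing", None)):
        print(name, audit(acl, LEGIT_CBSRS, PROBES))
```

An empty first list and an empty second list mean the ACL admits every intended C-BSR and nothing else; a non-empty first list on a missing or empty ACL shows the deny-all case that would stop BSR election if the policy were bound before the ACL was populated.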

Copyright © Huawei Technologies Co., Ltd.