(Optional) Configuring the Range of Valid C-RP Addresses

Procedure

1. Access the system view.

   system-view

2. Create an advanced ACL and access its view.

   acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

3. Configure rules for the advanced ACL.

   rule [ rule-id ] { permit | deny } protocol [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } ] ^*

   Run the rule command, set the source parameter to a valid C-RP source address range, and set the destination parameter to a multicast group address range to be served by C-RPs.

4. Return to the system view.

   quit

5. Access the PIM view.

   pim [ vpn-instance vpn-instance-name ]

6. Specify the range of the valid C-RP addresses and the range of the multicast group addresses that a FW serves.

   crp-policy advanced-acl-number

   When receiving an Advertisement message, the FW checks the C-RP address and the addresses of the groups that the C-RP serves in the message. The C-RP address and the addresses of the groups that the C-RP serves are added to the RP-Set only when they are in the valid address range. The C-RP spoofing can thus be prevented.

   advanced-acl-number specifies the advanced ACL. The ACL defines the filtering policy for the C-RP address range and the address range of the groups that a C-RP serves.

   

   • If an Advertisement message from a C-RP matches an ACL rule and the action is permit, the BSR permits this message.
   • If an Advertisement message from a C-RP matches an ACL rule and the action is deny, the BSR denies this message.
   • If an Advertisement message from a C-RP does not match any ACL rule, the BSR denies this message.
   • If a specified ACL does not exist or does not contain rules, the BSR denies all messages from any C-RP.