To prevent unknown devices from participating in PIM, filter PIM neighbors. An interface then establishes neighbor relationships only with addresses that match the filtering rules and deletes existing neighbors that do not match them.
Context
ACL rules can be configured on interfaces to filter received Hello packets. A neighbor relationship is established only with the sender of a Hello packet that passes the filter. When a large number of malicious Hello packets arrive, configure rules on the interfaces so that they accept only the specified Hello packets and discard the malicious ones.
Procedure
- Perform the following steps on the FW enabled with PIM-SM:
  - Access the system view.
    system-view
  - Create a basic ACL and access its view.
    acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
  - Configure rules for the basic ACL.
    rule [ rule-id ] { deny | permit } source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any }
  - Return to the system view.
    quit
  - Access the interface view.
    interface interface-type interface-number
  - Configure PIM neighbor filtering.
    pim neighbor-policy basic-acl-number
When you configure neighbor filtering on an interface, you must also configure the corresponding neighbor filtering on the FW that sets up the neighbor relationship with that interface. The result of the check is as follows:
- If a peer matches an ACL rule and the action is permit, the local FW sets up a neighbor relationship with this peer.
- If a peer matches an ACL rule and the action is deny, the local FW does not set up a neighbor relationship with this peer.
- If a peer does not match any ACL rule, the local FW does not set up a neighbor relationship with this peer.
- If the specified ACL does not exist or contains no rules, the local FW does not set up a neighbor relationship with any peer.
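As an added example, not taken from the product documentation, the following Python models the four outcomes above for a basic ACL referenced by `pim neighbor-policy`. It parses rule lines in the syntax shown in the procedure and assumes rules are evaluated in ascending rule-id order with the first match winning; the ACL numbers and addresses are constructed, and the address-set form is not modelled.

```python
import ipaddress
import re

# Constructed sample: ACL rule lines as they would appear in the FW configuration
# (hypothetical rule ids and addresses; the 'address-set' form is not modelled).
SAMPLE_ACLS = {
    2001: [
        "rule 5 deny source 10.1.1.7 0",             # one specific peer is blocked
        "rule 10 permit source 10.1.1.0 0.0.0.255",  # the rest of its subnet is allowed
        "rule 15 permit source 192.168.0.0 0.0.255.255",
    ],
    2002: [],  # ACL exists but contains no rules
}

RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)(?:\s+(\S+))?$"
)

def parse_rule(line):
    """Return (rule_id, action, network, wildcard) for one 'rule ...' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule: " + line)
    rule_id, action, src, wild = m.groups()
    if src == "any":
        return int(rule_id), action, 0, 0xFFFFFFFF
    # 'source A.B.C.D 0' is shorthand for an exact host match
    wild_int = 0 if wild in (None, "0") else int(ipaddress.IPv4Address(wild))
    return int(rule_id), action, int(ipaddress.IPv4Address(src)), wild_int

def rule_matches(network, wildcard, addr):
    """Wildcard bits set to 1 are 'don't care', as in basic ACL syntax."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)

def neighbor_allowed(acls, acl_number, hello_source):
    """Decide whether a Hello from hello_source may form a neighbor relationship."""
    rules = acls.get(acl_number)
    if not rules:
        return False  # ACL missing or empty: no neighbors are accepted at all
    # Assumption: rules are evaluated in ascending rule-id order, first match wins.
    for rule_id, action, network, wildcard in sorted(map(parse_rule, rules)):
        if rule_matches(network, wildcard, hello_source):
            return action == "permit"
    return False  # no rule matched: the peer is not accepted

def accepted_neighbors(acls, acl_number, hello_sources):
    """Filter a list of Hello source addresses down to the accepted peers."""
    return [s for s in hello_sources if neighbor_allowed(acls, acl_number, s)]
```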