
Configuring Join Information Filtering

A Join/Prune message received on an interface may carry both join information and prune information. You can configure the interface to filter the join information against ACL rules. The device then creates PIM entries only for join information that matches a permit rule; join information that matches a deny rule, or no rule at all, is discarded.

Context

ACL rules can be applied on an interface to filter the join information in received Join/Prune messages. Because every accepted join causes the device to create PIM entries, a flood of forged Join messages can fill the multicast routing table with bogus (*,G) and (S,G) state. When an interface is exposed to such traffic, configure rules so that it accepts only the sources and groups you expect and discards all other join information.

Procedure

  • Perform the following steps on the FW on which PIM-SM is enabled:
    1. Access the system view.

      system-view

    2. Configure a basic or an advanced ACL as needed.

      • Configure a basic ACL.

        1. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create a basic ACL and access its view.

        2. Run the rule [ rule-id ] { deny | permit } source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } command to configure rules for the basic ACL.

      • Configure an advanced ACL.

        1. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create an advanced ACL and access its view.

        2. Run the rule [ rule-id ] { permit | deny } protocol [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } ] * command to configure rules for the advanced ACL.

    3. Return to the system view.

      quit

    4. Access the interface view.

      interface interface-type interface-number

    5. Configure Join information filtering.

      pim join-policy { asm basic-acl-number | ssm advanced-acl-number | advanced-acl-number }

      If asm is specified, run the rule command in the basic ACL view and set the source parameter to the multicast group address range to be matched against the join information.

      If ssm is specified, run the rule command in the advanced ACL view, set the source parameter to the multicast source address range and the destination parameter to the multicast group address range to be matched against the join information.

      • If join information in a Join message matches an ACL rule whose action is permit, the device accepts that join information and creates the corresponding PIM entries.
      • If join information in a Join message matches an ACL rule whose action is deny, the device discards that join information.
      • If join information in a Join message matches no ACL rule, the device discards it. The policy is therefore a whitelist: every legitimate source and group range needs an explicit permit rule, and deny rules are only needed to carve exceptions out of a broader permit rule that follows them.
      • If the specified ACL does not exist or contains no rules, the device discards all join information on the interface. Create the ACL and its rules before binding it with pim join-policy, otherwise joins are dropped until the rules exist.
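The complete procedure, as an added example that is not taken from the original page or from Huawei's own documentation. The interface names, the ACL numbers and the address ranges are assumed for illustration, PIM-SM is assumed to be already enabled on both interfaces, and the lines beginning with # are annotations rather than commands:

```text
# Added example; interface names, ACL numbers and address ranges are assumed.
system-view

# ASM policy: in a basic ACL the "source" field is matched against the group address.
# Only (*,G) joins for groups in 225.1.1.0/24 are accepted; all other groups fall through
# to the implicit deny that applies when no rule matches.
acl number 2000
 rule 5 permit source 225.1.1.0 0.0.0.255
quit

# SSM policy: in an advanced ACL "source" is the multicast source and "destination" the group.
# Rule 5 excludes a single source before rule 10 permits the rest of 10.1.1.0/24
# for groups in 232.1.1.0/24.
acl number 3000
 rule 5 deny ip source 10.1.1.99 0 destination 232.1.1.0 0.0.0.255
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 232.1.1.0 0.0.0.255
quit

# Bind the ASM policy on the interface facing ASM receivers.
interface GigabitEthernet0/0/1
 pim join-policy asm 2000
quit

# Bind the SSM policy on the interface facing SSM receivers.
interface GigabitEthernet0/0/2
 pim join-policy ssm 3000
quit

# Checks: confirm the rules exist and that only permitted (*,G) and (S,G) entries appear.
display acl 2000
display acl 3000
display pim routing-table
```

The ACLs are created and populated before the pim join-policy commands are run, so the interfaces never pass through the state in which a bound ACL has no rules and every join is dropped. Rules are matched in ascending rule-ID order, which is why the deny for 10.1.1.99 must carry a lower ID than the permit for the whole 10.1.1.0/24 range; with the IDs reversed the permit would match first and the exception would never take effect. After receivers send joins, display pim routing-table should list only entries for 225.1.1.0/24 groups on the first interface and for 10.1.1.0/24 sources to 232.1.1.0/24 groups (minus 10.1.1.99) on the second.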

Copyright © Huawei Technologies Co., Ltd.