
(Optional) Configuring the Filtering Rules for Receiving SA Request Messages

You can configure rules that a specified remote MSDP peer uses to filter the Source Active (SA) Request messages it receives from the local FW. If an SA Request message passes the filter, the peer responds immediately.

Context

In general, an MSDP peer that receives an SA Request message responds with the required (S, G) information. If a filtering rule for SA Request messages is configured on the remote MSDP peer, the peer checks the SA Request messages received from the specified peers and decides whether to respond based on the result of the check.

Procedure

  1. Access the system view.

    system-view

  2. Configure a basic ACL.

    1. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create a basic ACL and access its view.

    2. Run the rule [ rule-id ] { deny | permit } source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } command to configure rules for the basic ACL.

      Use the source parameter to define the multicast group address.

  3. Return to the system view.

    quit

  4. Access the MSDP view.

    msdp [ vpn-instance vpn-instance-name ]

  5. Set the filtering rules for receiving SA Request messages.

    peer peer-address sa-request-policy [ acl basic-acl-number ]

    • peer-address: specifies the address of an MSDP peer that sends the SA Request message.

    • acl: specifies the filtering policy. If no ACL is specified, all SA Request messages sent by the peer are ignored. If an ACL is specified, only the SA Request messages that match the ACL are received; all other SA Request messages are discarded.

    • If an SA Request message matches an ACL rule and the action is permit, the interface permits this message.
    • If an SA Request message matches an ACL rule and the action is deny, the interface denies this message.
    • If an SA Request message does not match any ACL rule, the device denies this message.
    • If a specified ACL does not exist or does not contain rules, the device ignores all SA Request messages from this peer.
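
The decision rules above can be checked offline before an ACL is committed to a device. The following Python model is an added example, not Huawei code: the function names, ACL numbers and group addresses are constructed, and it assumes rules are evaluated in ascending rule-id order with the first match deciding.

```python
import ipaddress

# Constructed sample: basic ACLs as {acl_number: {rule_id: (action, source, wildcard)}}.
ACLS = {
    2001: {
        5: ("deny", "225.1.1.1", "0"),               # single group (wildcard 0)
        10: ("permit", "225.1.0.0", "0.0.255.255"),  # every group in 225.1.0.0/16
    },
    2002: {},  # ACL exists but contains no rules
}


def wildcard_match(addr, source, wildcard):
    """True if addr equals source on every bit the wildcard mask leaves at 0."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, source, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (s & care)


def sa_request_decision(group, policy_configured, acl_number=None, acls=ACLS):
    """Return 'respond' or 'ignore' for an SA Request that asks about `group`."""
    if not policy_configured:
        return "respond"   # no sa-request-policy: the peer answers every request
    if acl_number is None:
        return "ignore"    # sa-request-policy without acl: all requests ignored
    rules = acls.get(acl_number)
    if not rules:
        return "ignore"    # ACL does not exist or has no rules
    # Assumption: ascending rule-id order, first matching rule decides.
    for rule_id in sorted(rules):
        action, source, wildcard = rules[rule_id]
        if wildcard_match(group, source, wildcard):
            return "respond" if action == "permit" else "ignore"
    return "ignore"        # no rule matched: the request is denied


if __name__ == "__main__":
    for g in ("225.1.2.3", "225.1.1.1", "239.0.0.1"):
        print(g, sa_request_decision(g, True, 2001))
```

Running a planned rule set through the model shows which groups the peer would still answer for, which makes an overly broad permit or an accidentally empty ACL visible before deployment.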

Copyright © Huawei Technologies Co., Ltd.