
Setting Rules for Receiving an SA Message

You can set rules for filtering the Source Active (SA) messages received from a specified remote MSDP peer. When SA messages sent by a remote MSDP peer reach the local FW, the local FW determines whether to accept the messages based on these rules.

Prerequisites

Procedure

  1. Access the system view.

    system-view

  2. Create an advanced ACL and access its view.

    acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

  3. Configure rules for the advanced ACL.

    rule [ rule-id ] { permit | deny } protocol [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } ] *

    Run the rule command, set the source parameter to the source address of SA messages, and set the destination parameter to a multicast group address.

  4. Return to the system view.

    quit

  5. Access the MSDP view.

    msdp [ vpn-instance vpn-instance-name ]

  6. Set rules for filtering an SA message received from a remote MSDP peer.

    peer peer-address sa-policy { import | export } [ acl advanced-acl-number ]

    The parameters of the command are explained as follows:

    • peer-address: specifies the address of a remote MSDP peer.

    • acl: specifies the advanced ACL used for filtering. Only the (S, G) information that passes the filtering of the ACL is received. The (S, G) information is contained in an SA message sent by the peer specified by peer-address.

    • If the peer peer-address sa-policy import command without acl is used, the FW does not receive any (S, G) information from the peer specified by peer-address.

    • If an SA message sent by the peer matches an ACL rule and the action is permit, the local FW permits this SA message.
    • If an SA message sent by the peer matches an ACL rule and the action is deny, the local FW denies this SA message.
    • If an SA message sent by the peer does not match any ACL rule, the local FW denies this SA message.
    • If a specified ACL does not exist or does not contain rules, the local FW denies all SA messages from the peer specified by peer-address.
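
The decision rules above can be checked offline against a planned rule set before it is configured. The following Python model is an added example, not Huawei code: the function names, ACL numbers and addresses are constructed, the ACL source field is matched against S and the destination field against G as in step 3, and it assumes rules are evaluated in ascending rule-id order with the first match deciding.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def field_matches(spec, addr):
    """spec is "any" or (address, wildcard); wildcard bits set to 1 are ignored."""
    if spec == "any":
        return True
    base, wildcard = spec
    if wildcard == "0":               # the rule syntax's "0" means an exact host match
        wildcard = "0.0.0.0"
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def sa_import_decision(acl_number, acls, source, group):
    """Decide "permit" or "deny" for one (S, G) entry in an SA message from the peer.

    acl_number: None models "sa-policy import" without acl.
    acls: dict of ACL number -> list of (rule_id, action, source_spec, destination_spec).
    """
    if acl_number is None:
        return "deny"                 # no acl given: nothing is received from this peer
    rules = acls.get(acl_number)
    if not rules:
        return "deny"                 # ACL does not exist or contains no rules
    # Assumption: rules are checked in ascending rule-id order, first match wins.
    for _rule_id, action, src, dst in sorted(rules, key=lambda r: r[0]):
        if field_matches(src, source) and field_matches(dst, group):
            return action
    return "deny"                     # no rule matched

# Constructed sample ACLs (numbers and addresses are illustrative).
ACLS = {
    3101: [
        (5, "deny", ("10.10.1.9", "0"), ("225.1.1.0", "0.0.0.255")),
        (10, "permit", ("10.10.1.0", "0.0.0.255"), ("225.1.1.0", "0.0.0.255")),
    ],
    3102: [],
}

if __name__ == "__main__":
    for acl, s, g in [(3101, "10.10.1.20", "225.1.1.7"), (3101, "10.10.1.9", "225.1.1.7"),
                      (3101, "10.20.1.1", "225.1.1.7"), (3102, "10.10.1.20", "225.1.1.7"),
                      (3999, "10.10.1.20", "225.1.1.7"), (None, "10.10.1.20", "225.1.1.7")]:
        print(acl, s, g, "->", sa_import_decision(acl, ACLS, s, g))
```

Only the first sample (S, G) is accepted; the other five show the explicit deny, the no-match deny, the empty ACL, the nonexistent ACL, and sa-policy import without acl.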

Copyright © Huawei Technologies Co., Ltd.