You can configure rules on the local FW for filtering the Source Active (SA)
messages it forwards to a remote MSDP peer. The local FW then uses these rules to decide,
for each SA message it has received, whether to forward that message to the peer.
Procedure
- Access the system view.
system-view
- Create an advanced ACL and access its view.
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
- Configure rules for the advanced ACL.
rule [ rule-id ] { permit | deny } protocol [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } ] *
Run the rule command with protocol set to ip, the source parameter set to the multicast source
address carried in the SA message (the S of the (S, G) entry, not the address of the RP that
originated the SA message), and the destination parameter set to the multicast group address (G).
- Return to the system view.
quit
- Access the MSDP view.
msdp [ vpn-instance vpn-instance-name ]
- Configure the rules for filtering SA messages forwarded to a remote
MSDP peer.
peer peer-address sa-policy { import | export } [ acl advanced-acl-number ]
peer-address: specifies the address of a remote MSDP peer.
export applies the ACL to SA messages the local FW forwards to this peer, which is the case described in this section; import applies it to SA messages received from this peer.
- If the acl parameter is not specified, the local FW does not forward
any SA messages to the MSDP peer specified by peer-address.
- If an ACL is specified, the local FW uses the rules of that
ACL to determine whether to forward each SA message to the specified MSDP peer.
- If an SA message matches an ACL rule and the action is permit, the local FW forwards this SA message to the MSDP peer.
- If an SA message matches an ACL rule and the action is deny, the local FW does not forward this SA message to the MSDP peer.
- If an SA message does not match any ACL rule, the local FW does not forward
this SA message to the MSDP peer.
- If the specified ACL does not exist or contains no rules, the
local FW does not forward any SA messages to the MSDP peer specified by peer-address.
In every case the default is to drop, so an ACL that lacks a permit rule for the intended (S, G) range silently stops all SA forwarding to that peer rather than failing open.
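A complete configuration for this procedure, as an added example that is not part of the original page. It assumes advanced ACL 3001, a multicast source subnet 10.1.1.0/24, a group range 225.1.1.0/24 and a remote MSDP peer at 192.168.2.2 whose peer relationship (the peer ... connect-interface command) has already been configured; all addresses and numbers are constructed for illustration.

```text
# Constructed example (not from the original page); addresses are illustrative.
system-view
# Advanced ACL: source = multicast source S, destination = group G.
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 225.1.1.0 0.0.0.255
 # Explicit deny; redundant with the default, but makes the drop behaviour visible.
 rule 10 deny ip
quit
msdp
 # Peer 192.168.2.2 is assumed to be configured already (peer ... connect-interface).
 peer 192.168.2.2 sa-policy export acl 3001
quit
```

With this configuration only SA messages whose (S, G) matches rule 5 are forwarded to 192.168.2.2. Before attaching the ACL, confirm it exists and holds the expected rules with display acl 3001, since a missing or empty ACL drops every SA message; afterwards, display msdp sa-cache on the remote peer should show entries only for sources in 10.1.1.0/24 once such a source becomes active.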