
firewall l2-multicast packet-filter enable

Function

The firewall l2-multicast packet-filter enable command enables the device to execute a security policy on Layer-2 IP multicast packets.

The undo firewall l2-multicast packet-filter enable command disables the device from executing a security policy on Layer-2 IP multicast packets.

Format

firewall l2-multicast packet-filter enable

undo firewall l2-multicast packet-filter enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, Layer-2 IP multicast packets are not subject to security policies.

Configuration Impact

  • After you run the firewall l2-multicast packet-filter enable command, the security policy takes effect for all Layer-2 IP multicast packets (both those that traverse the FW and those sent by the FW itself), except for Layer-2 ND multicast packets. You can use the MAC address, IP address, protocol type, or port number as matching conditions in security policy rules to filter Layer-2 IP multicast packets. The security policy does not perform content security checks (IPS, antivirus, application identification, URL filtering, and so on) on Layer-2 IP multicast packets. If no security policy is configured, the default policy is used to filter Layer-2 IP multicast packets. For details on how to configure security policies, see Configuring a Security Policy Using the CLI.

  • After this function is enabled, the FW searches for the outbound interfaces of the first Layer-2 IP multicast packet based on its VLAN broadcast domain and creates an independent 5-tuple session. The FW then performs a security policy check for each candidate outbound interface and adds each interface on which the packet is permitted to the session's outbound interface list. If a subsequent packet matches the session table, the FW forwards it directly according to that outbound interface list, without another policy check. If a subsequent packet does not match the session table, the FW searches for the outbound interfaces again, checks the packet against the security policies, and takes the action specified in the matched policy.

    You can run the following commands to view or clear sessions for Layer-2 IP multicast packets:

  • After running the firewall l2-multicast packet-filter enable command, you can run the display firewall statistics system discard command and read the Multicast filter packets discarded field to view statistics on discarded Layer-2 IP multicast packets.
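
The session-creation behaviour described above, as an added model that is not Huawei's code: the first packet of a flow triggers a per-outbound-interface policy check and builds the session's outbound interface list; later packets with the same 5-tuple reuse that list and skip the policy. The interface names, the policy rule format, the deny default and the exclusion of the inbound port from the candidate list are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int

    def five_tuple(self):
        return (self.src_ip, self.dst_ip, self.proto, self.sport, self.dport)

# Constructed sample data: one VLAN broadcast domain and a small rule set.
VLAN_PORTS = {10: ["GE0/0/1", "GE0/0/2", "GE0/0/3"]}
# Rules are (outbound interface or None for any, destination group, action); first match wins.
POLICY = [
    ("GE0/0/2", "239.1.1.1", "deny"),
    (None, "239.1.1.1", "permit"),
]
DEFAULT_ACTION = "deny"  # assumed default policy when no rule matches

def policy_action(interface, dst_ip):
    for iface, group, action in POLICY:
        if (iface is None or iface == interface) and group == dst_ip:
            return action
    return DEFAULT_ACTION

class L2MulticastFilter:
    def __init__(self):
        self.sessions = {}       # 5-tuple -> list of permitted outbound interfaces
        self.policy_lookups = 0  # counts per-interface policy checks actually performed
        self.discarded = 0       # packets with no permitted outbound interface

    def forward(self, pkt, in_port):
        key = pkt.five_tuple()
        if key not in self.sessions:
            # First packet of the flow: check every other port in the VLAN domain
            # against the policy and keep only the permitted ones in the session.
            out_list = []
            for iface in VLAN_PORTS[pkt.vlan]:
                if iface == in_port:
                    continue
                self.policy_lookups += 1
                if policy_action(iface, pkt.dst_ip) == "permit":
                    out_list.append(iface)
            self.sessions[key] = out_list
        # Session hit: forward on the cached list with no further policy check.
        if not self.sessions[key]:
            self.discarded += 1
        return list(self.sessions[key])
```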

Precautions

  • When the MAC address is configured as a policy matching rule on the FW, the rule does not take effect for IPv6 Layer-2 IP multicast packets.
  • If the destination MAC address of a multicast packet is 01-80-C2-00-00-01, the multicast packet is processed as a pause frame and is directly discarded, without being subject to the security policy.
  • After this function is enabled, the device checks only the first fragment of a fragmented packet based on security policies and directly forwards the subsequent fragments.
  • If an IPv6 packet has multiple extension headers, this function parses only the first extension header and matches the IPv6 packet with security policies based on the parsing result.

Example

# Enable the device to execute a security policy on Layer-2 IP multicast packets.

<sysname> system-view
[sysname] firewall l2-multicast packet-filter enable
Copyright © Huawei Technologies Co., Ltd.