The crp-policy command limits the range of legal Candidate-Rendezvous Point (C-RP) addresses and the range of the multicast addresses serviced by a C-RP. The BootStrap router (BSR) drops any C-RP whose address is not within the range of legal C-RP addresses. Legal C-RPs are therefore protected.
The undo crp-policy command restores the default configuration.
| Parameter | Description | Value |
|---|---|---|
| advanced-acl-number | Specifies the number of the advanced ACL. The ACL defines the filtering policy for the range of the C-RP addresses and the range of the group addresses served by a C-RP. | The value is an integer that ranges from 3000 to 3999. |
By default, the range of legal C-RP addresses and the range of the multicast groups serviced by a C-RP are not limited. The BSR considers all the received C-RPs as legal ones.
Usage Scenario
In a PIM-SM network that uses the BSR mechanism, you can configure any FW as a C-RP to serve the multicast groups in a specified address range. Each C-RP sends its information to the BSR in unicast mode. The BSR summarizes all received C-RP information as the RP-Set and floods it through BSR messages across the entire network. The local FW then uses the Rendezvous Point (RP)-Set to work out the RP to which a specific multicast group address range corresponds.
To protect legal C-RPs from being spoofed, configure crp-policy on BSR FWs to limit the range of legal C-RP addresses and the range of multicast group addresses served by a C-RP. Configure the same filtering rule on each Candidate-BootStrap Router (C-BSR) because any C-BSR can become the BSR.
Prerequisites
The multicast routing-enable command has been run.
Related ACL rules have been configured.
Configuration Impact
If the crp-policy command is run several times, the latest configuration overrides the previous one.
If an ACL rule is specified but no C-RP address range is set, all C-RP messages are denied.
Precautions
The crp-policy command and the acl command are used together. In the ACL view, you can set the valid source address range for the C-RP by specifying the source parameter in the rule command. You can set the address range of multicast groups that are serviced by specifying the destination parameter in the rule command.
A received C-RP message matches the configured filtering policy only when the C-RP address carried by the message matches source and the group address range carried by the message is a subset of the group address range defined in the ACL.
# Configure the C-RP policy on a C-BSR, configure the FW with the address of 1.1.1.1/32 to act as the C-RP, and then configure the FW to serve only the multicast group with the address of 225.1.0.0/16.
<sysname> system-view
[sysname] acl number 3100
[sysname-acl-adv-3100] rule permit ip source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255
[sysname-acl-adv-3100] quit
[sysname] multicast routing-enable
[sysname] pim
[sysname-pim] crp-policy 3100
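The following Python sketch is an added example, not vendor code: it models the matching condition from the Precautions section against the permit rule of ACL 3100 above, so you can check which C-RP advertisements a BSR with this policy would keep. It assumes one (C-RP address, group prefix) pair per check, permit rules only, and contiguous wildcard masks; the function names and sample advertisements are constructed for illustration.

```python
import ipaddress

def acl_net(addr, wildcard):
    """Turn an ACL address plus contiguous wildcard mask into an IPv4 network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not modelled")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

# Permit rule of ACL 3100 from the page as (source, destination); the "0"
# after 1.1.1.1 is written out as wildcard 0.0.0.0 (exact host match).
ACL_3100 = [(acl_net("1.1.1.1", "0.0.0.0"), acl_net("225.1.0.0", "0.0.255.255"))]

def crp_accepted(acl, crp_addr, group_prefix):
    """True only if the C-RP address matches 'source' AND the advertised
    group range is a subset of 'destination' (overlap is not enough)."""
    crp = ipaddress.ip_address(crp_addr)
    groups = ipaddress.ip_network(group_prefix)
    for src_net, dst_net in acl:
        if crp in src_net and groups.subnet_of(dst_net):
            return True
    return False  # outside the legal ranges: the BSR drops the C-RP

# Constructed sample advertisements: (C-RP address, advertised group range)
SAMPLES = [
    ("1.1.1.1", "225.1.0.0/16"),  # exactly the permitted range
    ("1.1.1.1", "225.1.2.0/24"),  # narrower range, still a subset
    ("1.1.1.1", "225.0.0.0/8"),   # wider range: overlaps but is not a subset
    ("1.1.1.1", "224.0.0.0/4"),   # claims the whole multicast space
    ("2.2.2.2", "225.1.0.0/16"),  # address outside the legal C-RP range
]

def evaluate(samples=SAMPLES, acl=ACL_3100):
    """Return (crp, groups, accepted) for each sample advertisement."""
    return [(c, g, crp_accepted(acl, c, g)) for c, g in samples]

if __name__ == "__main__":
    for crp, grp, ok in evaluate():
        print(f"C-RP {crp:<8} groups {grp:<14} -> {'accept' if ok else 'drop'}")
```

The third and fourth samples show why the subset condition matters: a legal C-RP address advertising a broader group range than the ACL allows is still dropped.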