3Com 3.01.01 Switch User Manual


 
Configuring PIM-SM 199
Configuring the Filtering of Multicast Source/Group
See “Configuring PIM-DM” on page 187.
Configuring the Filtering of PIM Neighbors
See “Configuring PIM-DM” on page 187.
Configuring the Maximum Number of PIM Neighbors on an Interface
See “Configuring PIM-DM” on page 187.
Configuring RP to Filter the Register Messages Sent by DR
In a PIM-SM network, the register message filtering mechanism controls, at the
RP, which sources may send to which groups: the RP filters the register messages
sent by the DR and accepts only the specified ones.
Perform the following configuration in PIM view.
If a (source, group) entry is denied by the ACL, or the ACL defines no action for
it, or the referenced ACL is not defined, the RP sends RegisterStop messages to
the DR to stop the register process for that multicast data stream.
Only register messages matching an ACL permit clause are accepted by the RP.
Specifying an undefined ACL makes the RP deny all register messages.
Limiting the Range of Legal BSR
In a PIM-SM network that uses a bootstrap router (BSR), every router can set itself
as a candidate BSR (C-BSR) and, if it wins the contention, gains the authority to
advertise RP information in the network. To prevent malicious BSR spoofing in the
network, the following two measures need to be taken:
1 Prevent a router from being spoofed by hosts that forge the identity of a legal
BSR in BSR messages in order to modify the RP mapping. BSR messages are
multicast and their TTL is 1, so these attacks usually hit edge routers.
Fortunately, BSRs are inside the network while the attacking hosts are outside,
so neighbor and RPF checks can be used to stop these attacks.
2 If a router in the network is compromised by an attacker, or an illegal router is
connected to the network, the attacker may set it as a C-BSR, try to win the
contention and gain the authority to advertise RP information in the network.
A router configured as C-BSR propagates BSR messages, which are multicast
messages sent hop by hop with TTL 1, so the network is not affected as long as
the peer routers do not accept these BSR messages. One way to achieve this is
to configure bsr-policy on each router to limit the range of legal BSRs; for
example, if only 1.1.1.1/32 and 1.1.1.2/32 may be BSRs, the routers will neither
accept nor forward BSR messages from any other address. Even legal BSRs
outside this range cannot contest with them.
Table 40 Configuring RP to Filter the Register Messages Sent by DR

Operation                                                  Command
Configure RP to filter the register messages sent by DR    register-policy acl-number
Cancel the configured filter of messages                   undo register-policy
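The following Python model is an added illustration of the two filtering decisions described on this page (the RP's register-policy check on the (source, group) of a Register message, and the bsr-policy check on the originator of a Bootstrap message); it is not 3Com code and does not reproduce the switch's ACL syntax. The ACL numbers, rules and addresses are constructed sample data. The register-policy semantics follow the manual (deny, no matching rule, or undefined ACL all result in RegisterStop); treating an unconfigured register-policy as "no filtering" and an undefined bsr-policy ACL as "drop everything" are assumptions, marked in the code.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL rule. 'group' is None for a basic (source-only) ACL."""
    action: str                          # "permit" or "deny"
    source: IPv4Network
    group: Optional[IPv4Network] = None

    def matches(self, src: IPv4Address, grp: Optional[IPv4Address] = None) -> bool:
        if src not in self.source:
            return False
        if self.group is None:           # basic ACL: source match is enough
            return True
        return grp is not None and grp in self.group


def rule(action: str, source: str, group: Optional[str] = None) -> Rule:
    """Small constructor so sample ACLs can be written with prefix strings."""
    return Rule(action, ip_network(source), ip_network(group) if group else None)


def acl_lookup(acl: List[Rule], src: IPv4Address,
               grp: Optional[IPv4Address] = None) -> Optional[str]:
    """First-match lookup: 'permit', 'deny', or None when no rule matches."""
    for r in acl:
        if r.matches(src, grp):
            return r.action
    return None


# Constructed sample ACL table (hypothetical numbers and prefixes).
ACL_TABLE: Dict[int, List[Rule]] = {
    # (source, group) ACL referenced by register-policy on the RP.
    3000: [
        rule("permit", "10.1.1.0/24", "225.1.0.0/16"),
        rule("deny", "10.1.1.0/24", "224.0.0.0/4"),
    ],
    # Source-only ACL referenced by bsr-policy: the only legal BSR addresses.
    2000: [
        rule("permit", "1.1.1.1/32"),
        rule("permit", "1.1.1.2/32"),
    ],
}


def rp_register_decision(acl_table: Dict[int, List[Rule]],
                         register_policy: Optional[int],
                         source: str, group: str) -> str:
    """RP handling of a Register from the DR: 'accept' or 'register-stop'."""
    if register_policy is None:
        return "accept"                  # assumption: no policy, no filtering
    acl = acl_table.get(register_policy)
    if acl is None:
        return "register-stop"           # undefined ACL: deny all registers
    action = acl_lookup(acl, ip_address(source), ip_address(group))
    # Only an explicit permit is accepted; deny and no-match both stop it.
    return "accept" if action == "permit" else "register-stop"


def bsr_message_accepted(acl_table: Dict[int, List[Rule]],
                         bsr_policy: int, originator: str) -> bool:
    """Whether a Bootstrap message from 'originator' passes bsr-policy."""
    acl = acl_table.get(bsr_policy)
    if acl is None:
        return False                     # assumption: undefined ACL drops all
    return acl_lookup(acl, ip_address(originator)) == "permit"


def filter_bootstrap_messages(acl_table: Dict[int, List[Rule]], bsr_policy: int,
                              originators: List[str]) -> List[str]:
    """Return the originators whose BSR messages a router would accept/forward."""
    return [o for o in originators if bsr_message_accepted(acl_table, bsr_policy, o)]


if __name__ == "__main__":
    for src, grp in [("10.1.1.5", "225.1.2.3"), ("10.1.1.5", "226.0.0.1"),
                     ("10.2.0.1", "225.1.2.3")]:
        print(src, grp, "->", rp_register_decision(ACL_TABLE, 3000, src, grp))
    print("undefined ACL ->", rp_register_decision(ACL_TABLE, 3999, "10.1.1.5", "225.1.2.3"))
    print("accepted BSRs:", filter_bootstrap_messages(
        ACL_TABLE, 2000, ["1.1.1.1", "1.1.1.2", "192.0.2.9"]))
```

The second rule in ACL 3000 is there to show that an explicit deny and the absence of any matching rule produce the same result at the RP; a practitioner checking a register-policy should therefore confirm that every legitimate (source, group) pair hits a permit clause rather than relying on a default.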