3Com 5500-SI Switch User Manual

PIM-SM Overview 345
Perform the following configuration in PIM view (see Table 357).

If a (source, group) entry is denied by the ACL, if the ACL defines no operation for it, or if the referenced ACL is not defined, the RP sends Register-Stop messages to the DR to stop the register process for that multicast data stream. Only register messages matching an ACL permit clause are accepted by the RP. Specifying an undefined ACL causes the RP to deny all register messages.
Limiting the Range of Legal BSR

In a PIM-SM network using the BSR (bootstrap router) mechanism, every router can set itself as a C-BSR (candidate BSR) and, if it wins the election, take the authority to advertise RP information in the network. To prevent malicious BSR spoofing in the network, the following two measures need to be taken:

Prevent the router from being spoofed by hosts that forge legal BSR messages in order to modify the RP mapping. BSR messages are multicast with a TTL of 1, so this type of attack usually hits edge routers. Because BSRs are inside the network while the attacking hosts are outside, neighbor and RPF checks can be used to stop this type of attack.

If a router in the network is compromised by an attacker, or an illegal router is connected to the network, the attacker may set itself as a C-BSR, try to win the election, and gain the authority to advertise RP information in the network. Since a router configured as C-BSR propagates BSR messages as hop-by-hop multicast with TTL 1, the network is not affected as long as the neighboring routers do not accept those BSR messages. One way is to configure bsr-policy on each router to limit the range of legal BSRs: for example, if only 1.1.1.1/32 and 1.1.1.2/32 may act as BSR, routers will neither accept nor forward BSR messages from any other address, and even otherwise legal C-BSRs outside this range cannot contest the election.
Perform the following configuration in PIM view (see Table 358).

For detailed information on bsr-policy, refer to the command manual.
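To make the two filtering rules concrete, the following Python model (added here; it is neither 3Com firmware code nor the switch CLI) evaluates constructed Register and Bootstrap messages against an ACL table in the way the text describes for register-policy and bsr-policy: only an explicit permit match is accepted, a deny match or an entry the ACL does not cover is refused, and a policy that references an undefined ACL refuses everything. The ACL numbers, the addresses other than the 1.1.1.1/32 and 1.1.1.2/32 range from the text, and the behaviour when no policy is configured at all are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One ACL rule. `group` is None for a basic (source-only) rule, which is
    how the bsr-policy ACL is evaluated in this model."""
    action: str                          # "permit" or "deny"
    source: IPv4Network                  # multicast source / BSR address range
    group: Optional[IPv4Network] = None  # multicast group range, None = any group


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def match(self, source: IPv4Address, group: Optional[IPv4Address] = None) -> Optional[str]:
        """First-match lookup: 'permit', 'deny', or None when no rule covers the entry."""
        for r in self.rules:
            src_ok = source in r.source
            grp_ok = r.group is None or (group is not None and group in r.group)
            if src_ok and grp_ok:
                return r.action
        return None


@dataclass
class PimView:
    """Constructed stand-in for the router's PIM view: the ACL table plus the two
    policy settings from Tables 357 and 358 (None = `undo`, i.e. not configured)."""
    acls: Dict[int, Acl]
    register_policy: Optional[int] = None
    bsr_policy: Optional[int] = None

    def rp_on_register(self, source: str, group: str) -> str:
        """RP decision for a Register carrying (source, group): 'accept' or 'register-stop'."""
        if self.register_policy is None:
            return "accept"            # assumption: no register-policy means no filtering
        acl = self.acls.get(self.register_policy)
        if acl is None:
            return "register-stop"     # undefined ACL: RP denies all registers (as in the text)
        verdict = acl.match(IPv4Address(source), IPv4Address(group))
        # Only an explicit permit is accepted; deny or no matching rule -> Register-Stop.
        return "accept" if verdict == "permit" else "register-stop"

    def router_on_bsr(self, bsr_address: str) -> str:
        """Router decision for a received Bootstrap message: 'accept' or 'drop'."""
        if self.bsr_policy is None:
            return "accept"            # assumption: no bsr-policy means any BSR is accepted
        acl = self.acls.get(self.bsr_policy)
        if acl is None:
            return "drop"              # assumption: undefined ACL handled like register-policy
        return "accept" if acl.match(IPv4Address(bsr_address)) == "permit" else "drop"


def build_example_view() -> PimView:
    """Constructed configuration: ACL 3001 for register-policy, ACL 2001 for bsr-policy
    (the 1.1.1.1/32 and 1.1.1.2/32 range from the text). All numbers are illustrative."""
    acls = {
        3001: Acl(3001, [
            Rule("permit", IPv4Network("10.1.1.0/24"), IPv4Network("239.1.1.0/24")),
            Rule("deny", IPv4Network("10.1.2.0/24"), IPv4Network("239.0.0.0/8")),
        ]),
        2001: Acl(2001, [
            Rule("permit", IPv4Network("1.1.1.1/32")),
            Rule("permit", IPv4Network("1.1.1.2/32")),
        ]),
    }
    return PimView(acls=acls, register_policy=3001, bsr_policy=2001)


def walk_through() -> Dict[str, str]:
    """Evaluate constructed Register and Bootstrap messages against the example view."""
    view = build_example_view()
    results = {
        "register 10.1.1.5 -> 239.1.1.1": view.rp_on_register("10.1.1.5", "239.1.1.1"),
        "register 10.1.2.5 -> 239.2.2.2": view.rp_on_register("10.1.2.5", "239.2.2.2"),
        "register 10.9.9.9 -> 239.1.1.1": view.rp_on_register("10.9.9.9", "239.1.1.1"),
        "bsr from 1.1.1.1": view.router_on_bsr("1.1.1.1"),
        "bsr from 1.1.1.3": view.router_on_bsr("1.1.1.3"),
    }
    # Misconfiguration case: register-policy pointing at an ACL that does not exist.
    view.register_policy = 3999
    results["register 10.1.1.5 -> 239.1.1.1 (ACL 3999 undefined)"] = (
        view.rp_on_register("10.1.1.5", "239.1.1.1")
    )
    return results


if __name__ == "__main__":
    for case, verdict in walk_through().items():
        print(f"{case:55} {verdict}")
```

The third Register case (source 10.9.9.9, covered by no rule of ACL 3001) is the one operators most often get wrong: an ACL with only permit rules is still default-deny for everything it does not name, so a new multicast source that was not added to the ACL will be met with Register-Stop until the ACL is updated.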
Limiting the Range of Legal C-RP

In a PIM-SM network using the BSR mechanism, every router can set itself as a C-RP (candidate rendezvous point) serving particular groups. If elected, a C-RP becomes the RP serving those groups.
Table 357 Configuring RP to filter the register messages sent by DR

Operation                                                  Command
Configure RP to filter the register messages sent by DR    register-policy acl_number
Cancel the configured filter of messages                   undo register-policy

Table 358 Limiting the range of legal BSR

Operation                                                  Command
Set the legal BSR range limit                              bsr-policy acl_number
Restore to the default setting                             undo bsr-policy