Configuring an IPv6 multicast user control policy – H3C Technologies H3C S10500 Series Switches User Manual


| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter VLAN view | vlan vlan-id | |
| Configure 802.1p precedence for MLD messages | mld-snooping dot1p-priority priority-number | Required. The default 802.1p precedence for MLD messages is 0. |

Configuring an IPv6 multicast user control policy

IPv6 multicast user control policies are configured on access switches to allow only authorized users to receive requested IPv6 multicast flows. This helps restrict users from ordering certain multicast-on-demand programs.

In practice, a device first needs to perform authentication (802.1X authentication for example) on connected hosts through a RADIUS server. Then, the device uses the configured multicast user control policy to perform multicast access control on authenticated users as follows:

- After receiving an MLD report from a host, the access switch matches the IPv6 multicast group address and multicast source address carried in the report with the configured policies. If a match is found, the user is allowed to join the multicast group. Otherwise, the join report is dropped by the access switch.
- After receiving a done message from a host, the access switch matches the IPv6 multicast group and source addresses against the policies. If a match is found, the host is allowed to leave the group. Otherwise, the done message is dropped by the access switch.

Follow these steps to configure a multicast user control policy:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a user profile and enter its view | user-profile profile-name | |
| Configure a multicast user control policy | mld-snooping access-policy acl6-number | Required. No policy is configured by default. That is, a host can join or leave a valid multicast group at any time. |
| Return to system view | quit | |
| Enable the created user profile | user-profile profile-name enable | Required. Not enabled by default. |

NOTE:

- For more information about the user-profile and user-profile enable commands, see Security Command Reference.
- An IPv6 multicast user control policy is functionally similar to an IPv6 multicast group filter. The difference is that a control policy controls both joining and leaving of multicast groups by users, based on authentication and authorization, whereas a multicast group filter is configured on a port and controls only joining, not leaving, without authentication or authorization.
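The report and done handling described above, and the contrast with a group filter, modelled in Python as an added example (not H3C code and not part of the manual). The Rule/permit model is a simplified stand-in for the ACL referenced by mld-snooping access-policy, not Comware's actual ACL matching, and all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Permit entry: group prefix plus source prefix (simplified stand-in for an ACL6 rule)."""
    group: ipaddress.IPv6Network
    source: ipaddress.IPv6Network

def permit(group, source="::/0"):
    return Rule(ipaddress.IPv6Network(group), ipaddress.IPv6Network(source))

def matches(rules, group, source):
    """True if the group and source addresses carried in an MLD message hit any permit entry."""
    g, s = ipaddress.IPv6Address(group), ipaddress.IPv6Address(source)
    if not g.is_multicast:          # a non-multicast "group" can never match
        return False
    return any(g in r.group and s in r.source for r in rules)

def user_control_policy(rules, msg_type, group, source):
    """Policy from the authenticated user's profile: filters reports AND done messages."""
    if msg_type not in ("report", "done"):
        raise ValueError(f"unsupported MLD message type: {msg_type}")
    return "forward" if matches(rules, group, source) else "drop"

def group_filter(rules, msg_type, group, source):
    """Port-level group filter: filters reports only; done messages are not checked."""
    if msg_type == "done":
        return "forward"
    return user_control_policy(rules, msg_type, group, source)

# Constructed sample data: one permitted channel and four MLD messages from one host.
RULES = [permit("ff1e::101/128", "2001:db8::/64")]
MESSAGES = [
    ("report", "ff1e::101", "2001:db8::1"),   # permitted group and source
    ("report", "ff1e::202", "2001:db8::1"),   # group not in policy
    ("done",   "ff1e::101", "2001:db8::1"),   # leave for a permitted group
    ("done",   "ff1e::202", "2001:db8::1"),   # leave for a group not in policy
]

def run(decider):
    return [decider(RULES, *m) for m in MESSAGES]

if __name__ == "__main__":
    for m, a, b in zip(MESSAGES, run(user_control_policy), run(group_filter)):
        print(f"{m[0]:6} {m[1]:10} control-policy={a:7} group-filter={b}")
```

The last message is the one that differs: the control policy drops a done message for a group outside the policy, while the group filter lets it through.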
