Configuring a multicast data filter, Configuring a hello message filter – H3C Technologies H3C SecPath F1000-E User Manual
Page 126
30
•
Maximum size of join/prune messages
•
Maximum number of (S, G) entries in a join/prune message
Configuring a Multicast Data Filter
No matter in a PIM-DM domain or a PIM-SM domain, routers can check passing-by multicast data based
on the configured filtering rules and determine whether to continue forwarding the multicast data. In
other words, PIM routers can act as multicast data filters. These filters can help implement traffic control
on one hand, and control the information available to receivers downstream to enhance data security on
the other hand.
Follow these steps to configure a multicast data filter:
To do...
Use the command...
Remarks
Enter system view
system-view
—
Enter public network PIM view
pim
—
Configure a multicast group filter
source-policy acl-number
Required
No multicast data filter by default
NOTE:
•
Generally, a smaller distance from the filter to the multicast source results in a more remarkable
filtering effect.
•
This filter works not only on independent multicast data but also on multicast data encapsulated
in register messages.
Configuring a Hello Message Filter
Along with the wide applications of PIM, the security requirement for the protocol is becoming more and
more demanding. The establishment of correct PIM neighboring relationships is the prerequisite for
secure application of PIM. You can configure a legal source address range for hello messages on
interfaces of routers to ensure the correct PIM neighboring relationships, and thus to guard against PIM
message attacks.
Follow these steps to configure a hello message filter:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enter interface view
interface interface-type
interface-number
—
Configure a hello message filter
pim neighbor-policy
acl-number
Required
No hello message filter by default.
NOTE:
With the hello message filter configured, if hello messages of an existing PIM neighbor fail to pass
the filter, the PIM neighbor will be removed automatically when it times out.