Configuring a bsr, Configuring a c-bsr, Displaying and maintaining mld snooping – H3C Technologies H3C S12500-X Series Switches User Manual

162

Configuring a BSR

You must configure a BSR if C-RPs are configured to dynamically select the RP. In a network with a static

RP, this configuration task is unnecessary.
An IPv6 PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be
configured as a C-BSR. Elected from C-BSRs, the BSR is responsible for collecting and advertising RP

information in the IPv6 PIM-SM domain.

Configuring a C-BSR

C-BSRs should be configured on routers on the backbone network. The BSR election process is

summarized as follows:

1.

Initially, each C-BSR regards itself as the BSR of the IPv6 PIM-SM domain and sends BSMs to other

routers in the domain.

2.

When a C-BSR receives the BSM from another C-BSR, it compares its own priority with the priority
carried in the message. The C-BSR with a higher priority wins the BSR election. If a tie exists in the

priority, the C-BSR with a higher IPv6 address wins. The loser uses the winner's BSR address to

replace its own BSR address and no longer regards itself as the BSR, and the winner retains its own

BSR address and continues to regard itself as the BSR.

In an IPv6 PIM-SM domain, the BSR collects C-RP information from the received advertisement messages

from the C-RPs, encapsulates the C-RP information in the RP-set information, and distributes the RP-set

information to all routers in the IPv6 PIM-SM domain. All routers use the same hash algorithm to get an

RP for a specific IPv6 multicast group.
Configuring a legal BSR address range enables filtering of BSMs based on the address range, thereby
preventing a maliciously configured host from masquerading as a BSR. The same configuration must be

made on all routers in the IPv6 PIM-SM domain. The following describes the typical BSR spoofing cases

and the corresponding preventive measures:

•

Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such
attacks often occur on border routers. Because a BSR is inside the network whereas hosts are
outside the network, you can protect a BSR against attacks from external hosts by enabling the

border routers to perform neighbor checks and RPF checks on BSMs and to discard unwanted

messages.

•

When an attacker controls a router in the network or when an illegal router is present in the network,
the attacker can configure the router as a C-BSR and make it win the BSR election to advertise RP

information in the network. After a router is configured as a C-BSR, it automatically floods the
network with BSMs. Because a BSM has a hop limit value of 1, the whole network will not be

affected as long as the neighbor router discards these BSMs. Therefore, with a legal BSR address

range configured on all routers in the network, all these routers can discard BSMs from out of the

legal address range.

These preventive measures can partially protect the BSR in a network. However, if an attacker controls a

legal BSR, the problem still exists.
When you configure a C-BSR, reserve a relatively large bandwidth between the C-BSR and the other

devices in the IPv6 PIM-SM domain.
To configure a C-BSR:

Step Command

Remarks

1.

Enter system view.

system-view

N/A