Configuring an IPv6 multicast data filter, Configuring a hello message filter – H3C Technologies H3C SecPath F1000-E User Manual
• Determine the maximum size of join/prune messages.
• Determine the maximum number of (S, G) entries in a join/prune message.
Configuring an IPv6 multicast data filter
In both IPv6 PIM-DM and IPv6 PIM-SM domains, routers can check passing IPv6 multicast data
against the configured filtering rules and determine whether to continue forwarding it.
In other words, IPv6 PIM routers can act as IPv6 multicast data filters. These filters
help implement traffic control, and they also control the information available to
downstream receivers, which enhances data security.
To configure an IPv6 multicast data filter:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enter IPv6 PIM view. | pim ipv6 | N/A |
| 3. Configure an IPv6 multicast group filter. | source-policy acl6-number | No IPv6 multicast data filter by default |
NOTE:
• Generally, the closer the filter is to the IPv6 multicast source, the more effective the filtering.
• This filter applies not only to independent IPv6 multicast data but also to IPv6 multicast data encapsulated in register messages.
Configuring a hello message filter
As IPv6 PIM is deployed more widely, the security requirements for the protocol become
increasingly demanding. Establishing correct IPv6 PIM neighbor relationships is a
prerequisite for the secure use of IPv6 PIM. To guard against IPv6 PIM message attacks, you can
configure a legal source address range for hello messages on router interfaces to ensure correct
IPv6 PIM neighbor relationships.
To configure a hello message filter:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure a hello message filter. | pim ipv6 neighbor-policy acl6-number | No hello message filter by default |
NOTE:
With the hello message filter configured, if hello messages of an existing IPv6 PIM neighbor fail to pass the
filter, the IPv6 PIM neighbor will be removed automatically when it times out.
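The timing behavior in the note above, modeled as an added example (not H3C code or device output): after the filter is applied, a neighbor that no longer passes it stays in the neighbor table until its last accepted hello ages out. The `HelloFilter` class, the link-local sample addresses and the 105-second holdtime are assumptions made for illustration.

```python
import ipaddress

class HelloFilter:
    """Model of one interface's IPv6 PIM neighbor table (hypothetical helper)."""

    def __init__(self, permitted=None):
        self.permitted = None          # None models the default: no hello filter
        self.neighbors = {}            # neighbor address -> expiry time (seconds)
        if permitted is not None:
            self.set_policy(permitted)

    def set_policy(self, permitted):
        # Applying the filter does not flush neighbors that already exist.
        self.permitted = [ipaddress.ip_network(p) for p in permitted]

    def passes(self, src):
        if self.permitted is None:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.permitted)

    def receive_hello(self, src, now, holdtime=105):
        # holdtime=105 is an assumed value, not taken from the manual page.
        if not self.passes(src):
            return False               # dropped: the neighbor timer is not refreshed
        self.neighbors[ipaddress.ip_address(src)] = now + holdtime
        return True

    def active(self, now):
        # Age out neighbors whose holdtime has expired, return the rest.
        self.neighbors = {a: t for a, t in self.neighbors.items() if t > now}
        return sorted(str(a) for a in self.neighbors)

def demo():
    intf = HelloFilter()                         # no filter configured yet
    for src in ("fe80::1", "fe80::bad"):         # constructed sample neighbors
        intf.receive_hello(src, now=0)
    intf.set_policy(["fe80::1/128"])             # filter applied at t=10
    snapshots = [intf.active(now=10)]
    for t in (30, 60, 90):                       # both neighbors keep sending hellos
        intf.receive_hello("fe80::1", now=t)
        intf.receive_hello("fe80::bad", now=t)
    snapshots.append(intf.active(now=104))       # old holdtime not yet expired
    snapshots.append(intf.active(now=106))       # filtered neighbor has timed out
    return snapshots

if __name__ == "__main__":
    for snap in demo():
        print(snap)
```

In this model the filtered neighbor remains listed for the rest of its holdtime, so the neighbor table should be rechecked after that interval rather than immediately after the filter is applied.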