NE40E V800R010C10SPC500 Configuration Guide - IP Multicast 01

Example for Configuring IPv6 PIM-SM Security

This section provides an example for configuring filtering policies, including setting a valid source address range and a valid Candidate-Rendezvous Point (C-RP) address range, to prevent malicious packet attacks on an IPv6 PIM-SM network.

Networking Requirements

To improve the security of the network shown in Figure 11-5, configure filtering policies on the routers.

Figure 11-5 Configuring IPv6 PIM-SM security
NOTE: Interfaces 1 through 4 in this example are GE 1/0/0, GE 2/0/0, GE 3/0/0, and GE 1/0/1, respectively.


Precautions

When configuring IPv6 PIM security, note the following precautions:

  • IPv6 PIM-SM must be enabled before Multicast Listener Discovery (MLD) is enabled.

  • The multicast group range that each C-RP serves and the valid C-RP address range can be set only on Candidate-BootStrap Routers (C-BSRs).

  • Source address-based and BSR address-based filtering policies need to be configured on all routers.

  • Policies for filtering Register messages need to be configured on all C-RPs.

  • Policies for filtering Join/Prune messages are generally configured on the last-hop router.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IPv6 address for each router interface and an IPv6 unicast routing protocol.

  2. Enable IPv6 multicast routing on all routers.

  3. Enable IPv6 PIM-SM on all router interfaces.

  4. Enable MLD on interfaces that directly connect routers to hosts.

  5. Configure C-BSRs and C-RPs to elect an RP.

  6. Set the range of multicast groups that each C-RP serves on the C-BSR.

  7. Create a policy for filtering Register messages on the C-RP to prevent attacks by Register messages that carry invalid multicast source information.

  8. Create source address-based filtering policies on all routers to deny all multicast packets from attack sources.

  9. Create BSR address-based filtering policies on all routers to prevent BSR spoofing.

Data Preparation

To complete the configuration, you need the following data:

  • Multicast group address

  • Multicast source address

  • ACL rules for defining filtering policies

Procedure

  1. Configure an IPv6 address for each router interface and an IPv6 unicast routing protocol. For configuration details, see Configuration Files in this section.
  2. Enable IPv6 multicast routing on all routers and IPv6 PIM-SM on each router interface.

    # Configure Device A.

    [~DeviceA] multicast ipv6 routing-enable
    [*DeviceA] interface gigabitethernet 1/0/0
    [*DeviceA-GigabitEthernet1/0/0] pim ipv6 sm
    [*DeviceA-GigabitEthernet1/0/0] quit
    [*DeviceA] interface GigabitEthernet 2/0/0
    [*DeviceA-GigabitEthernet2/0/0] pim ipv6 sm
    [*DeviceA-GigabitEthernet2/0/0] quit
    [*DeviceA] interface GigabitEthernet 3/0/0
    [*DeviceA-GigabitEthernet3/0/0] pim ipv6 sm
    [*DeviceA-GigabitEthernet3/0/0] commit
    [~DeviceA-GigabitEthernet3/0/0] quit

    The configurations of Device B, Device C, and Device D are similar to the configuration of Device A. For configuration details, see Configuration Files in this section.

  3. Enable MLD on the interfaces connected to hosts.

    # Configure Device B.

    [~DeviceB] interface gigabitethernet 2/0/0
    [~DeviceB-GigabitEthernet2/0/0] mld enable
    [*DeviceB-GigabitEthernet2/0/0] commit
    [~DeviceB-GigabitEthernet2/0/0] quit

    The configuration of Device C is similar to the configuration of Device B. For configuration details, see Configuration Files in this section.

  4. Configure C-BSRs and C-RPs.

    # Configure the locations of C-BSRs and C-RPs on Device D.

    [~DeviceD] pim-ipv6
    [*DeviceD-pim6] c-rp 2001:db8:3::2
    [*DeviceD-pim6] c-bsr 2001:db8:3::2
    [*DeviceD-pim6] commit
    [~DeviceD-pim6] quit

  5. Configure the range of multicast groups that each C-RP serves and the range of valid C-RP addresses on the C-BSRs.

    # On Device D, configure the range of multicast groups served by each C-RP to ff00::/8 and the range of valid C-RP addresses to 2001:db8:3::2/128.

    [~DeviceD] acl ipv6 number 3000
    [*DeviceD-acl6-advance-3000] rule permit ipv6 source 2001:db8:3::2 128 destination ff00:: 8
    [*DeviceD-acl6-advance-3000] quit
    [*DeviceD] pim-ipv6
    [*DeviceD-pim6] crp-policy 3000
    [*DeviceD-pim6] commit
    [~DeviceD-pim6] quit

  6. Configure a policy for filtering Register messages on all the C-RPs.

    # On Device D, configure a policy for filtering Register messages, allowing an RP to receive only Register messages sent by multicast sources in the range of 2001:db8:5::5/64 to multicast groups in the range of ff0e::1/64.

    [~DeviceD] acl ipv6 number 3001
    [*DeviceD-acl6-advance-3001] rule permit ipv6 source 2001:db8:5::5 64 destination ff0e::1 64
    [*DeviceD-acl6-advance-3001] quit
    [*DeviceD] pim-ipv6
    [*DeviceD-pim6] register-policy 3001
    [*DeviceD-pim6] commit
    [~DeviceD-pim6] quit

  7. Configure source address-based and BSR address-based filtering policies on all the routers.

    # Configure Device A.

    [~DeviceA] acl ipv6 number 2000
    [*DeviceA-acl6-basic-2000] rule permit source 2001:db8:5::5 64
    [*DeviceA-acl6-basic-2000] quit
    [*DeviceA] acl ipv6 number 2001
    [*DeviceA-acl6-basic-2001] rule permit source 2001:db8:3::2 64
    [*DeviceA-acl6-basic-2001] quit
    [*DeviceA] pim-ipv6
    [*DeviceA-pim6] source-policy 2000
    [*DeviceA-pim6] bsr-policy 2001
    [*DeviceA-pim6] commit
    [~DeviceA-pim6] quit

    The configurations of Device B, Device C, and Device D are similar to the configuration of Device A. For configuration details, see Configuration Files in this section.

  8. Verify the configuration.

    # Run the display pim ipv6 bsr-info command to check BSR information on each router. You can see that the BSR address-based filtering policy takes effect. The following example uses the command output on Device B and Device D.

    <DeviceB> display pim ipv6 bsr-info
    VPN-Instance: public net
     Elected AdminScope BSR Count: 0
     Elected BSR Address: 2001:db8:3::2
         Priority: 0
         Hash mask length: 126
         State: Accept Preferred
         Uptime: 00:04:22
         Expires: 00:01:46
         C-RP Count: 1
    <DeviceD> display pim ipv6 bsr-info
    VPN-Instance: public net
     Elected AdminScope BSR Count: 0
     Elected BSR Address: 2001:db8:3::2
         Priority: 0
         Hash mask length: 126
         State: Elected
         Uptime: 00:01:10
         Next BSR message scheduled at: 00:00:48
         C-RP Count: 1
     Candidate AdminScope BSR Count: 0
     Candidate BSR Address: 2001:db8:3::2
         Priority: 0
         Hash mask length: 126
         State: Elected
         Wait to be BSR: 0

    # Run the display pim ipv6 rp-info command to check RP information on each router. The following example uses the command output on Device B.

    <DeviceB> display pim ipv6 rp-info
    VPN-Instance: public net
     PIM-SM BSR RP information:
     Group/MaskLen: FF3E::1/64
         RP: 2001:db8:3::2
         Priority: 192
         Uptime: 00:05:19
         Expires: 00:02:11

    # Have the multicast source S (2001:db8:5::5) send multicast packets to multicast group FF15::1. The hosts can receive multicast data sent by the valid multicast source. Then, run the display pim ipv6 routing-table command to check the IPv6 PIM routing table on each router.

    <DeviceA> display pim ipv6 routing-table
    VPN-Instance: public net
     Total 0 (*, G) entry; 2 (S, G) entries
     (2001:db8:5::5, FF15::1)
         RP: 2001:db8:3::2
         Protocol: pim-sm, Flag: SPT LOC ACT
         UpTime: 00:02:15
         Upstream interface: GigabitEthernet1/0/0
             Upstream neighbor: NULL
             RPF prime neighbor: NULL
         Downstream interface(s) information:
         Total number of downstreams: 3
             1: Register
                 Protocol: pim-sm, UpTime: 00:02:15, Expires:  -
             2: GigabitEthernet2/0/0
                 Protocol: pim-sm, UpTime: 00:02:15, Expires: 00:03:15
             3: GigabitEthernet3/0/0
                 Protocol: pim-sm, UpTime: 00:02:15, Expires: 00:03:15
    <DeviceB> display pim ipv6 routing-table
    VPN-Instance: public net
     Total 1 (*, G) entry; 2 (S, G) entries
     (*, FF15::1)
         RP: 2001:db8:3::2
         Protocol: pim-sm, Flag: WC
         UpTime: 00:14:44
         Upstream interface: GigabitEthernet3/0/0
             Upstream neighbor: FE80::9D62:0:FDC5:2
             RPF prime neighbor: FE80::9D62:0:FDC5:2
         Downstream interface(s) information:
         Total number of downstreams: 1
             1: GigabitEthernet2/0/0
                 Protocol: mld, UpTime: 00:14:44, Expires: -
    (2001:db8:5::5, FF15::1)
         RP: 2001:db8:3::2
         Protocol: pim-sm, Flag: SPT ACT
         UpTime: 00:02:42
         Upstream interface: GigabitEthernet1/0/0
             Upstream neighbor: FE80::A01:10C:1
             RPF prime neighbor: FE80::A01:10C:1
         Downstream interface(s) information:
         Total number of downstreams: 1
             1: GigabitEthernet2/0/0
                 Protocol: pim-sm, UpTime: 00:14:44, Expires: -
    <DeviceC> display pim ipv6 routing-table
    VPN-Instance: public net
     Total 1 (*, G) entry; 1 (S, G) entry
     (*, FF15::1)
         RP: 2001:db8:3::2
         Protocol: pim-sm, Flag: WC
         UpTime: 00:14:44
         Upstream interface: GigabitEthernet1/0/0
             Upstream neighbor: FE80::7493:FE25:1
             RPF prime neighbor: FE80::7493:FE25:1
         Downstream interface(s) information:
         Total number of downstreams: 1
             1: GigabitEthernet2/0/0
                 Protocol: mld, UpTime: 00:14:43, Expires: -
    (2001:db8:5::5, FF15::1)
         RP: 2001:db8:3::2
         Protocol: pim-sm, Flag: WC
         UpTime: 00:02:42
         Upstream interface: GigabitEthernet1/0/0
             Upstream neighbor: FE80::7493:FE25:1
             RPF prime neighbor: FE80::7493:FE25:1
         Downstream interface(s) information:
         Total number of downstreams: 1
             1: GigabitEthernet2/0/0
                 Protocol: mld, UpTime: 00:02:14, Expires: -
    <DeviceD> display pim ipv6 routing-table
    VPN-Instance: public net
     Total 1 (*, G) entry; 1 (S, G) entry
     (*, FF15::1)
         RP: 2001:db8:3::2 (local)
         Protocol: pim-sm, Flag: WC
         UpTime: 00:16:56
         Upstream interface: Register
             Upstream neighbor: NULL
             RPF prime neighbor: NULL
         Downstream interface(s) information:
         Total number of downstreams: 2
             1: GigabitEthernet2/0/0
                 Protocol: pim-sm, UpTime: 00:16:56, Expires: 00:02:34
             2: GigabitEthernet3/0/0
                 Protocol: pim-sm, UpTime: 00:07:56, Expires: 00:02:35
     (2001:db8:5::5, FF15::1)
         RP: 2001:db8:3::2 (local)
         Protocol: pim-sm, Flag: SWT ACT
         UpTime: 00:02:54
         Upstream interface: GigabitEthernet1/0/0
             Upstream neighbor: FE81::659:10C:3
             RPF prime neighbor: FE81::659:10C:3
         Downstream interface(s) information:
         Total number of downstreams: 1
             1: GigabitEthernet3/0/0
                 Protocol: pim-sm, UpTime: 00:02:54, Expires: 00:02:36

Configuration Files

  • Device A configuration file

    #
    sysname DeviceA
    #
    multicast ipv6 routing-enable
    #
    acl ipv6 number 2000
     rule 5 permit source 2001:db8:5::5 64
    #
    acl ipv6 number 2001
     rule 5 permit source 2001:db8:3::2 64
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:5::1/64
     pim ipv6 sm
     ospfv3 1 area 0.0.0.0
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:1::1/64
     pim ipv6 sm
     ospfv3 1 area 0.0.0.0
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:2::1/64
     pim ipv6 sm
     ospfv3 1 area 0.0.0.0
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:6::1/64
     pim ipv6 bsr-boundary 
     pim ipv6 sm
     ospfv3 1 area 0.0.0.0
    #
    ospfv3 1
     router-id 1.1.1.1
     area 0.0.0.0
    #
    pim-ipv6
     bsr-policy 2001
     source-policy 2000
    #
    return
  • Device B configuration file

    #
    sysname DeviceB
    #
    multicast ipv6 routing-enable
    #
    acl ipv6 number 2000
     rule 5 permit source 2001:db8:5::5 64
    #
    acl ipv6 number 2001
     rule 5 permit source 2001:db8:3::2 64
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:1::2/64
     pim ipv6 sm
     ospfv3 1 area 0.0.0.0
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:7::1/64
     pim ipv6 sm
     mld enable
     ospfv3 1 area 0.0.0.0
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:3::1/64
     pim ipv6 sm
     ospfv3 1 area 0.0.0.0
    #
    ospfv3 1
     router-id 2.2.2.2
     area 0.0.0.0
    #
    pim-ipv6
     bsr-policy 2001
     source-policy 2000
    #
    return
  • Device C configuration file

    #
    sysname DeviceC
    #
    multicast ipv6 routing-enable
    #
    acl ipv6 number 2000
     rule 5 permit source 2001:db8:5::5 64
    #
    acl ipv6 number 2001
     rule 5 permit source 2001:db8:3::2 64
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:4::2/64
     pim ipv6 sm
     ospfv3 1 area 0.0.0.0
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:8::1/64
     pim ipv6 sm
     mld enable
     ospfv3 1 area 0.0.0.0
    #
    ospfv3 1
     router-id 3.3.3.3
     area 0.0.0.0
    #
    pim-ipv6
     bsr-policy 2001
     source-policy 2000
    #
    return
  • Device D configuration file

    #
    sysname DeviceD
    #
    ipv6
    #
    multicast ipv6 routing-enable
    #
    acl ipv6 number 2000
     rule 5 permit source 2001:db8:5::5 64
    #
    acl ipv6 number 2001
     rule 5 permit source 2001:db8:3::2 64
    #
    acl ipv6 number 3000
     rule 5 permit ipv6 source 2001:db8:3::2 128 destination ff00:: 8
    #
    acl ipv6 number 3001
     rule 5 permit ipv6 source 2001:db8:5::5 64 destination ff0e::1 64
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:2::2/64
     ospfv3 1 area 0.0.0.0
     pim ipv6 sm
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:3::2/64
     ospfv3 1 area 0.0.0.0
     pim ipv6 sm
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:4::1/64
     ospfv3 1 area 0.0.0.0
     pim ipv6 sm
    #
    ospfv3 1
     router-id 4.4.4.4
     area 0.0.0.0
    #
    pim-ipv6
     bsr-policy 2001
     register-policy 3001
     source-policy 2000
     c-bsr 2001:db8:3::2
     crp-policy 3000
     c-rp 2001:db8:3::2
    #
    return
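The following checker is added here and is not part of the Huawei guide: it parses the ACL and pim-ipv6 lines of Device D's configuration file above and evaluates whether a given Register message (source S, group G) or Bootstrap message (BSR address) would be accepted by the register-policy or bsr-policy ACL. The `parse`, `permits` and `policy_allows` functions and the rule regex are assumptions of this example; the sample text is copied from the Configuration Files section.

```python
import ipaddress
import re

# Sample input: the ACL and pim-ipv6 lines of Device D's configuration file from this page.
DEVICE_D = """\
acl ipv6 number 2001
 rule 5 permit source 2001:db8:3::2 64
acl ipv6 number 3001
 rule 5 permit ipv6 source 2001:db8:5::5 64 destination ff0e::1 64
pim-ipv6
 bsr-policy 2001
 register-policy 3001
 c-rp 2001:db8:3::2
"""

# One ACL6 rule: optional id, optional "ipv6" keyword (advanced ACLs), source prefix,
# optional destination prefix; prefix lengths are space-separated as in the VRP syntax.
RULE = re.compile(r"rule(?: \d+)? (permit|deny)(?: ipv6)? source (\S+) (\d+)"
                  r"(?: destination (\S+) (\d+))?")

def parse(text):
    """Return (acls, pim): ACL number -> [(action, src_net, dst_net|None)]; pim keyword -> arg."""
    acls, pim, cur = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"acl ipv6 number (\d+)", line):
            cur = acls.setdefault(int(m.group(1)), [])
        elif line.startswith("pim-ipv6"):
            cur = pim
        elif isinstance(cur, list) and (m := RULE.search(line)):
            act, src, sl, dst, dl = m.groups()
            nets = [ipaddress.IPv6Network(f"{a}/{l}", strict=False) if a else None
                    for a, l in ((src, sl), (dst, dl))]
            cur.append((act, *nets))
        elif isinstance(cur, dict) and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            cur[key] = val
    return acls, pim

def permits(acls, number, src, dst=None):
    """First-match lookup; a packet matching no rule is dropped by these PIM policies."""
    for act, src_net, dst_net in acls.get(number, []):
        if ipaddress.IPv6Address(src) in src_net and (
                dst_net is None or (dst and ipaddress.IPv6Address(dst) in dst_net)):
            return act == "permit"
    return False

def policy_allows(text, policy, src, dst=None):
    # policy is "bsr-policy" (src = BSR address) or "register-policy" (src, dst = S, G)
    acls, pim = parse(text)
    return permits(acls, int(pim[policy]), src, dst)
```

As written, ACL 3001 permits only groups inside ff0e::/64, so a Register for FF15::1, the group used in the verification step, matches no permit rule; check that the register-policy ACL covers the groups your sources actually register.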
Updated: 2019-01-03

Document ID: EDOC1100055017