NE40E V800R010C10SPC500 Configuration Guide - IP Multicast 01

Example for Configuring PIM-SM Security

This section provides an example for configuring filtering policies, including setting a valid source address range and a valid Candidate-Rendezvous Point (C-RP) address range, to prevent malicious packet attacks on a PIM-SM network.

Networking Requirements

To improve the security of the network shown in Figure 4-11, configure filtering policies on the routers.

Figure 4-11 Configuring PIM-SM security

Device    Interface   IP Address
Device A  GE 1/0/0    192.168.9.1/24
          GE 3/0/0    192.168.1.1/24
          GE 2/0/0    10.110.1.1/24
Device B  GE 1/0/0    192.168.2.1/24
          GE 2/0/0    10.110.2.1/24
Device C  GE 2/0/0    192.168.3.1/24
          GE 1/0/0    10.110.2.2/24
Device D  GE 1/0/0    192.168.4.2/24
          GE 2/0/0    192.168.1.2/24
          GE 3/0/0    10.110.5.1/24
Device E  GE 1/0/0    192.168.3.2/24
          GE 2/0/0    192.168.2.2/24
          GE 3/0/0    192.168.9.2/24
          GE 1/0/1    192.168.4.1/24

Precautions

When configuring PIM security, note the following precautions:

  • PIM-SM must be enabled before IGMP is enabled.

  • The multicast group range that each C-RP serves and the valid C-RP address range can be set only on Candidate-BootStrap Routers (C-BSRs).

  • Source address-based and BSR address-based filtering policies need to be configured on all routers.

  • Policies for filtering Register messages need to be configured on all C-RPs.

  • Policies for filtering Join/Prune messages are generally configured on the last-hop routers.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address for each router interface and configure a unicast routing protocol.

  2. Enable multicast routing on all multicast routers.

  3. Enable PIM-SM on all router interfaces.

  4. Enable IGMP on routers connected to hosts.

  5. Configure C-BSRs and C-RPs if a BSR RP needs to be used.

  6. Set the range of multicast groups that each C-RP serves on the C-BSR.

  7. Create a policy for filtering Register messages on the C-RP to prevent the attacks of Register messages carrying invalid multicast source information.

  8. Create source address-based filtering policies on all routers to deny all multicast packets from attack sources.

  9. Create BSR address-based filtering policies on all routers to prevent BSR spoofing.

Data Preparation

To complete the configuration, you need the following data:

  • Multicast group address

  • IP address of the multicast source

  • ACL rules for defining filtering policies

Procedure

  1. Configure an IP address for each router interface and a unicast routing protocol. For configuration details, see Configuration Files in this section.
  2. Enable multicast routing on each router and PIM-SM on each router interface.

    # Configure Device A.

    [~DeviceA] multicast routing-enable
    [*DeviceA] interface gigabitethernet 2/0/0
    [*DeviceA-GigabitEthernet2/0/0] pim sm
    [*DeviceA-GigabitEthernet2/0/0] quit
    [*DeviceA] interface gigabitEthernet 1/0/0
    [*DeviceA-GigabitEthernet1/0/0] pim sm
    [*DeviceA-GigabitEthernet1/0/0] quit
    [*DeviceA] interface gigabitEthernet 3/0/0
    [*DeviceA-GigabitEthernet3/0/0] pim sm
    [*DeviceA-GigabitEthernet3/0/0] commit
    [~DeviceA-GigabitEthernet3/0/0] quit

    Repeat this step for Device B, Device C, Device D, and Device E. For configuration details, see Configuration Files in this section.

  3. Enable IGMP on router interfaces that directly connect to hosts.

    # Configure Device A.

    [~DeviceA] interface gigabitethernet 2/0/0
    [~DeviceA-GigabitEthernet2/0/0] igmp enable
    [*DeviceA-GigabitEthernet2/0/0] igmp version 3
    [*DeviceA-GigabitEthernet2/0/0] commit
    [~DeviceA-GigabitEthernet2/0/0] quit

    Repeat this step for Device B and Device C. For configuration details, see Configuration Files in this section.

  4. Configure C-BSRs and C-RPs.

    # Configure a C-BSR and a C-RP on Device E.

    [~DeviceE] pim
    [*DeviceE-pim] c-bsr gigabitEthernet 2/0/0
    [*DeviceE-pim] c-rp gigabitEthernet 2/0/0
    [*DeviceE-pim] commit
    [~DeviceE-pim] quit

  5. Set the range of multicast groups that each C-RP serves and the valid C-RP address range on the C-BSR.

    # Configure Device E.

    [~DeviceE] acl number 3000
    [*DeviceE-acl4-advance-3000] rule permit ip source 192.168.2.2 0 destination 224.0.0.0 15.255.255.255
    [*DeviceE-acl4-advance-3000] quit
    [*DeviceE] pim
    [*DeviceE-pim] crp-policy 3000
    [*DeviceE-pim] commit
    [~DeviceE-pim] quit

  6. Create a policy for filtering Register messages on the C-RP.

    # Configure Device E.

    [~DeviceE] acl number 3001
    [*DeviceE-acl4-advance-3001] rule permit ip source 10.110.5.0 0.0.0.255 destination 225.1.1.0 0.0.0.255
    [*DeviceE-acl4-advance-3001] quit
    [*DeviceE] pim
    [*DeviceE-pim] register-policy 3001
    [*DeviceE-pim] commit
    [~DeviceE-pim] quit

  7. Configure source address-based and BSR address-based filtering policies on all the routers.

    # Configure Device E.

    [~DeviceE] acl number 2000
    [*DeviceE-acl4-basic-2000] rule permit source 10.110.5.0 0.0.0.255
    [*DeviceE-acl4-basic-2000] quit
    [*DeviceE] acl number 2001
    [*DeviceE-acl4-basic-2001] rule permit source 192.168.2.0 0.0.0.255
    [*DeviceE-acl4-basic-2001] quit
    [*DeviceE] pim
    [*DeviceE-pim] source-policy 2000
    [*DeviceE-pim] bsr-policy 2001
    [*DeviceE-pim] commit
    [~DeviceE-pim] quit

    Repeat this step for Device A, Device B, Device C, and Device D. For configuration details, see Configuration Files in this section.

  8. Verify the configuration.

    # Run the display pim bsr-info command to view information about the BSR on the router. The BSR address matches the filtering rule. The following examples use the command outputs on Device D and Device E.

    <DeviceD> display pim bsr-info
     VPN-Instance: public net
     Elected AdminScope BSR Count: 0
     Elected BSR Address: 192.168.2.2
         Priority: 0
         Hash mask length: 30
         State: Accept Preferred
         Scope: Not scoped
         Uptime: 21:56:56
         Expires: 00:02:01
         C-RP Count: 1
    <DeviceE> display pim bsr-info
     VPN-Instance: public net
     Elected AdminScope BSR Count: 0
     Elected BSR Address: 192.168.2.2
         Priority: 0
         Hash mask length: 30
         State: Elected
         Scope: Not scoped
         Uptime: 21:57:15
         Next BSR message scheduled at: 00:00:14
         C-RP Count: 1
     Candidate AdminScope BSR Count: 0
     Candidate BSR Address: 192.168.2.2
         Priority: 0
         Hash mask length: 30
         State: Elected
         Scope: Not scoped
         Wait to be BSR: 0

    # Run the display pim rp-info command to view information about the RPs on the routers. The RP address matches the filtering rule. The following examples use the command outputs on Device D and Device E.

    <DeviceD> display pim rp-info
     VPN-Instance: public net
     PIM-SM BSR RP infomation:
     Group/MaskLen: 224.0.0.0/4
         RP: 192.168.2.2
         Priority: 0
         Uptime: 01:27:21
         Expires: 00:02:11
    <DeviceE> display pim rp-info
     VPN-Instance: public net
     PIM-SM BSR RP infomation:
     Group/MaskLen: 224.0.0.0/4
         RP: 192.168.2.2 (local)
         Priority: 0
         Uptime: 01:29:10
         Expires: 00:02:20

    # Have hosts receive multicast data from a valid multicast source. Have multicast source 10.110.5.100 send multicast data, have Host A receive the data for multicast group 225.1.1.1/24, and have Host B receive the data for group 225.1.1.2/24. Run the display pim routing-table command to view information about the PIM routing table on each router. The following examples use the command outputs on Device D and Device E.

    <DeviceD> display pim routing-table
     VPN-Instance: public net
     Total 0 (*, G) entry; 2 (S, G) entries
    
     (10.110.5.100, 225.1.1.1)
         RP: 192.168.2.2
         Protocol: pim-sm, Flag: SPT ACT
         UpTime: 00:57:20
         Upstream interface: GigabitEthernet3/0/0
             Upstream neighbor: 10.110.5.100
             RPF prime neighbor: 10.110.5.100
         Downstream interface(s) information:
         Total number of downstreams: 1
            1: GigabitEthernet2/0/0
                 Protocol:  pim-sm, UpTime: 00:57:20, Expires: 00:03:02
    
     (10.110.5.100, 225.1.1.2)
         RP: 192.168.2.2
         Protocol: pim-sm, Flag: SPT ACT
         UpTime: 01:56:45
         Upstream interface: GigabitEthernet3/0/0
             Upstream neighbor: 10.110.5.100
             RPF prime neighbor: 10.110.5.100
         Downstream interface(s) information:
         Total number of downstreams: 1
            1: GigabitEthernet1/0/0
                 Protocol:  pim-sm, UpTime: 01:56:45, Expires: 00:02:43
    <DeviceE> display pim routing-table
     VPN-Instance: public net
     Total 2 (*, G) entries; 1 (S, G) entry
    
     (*, 225.1.1.1)
         RP: 192.168.2.2 (local)
         Protocol: pim-sm, Flag: WC
         UpTime: 00:21:40
         Upstream interface: register
             Upstream neighbor: 192.168.4.2
             RPF prime neighbor: 192.168.4.2
         Downstream interface(s) information:
         Total number of downstreams: 1
            1: GigabitEthernet3/0/0
                 Protocol:  pim-sm, UpTime: 00:21:40, Expires: 00:02:43
    
     (*, 225.1.1.2)
         RP: 192.168.2.2 (local)
         Protocol: pim-sm, Flag: WC
         UpTime: 00:21:40
         Upstream interface: register
             Upstream neighbor: 192.168.4.2
             RPF prime neighbor: 192.168.4.2
         Downstream interface(s) information:
         Total number of downstreams: 1
            1: GigabitEthernet1/0/0
                 Protocol:  pim-sm, UpTime: 00:21:40, Expires: 00:02:43
    
     (10.110.5.100, 225.1.1.2)
         RP: 192.168.2.2
         Protocol: pim-sm, Flag: SPT ACT
         UpTime: 01:56:45
         Upstream interface: GigabitEthernet3/0/0
             Upstream neighbor: 192.168.4.2
             RPF prime neighbor: 192.168.4.2
         Downstream interface(s) information:
         Total number of downstreams: 1
            1: GigabitEthernet1/0/0
                 Protocol:  pim-sm, UpTime: 01:56:45, Expires: 00:02:43
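
    The four ACLs referenced by the PIM policies on Device E (steps 5 to 7) decide which C-RP, Register, source and BSR addresses are accepted. As an added illustration that is not part of the Huawei guide, the following Python snippet models the wildcard-mask matching of those exact rules and checks each policy against valid and invalid addresses; the implicit deny for unmatched packets and the helper names (`Rule`, `acl_permits`, the `*_accepted` functions) are assumptions made here, not platform APIs.

```python
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    # Huawei accepts the shorthand "0" for the wildcard 0.0.0.0 (exact match).
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))


def _match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored,
    bits set to 0 must equal the base address."""
    w = _ip(wildcard)
    return (_ip(addr) & ~w) == (_ip(base) & ~w)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"               # basic ACLs (2000-2999) carry no
    dst_wc: str = "255.255.255.255"    # destination clause: match any


def acl_permits(rules, src: str, dst: str = "0.0.0.0") -> bool:
    """First matching rule decides; no match is treated as deny
    (assumed default for an ACL referenced by a PIM policy)."""
    for r in rules:
        if _match(src, r.src, r.src_wc) and _match(dst, r.dst, r.dst_wc):
            return r.action == "permit"
    return False


# The ACLs exactly as configured on Device E in this example.
ACL_2000 = [Rule("permit", "10.110.5.0", "0.0.0.255")]            # source-policy
ACL_2001 = [Rule("permit", "192.168.2.0", "0.0.0.255")]           # bsr-policy
ACL_3000 = [Rule("permit", "192.168.2.2", "0",
                 "224.0.0.0", "15.255.255.255")]                  # crp-policy
ACL_3001 = [Rule("permit", "10.110.5.0", "0.0.0.255",
                 "225.1.1.0", "0.0.0.255")]                       # register-policy


def source_accepted(src: str) -> bool:
    return acl_permits(ACL_2000, src)

def bsr_accepted(bsr: str) -> bool:
    return acl_permits(ACL_2001, bsr)

def crp_accepted(crp: str, group: str) -> bool:
    return acl_permits(ACL_3000, crp, group)

def register_accepted(src: str, group: str) -> bool:
    return acl_permits(ACL_3001, src, group)
```

    The wildcard 15.255.255.255 on 224.0.0.0 covers the whole 224.0.0.0/4 multicast range, so the C-RP policy admits 192.168.2.2 for every group while rejecting any other C-RP address.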
    

Configuration Files

  • Device A configuration file

    #
    sysname DeviceA
    #
    multicast routing-enable
    #
    acl number 2000
     rule 5 permit source 10.110.5.0 0.0.0.255
    #
    acl number 2001
     rule 5 permit source 192.168.2.0 0.0.0.255
    #
    isis 1
     network-entity 10.0000.0000.0001.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 192.168.9.1 255.255.255.0
     pim sm
     isis enable 1
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 10.110.1.1 255.255.255.0
     pim sm
     igmp enable
     igmp version 3
     isis enable 1
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ip address 192.168.1.1 255.255.255.0
     pim sm
     isis enable 1
    #
    pim
     bsr-policy 2001
     source-policy 2000
    #
    return
    
  • Device B configuration file

    #
    sysname DeviceB
    #
    multicast routing-enable
    #
    acl number 2000
     rule 5 permit source 10.110.5.0 0.0.0.255
    #
    acl number 2001
     rule 5 permit source 192.168.2.0 0.0.0.255
    #
    isis 1
     network-entity 10.0000.0000.0002.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 192.168.2.1 255.255.255.0
     isis enable 1
     pim sm
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 10.110.2.1 255.255.255.0
     isis enable 1
     pim sm
     igmp enable
     igmp version 3
    #
    pim
     bsr-policy 2001
     source-policy 2000
    #
    return
    
  • Device C configuration file

    #
    sysname DeviceC
    #
    multicast routing-enable
    #
    acl number 2000
     rule 5 permit source 10.110.5.0 0.0.0.255
    #
    acl number 2001
     rule 5 permit source 192.168.2.0 0.0.0.255
    #
    isis 1
     network-entity 10.0000.0000.0003.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 10.110.2.2 255.255.255.0
     isis enable 1
     pim sm
     igmp enable
     igmp version 3
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 192.168.3.1 255.255.255.0
     pim sm
     isis enable 1
    #
    pim
     bsr-policy 2001
     source-policy 2000
    #
    return
    
  • Device D configuration file

    #
    sysname DeviceD
    #
    multicast routing-enable
    #
    acl number 2000
     rule 5 permit source 10.110.5.0 0.0.0.255
    #
    acl number 2001
     rule 5 permit source 192.168.2.0 0.0.0.255
    #
    isis 1
     network-entity 10.0000.0000.0004.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 192.168.4.2 255.255.255.0
     pim sm
     isis enable 1
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 192.168.1.2 255.255.255.0
     pim sm
     isis enable 1
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ip address 10.110.5.1 255.255.255.0
     pim sm
     isis enable 1
    #
    pim
     bsr-policy 2001
     source-policy 2000
    #
    return

  • Device E configuration file

    #
    sysname DeviceE
    #
    multicast routing-enable
    #
    acl number 2000
     rule 5 permit source 10.110.5.0 0.0.0.255
    #
    acl number 2001
     rule 5 permit source 192.168.2.0 0.0.0.255
    #
    acl number 3000
     rule 5 permit ip source 192.168.2.2 0 destination 224.0.0.0 15.255.255.255
    #
    acl number 3001
     rule 5 permit ip source 10.110.5.0 0.0.0.255 destination 225.1.1.0 0.0.0.255
    #
    isis 1
     network-entity 10.0000.0000.0005.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 192.168.3.2 255.255.255.0
     pim sm
     isis enable 1
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 192.168.2.2 255.255.255.0
     pim sm
     isis enable 1
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ip address 192.168.9.2 255.255.255.0
     pim sm
     isis enable 1
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip address 192.168.4.1 255.255.255.0
     pim sm
     isis enable 1
    #
    pim
     bsr-policy 2001
     register-policy 3001
     source-policy 2000
     c-bsr GigabitEthernet2/0/0
     crp-policy 3000
     c-rp GigabitEthernet2/0/0
    #
    return
Updated: 2019-01-03

Document ID: EDOC1100055017