ME60 V800R010C10SPC500 Feature Description - IP Multicast 01

IGMP Policy Control


IGMP policy control restricts or extends IGMP actions without affecting the IGMP implementation. It can be implemented through IGMP-limit, source address-based IGMP message filtering, or group-policy.

  • IGMP-limit

    IGMP-limit is configured on ME device interfaces connected to users to limit the maximum number of multicast groups, including source-specific multicast groups. This mechanism enables users who have successfully joined multicast groups to enjoy smoother multicast services.

  • Source address-based IGMP message filtering

    This feature allows you to specify multicast source addresses used to filter IGMP messages. This feature prevents forged IGMP message attacks and enhances multicast network security.

  • Group-policy

    Group-policy is configured on ME device interfaces to allow the ME device to set restrictions on specific multicast groups, so that entries will not be created for the restricted multicast groups. This improves IGMP security.

IGMP-Limit

When a large number of multicast users request multiple programs simultaneously, bandwidth resources are exhausted and the ME device's performance degrades, which deteriorates the multicast service quality.

Figure 3-3 IGMP-limit application

To prevent this problem, configure IGMP-limit on an ME device interface to limit the maximum number of IGMP entries on the interface. When receiving an IGMP Join message from a user, the ME device interface first checks whether the configured maximum number of IGMP entries is reached. If the maximum number is reached, the ME device interface discards the IGMP Join message and rejects the user. If the maximum number is not reached, the ME device interface sets up an IGMP membership and forwards data flows of the requested multicast group to the user. This mechanism enables users who have successfully joined multicast groups to enjoy smoother multicast services.

For example, on the network shown in Figure 3-3, if the maximum number of IGMP entries is set to 1 on Interface 1 of ME device A, Interface 1 allows only one host to join a multicast group and creates an IGMP entry only for the permitted host.

The working principles of IGMP-limit are as follows:
  • IGMP-limit allows you to configure a maximum number of IGMP entries on an ME device interface. After receiving an IGMP Join message, an ME device interface determines whether to create an entry by checking whether the number of IGMP entries has reached the upper limit on the interface.

  • IGMP-limit allows you to configure an ACL on an ME device interface, so that the interface permits IGMP Join messages containing a group address, including a source-group address, in the range specified in the ACL, irrespective of whether the configured maximum number of IGMP entries is reached. An IGMP entry that contains a group address in the range specified in the ACL is not counted as one entry on an interface.

The principles of counting the number of IGMP entries are as follows:
  • Each (*, G) entry is counted as one entry on an interface, and each (S, G) entry is counted as one entry on an interface.

  • Source-specific multicast (SSM) mapping (*, G) entries are not counted as entries on an interface, and each (S, G) entry mapped using the SSM-mapping mechanism is counted as one entry on an interface.
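The admission check and counting rules above can be modelled in a few lines. This is an added example, not Huawei code or configuration: the class name, the limit of 2, and the 232.0.0.0/8 ACL range are constructed for illustration, SSM mapping is left out, and treating a repeated Join as a refresh is an assumption of the model.

```python
import ipaddress

class IgmpLimitInterface:
    """Model of one user-facing interface with IGMP-limit configured."""

    def __init__(self, limit, acl_groups=()):
        self.limit = limit
        # Group ranges the ACL names: always admitted and never counted.
        self.acl = [ipaddress.ip_network(n) for n in acl_groups]
        self.entries = set()  # (source, group); source "*" means (*, G)

    def in_acl(self, group):
        addr = ipaddress.ip_address(group)
        return any(addr in net for net in self.acl)

    def counted(self):
        """Each (*, G) and each (S, G) outside the ACL range counts as one."""
        return sum(1 for _, g in self.entries if not self.in_acl(g))

    def join(self, group, source="*"):
        """True if the Join creates or refreshes an entry, False if discarded."""
        key = (source, group)
        if key in self.entries:
            return True  # assumption: a repeat Join refreshes, it adds no entry
        if not self.in_acl(group) and self.counted() >= self.limit:
            return False  # limit reached: Join discarded
        self.entries.add(key)
        return True

def demo():
    # Constructed scenario: limit 2, ACL exempts 232.0.0.0/8.
    intf = IgmpLimitInterface(limit=2, acl_groups=["232.0.0.0/8"])
    results = [
        intf.join("225.1.1.1"),                     # (*, G): counted 1
        intf.join("225.1.1.1", source="10.0.0.8"),  # (S, G): counted 2
        intf.join("226.1.1.1"),                     # limit hit: discarded
        intf.join("232.1.1.1", source="10.0.0.8"),  # ACL range: admitted
    ]
    return results, intf.counted(), len(intf.entries)

if __name__ == "__main__":
    print(demo())
```

The ACL range is worth auditing on a real device: every group it covers bypasses the limit entirely, so a broad range removes the protection the limit was meant to give.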

Source Address-based IGMP Message Filtering

If a multicast network is attacked by bogus IGMP messages, the network will forward multicast traffic to multicast groups that do not have receivers, wasting bandwidth resources. Source address-based IGMP message filtering resolves this problem by enabling a device to filter out IGMP messages that contain unauthorized source addresses. Source address-based IGMP message filtering works as follows for IGMP Report and Leave messages and for IGMP Query messages:
  • Source address-based IGMP message filtering for IGMP Report and Leave messages:
    • The device permits the message only if the message's source address is 0.0.0.0 or an address on the same network segment as the interface that receives the message.

    • If ACL rules are configured for filtering IGMP Report and Leave messages, the device determines whether to permit or discard an IGMP Report or Leave message based on the ACL configurations.

  • Source address-based IGMP message filtering for IGMP Query messages: A device determines whether to permit or drop an IGMP Query message based on only the configured ACL rules.

On the network shown in Figure 3-4, Device A's interface 10.0.0.1/24 connects to a user network. Host A sends IGMP Report or Leave messages with the source address 11.0.0.1, Host B sends IGMP Report or Leave messages with the source address 10.0.0.8, and Host C sends IGMP Report or Leave messages with the source address 0.0.0.0. If an ACL rule is not configured, Device A permits messages from Host B and Host C, but drops messages from Host A. If ACL rules are configured, Device A determines whether to permit or drop IGMP Report or Leave messages from Host B and Host C based on the ACL configurations. For example, if an ACL rule only permits IGMP Report or Leave messages with the source address 10.0.0.8, Device A permits IGMP Report or Leave messages from Host B, but drops IGMP Report or Leave messages from Host C.

Figure 3-4 Source address-based filtering for IGMP Report or Leave messages

On the network shown in Figure 3-5, Device A is a querier that receives IGMP Report or Leave messages from hosts. If Device B constructs bogus IGMP Query messages that contain a source address lower than Device A's address, such as 10.0.0.1/24, Device A will become a non-querier and fail to respond to IGMP Leave messages from hosts. Device A then continues to forward multicast traffic to hosts that have already left, which wastes network resources. To resolve this problem, you can configure an ACL rule on Device A to drop IGMP Query messages with the source address 10.0.0.1/24.

Figure 3-5 Source address-based filtering for IGMP Query messages
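The two filtering decisions and the querier takeover they prevent, as an added example that is not Huawei code or configuration. The ACL is modelled as an ordered list of (action, network) rules with no match meaning drop, which follows the Host C case above; the function names and Device A's address 10.0.0.2 are constructed for illustration.

```python
import ipaddress

def acl_permits(acl, src):
    """First matching rule wins; no match means drop (as in the Host C case)."""
    for action, net in acl:
        if src in ipaddress.ip_network(net):
            return action == "permit"
    return False

def permit_report_or_leave(src, iface, acl=None):
    """Built-in source check first, then the optional ACL."""
    src = ipaddress.ip_address(src)
    on_segment = src in ipaddress.ip_interface(iface).network
    if not (src == ipaddress.ip_address("0.0.0.0") or on_segment):
        return False
    return True if acl is None else acl_permits(acl, src)

def permit_query(src, acl=None):
    """Queries are judged by the ACL only; no ACL means nothing is filtered."""
    return True if acl is None else acl_permits(acl, ipaddress.ip_address(src))

def elected_querier(own_addr, query_sources, acl=None):
    """Lowest address among this device and the Query senders it accepted."""
    accepted = [ipaddress.ip_address(s) for s in query_sources
                if permit_query(s, acl)]
    return str(min([ipaddress.ip_address(own_addr)] + accepted))

# Constructed inputs following Figures 3-4 and 3-5.
HOSTS = {"Host A": "11.0.0.1", "Host B": "10.0.0.8", "Host C": "0.0.0.0"}
ONLY_HOST_B = [("permit", "10.0.0.8/32")]
DROP_ROGUE = [("deny", "10.0.0.1/32"), ("permit", "0.0.0.0/0")]

def figure_3_4(acl=None):
    """Verdict per host for Report/Leave messages arriving on 10.0.0.1/24."""
    return {h: permit_report_or_leave(a, "10.0.0.1/24", acl)
            for h, a in HOSTS.items()}

if __name__ == "__main__":
    print(figure_3_4())                 # no ACL: only Host A is dropped
    print(figure_3_4(ONLY_HOST_B))      # ACL: Host C is dropped as well
    print(elected_querier("10.0.0.2", ["10.0.0.1"]))              # role lost
    print(elected_querier("10.0.0.2", ["10.0.0.1"], DROP_ROGUE))  # role kept
```

Without a Query ACL the model hands the querier role to any lower source address, so an unexpected change of querier on a user-facing segment is a useful signal to monitor.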

Group-Policy

Group-policy is a filtering policy configured on ME device interfaces. For example, on the network shown in Figure 3-6, Host A and Host C request to join the multicast group 225.1.1.1. Host B and Host D request to join the multicast group 226.1.1.1. Group-policy is configured on ME device A to permit join requests only for the multicast group 225.1.1.1. Then, ME device A creates entries for Host A and Host C, but not for Host B or Host D.

Figure 3-6 Group-policy application

To improve network security and facilitate network management, you can use group-policy to prevent an ME device interface from receiving IGMP Report messages for, or forwarding multicast data to, specific multicast groups.

Group-policy is implemented through access control list (ACL) configurations.

Updated: 2019-01-04

Document ID: EDOC1100059456
