Configuration Guide - IP Multicast

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configuration of IP multicast, including IP multicast basics, IGMP, MLD, PIM (IPv4), PIM (IPv6), MSDP, multicast VPN, multicast route management (IPv4), multicast route management (IPv6), IGMP snooping, MLD snooping, static multicast MAC addresses, multicast VLAN, and multicast network management.
Configuring the IGMP Snooping Policy

Context

The IGMP snooping policy controls which multicast programs users can receive, making the multicast network controllable and secure.

Configuring a Multicast Group Policy

Context

A multicast group policy determines which multicast groups the hosts in a VLAN can join, and is applicable only to dynamic multicast groups. Before configuring a multicast group policy, create an access control list (ACL) and define rules. For details about ACL configuration, see "ACL Configuration" in the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Configuration Guide - Security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Use either of the following methods to configure a multicast group policy.

    • Configure a multicast group policy in a BD.
      1. Run bridge-domain bd-id

        The BD view is displayed.

      2. Run igmp snooping group-policy { acl-number | acl-name acl-name } [ version version-number ]

        A multicast group policy is configured.

    • Configure a multicast group policy on a Layer 2 sub-interface.
      1. Run interface interface-type interface-number.subnum mode l2

        The Layer 2 sub-interface view is displayed.

      2. Run igmp snooping group-policy { acl-number | acl-name acl-name } [ version version-number ]

        A multicast group policy is configured on a Layer 2 sub-interface.

    By default, the user hosts in a BD can join any multicast group. If the IGMP version is not specified for a multicast group policy, the switch applies the policy to all the received IGMP messages regardless of their versions.

    If multicast group policies are configured for the same BD in both the Layer 2 sub-interface view and the BD view, the system applies the policy configured in the Layer 2 sub-interface view first and then the policy configured in the BD view when determining the groups that user hosts can join.

    NOTE:

    The ACL referenced in a group policy permits all multicast groups by default. Therefore, to allow interfaces in a BD to receive only multicast data sent to specific groups, combine permit rules for those groups with a deny source any rule in the ACL, so that groups not explicitly permitted are denied.

  3. Run commit

    The configuration is committed.

Configuring a Policy to Filter IGMP Report/Leave Messages

Context

An administrator can configure a policy to filter IGMP Report/Leave messages from specified hosts to improve the security of multicast services.

This function must be used together with an access control list (ACL). With a basic ACL, IGMP Report/Leave messages can be filtered by source address; with an advanced ACL, they can be filtered by source address or destination address. For details on how to configure an ACL, see "ACL Configuration" in the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Configuration Guide - Security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

  3. Run igmp snooping ip-source-policy { acl-number | acl-name acl-name }

    A policy is configured to filter IGMP Report/Leave messages so that hosts in the BD can dynamically join only the multicast groups that match the ACL rules.

    By default, no policy is configured to filter IGMP Report/Leave messages in a BD.

  4. Run commit

    The configuration is committed.

Configuring a Policy to Filter IGMP Query Messages

Context

If an attacker sends Query messages with a smaller IP address than the real IGMP querier on the network, switches running IGMP snooping treat the attacker as the querier and forward IGMP Membership Report messages to the attacker. Multicast traffic then cannot be forwarded correctly. You can configure an IGMP Query message filtering policy to defend against such attacks. The policy permits only IGMP Query messages with specified source IP addresses and rejects all other IGMP Query messages, improving the security of the Layer 2 multicast network.

An IGMP Query message filtering policy must reference an access control list (ACL). IGMP Query messages are accepted only when their source IP addresses are permitted by the referenced ACL (within the address range following permit in the ACL rule). For details about ACL configuration, see "ACL Configuration" in the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Configuration Guide - Security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

  3. Run igmp snooping query ip-source-policy { acl-number | acl-name acl-name }

    An IGMP Query message filtering policy is configured.

    By default, no IGMP Query message filtering policy is configured in a BD.

  4. Run commit

    The configuration is committed.
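The querier takeover described above, and the effect of the Query source filter on it, modelled in Python as an added example (not Huawei code or the switch's implementation). The ACL is represented as constructed (action, network, wildcard) rules; it is assumed that sources matching no permit rule are dropped and that the standard lowest-address-wins IGMP querier election applies.

```python
"""Model of IGMP querier election on a snooping switch with and without a
Query source filtering policy.

Added example, not Huawei code. Assumptions: the IGMP rule that the lowest
source IP wins the election applies, and the filter drops every Query whose
source matches no permit rule in the referenced ACL.
"""
from ipaddress import IPv4Address


def acl_permits(acl, addr):
    """First matching (action, network, wildcard) rule wins; unmatched = deny."""
    a = int(IPv4Address(addr))
    for action, network, wildcard in acl:
        n, w = int(IPv4Address(network)), int(IPv4Address(wildcard))
        if a & ~w == n & ~w:  # wildcard bit 1 means "don't care"
            return action == "permit"
    return False


def filter_queries(query_sources, filter_acl=None):
    """Split observed Query source IPs into (accepted, dropped).
    With no policy configured (the default) every Query is accepted."""
    if filter_acl is None:
        return list(query_sources), []
    accepted = [q for q in query_sources if acl_permits(filter_acl, q)]
    dropped = [q for q in query_sources if q not in accepted]
    return accepted, dropped


def elect_querier(query_sources, filter_acl=None):
    """Return the source the switch treats as querier (Reports are forwarded
    toward its port), or None if no Query survived the filter."""
    accepted, _ = filter_queries(query_sources, filter_acl)
    return min(accepted, key=lambda q: int(IPv4Address(q))) if accepted else None


# Constructed scenario: the real querier is 10.0.0.254; a host at 10.0.0.5
# also sends General Queries. The policy permits only the real querier.
SEEN = ["10.0.0.254", "10.0.0.5"]
QUERIER_ONLY = [("permit", "10.0.0.254", "0.0.0.0")]

if __name__ == "__main__":
    print(elect_querier(SEEN))                    # 10.0.0.5: lower address wins
    print(elect_querier(SEEN, QUERIER_ONLY))      # 10.0.0.254: rogue Query dropped
    print(filter_queries(SEEN, QUERIER_ONLY)[1])  # ['10.0.0.5']: worth logging
```

The dropped list is what a defender would want exported to logging or an alert, since a Query from an unexpected source is the visible symptom of this attack.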

Configuring an SSM Group Policy

Context

By default, the Source-Specific Multicast (SSM) group address range is 232.0.0.0 to 232.255.255.255. If users need to join a multicast group whose address is outside this range, configure an SSM group policy in the BD to add the group address to the SSM group address range. The SSM group policy must be used together with an ACL. For details on how to configure an ACL, see "ACL Configuration" in the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Configuration Guide - Security.

NOTE:

By default, the ACL applied to an SSM group policy denies all multicast groups. Therefore, to exclude specific group addresses from the SSM group address range, combine a permit source any rule with deny rules for those addresses in the ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

  3. Run igmp snooping ssm-policy { basic-acl-number | acl-name acl-name }

    An SSM group policy is configured.

    After you configure an SSM group policy, the multicast groups specified in the SSM policy are considered as SSM groups.

  4. Run commit

    The configuration is committed.
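An added Python model (not Huawei code) of how the multicast group policy and the SSM group policy above evaluate their ACLs, showing why the two NOTEs call for an explicit catch-all rule: a group policy ACL implicitly permits unmatched groups, while an SSM policy ACL implicitly denies them. Rules are constructed (action, network, wildcard) tuples matched first-match; the sub-interface-then-BD order follows the text, and it is assumed that once an SSM policy is configured its ACL alone defines the SSM range.

```python
"""Model of IGMP snooping group-policy and SSM-policy ACL evaluation.

Added example, not Huawei code. Assumptions: ACL rules are (action, network,
wildcard) tuples matched in order, first match wins; a group that matches no
rule takes the ACL's implicit default, which the guide gives as 'permit' for
a group policy and 'deny' for an SSM policy.
"""
from ipaddress import IPv4Address


def acl_match(acl, addr, default):
    """Return 'permit' or 'deny' for addr. Wildcard bit 1 means 'don't care'."""
    a = int(IPv4Address(addr))
    for action, network, wildcard in acl:
        n, w = int(IPv4Address(network)), int(IPv4Address(wildcard))
        if a & ~w == n & ~w:
            return action
    return default


def join_allowed(group, subif_acl=None, bd_acl=None):
    """A dynamic join is accepted only if the Layer 2 sub-interface policy
    (checked first) and then the BD policy both permit it; no policy = allow."""
    return all(acl_match(acl, group, default="permit") == "permit"
               for acl in (subif_acl, bd_acl) if acl is not None)


def is_ssm_group(group, ssm_acl=None):
    """Without a policy the SSM range is 232.0.0.0/8. Assumption: once an SSM
    policy is configured its ACL alone defines the range, unmatched = deny."""
    if ssm_acl is None:
        return acl_match([("permit", "232.0.0.0", "0.255.255.255")], group, "deny") == "permit"
    return acl_match(ssm_acl, group, default="deny") == "permit"


# Constructed sample ACLs. TV_ONLY omits the deny source any rule the NOTE
# calls for, so every group outside 225.1.1.0/24 is still implicitly permitted.
DENY_ANY = ("deny", "0.0.0.0", "255.255.255.255")
PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")
TV_ONLY = [("permit", "225.1.1.0", "0.0.0.255")]
TV_ONLY_STRICT = TV_ONLY + [DENY_ANY]
SSM_EXCLUDE = [("deny", "232.1.1.0", "0.0.0.255"), PERMIT_ANY]  # exclude one /24

if __name__ == "__main__":
    print(join_allowed("239.9.9.9", bd_acl=TV_ONLY))         # True: implicit permit
    print(join_allowed("239.9.9.9", bd_acl=TV_ONLY_STRICT))  # False
    print(is_ssm_group("232.1.1.5", ssm_acl=SSM_EXCLUDE))    # False: excluded
```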

Setting the Aging Time for Entries Triggered by Multicast Traffic in a BD

Context

If no multicast data is sent to a multicast group, the matching (S, G) or (*, G) entries need to be deleted. The device therefore periodically checks whether multicast flows destined for the group are still present to decide whether to delete the matching entry. You can set the aging time of multicast-traffic-triggered entries in a BD: if the device receives no multicast data for a group within the aging time, it deletes the corresponding (S, G) or (*, G) entry. Aging lets the device keep multicast entries up to date and release entry resources promptly.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

  3. Run multicast layer-2 source-lifetime lifetime

    The aging time is set for entries triggered by multicast traffic in the BD.

    By default, the aging time of an entry triggered by multicast traffic is 210 seconds.

    Set the aging time of (S, G) or (*, G) entries according to the number of multicast forwarding entries in use. If a large number of multicast entries are used on your network, an aging time that is too short leaves the multicast forwarding table incomplete, whereas an aging time that is too long retains invalid entries and wastes system resources. The following table lists the recommended aging time for different numbers of multicast forwarding entries.

    Table 14-14 Recommended aging time for multicast forwarding entries in a BD

    Number of Entries    Recommended Aging Time
    Within 1000          Default value
    1000 or more         1000 seconds

  4. Run commit

    The configuration is committed.

Verifying the IGMP Snooping Policy Configuration

Prerequisites

After the IGMP snooping policy configuration is complete, run the following commands in any view to check the policy configuration and its usage.

Procedure

  • Run the display igmp snooping [ bridge-domain [ bd-id ] ] configuration command to check the IGMP snooping configuration.

    The IGMP snooping configuration includes the IGMP snooping policy configuration in the BD.

  • Run the display igmp snooping port-info bridge-domain bd-id [ group-address group-address ] [ verbose ] command to check member ports of the multicast group.

    You can check whether a Layer 2 multicast policy is used correctly by viewing member ports of the multicast group.

  • Run the display multicast layer-2 ip fib [ bridge-domain bd-id [ group group-address ] ] command to check the multicast forwarding table in a BD.

    You can check whether a Layer 2 multicast policy is used correctly by viewing Layer 2 multicast forwarding entries.

Updated: 2019-04-20

Document ID: EDOC1100075361