Filtering MLD Messages Based on Source Addresses
Context
MLD runs between member hosts and the Layer 3 multicast device that is directly connected to the host network segment. A multicast device processes all received Report messages. To improve security and prevent multicast services from being affected by MLD messages maliciously forged by other devices, you can configure the router to filter Multicast Listener Discovery (MLD) messages received on an interface. Messages that can be filtered include MLD Query messages, MLD Report and Done messages.
Before configuring MLD message filtering based on source addresses, configure an IPv6 access control list (ACL6) to define the range of source addresses for packet filtering. For details about the ACL6 configuration, see "ACL Configuration" in the NetEngine AR Configuration Guide - Security.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run mld query ip-source-policy { basic-acl6-number | acl6-name acl6-name }
A policy is configured to filter MLD Query messages.
By default, the router does not filter Query messages and processes all the received Query messages.
When configuring an ACL6 rule for the interface, use the permit parameter to configure the interface to accept only Query messages with source addresses in a specified range. If no rule is configured in the ACL6, the interface discards Query messages from all source addresses.
- Run mld ip-source-policy { basic-acl6-number | acl6-name acl6-name }
A policy is configured to filter Report/Done messages.
By default, the router does not filter Report/Done messages and processes all the received Report/Done messages.
When configuring an ACL6 rule for the interface, use the permit parameter to configure the interface to accept only Report and Done messages with source addresses in a specified range. If no rule is configured in the ACL6, the interface discards Report and Done messages from all source addresses.
