The crp-policy command limits the range of valid C-RP addresses and the range of the multicast addresses served by a C-RP. The BSR drops the C-RP messages with addresses out of the specified range to protect valid C-RPs.
The undo crp-policy command restores the default configuration.
By default, the BSR does not limit the range of valid C-RP addresses and the range of the multicast groups served by a C-RP. The BSR considers all the received C-RP messages valid.
| Parameter | Description | Value |
|---|---|---|
| advanced-acl6-number | Specifies the number of an advanced ACL. The ACL defines the range of the C-RP addresses and the range of the group addresses served by a C-RP. | The value is an integer that ranges from 3000 to 3999. |
Usage Scenario
On a PIM SM network that uses the BSR mechanism, any switch can be configured as a C-RP to serve the multicast groups in a specified range. Each C-RP sends its information to the BSR in unicast mode. The BSR summarizes all received C-RP information into an RP-set, and floods it to the entire network using BSR messaged. The local switch then works out the RP serving a specific multicast group address range according to the RP-set.
To protect valid C-RPs from being spoofed, configure crp-policy on the BSR to limit the range of valid C-RP addresses and the range of multicast group addresses served by a C-RP. Configure the same filtering rule on each C-BSR because any C-BSR can become the BSR.
Prerequisites
IPv6 multicast routing has been enabled globally using the multicast ipv6 routing-enable command in the system view.
Configuration Impact
The crp-policy command and the acl ipv6 (system view) command are used together. In the ACL6 view, you can set the valid source address range for the C-RP by specifying the source parameter in the rule (advanced ACL6 view) command. You can set the address range of multicast groups that are served by specifying the destination parameter in the rule (advanced ACL6 view) command.
If an ACL rule is specified but no C-RP address range is set, all C-RP messages are denied.
The crp-policy command and the acl command are used together. In the ACL6 view, you can set the valid source address range for the C-RP by specifying the source parameter in the rule command, and set the address range of multicast groups that are serviced by specifying the destination parameter in the rule command.
The matching of the received C-RP message succeeds only when the C-RP address carried in the message matches source and the address of the multicast groups carried in the message is a subset of the group address range in the ACL.
The configurations of the named ACL6 and the advanced ACL are the same, and can implement filtering of both source addresses and multicast group addresses. The named ACL can also be configured with the time-range parameter.
# Configure a C-RP policy on the C-BSR, which allows only the C-RP with the address FC00:0:0:2001::1/128 and allows the C-RP to serve only the multicast groups FF13::101/128.
<HUAWEI> system-view [HUAWEI] acl ipv6 number 3100 [HUAWEI-acl6-adv-3100] rule permit ipv6 source fc00:0:0:2001::1 128 destination ff13::101 128 [HUAWEI-acl6-adv-3100] quit [HUAWEI] multicast ipv6 routing-enable [HUAWEI] pim-ipv6 [HUAWEI-pim6] crp-policy 3100