
Configuring PIM Neighbor Filtering

Context

The switch supports different neighbor filtering policies to ensure secure and effective multicast transmission in a Protocol Independent Multicast - Sparse Mode (PIM-SM) domain. You can perform the following operations to filter neighbors:
  • Configure a valid neighbor address range to prevent unauthorized neighbors from connecting to the network.
  • Configure the switch to reject Hello messages without Generation IDs so that the switch connects to PIM neighbors that are working normally.
  • Enable the PIM neighbor check function so that the switch discards Join/Prune messages and Assert messages that are not sent from neighbors, or sends Join/Prune messages and Assert messages only to neighbors.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.

  4. Run pim neighbor-policy basic-acl-number

    The range of valid neighbor addresses is configured.

    • If the IP address of a PIM neighbor that has established a neighbor relationship with the switch is not in the configured range of valid neighbor addresses, the switch will no longer receive Hello messages from this PIM neighbor. When the holdtime of Hello messages expires, the neighbor relationship between the PIM device and the switch is terminated.

    • When configuring an ACL rule for the interface, use the permit parameter to configure the interface to accept only Hello messages with source addresses in a specified range. If no rule is configured in the ACL, the interface discards Hello messages from all source addresses.

  5. Run pim require-genid

    The device is configured to accept only Hello messages that contain Generation IDs.

  6. Run quit

    The system exits from the interface view.

  7. Run pim [ vpn-instance vpn-instance-name | all-instance ]

    The PIM view is displayed.

  8. Run neighbor-check { receive | send }

    The PIM neighbor check function is enabled.
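
An added example, not part of the Huawei documentation: a Python check that reads a saved configuration and reports where the three controls from this procedure are missing, including a neighbor policy whose ACL has no permit rule. The sample configuration, its section layout (including the `acl number` header form and the `pim sm` lines), and the function names are assumptions constructed for illustration.

```python
# Constructed sample shaped like a saved VRP configuration (layout is an assumption).
SAMPLE_CONFIG = """\
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
acl number 2002
#
interface Vlanif100
 pim sm
 pim neighbor-policy 2001
 pim require-genid
#
interface Vlanif200
 pim sm
 pim neighbor-policy 2002
#
pim
 neighbor-check receive
"""

def parse_sections(text):
    """Map each unindented section header to its stripped sub-commands."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            current = None
        elif not line.startswith(" "):
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit_pim_neighbor_filtering(text):
    """Return (scope, finding) pairs for the three neighbor-filtering controls."""
    sections, findings = parse_sections(text), []
    # Only interfaces that carry at least one pim command are in scope.
    pim_ifs = {h.split()[1]: c for h, c in sections.items()
               if h.startswith("interface ") and any(x.startswith("pim") for x in c)}
    for name, cmds in pim_ifs.items():
        policy = next((c.split()[-1] for c in cmds if c.startswith("pim neighbor-policy ")), None)
        if policy is None:
            findings.append((name, "no pim neighbor-policy"))
        elif not any("permit" in r.split() for r in sections.get(f"acl number {policy}", [])):
            findings.append((name, f"ACL {policy} has no permit rule, so all Hellos are discarded"))
        if "pim require-genid" not in cmds:
            findings.append((name, "no pim require-genid"))
    # neighbor-check lives in the PIM view (public or per VPN instance).
    pim_view = [c for h, cmds in sections.items() if h.split()[0] == "pim" for c in cmds]
    findings += [("pim", f"no neighbor-check {d}") for d in ("receive", "send")
                 if f"neighbor-check {d}" not in pim_view]
    return findings
```

The check treats a neighbor-check command in any PIM view as covering the device, so a per-instance review needs the views compared separately.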

Copyright © Huawei Technologies Co., Ltd.