
igmp query ip-source-policy

Function

The igmp query ip-source-policy command configures IGMP Query message filtering based on source addresses.

The undo igmp query ip-source-policy command restores the default configuration.

By default, no source address-based IGMP Query message filtering is configured.

Format

igmp query ip-source-policy basic-acl-number

undo igmp query ip-source-policy

Parameters

Parameter | Description | Value
basic-acl-number | Specifies the number of a basic ACL, which defines the range of source addresses. | The value is an integer that ranges from 2000 to 2999.

Views

GE interface view, XGE interface view, MultiGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, GE sub-interface view, XGE sub-interface view, MultiGE sub-interface view, 25GE sub-interface view, 40GE sub-interface view, 100GE sub-interface view, Eth-Trunk sub-interface view, VLANIF interface view, loopback interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker sends forged IGMP Query messages whose source IP address is lower than the querier's IP address, the attacker replaces the real querier. The real querier then cannot respond to Report messages from group members, and bandwidth is wasted. Source address-based IGMP Query message filtering protects the querier from such attacks. After this function is configured on a switch, the switch accepts only IGMP Query messages whose source addresses are permitted by the specified ACL, which in turn controls querier election.

Prerequisites

IP multicast routing has been enabled using the multicast routing-enable command.

Precautions

IGMP Query messages are encapsulated in IP packets. This command configures a policy that filters IGMP Query messages based on the source address in the IP header and accepts only source addresses permitted by the ACL referenced in the policy.

The igmp query ip-source-policy command works with the acl command. For a numbered ACL, you specify the permitted source addresses of IGMP Query messages with the source parameter of the rule command in the basic ACL view.
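The following model of the behavior described under Usage Scenario and Precautions is an added example, not Huawei code: it parses constructed IGMP Query packets, applies basic-ACL permit rules (source plus wildcard) to the IP-header source address, and runs a lowest-address querier election with and without the policy. The local address 10.10.1.5, the unpermitted source 10.10.0.9, and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

IGMP_QUERY = 0x11   # IGMP Membership Query message type
IPPROTO_IGMP = 2    # IP protocol number for IGMP

def build_query(src):
    """Constructed sample: 20-byte IPv4 header + 8-byte IGMPv2 General Query (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 28, 0, 0, 1, IPPROTO_IGMP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("224.0.0.1").packed)
    return ip + struct.pack("!BBH4s", IGMP_QUERY, 100, 0, bytes(4))

def query_source(packet):
    """Return the IP-header source address if the packet is an IGMP Query, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # header may carry options such as Router Alert
    if ihl < 20 or packet[9] != IPPROTO_IGMP or len(packet) < ihl + 8:
        return None
    if packet[ihl] != IGMP_QUERY:
        return None
    return ipaddress.IPv4Address(packet[12:16])

def acl_permits(addr, permit_rules):
    """Basic-ACL match: wildcard bits set to 1 are ignored; no matching permit means drop."""
    for source, wildcard in permit_rules:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if int(addr) & care == int(ipaddress.IPv4Address(source)) & care:
            return True
    return False

def elect_querier(own_ip, packets, permit_rules=None):
    """Lowest source address wins; with permit_rules set, unpermitted Queries are ignored."""
    querier = ipaddress.IPv4Address(own_ip)
    for pkt in packets:
        src = query_source(pkt)
        if src is None:
            continue
        if permit_rules is not None and not acl_permits(src, permit_rules):
            continue
        querier = min(querier, src)
    return querier

# "rule permit source 10.10.1.1 0": the CLI wildcard 0 is written out as 0.0.0.0 here.
ACL_2001 = [("10.10.1.1", "0.0.0.0")]
# Constructed traffic: one Query from the permitted querier, one from an unpermitted lower address.
PACKETS = [build_query("10.10.1.1"), build_query("10.10.0.9")]
```

Without the policy the election settles on 10.10.0.9; with ACL_2001 applied it settles on 10.10.1.1.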

Example

# Configure VLANIF100 to accept only the IGMP Query messages with the source address 10.10.1.1.
<HUAWEI> system-view
[HUAWEI] multicast routing-enable
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.10.1.1 0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] igmp query ip-source-policy 2001

# Configure GE0/0/1 to accept only the IGMP Query messages with the source address 10.10.1.1.
<HUAWEI> system-view
[HUAWEI] multicast routing-enable
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.10.1.1 0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] igmp query ip-source-policy 2001
Copyright © Huawei Technologies Co., Ltd.