The mld group-policy command configures an MLD group policy on an interface to limit the range of multicast groups that the hosts can join.
The undo mld group-policy command deletes the MLD group policy.
By default, no MLD group policy is configured on an interface, and the hosts can join any multicast groups.
| Parameter | Description | Value |
|---|---|---|
| acl6-number | Specifies the number of a basic or advanced IPv6 ACL6. This ACL6 defines the range of multicast groups. | The number of a basic ACL6 is an integer that ranges from 2000 to 2999. The number of an advanced ACL6 is an integer that ranges from 3000 to 3999. |
| 1 | Limits the range of multicast groups that MLDv1 hosts can join. | - |
| 2 | Limits the range of multicast groups that MLDv2 hosts can join. | - |
GE interface view, XGE interface view, MultiGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, VLANIF interface view, loopback interface view
Usage Scenario
To control the range of multicast groups that hosts on the network attached to an interface can join, specify an ACL6 in the mld group-policy command. This configuration improves security of the MLD application. You can also run this command to prevent the switch from receiving Multicast Listener Report messages for specified groups.
If the MLD version is not specified, ACL6 rule is applicable to the two versions by default.
Prerequisites
Layer 3 IPv6 multicast has been enabled using the multicast ipv6 routing-enable command in the system view.
Precautions
An ACL6 defining the range of multicast groups has been created.
In the basic ACL6 view, set source in the rule (basic ACL6 view) command to the range of multicast groups that an interface can join.
In the advanced ACL6 view, set source in the rule (advanced ACL6 view) command to the source address that is allowed to send multicast data to the specified multicast groups, and set destination to the range of multicast groups that an interface can join.
The configurations of the Named ACL6 and the advanced ACL6 are the same, and can implement filtering of both source addresses and multicast group addresses. The Named ACL6 can also be configured with the time-range parameter.
After the mld group-policy command is executed on an interface:
The interface filters the received Report messages based on the ACL6 and maintains memberships only for the multicast groups permitted by the ACL6.
The interface discards the Report messages that are denied by the ACL6. If the entries of the multicast groups denied by the ACL6 exist on the switch, the switch deletes these entries when the aging time of the entries expires.
# Create ACL6 2005, and configure a rule that allows hosts to receive data of multicast group FF13::101. Configure an MLD group policy on VLANIF100 and reference ACL6 2005 to allow hosts connected to the interface to join only multicast group FF13::101.
<HUAWEI> system-view [HUAWEI] acl ipv6 number 2005 [HUAWEI-acl6-basic-2005] rule permit source ff13::101 128 [HUAWEI-acl6-basic-2005] quit [HUAWEI] multicast ipv6 routing-enable [HUAWEI] interface vlanif 100 [HUAWEI-Vlanif100] mld group-policy 2005
<HUAWEI> system-view [HUAWEI] acl ipv6 number 2005 [HUAWEI-acl6-basic-2005] rule permit source ff13::101 128 [HUAWEI-acl6-basic-2005] quit [HUAWEI] multicast ipv6 routing-enable [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] undo portswitch [HUAWEI-GigabitEthernet0/0/1] mld group-policy 2005