The mld ip-source-policy command configures a policy for filtering Multicast Listener Discovery (MLD) Report or Done messages based on source addresses.
The undo mld ip-source-policy command restores the default configuration.
By default, no policy is configured for filtering MLD Report or Done messages based on source addresses.
Parameter | Description | Value |
---|---|---|
basic-acl6-number | Specifies the number of a basic IPv6 ACL, which defines the range of source addresses. | The value is an integer ranging from 2000 to 2999. |
acl6-name acl6-name | Specifies the name of a named basic IPv6 ACL. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive). |
100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, Loopback interface view, PW-VE sub-interface view, VE sub-interface view, VLANIF interface view
Usage Scenario
To protect a multicast device against attacks from user hosts, run the mld ip-source-policy command on a user-side interface to configure a policy for filtering MLD Report or Done messages based on source addresses, enabling the multicast device to filter out MLD Report or Done messages whose source addresses are denied by IPv6 ACL rules.
Source-address-based MLD message filtering is based on the permit and deny actions in a specified IPv6 ACL. The multicast device permits only MLD Report or Done messages whose source addresses are permitted in an IPv6 ACL rule.
Prerequisites
The multicast routing function has been enabled using the multicast ipv6 routing-enable command.
Configuration Impact
If the mld ip-source-policy command is run more than once, the latest configuration overrides the previous one.
Precautions
To use a numbered ACL, the mld ip-source-policy command requires an ACL configured using the acl ipv6 command. Run the rule command in the basic ACL view and set the source parameter to specify source addresses of MLD messages.
<HUAWEI> system-view
[~HUAWEI] multicast ipv6 routing-enable
[*HUAWEI] acl ipv6 name myacl basic
[*HUAWEI-acl6-basic-myacl] rule permit source 2001:DB8:FE80::1 128
[*HUAWEI-acl6-basic-myacl] rule deny source 2001:DB8:FE70::1 128
[*HUAWEI-acl6-basic-myacl] quit
[*HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] mld ip-source-policy acl6-name myacl

<HUAWEI> system-view
[~HUAWEI] multicast ipv6 routing-enable
[*HUAWEI] acl ipv6 number 2001
[*HUAWEI-acl6-basic-2001] rule permit source 2001:DB8:FE80::1 128
[*HUAWEI-acl6-basic-2001] rule deny source 2001:DB8:FE70::1 128
[*HUAWEI-acl6-basic-2001] quit
[*HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] mld ip-source-policy 2001
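
The following is an added example, not Huawei code or output: an offline Python model of the filter decision described under Usage Scenario, applied to the two ACL rules from the examples above, so that an ACL can be checked against expected host source addresses before it is bound to an interface. It assumes rules are evaluated in the listed order with the first match deciding; the function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

# Rules copied from the configuration examples on this page, in listed order.
EXAMPLE_RULES = [
    ("permit", "2001:DB8:FE80::1", 128),
    ("deny", "2001:DB8:FE70::1", 128),
]

# Constructed sample sources for MLD Report/Done messages (not from the page).
SAMPLE_SOURCES = [
    "2001:db8:fe80::1",   # matches the permit rule
    "2001:db8:fe70::1",   # matches the deny rule
    "2001:db8:fe80::2",   # matches no rule
    "fe80::1234",         # link-local, the usual source of host MLD messages
]

def compile_rules(rules):
    """Turn (action, address, prefix_len) tuples into (action, IPv6Network)."""
    compiled = []
    for action, addr, plen in rules:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action}")
        # strict=False tolerates an address with host bits set under the prefix.
        net = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
        compiled.append((action, net))
    return compiled

def filter_decision(source, compiled):
    """Return (accepted, reason) for a message with this source address."""
    src = ipaddress.IPv6Address(source)
    # Assumption: first matching rule in listed order decides.
    for index, (action, net) in enumerate(compiled):
        if src in net:
            return action == "permit", f"rule {index}: {action} {net}"
    # Per the page, only sources permitted by an ACL rule are accepted.
    return False, "no matching rule"

def audit(sources, rules=EXAMPLE_RULES):
    """Map each source address to its (accepted, reason) decision."""
    compiled = compile_rules(rules)
    return {s: filter_decision(s, compiled) for s in sources}

if __name__ == "__main__":
    for src, (ok, why) in audit(SAMPLE_SOURCES).items():
        print(f"{src:20} {'ACCEPT' if ok else 'DROP':6} {why}")
```

With the example ACL, only 2001:db8:fe80::1 is accepted; every other sample source, including the link-local one, is dropped because no permit rule covers it.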