mld-snooping ip-policy

Function

The mld-snooping ip-policy command configures a filtering policy to permit or deny MLD Report messages of hosts in a VLAN/VSI, controlling the multicast groups that the hosts can join.

The undo mld-snooping ip-policy command restores the default configuration.

By default, no filtering policy is configured, so that all hosts in a VLAN can join multicast groups.

Format

mld-snooping ip-policy { acl6-number | acl6-name acl6-name }

undo mld-snooping ip-policy

Parameters

Parameter Description Value
acl6-number

Specifies an ACL6 number.

The value is an integer ranging from 2000 to 3999. The ACL6 is used to permit or deny services requests of hosts in a VLAN/VSI based on source or destination addresses carried in MLD Report messages.
acl6-name acl6-name

Specifies the name of a named ACL6.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive).

Views

VLAN view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
l2mc write

Usage Guidelines

Usage Scenario

To improve multicast service deployment security, run the mld-snooping ip-policy command to configure a filtering policy to permit or deny MLD Report messages of hosts in a VLAN/VSI.

If you specify a basic ACL6, the device filters the MLD Report messages based on the carried source IP addresses. If an advanced ACL6 is specified, the device filters MLD Report messages based on the carried source and destination addresses.

Configuration Impact

After the command is run, MLD Report messages are discarded if the carried source or destination IP addresses match the deny clause in the specified ACL6.

Precautions

This command takes effect only for MLD Report messages.

The

mld-snooping ip-policy command fails to be run in a VSI view in the following condition:

  • The VSI is bound to a BD.

Example

# Configure the device to deny a host of VLAN 11 if its MLD Report messages carry the source IP address 1::1.
<HUAWEI> system-view
[~HUAWEI] acl ipv6 2000
[*HUAWEI-acl6-basic-2000] rule deny source 1::1 128
[*HUAWEI-acl6-basic-2000] rule permit source any
[*HUAWEI-acl6-basic-2000] quit
[*HUAWEI] mld-snooping enable
[*HUAWEI] vlan 11
[*HUAWEI-vlan11] mld-snooping ip-policy 2000
Parent Topic: Layer 2 Multicast Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >