The pim join-policy command enables an interface to filter join information in Join/Prune messages.
The undo pim join-policy command restores the default configuration.
By default, an interface does not filter join information in Join/Prune messages.
Parameter | Description | Value |
---|---|---|
advanced-acl-number | Specifies the number of an advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
acl-name | Specifies a named ACL for ASM. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. The name must start with a letter or digit, and cannot contain only digits. |
acl-name acl-name | Specifies the name of a named ACL. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. The name must start with a letter or digit, and cannot contain only digits. |
asm | Enables an interface to filter join information of group addresses in the ASM address range. | - |
basic-acl-number | Specifies a basic ACL for ASM. | The value is an integer that ranges from 2000 to 2999. |
ssm | Enables an interface to filter join information sent by specified source addresses to group addresses in the SSM address range. | - |
100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, Loopback interface view, PW-VE sub-interface view, Tunnel interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view, Virtual template view
Usage Scenario
To protect a Router against Join/Prune message attacks, run the pim join-policy command to configure a join information filter policy by setting valid source and group address ranges for Join/Prune messages. The policy enables the Router to discard join information that does not match the specified filter policy.
Prerequisites
The multicast routing-enable command has been run in the instance to which the interface belongs. This command is valid only for PIM-SM.
Configuration Impact
If asm or ssm is configured more than once, the latest configuration overrides the previous one. You can configure both a basic ACL and an advanced ACL to filter the join information with group addresses in the ASM address range and SSM address range, respectively.
After the pim join-policy command is run:
Precautions
The command can be used to filter PIM Join messages in either of the following modes:

(1) The pim join-policy { asm { <basic-acl-number> | acl-name <acl-name> } | ssm { <advanced-acl-number> | acl-name <acl-name> } } command filters PIM Join messages with multicast group addresses in the ASM or SSM address range. If PIM Join messages with multicast group addresses in the ASM address range need to be filtered, the asm parameter must be specified in the command. If PIM Join messages with multicast group addresses in the SSM address range need to be filtered, the ssm parameter must be specified in the command.
(2) The pim join-policy { <advanced-acl-number> | acl-name <acl-name> } command filters PIM Join messages with multicast group addresses both in the ASM and SSM address ranges.

The precautions for configuring filtering rules are as follows:

When configuring filtering rules for an advanced ACL or a named ACL:

- For the rules used to filter PIM Join messages with multicast group addresses in the ASM address range:
  (1) To filter (*, G) PIM Join messages, the source address in the ACL rule must be set to 7.255.255.254, and the destination address must be set to the multicast group address based on which the messages are to be filtered.
  (2) To filter (S, G) PIM Join messages:
    - In an ACL rule, if the source address is set to a multicast source address and the destination address is set to a multicast group address, the messages are filtered based on the multicast source address and multicast group address.
    - In an ACL rule, if the source address is set to a multicast source address and the destination address is set to any, the messages are filtered based on the multicast source address.
    - In an ACL rule, if the source address is set to any and the destination address is set to a multicast group address, the messages are filtered based on the multicast group address.
  (3) The filtering rules do not take effect on (S, G, RPT) PIM Join messages.
- For the rules used to filter PIM Join messages with multicast group addresses in the SSM address range:
  (1) To filter (S, G) PIM Join messages:
    - In an ACL rule, if the source address is set to a multicast source address and the destination address is set to a multicast group address, the messages are filtered based on the multicast source address and multicast group address.
    - In an ACL rule, if the source address is set to a multicast source address and the destination address is set to any, the messages are filtered based on the multicast source address.
    - In an ACL rule, if the source address is set to any and the destination address is set to a multicast group address, the messages are filtered based on the multicast group address.

```
<HUAWEI> system-view
[~HUAWEI] acl number 3000
[*HUAWEI-acl4-advance-3000] rule permit ip source 10.10.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[*HUAWEI-acl4-advance-3000] quit
[*HUAWEI] multicast routing-enable
[*HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] undo portswitch
[*HUAWEI-GigabitEthernet0/1/0] pim join-policy ssm 3000
```
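The rule-writing precautions above, as an added Python example that is not from the original page or the vendor: the hypothetical helpers `rule_for` and `join_policy_config` turn intended (source, group) entries into the advanced ACL and interface commands in the syntax the page's example uses, and reject entries that contradict the precautions. Assumptions: permit rules only, `"*"` stands for a (*, G) join, prefixes are given in CIDR form, and the single address 7.255.255.254 is written with wildcard 0.0.0.0.

```python
import ipaddress

STAR_G_SOURCE = "7.255.255.254"  # source the page requires in rules for (*, G) joins
MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")


def _field(value, want_multicast):
    """Render 'any' or a CIDR prefix as '<address> <wildcard>' after a class check."""
    if value == "any":
        return "any"
    net = ipaddress.IPv4Network(value)  # strict: a prefix with host bits set is rejected
    if net.subnet_of(MULTICAST) != want_multicast:
        kind = "multicast group" if want_multicast else "unicast source"
        raise ValueError(f"{value}: expected a {kind} range")
    return f"{net.network_address} {net.hostmask}"


def rule_for(source, group):
    """Build one ACL rule line. source: CIDR prefix, 'any', or '*' for a (*, G) join."""
    if source == "*":
        if group == "any":
            raise ValueError("a (*, G) rule needs a group address as its destination")
        src = f"{STAR_G_SOURCE} 0.0.0.0"
    else:
        src = _field(source, want_multicast=False)
    return f"rule permit ip source {src} destination {_field(group, True)}"


def join_policy_config(acl_number, interface, entries, ssm_only=False):
    """Return the command lines for the ACL and its binding to one interface.

    ssm_only=True emits 'pim join-policy ssm <n>'; otherwise the form that
    covers both the ASM and SSM ranges, 'pim join-policy <n>', is used.
    """
    if not 3000 <= acl_number <= 3999:
        raise ValueError("an advanced ACL number ranges from 3000 to 3999")
    if ssm_only and any(source == "*" for source, _ in entries):
        raise ValueError("the SSM rules described above cover (S, G) joins only")
    scope = "ssm " if ssm_only else ""
    return [
        f"acl number {acl_number}",
        *(" " + rule_for(source, group) for source, group in entries),
        " quit",
        f"interface {interface}",
        f" pim join-policy {scope}{acl_number}",
    ]
```
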