(Optional) Configuring a Multicast Group Security Policy

A multicast group policy can be configured to limit the range and number of multicast groups that some hosts can join or to add security messages to multicast data packets.

Context

A multicast group security policy provides the following functions:
  • Limit on multicast group types: There are two types of multicast groups: Any-Source Multicast (ASM) and Source-Specific Multicast (SSM). During IGMPv3 multicast service deployment, you can limit the type of multicast groups for which a Layer 2 device in a VLAN or VSI forwards data.

  • Limit on the multicast group address range: This function is used to limit the range of multicast groups that user hosts attached to a sub-interface or in a VLAN or VSI are allowed to join.

  • Multicast protocol packet protection: This function is used to ensure protocol security. After this function is enabled on a device, the device directly discards an IGMP message that does not carry the Router Alert option in the IP header.

  • Multicast message filtering based on source or destination IP addresses: An access control list (ACL) is configured to filter the source and destination IP addresses in IGMP Query, Report or Leave messages, which prevents forged IGMP Query, Report or Leave messages from interrupting multicast services.

The preceding functions are optional and can be configured in any order. Configure one or more functions as required. Default settings are recommended.

Before configuring a multicast group security policy, enable IGMP snooping both globally and in a specified VLAN or VSI.

Procedure

  • Limit the type of multicast groups.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations to select VLAN or VPLS networking:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name [ static ] command to enter the VSI view.

    3. Run igmp-snooping version 3

      The version number of IGMP snooping is set to 3 in the VLAN or VSI.

    4. Run igmp-snooping { ssm-only | asm-only | asm-ssm }

      A multicast group type is set in the VLAN or VSI.

    5. Run commit

      The configuration is committed.

  • Limit the multicast address range in a VLAN or VSI.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations to select VLAN or VPLS networking:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name [ static ] command to enter the VSI view.

    3. Run igmp-snooping group-policy { acl-number | acl-name acl-name } [ version number ]

      The multicast group address range is limited in the VLAN or VSI. Interfaces in the VLAN or VSI are allowed to join only multicast groups in the range defined by a specified ACL.

      By default, the multicast address range is not limited in the VLAN or VSI.

    4. Run commit

      The configuration is committed.

  • Limit the multicast group address range on a sub-interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface { ethernet | gigabitethernet | eth-trunk } interface-number.subnumber

      The sub-interface view is displayed.

    3. Run igmp-snooping group-policy { acl-number | acl-name acl-name } [ version number ]

      The multicast group address range is limited on the sub-interface, and the sub-interface is allowed to join only multicast groups in the range defined by a specified ACL.

    4. Run commit

      The configuration is committed.

  • Configure multicast protocol packet protection.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations to select VLAN or VPLS networking:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name [ static ] command to enter the VSI view.

    3. Run igmp-snooping require-router-alert

      The device is configured to accept only IGMP messages that carry the Router Alert option in the IP header.

      The device discards a received IGMP message that does not carry the Router Alert option in the IP header.

    4. Run igmp-snooping send-router-alert

      The device is configured to send only IGMP messages that carry the Router Alert option in the IP header.

    5. Run commit

      The configuration is committed.

  • Configure multicast message filtering based on source or destination IP addresses.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations to select VLAN or VPLS networking:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name command to enter the VSI view.

    3. Perform either of the following operations to configure IGMP Query, Report, or Leave message filtering based on source or destination IP addresses.

      • Run the igmp-snooping query-ip-policy { acl-number | acl-name acl-name } command to configure IGMP Query message filtering based on source IP addresses.

        After the configuration is complete and the device receives forged IGMP Query messages from a user host, the device does not forward subsequent IGMP Report or Leave messages to the user host. This configuration prevents multicast service interruptions.

      • Run the igmp-snooping ip-policy { acl-number | acl-name acl-name } command to configure IGMP Report or Leave message filtering based on source or destination IP addresses.

        After the configuration is complete and the device receives forged IGMP Report or Leave messages from a user host, the device does not forward multicast traffic to the user host. This configuration prevents bandwidth resource waste.

    4. Run commit

      The configuration is committed.
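As an added illustration (not Huawei's code or command syntax), the following Python models the checks that the commands above enable on a snooping switch: dropping IGMP messages without the Router Alert IP option (require-router-alert), dropping Query messages from unauthorized source addresses (query-ip-policy), and dropping Report or Leave messages for groups outside the permitted range (group-policy). The constant names, the policy values, and the constructed IGMPv2 packets are assumptions for the example.

```python
import ipaddress
import struct
# Constructed policy (assumed names, not Huawei syntax) mirroring the page's checks.
GROUP_RANGE = ipaddress.ip_network("239.1.0.0/16")            # group-policy ACL range
QUERIER_SOURCES = {ipaddress.ip_address("10.0.0.1")}          # query-ip-policy sources
IGMP_TYPES = {0x11: "query", 0x16: "report", 0x17: "leave"}   # IGMPv2 message types
ROUTER_ALERT = b"\x94\x04\x00\x00"   # RFC 2113 IP option: type 0x94, length 4, value 0

def has_router_alert(options: bytes) -> bool:
    """Walk the IPv4 option list; True only if a well-formed Router Alert is present."""
    i = 0
    while i < len(options):
        if options[i] == 0:                        # End of Option List
            return False
        if options[i] == 1:                        # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                           # malformed length: treat as absent
        if options[i:i + 4] == ROUTER_ALERT:
            return True
        i += options[i + 1]
    return False

def evaluate(packet: bytes) -> str:
    """Return 'accept' or 'drop: <reason>' for one IPv4 packet, as a snooping switch would."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 2:
        return "drop: not IGMP"
    igmp, src = packet[ihl:], ipaddress.ip_address(packet[12:16])
    kind = IGMP_TYPES.get(igmp[0])
    if kind is None:
        return "drop: unsupported IGMP type"
    if not has_router_alert(packet[20:ihl]):
        return "drop: missing Router Alert option"    # igmp-snooping require-router-alert
    if kind == "query" and src not in QUERIER_SOURCES:
        return "drop: Query from unauthorized source"  # igmp-snooping query-ip-policy
    if kind in ("report", "leave"):
        group = ipaddress.ip_address(igmp[4:8])        # group address field of v2 messages
        if group not in GROUP_RANGE:
            return f"drop: group {group} outside group-policy range"  # group-policy
    return "accept"

def build(src: str, igmp: bytes, router_alert: bool = True) -> bytes:
    """Constructed IPv4 header (TTL 1, protocol 2, zero checksum) with optional Router Alert."""
    opts = ROUTER_ALERT if router_alert else b""
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0xC0, ihl * 4 + len(igmp), 0, 0,
                      1, 2, 0, ipaddress.ip_address(src).packed, b"\xe0\x00\x00\x01")
    return hdr + opts + igmp
```

Feeding `build()` output into `evaluate()` shows which of the three policies drops a given message, which is also the order in which to check a switch that unexpectedly discards legitimate Reports.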

Copyright © Huawei Technologies Co., Ltd.