(Optional) Configuring MLD Snooping Policies

To improve service security, configure MLD snooping policies on a Layer 2 multicast device to filter multicast messages or restrict the multicast group range that hosts can join.

Context

Configure MLD snooping policies to control the programs that users can join and improve the controllability and security of a Layer 2 multicast network. MLD snooping policies include:
  • Multicast group model restriction: Based on whether source addresses are defined, multicast groups are categorized as any-source multicast (ASM) and source-specific multicast (SSM) ones. If MLDv2 is used, you can configure the device to forward only ASM or SSM group data in a VLAN/VSI.

  • Multicast group address restriction: You can configure the range of multicast groups that users can join on a specified interface/sub-interface or in a specified VLAN/VSI.

  • Multicast protocol message protection: You can configure the device to discard the MLD messages that are received from a VLAN or VSI and carry no Router-Alert option in IP headers. This function improves device security.

  • Multicast packet filtering based on source or destination IP addresses: Configure an ACL to filter MLD Report messages based on source or destination IP addresses, which prevents forged MLD Report messages from interrupting multicast services.

The following functions are optional and can be configured in any order. Default settings are recommended.

Before configuring MLD snooping policies, enable MLD snooping both globally and in a specified VLAN/VSI view.

Procedure

  • Set a multicast group model.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations based on the VLAN or VPLS networking scenario:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name [ static ] command to enter the VSI view.

    3. Run mld-snooping version 2

      MLDv2 is set as the version of MLD snooping in the VLAN/VSI.

    4. Run mld-snooping { ssm-only | asm-only | asm-ssm }

      A multicast group model is set in the VLAN/VSI.

    5. Run commit

      The configuration is committed.

  • Set the range of multicast groups that hosts can join in a VLAN/VSI.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations based on the VLAN or VPLS networking scenario:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name [ static ] command to enter the VSI view.

    3. Run mld-snooping group-policy { acl-number | acl-name acl-name } [ version number ]

      The range of multicast groups that hosts can join in the VLAN/VSI is set.

    4. Run commit

      The configuration is committed.

  • Set the range of multicast groups that hosts can join on a sub-interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number.subnumber

      The sub-interface view is displayed.

    3. Run mld-snooping group-policy { acl-number | acl-name acl-name } [ version number ]

      The range of multicast groups that hosts can join is set.

    4. Run commit

      The configuration is committed.

  • Configure a security policy for multicast protocol messages.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations based on the VLAN or VPLS networking scenario:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name [ static ] command to enter the VSI view.

    3. Run mld-snooping require-router-alert

      The device is enabled to discard MLD messages that do not carry the Router-Alert option in IP headers.

    4. Run mld-snooping send-router-alert

      The device is configured to add the Router-Alert option in IP headers of MLD messages to be sent.

    5. Run commit

      The configuration is committed.

  • Configure multicast message filtering based on source or destination IP addresses.
    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations based on the VLAN or VPLS networking scenario:

      • Run the vlan vlan-id command to enter the VLAN view.
      • Run the vsi vsi-name command to enter the VSI view.

    3. Configure the device to filter MLD Report messages based on source or destination IP addresses.

      • Run mld-snooping ip-policy { acl6-number | acl6-name acl6-name }

        The device is configured to filter MLD Report messages based on source or destination IP addresses.

        After the configuration is complete and the device receives forged MLD Report messages from a user host, the device does not forward multicast traffic to the network segment of the user host. This prevents bandwidth resource waste.

    4. Run commit

      The configuration is committed.
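The four policy types above (group model restriction, group address restriction, Router-Alert enforcement and source/destination filtering of Report messages) all act on the same decision point: whether a received MLD Report, and each group record inside it, is admitted. The following Python model is an added example, not Huawei code and not a description of the device's internal implementation; it builds a constructed MLDv2 Report, parses the Hop-by-Hop Router-Alert option, and applies a policy object whose fields correspond loosely to the commands on this page (the field names, the ASM/SSM classification by record mode, and the use of IPv6 prefix lists in place of ACLs are assumptions for illustration).

```python
import ipaddress
import struct
from dataclasses import dataclass, field

MLDV2_REPORT = 143
# MLDv2 record types whose filter mode is INCLUDE (RFC 3810): a record of these
# types with at least one source is treated here as a source-specific join.
INCLUDE_TYPES = {1, 3, 5}  # MODE_IS_INCLUDE, CHANGE_TO_INCLUDE, ALLOW_NEW_SOURCES


def build_mld_report(src, records, router_alert=True):
    """Construct (for testing only) an IPv6 packet carrying an MLDv2 Report."""
    body = struct.pack("!BBHHH", MLDV2_REPORT, 0, 0, 0, len(records))
    for rtype, group, sources in records:
        body += struct.pack("!BBH", rtype, 0, len(sources))
        body += ipaddress.IPv6Address(group).packed
        for s in sources:
            body += ipaddress.IPv6Address(s).packed
    if router_alert:
        # Hop-by-Hop header (8 bytes): next=ICMPv6, len=0, RA option (5,2,0=MLD), PadN
        payload = struct.pack("!BBBBHBB", 58, 0, 5, 2, 0, 1, 0) + body
        next_header = 0
    else:
        payload, next_header = body, 58
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 1)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::16").packed
    return ip6 + payload


@dataclass
class Report:
    src: ipaddress.IPv6Address
    router_alert: bool
    records: list  # (record_type, group, [sources])


def parse_packet(pkt):
    """Parse IPv6 + optional Hop-by-Hop + MLDv2 Report; None if not a Report."""
    _, _, nh, _ = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    off, router_alert = 40, False
    if nh == 0:  # Hop-by-Hop options header: walk the TLV options
        nxt, ext_len = pkt[off], pkt[off + 1]
        hdr_len = (ext_len + 1) * 8
        opts, i = pkt[off + 2:off + hdr_len], 0
        while i < len(opts):
            if opts[i] == 0:  # Pad1
                i += 1
                continue
            olen = opts[i + 1]
            if opts[i] == 5 and olen == 2 and opts[i + 2:i + 4] == b"\x00\x00":
                router_alert = True  # Router Alert, value 0 = MLD (RFC 2711)
            i += 2 + olen
        off, nh = off + hdr_len, nxt
    if nh != 58 or pkt[off] != MLDV2_REPORT:
        return None
    (nrec,) = struct.unpack("!H", pkt[off + 6:off + 8])
    off, records = off + 8, []
    for _ in range(nrec):
        rtype, aux_len, nsrc = struct.unpack("!BBH", pkt[off:off + 4])
        group = ipaddress.IPv6Address(pkt[off + 4:off + 20])
        off += 20
        sources = [ipaddress.IPv6Address(pkt[off + 16 * k:off + 16 * k + 16]) for k in range(nsrc)]
        off += 16 * nsrc + 4 * aux_len
        records.append((rtype, group, sources))
    return Report(src, router_alert, records)


@dataclass
class SnoopingPolicy:
    """Assumed mapping of the page's commands onto policy fields."""
    group_model: str = "asm-ssm"                      # mld-snooping { ssm-only | asm-only | asm-ssm }
    group_policy: list = field(default_factory=list)  # mld-snooping group-policy: permitted groups
    ip_policy: list = field(default_factory=list)     # mld-snooping ip-policy: permitted Report sources
    require_router_alert: bool = False                # mld-snooping require-router-alert


def evaluate(policy, pkt):
    """Return (accepted group strings, list of drop/deny reasons)."""
    rep = parse_packet(pkt)
    if rep is None:
        return [], ["not an MLDv2 Report"]
    if policy.require_router_alert and not rep.router_alert:
        return [], ["dropped: no Router-Alert option in IPv6 header"]
    if policy.ip_policy and not any(rep.src in n for n in policy.ip_policy):
        return [], [f"dropped: source {rep.src} denied by ip-policy"]
    accepted, reasons = [], []
    for rtype, group, sources in rep.records:
        model = "ssm" if (rtype in INCLUDE_TYPES and sources) else "asm"
        if policy.group_model == "ssm-only" and model == "asm":
            reasons.append(f"{group}: ASM record rejected by ssm-only")
        elif policy.group_model == "asm-only" and model == "ssm":
            reasons.append(f"{group}: SSM record rejected by asm-only")
        elif policy.group_policy and not any(group in n for n in policy.group_policy):
            reasons.append(f"{group}: outside group-policy range")
        else:
            accepted.append(str(group))
    return accepted, reasons
```

Running `evaluate` with `require_router_alert=True` against a Report built with `router_alert=False` shows the effect of `mld-snooping require-router-alert` in isolation; combining it with an `ip_policy` prefix list and an `ssm-only` model shows that the checks are independent and are applied in the order packet-level (Router-Alert, source) before record-level (model, group range).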

Copyright © Huawei Technologies Co., Ltd.