Configuring Source Address-based MLD Message Filtering

Source address-based MLD message filtering is a security policy that filters MLD messages on the router's interface connected to user hosts.

Context

By default, no source address-based MLD message filtering is configured on the router's interface connected to user hosts.

After you configure source address-based MLD message filtering on the router's interface connected to user hosts, the interface filters MLD messages based on the access control list (ACL) configuration.

Perform the following operations on the router's interface connected to user hosts.

Procedure

  • Configure source address-based MLD Report or Done message filtering.
    1. Run system-view

      The system view is displayed.

    2. Configure a basic numbered ACL6 or a naming ACL6 as needed.

      • Configure a basic numbered ACL6.

        1. Run acl ipv6 [ number ] basic-acl6-number [ match-order { auto | config } ]

          A basic numbered ACL6 is created, and the basic numbered ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the basic numbered ACL6.

      • Configure a naming ACL6.

        1. Run acl ipv6 name acl6-name basic [ match-order { auto | config } ]

          A naming ACL6 is created, and the naming ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the naming ACL6.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run mld ip-source-policy { basic-acl6-number | acl6-name acl6-name }

      Source address-based MLD Report or Done message filtering is configured.

      • If an MLD Report or Done message matches an ACL rule and the action is permit, the interface permits this message.
      • If an MLD Report or Done message matches an ACL rule and the action is deny, the interface denies this message.
      • If an MLD Report or Done message does not match any ACL rule, the interface denies this message.
      • If a specified ACL does not exist or does not contain rules, the interface denies all MLD Report and Done messages.

    6. Run commit

      The configuration is committed.

  • Configure source address-based MLD Query message filtering.
    1. Run system-view

      The system view is displayed.

    2. Configure a basic numbered ACL6 or a naming ACL6 as needed.

      • Configure a basic numbered ACL6.

        1. Run acl ipv6 [ number ] basic-acl6-number [ match-order { auto | config } ]

          A basic numbered ACL6 is created, and the basic numbered ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the basic numbered ACL6.

      • Configure a naming ACL6.

        1. Run acl ipv6 name acl6-name basic [ match-order { auto | config } ]

          A naming ACL6 is created, and the naming ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the naming ACL6.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run mld query ip-source-policy { basic-acl6-number | acl6-name acl6-name }

      Source address-based MLD Query message filtering is configured to control querier election.

      • If an MLD Query message matches an ACL rule and the action is permit, the interface permits this message.
      • If an MLD Query message matches an ACL rule and the action is deny, the interface denies this message.
      • If an MLD Query message does not match any ACL rule, the interface denies this message.
      • If a specified ACL does not exist or does not contain rules, the interface denies all MLD Query messages.

    6. Run commit

      The configuration is committed.
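
The permit/deny outcomes listed for both policies above, modelled as an added Python example (not Huawei code) for checking an intended ACL6 against the source addresses you expect before applying it to an interface. It assumes match-order config (rules evaluated by ascending rule-id), requires an explicit rule-id and source in each rule, and ignores the fragment keyword; the rule lines and addresses are constructed.

```python
import ipaddress

def parse_rule(line):
    """Parse 'rule <id> {permit|deny} source {<addr>/<len> | <addr> <len> | any}'."""
    tok = line.split()
    rule_id, action, src = int(tok[1]), tok[2], tok[4:]
    if src == ["any"]:
        net = ipaddress.ip_network("::/0")
    elif len(src) == 2:                      # "address prefix-length" form
        net = ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False)
    else:                                    # "address/prefix-length" form
        net = ipaddress.ip_network(src[0], strict=False)
    return rule_id, action, net

def filter_decision(acl_lines, source):
    """Return (verdict, reason) for an MLD message sent from `source`.

    acl_lines is None when the ACL6 named in the policy does not exist.
    """
    if not acl_lines:                        # missing ACL, or ACL without rules
        return "deny", "ACL missing or empty"
    addr = ipaddress.ip_address(source)
    rules = sorted((parse_rule(l) for l in acl_lines), key=lambda r: r[0])
    for rule_id, action, net in rules:       # first matching rule wins
        if addr in net:
            return action, f"rule {rule_id}"
    return "deny", "no rule matched"         # unmatched messages are denied

# Constructed sample ACL6 and source addresses (not from the original page).
SAMPLE_ACL = [
    "rule 5 deny source fe80::bad/128",
    "rule 10 permit source fe80:: 64",
]
SAMPLE_SOURCES = ["fe80::a1", "fe80::bad", "2001:db8::5"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        verdict, reason = filter_decision(SAMPLE_ACL, src)
        print(f"{src:<14} {verdict:<6} ({reason})")
```

Any expected host or querier address that comes back as deny with "no rule matched" needs its own permit rule, because the interface drops unmatched messages.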

Copyright © Huawei Technologies Co., Ltd.