This section describes security policies, network attack modes, and configuration and maintenance methods and suggestions applied to layer 2 multicast.
In Layer 2 multicast, group policies can be set to restrict which multicast groups (or source-specific multicast groups) hosts in a VLAN or on an interface are allowed to join.
In Layer 2 multicast, IP policies can be set based on the source IP address to restrict which source IP addresses are allowed to send IGMP messages into a VLAN or VSI. Here the source IP address refers to the one carried in the IP header, that is, the host IP address.
In Layer 2 multicast, you can configure the device not to learn router ports dynamically from received packets.
Malicious users access a device with forged multicast group addresses over invalid multicast channels. As a result, many invalid entries are created on the device and consume system resources, and legitimate users cannot access services. Multicast group policies can be set to limit the range of multicast groups that users can join.
Malicious users forge source IP addresses to access the device. Source IP address-based policies can be set to limit the range of valid source IP addresses that are accepted by the device.
Attacks are conducted through forged query packets. The port on which such packets arrive is learned as a multicast router port and therefore receives the traffic of all multicast groups. As a result, a large amount of traffic is sent over this port and consumes interface bandwidth. To resolve this problem, configure static router ports and disable dynamic learning of router ports from received packets.
igmp-snooping group-policy
igmp-snooping ip-policy
undo igmp-snooping router-learning
Based on service deployment, it is recommended that you configure group policies for VLANs or VSIs based on the IPTV multicast group address range.
igmp-snooping group-policy acl-number
rule [ rule-id ] { deny | permit } source source-ip-address source-wildcard
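The three measures above combined in one VLAN, as an added configuration example that is not taken from this page or from the vendor's documentation. The ACL numbers 2001 and 2002, VLAN 100, the IPTV group range 225.1.1.0/24, the host subnet 10.1.1.0/24 and interface GigabitEthernet0/0/1 are assumed values, and the VLAN-view form of igmp-snooping ip-policy and the static-router-port command are assumed from the same command family rather than quoted from this page.

```text
# Basic ACL 2001 (assumed number): permit only the IPTV group range
# 225.1.1.0/24; reports for any other group are dropped.
acl number 2001
 rule 5 permit source 225.1.1.0 0.0.0.255
 rule 10 deny source any
quit
#
# Basic ACL 2002 (assumed number): accept IGMP messages only when the
# source address in the IP header belongs to the host subnet 10.1.1.0/24.
acl number 2002
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 deny source any
quit
#
igmp-snooping enable
#
vlan 100
 igmp-snooping enable
 igmp-snooping group-policy 2001
 igmp-snooping ip-policy 2002
 undo igmp-snooping router-learning
quit
#
# Fixed uplink towards the multicast router (assumed interface). With
# dynamic learning disabled, this is the only router port in VLAN 100,
# so a forged query on a host port cannot turn that port into a router port.
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 igmp-snooping static-router-port vlan 100
quit
```

After applying this, verify on the device that only GigabitEthernet0/0/1 appears as a router port for VLAN 100 and that group entries outside 225.1.1.0/24 no longer appear.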