3Com 5500G-EI Command Reference Guide - Page 263
UPC - 662705493534
PIM Configuration Commands

Use the undo bsr-policy command to restore the default setting so that no range limit is set and all received messages are taken as legal.

In a PIM SM network using the BSR (bootstrap router) mechanism, every router can set itself as a C-BSR (candidate BSR) and have the authority to advertise RP information in the network once it wins the election. To prevent malicious BSR spoofing in the network, the following two measures need to be taken:

■ Prevent the router from being spoofed by hosts that fake legal BSR messages to modify the RP mapping. BSR messages are multicast with a TTL of 1, so this type of attack often hits edge routers. Because BSRs are inside the network while the attacking hosts are outside, neighbor and RPF checks can be used to stop this type of attack.

■ If a router in the network is manipulated by an attacker, or an illegal router is placed on the network, the attacking router may set itself as a C-BSR, try to win the election and gain the authority to advertise RP information throughout the network. Because a router configured as a C-BSR propagates BSR messages as multicast with a TTL of 1, the network cannot be affected as long as the peer routers do not receive these BSR messages. This is done by configuring bsr-policy on each router to limit the legal BSR range. For example, if only 1.1.1.1/32 and 1.1.1.2/32 can be BSRs, the routers cannot receive or forward BSR messages from any source other than these two. Even legal BSRs cannot contest with them.

These two measures can effectively guarantee high BSR security, although problems may still exist if a legal BSR is attacked.

The source parameter in the rule command is translated as a BSR address in the bsr-policy command.

Related commands: acl and rule

Example

Configure a BSR filtering policy on routers so that only 1.1.1.1/32 can be a BSR.
system-view
System View: return to User View with Ctrl+Z
[SW5500]multicast routing-enable
[SW5500]pim
[SW5500-pim]bsr-policy 2000
[SW5500-pim]quit
[SW5500]acl number 2000
[SW5500-acl-basic-2000]rule 0 permit source 1.1.1.1 0

c-bsr

Syntax

c-bsr interface-type interface-number hash-mask-len [ priority ]
undo c-bsr

View

PIM View
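The bsr-policy example above can be checked offline before it is rolled out to every router. The following Python sketch is an added example, not part of the 3Com manual or the switch software: it parses a session like the one shown and models which BSR source addresses the referenced basic ACL would accept. The function names, the second rule for 1.1.1.2, matching in rule-ID order, and the rejection of unmatched sources are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the page's example session extended with the second
# BSR (1.1.1.2) that the text mentions. Not captured from a real device.
SAMPLE_CONFIG = """\
[SW5500]pim
[SW5500-pim]bsr-policy 2000
[SW5500-pim]quit
[SW5500]acl number 2000
[SW5500-acl-basic-2000]rule 0 permit source 1.1.1.1 0
[SW5500-acl-basic-2000]rule 1 permit source 1.1.1.2 0
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) source (\S+) (\S+)")

def parse_bsr_policy(config):
    """Return (acl_number, rules); each rule is (id, action, address, wildcard)."""
    policy, current, acls = None, None, {}
    for raw in config.splitlines():
        line = raw.split("]", 1)[-1].strip()          # drop the [prompt]
        if m := re.fullmatch(r"bsr-policy (\d+)", line):
            policy = int(m.group(1))
        elif m := re.fullmatch(r"acl number (\d+)", line):
            current = acls.setdefault(int(m.group(1)), [])
        elif (m := RULE_RE.fullmatch(line)) and current is not None:
            addr = int(ipaddress.IPv4Address(m.group(3)))
            # Assumption: a bare "0" wildcard is shorthand for 0.0.0.0 (one host).
            wild = 0 if m.group(4) == "0" else int(ipaddress.IPv4Address(m.group(4)))
            current.append((int(m.group(1)), m.group(2), addr, wild))
    # Assumption: rules are evaluated in ascending rule-ID order.
    return policy, sorted(acls.get(policy, []))

def bsr_accepted(bsr_ip, policy, rules):
    """Model of the filter: is a bootstrap message from bsr_ip taken as legal?"""
    if policy is None:
        return True        # no bsr-policy: the page's default, all messages legal
    src = int(ipaddress.IPv4Address(bsr_ip))
    for _rule_id, action, addr, wild in rules:
        # Wildcard bits set to 1 are "don't care"; every other bit must match.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False           # assumption: a source matching no rule is rejected

if __name__ == "__main__":
    policy, rules = parse_bsr_policy(SAMPLE_CONFIG)
    for ip in ("1.1.1.1", "1.1.1.2", "1.1.1.3", "10.0.0.5"):
        print(ip, "accepted" if bsr_accepted(ip, policy, rules) else "rejected")
```

A bsr-policy that references an ACL with no rules is modelled here as rejecting every BSR, so confirm how the device treats that case before relying on this result.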