Home » HP Manuals » Servers » HP 6125XLG » Manual Viewer

HP 6125XLG R2306-HP 6125XLG Blade Switch IP Multicast Configuration Guide - Page 161

Configuring an IPv6 PIM domain border

Add to My Manuals
Save this manual to your list of manuals

Page 161 highlights

Configuring a legal BSR address range enables filtering of BSMs based on the address range, thereby preventing a maliciously configured host from masquerading as a BSR. The same configuration must be made on all routers in the IPv6 PIM-SM domain. The following describes the typical BSR spoofing cases and the corresponding preventive measures: • Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling the border routers to perform neighbor checks and RPF checks on BSMs and to discard unwanted messages. • When an attacker controls a router in the network or when an illegal router is present in the network, the attacker can configure the router as a C-BSR and make it win the BSR election to advertise RP information in the network. After a router is configured as a C-BSR, it automatically floods the network with BSMs. Because a BSM has a hop limit value of 1, the whole network will not be affected as long as the neighbor router discards these BSMs. Therefore, with a legal BSR address range configured on all routers in the network, all these routers can discard BSMs from out of the legal address range. These preventive measures can partially protect the BSR in a network. However, if an attacker controls a legal BSR, the problem still exists. When you configure a C-BSR, reserve a relatively large bandwidth between the C-BSR and the other devices in the IPv6 PIM-SM domain. To configure a C-BSR: Step 1. Enter system view. 2. Enter IPv6 PIM view. 3. Configure a C-BSR. 4. (Optional.) Configure a legal BSR address range. Command system-view ipv6 pim c-bsr ipv6-address [ scope scope-id ] [ hash-length hash-length | priority priority ] * bsr-policy acl6-number Remarks N/A N/A By default, no C-BSR is configured. By default, no restrictions are defined. Configuring an IPv6 PIM domain border As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in the form of bootstrap messages to all routers in the IPv6 PIM-SM domain. An IPv6 PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. IPv6 PIM domain border interfaces partition a network into different IPv6 PIM-SM domains. Bootstrap messages cannot cross a domain border in either direction. Perform the following configuration on routers that you want to configure as an IPv6 PIM domain border. To configure an IPv6 PIM border domain: Step 1. Enter system view. 2. Enter interface view. Command system-view interface interface-type interface-number Remarks N/A N/A 154

Section	Page
Title Page	1
Contents	3
Multicast overview	8
Introduction to multicast	8
Information transmission techniques	8
Unicast	8
Broadcast	9
Multicast	9
Multicast features	10
Common notations in multicast	11
Multicast benefits and applications	11
Multicast benefits	11
Multicast applications	11
Multicast models	12
ASM model	12
SFM model	12
SSM model	12
Multicast architecture	12
Multicast addresses	13
IP multicast addresses	13
Ethernet multicast MAC addresses	15
Multicast protocols	16
Layer 3 multicast protocols	16
Layer 2 multicast protocols	17
Multicast packet forwarding mechanism	18
Configuring IGMP snooping	20
Overview	20
Basic IGMP snooping concepts	20
IGMP snooping related ports	20
Aging timers for dynamic ports in IGMP snooping	21
How IGMP snooping works	22
General query	22
IGMP report	22
Leave message	23
Protocols and standards	23
IGMP snooping configuration task list	24
Configuring basic IGMP snooping functions	24
Enabling IGMP snooping	24
Specifying the IGMP snooping version	25
Setting the maximum number of IGMP snooping forwarding entries	25
Configuring parameters for IGMP queries and responses	26
Configuring parameters for IGMP queries and responses globally	26
Configuring parameters for IGMP queries and responses in a VLAN	26
Configuring IGMP snooping port functions	27
Setting aging timers for dynamic ports	27
Setting the aging timers for dynamic ports globally	27
Setting the aging timers for the dynamic ports in a VLAN	27
Configuring static ports	28
Enabling IGMP snooping fast-leave processing	28
Configuring IGMP snooping policies	29
Configuring a multicast group filter	29
Configuring a multicast group filter globally	29
Configuring a multicast group filter on a port	30
Configuring multicast source port filtering	30
Configuring multicast source port filtering globally	30
Configuring multicast source port filtering on a port	30
Enabling dropping unknown multicast data	30
Setting the maximum number of multicast groups on a port	31
Enabling the multicast group replacement function	31
Displaying and maintaining IGMP snooping	32
IGMP snooping configuration examples	33
Group policy configuration example	33
Network requirements	33
Configuration procedure	33
Verifying the configuration	34
Static port configuration example	35
Network requirements	35
Configuration procedure	35
Verifying the configuration	37
Troubleshooting IGMP snooping	37
Layer 2 multicast forwarding cannot function	37
Symptom	37
Analysis	37
Solution	37
Multicast group filter does not work	38
Symptom	38
Analysis	38
Solution	38
Configuring multicast routing and forwarding	39
Overview	39
RPF check mechanism	39
RPF check process	39
RPF check implementation in multicast	40
Static multicast routes	41
Changing an RPF route	41
Creating an RPF route	42
Multicast forwarding across unicast subnets	43
Configuration task list	43
Enabling IP multicast routing	44
Configuring multicast routing and forwarding	44
Configuring static multicast routes	44
Configuring the RPF route selection rule	45
Configuring multicast load splitting	45
Configuring a multicast forwarding boundary	45
Configuring static multicast MAC address entries	45
Displaying and maintaining multicast routing and forwarding	46
Configuration examples	47
Changing an RPF route	47
Network requirements	47
Configuration procedure	48
Verifying the configuration	49
Creating an RPF route	49
Network requirements	49
Configuration procedure	50
Verifying the configuration	51
Multicast forwarding over a GRE tunnel	51
Network requirements	51
Configuration procedure	52
Verifying the configuration	53
Troubleshooting multicast routing and forwarding	54
Static multicast route failure	54
Symptom	54
Analysis	54
Solution	54
Multicast data fails to reach receivers	55
Symptom	55
Analysis	55
Solution	55
Configuring IGMP	56
Overview	56
IGMPv1 overview	56
IGMPv2 enhancements	58
Querier election mechanism	58
\	58
IGMPv3 enhancements	58
Enhancements in control capability of hosts	58
Enhancements in query and report capabilities	59
Protocols and standards	60
IGMP configuration task list	60
Configuring basic IGMP functions	60
Enabling IGMP	61
Specifying the IGMP version	61
Configuring an interface as a static member interface	61
Configuration guidelines	61
Configuration procedure	61
Configuring a multicast group filter	62
Adjusting IGMP performance	62
Enabling IGMP fast-leave processing	62
Displaying and maintaining IGMP	63
IGMP configuration examples	63
Network requirements	63
Configuration procedure	64
Verifying the configuration	65
Troubleshooting IGMP	65
No membership information on the receiver-side router	65
Symptom	65
Analysis	66
Solution	66
Inconsistent membership information on the routers on the same subnet	66
Symptom	66
Analysis	66
Solution	66
Configuring PIM	67
Overview	67
PIM-DM overview	67
Neighbor discovery	68
SPT building	68
Graft	69
Assert	69
PIM-SM overview	70
Neighbor discovery	70
DR election	70
RP discovery	71
RPT building	72
Multicast source registration	73
Switchover to SPT	74
Assert	74
Administrative scoping overview	75
Administrative scoping mechanism	75
Relationship between admin-scoped zones and the global-scoped zone	75
Protocols and standards	77
Configuring PIM-DM	77
PIM-DM configuration task list	77
Configuration prerequisites	77
Enabling PIM-DM	77
Enabling the state refresh feature	78
Configuring state refresh parameters	78
Configuring PIM-DM graft retry timer	79
Configuring PIM-SM	79
PIM-SM configuration task list	79
Configuration prerequisites	79
Enabling PIM-SM	80
Configuring an RP	80
Configuring a static RP	80
Configuring a C-RP	81
Configuring a BSR	81
Configuring a C-BSR	82
Configuring a PIM domain border	83
Disabling the BSM semantic fragmentation function	83
Configuring multicast source registration	84
Configuring switchover to SPT	84
Configuring common PIM features	85
Configuration task list	85
Configuration prerequisites	85
Configuring a multicast data filter	85
Configuring a hello message filter	85
Configuring PIM hello message options	86
Configuring hello message options globally	87
Configuring hello message options on an interface	87
Configuring common PIM timers	87
Configuring common PIM timers globally	88
Configuring common PIM timers on an interface	88
Setting the maximum size of each join or prune message	89
Enabling PIM to work with BFD	89
Displaying and maintaining PIM	89
PIM configuration examples	90
PIM-DM configuration example	90
Network requirements	90
Configuration procedure	91
Verifying the configuration	92
PIM-SM non-scoped zone configuration example	94
Network requirements	94
Configuration procedure	95
Verifying the configuration	96
PIM-SM admin-scoped zone configuration example	97
Network requirements	97
Configuration procedure	99
Verifying the configuration	100
Troubleshooting PIM	102
A multicast distribution tree cannot be correctly built	102
Symptom	102
Analysis	102
Solution	103
Multicast data is abnormally terminated on an intermediate router	103
Symptom	103
Analysis	103
Solution	104
An RP cannot join an SPT in PIM-SM	104
Symptom	104
Analysis	104
Solution	104
An RPT cannot be built or multicast source registration fails in PIM-SM	104
Symptom	104
Analysis	104
Solution	105
Configuring MLD snooping	106
Overview	106
Basic MLD snooping concepts	106
MLD snooping related ports	106
Aging timers for dynamic ports in MLD snooping	107
How MLD snooping works	108
General query	108
MLD report	108
Done message	109
Protocols and standards	109
MLD snooping configuration task list	110
Configuring basic MLD snooping functions	110
Enabling MLD snooping	110
Specifying the MLD snooping version	111
Setting the maximum number of MLD snooping forwarding entries	111
Configuring parameters for MLD queries and responses	112
Configuring parameters for MLD queries and responses globally	112
Configuring parameters for MLD queries and responses in a VLAN	112
Configuring MLD snooping port functions	112
Setting aging timers for dynamic ports	113
Setting the aging timers for dynamic ports globally	113
Setting the aging timers for the dynamic ports in a VLAN	113
Configuring static ports	113
Enabling MLD snooping fast-leave processing	114
Configuring MLD snooping policies	115
Configuring an IPv6 multicast group filter	115
Configuring an IPv6 multicast group filter globally	115
Configuring an IPv6 multicast group filter on a port	115
Configuring IPv6 multicast source port filtering	116
Configuring IPv6 multicast source port filtering globally	116
Configuring IPv6 multicast source port filtering on a port	116
Enabling dropping unknown IPv6 multicast data	116
Setting the maximum number of IPv6 multicast groups on a port	117
Enabling the IPv6 multicast group replacement function	117
Displaying and maintaining MLD snooping	118
MLD snooping configuration examples	119
IPv6 group policy configuration example	119
Network requirements	119
Configuration procedure	119
Verifying the configuration	120
Static port configuration example	121
Network requirements	121
Configuration procedure	121
Verifying the configuration	123
Troubleshooting MLD snooping	123
Layer 2 multicast forwarding cannot function	123
Symptom	123
Analysis	123
Solution	123
IPv6 multicast group filter does not work	124
Symptom	124
Analysis	124
Solution	124
Configuring IPv6 multicast routing and forwarding	125
Overview	125
RPF check mechanism	125
RPF check process	125
RPF check implementation in IPv6 multicast	125
IPv6 multicast forwarding across IPv6 unicast subnets	127
Configuration task list	127
Enabling IPv6 multicast routing	127
Configuring IPv6 multicast routing and forwarding	128
Configuring the RPF route selection rule	128
Configuring IPv6 multicast load splitting	128
Configuring an IPv6 multicast forwarding boundary	128
Configuring IPv6 static multicast MAC address entries	129
Displaying and maintaining IPv6 multicast routing and forwarding	130
IPv6 multicast routing and forwarding configuration example	130
Network requirements	131
Configuration procedure	131
Verifying the configuration	133
Troubleshooting	133
IPv6 multicast data fails to reach receivers	133
Symptom	133
Analysis	133
Solution	134
Configuring MLD	135
Overview	135
How MLDv1 works	135
Electing the MLD querier	135
Joining an IPv6 multicast group	136
Leaving an IPv6 multicast group	136
MLDv2 enhancements	137
Enhancements in control capability of hosts	137
Enhancement in MLD state	138
Protocols and standards	138
MLD configuration task list	138
Configuring basic MLD functions	138
Enabling MLD	138
Specifying the MLD version	139
Configuring an interface as a static member interface	139
Configuration guidelines	139
Configuration procedure	139
Configuring an IPv6 multicast group filter	140
Adjusting MLD performance	140
Enabling MLD fast-leave processing	140
Displaying and maintaining MLD	141
MLD configuration examples	141
Network requirements	141
Configuration procedure	142
Verifying the configuration	143
Troubleshooting MLD	143
No member information exists on the receiver-side router	143
Symptom	143
Analysis	144
Solution	144
Inconsistent membership information on the routers on the same subnet	144
Symptom	144
Analysis	144
Solution	144
Configuring IPv6 PIM	145
PIM overview	145
IPv6 PIM-DM overview	145
Neighbor discovery	146
SPT building	146
Graft	147
Assert	147
IPv6 PIM-SM overview	148
Neighbor discovery	148
DR election	148
RP discovery	149
Embedded RP	150
RPT building	151
IPv6 multicast source registration	151
Switchover to SPT	152
Assert	153
IPv6 administrative scoping overview	153
IPv6 administrative scoping mechanism	153
Relationship between IPv6 admin-scoped zones and the IPv6 global-scoped zone	154
Protocols and standards	155
Configuring IPv6 PIM-DM	155
IPv6 PIM-DM configuration task list	155
Configuration prerequisites	156
Enabling IPv6 PIM-DM	156
Enabling the state refresh feature	156
Configuring state refresh parameters	157
Configuring IPv6 PIM-DM graft retry timer	157
Configuring IPv6 PIM-SM	158
IPv6 PIM-SM configuration task list	158
Configuration prerequisites	158
Enabling IPv6 PIM-SM	158
Configuring an RP	159
Configuring a static RP	159
Configuring a C-RP	159
Configuring a BSR	160
Configuring a C-BSR	160
Configuring an IPv6 PIM domain border	161
Disabling the BSM semantic fragmentation function	162
Configuring IPv6 multicast source registration	162
Configuring switchover to SPT	163
Configuring common IPv6 PIM features	163
Configuration task list	163
Configuration prerequisites	164
Configuring an IPv6 multicast data filter	164
Configuring a hello message filter	164
Configuring IPv6 PIM hello message options	165
Configuring hello message options globally	165
Configuring hello message options on an interface	166
Configuring common IPv6 PIM timers	166
Configuring common IPv6 PIM timers globally	167
Configuring common IPv6 PIM timers on an interface	167
Setting the maximum size of each join or prune message	167
Enabling IPv6 PIM to work with BFD	168
Displaying and maintaining IPv6 PIM	168
IPv6 PIM configuration examples	169
IPv6 PIM-DM configuration example	169
Network requirements	169
Configuration procedure	170
Verifying the configuration	171
IPv6 PIM-SM non-scoped zone configuration example	172
Network requirements	172
Configuration procedure	174
Verifying the configuration	175
IPv6 PIM-SM admin-scoped zone configuration example	176
Network requirements	176
Configuration procedure	177
Verifying the configuration	179
Troubleshooting IPv6 PIM	181
A multicast distribution tree cannot be correctly built	181
Symptom	181
Analysis	181
Solution	182
IPv6 multicast data is abnormally terminated on an intermediate router	182
Symptom	182
Analysis	182
Solution	183
An RP cannot join an SPT in IPv6 PIM-SM	183
Symptom	183
Analysis	183
Solution	183
An RPT cannot be built or IPv6 multicast source registration fails in IPv6 PIM-SM	183
Symptom	183
Analysis	183
Solution	184
Support and other resources	185
Contacting HP	185
Subscription service	185
Related information	185
Documents	185
Websites	185
Conventions	186
Command conventions	186
GUI conventions	186
Symbols	186
Network topology icons	187
Port numbering in examples	187

Match case Limit results 1 per page

154

Configuring a legal BSR address range enables filtering of BSMs based on the address range, thereby

preventing a maliciously configured host from masquerading as a BSR. The same configuration must be

made on all routers in the IPv6 PIM-SM domain. The following describes the typical BSR spoofing cases

and the corresponding preventive measures:

•

Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such

attacks often occur on border routers. Because a BSR is inside the network whereas hosts are

outside the network, you can protect a BSR against attacks from external hosts by enabling the

border routers to perform neighbor checks and RPF checks on BSMs and to discard unwanted

messages.

•

When an attacker controls a router in the network or when an illegal router is present in the network,

the attacker can configure the router as a C-BSR and make it win the BSR election to advertise RP

information in the network. After a router is configured as a C-BSR, it automatically floods the

network with BSMs. Because a BSM has a hop limit value of 1, the whole network will not be

affected as long as the neighbor router discards these BSMs. Therefore, with a legal BSR address

range configured on all routers in the network, all these routers can discard BSMs from out of the

legal address range.

These preventive measures can partially protect the BSR in a network. However, if an attacker controls a

legal BSR, the problem still exists.

When you configure a C-BSR, reserve a relatively large bandwidth between the C-BSR and the other

devices in the IPv6 PIM-SM domain.

To configure a C-BSR:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enter IPv6 PIM view.

ipv6 pim

N/A

Configure a C-BSR.

c-bsr

ipv6-address

[

scope

scope-id

] [

hash-length

priority

] *

By default, no C-BSR is configured.

(Optional.) Configure a legal

BSR address range.

bsr-policy

acl6-number

By default, no restrictions are

defined.

Configuring an IPv6 PIM domain border

As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in

the form of bootstrap messages to all routers in the IPv6 PIM-SM domain.

An IPv6 PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope.

IPv6 PIM domain border interfaces partition a network into different IPv6 PIM-SM domains. Bootstrap

messages cannot cross a domain border in either direction.

Perform the following configuration on routers that you want to configure as an IPv6 PIM domain border.

To configure an IPv6 PIM border domain:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enter interface view.

interface

interface-type

interface-number

N/A