HP 6125XLG Configuration Manual page 161

Blade switch ip multicast configuration guide

Configuring a legal BSR address range enables filtering of BSMs based on the address range, thereby
preventing a maliciously configured host from masquerading as a BSR. The same configuration must be
made on all routers in the IPv6 PIM-SM domain. The following describes the typical BSR spoofing cases
and the corresponding preventive measures:
• Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such
  attacks often occur on border routers. Because a BSR is inside the network whereas hosts are
  outside the network, you can protect a BSR against attacks from external hosts by enabling the
  border routers to perform neighbor checks and RPF checks on BSMs and to discard unwanted
  messages.
• When an attacker controls a router in the network or when an illegal router is present in the network,
  the attacker can configure the router as a C-BSR and make it win the BSR election to advertise RP
  information in the network. After a router is configured as a C-BSR, it automatically floods the
  network with BSMs. Because a BSM has a hop limit value of 1, the whole network will not be
  affected as long as the neighbor router discards these BSMs. Therefore, with a legal BSR address
  range configured on all routers in the network, all these routers can discard BSMs that originate
  from outside the legal address range.
These preventive measures can partially protect the BSR in a network. However, if an attacker controls a
legal BSR, the problem still exists.
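
The following added example (not from the HP manual) models the legal-BSR-range filter described above as an offline audit check on captured BSM payloads. It assumes the filter matches the BSR address field carried in the bootstrap message (RFC 5059 layout); the prefix, addresses, and function names are constructed for illustration, and PIM checksum validation is omitted.

```python
import ipaddress
import struct

PIM_TYPE_BOOTSTRAP = 4   # PIMv2 message type for a BSM (RFC 5059)
AF_IPV6 = 2              # address family value in an encoded-unicast address

# Assumed legal BSR range for this example (documentation prefix).
LEGAL_BSR_RANGES = [ipaddress.ip_network("2001:db8:0:1::/64")]


def build_bsm(bsr, priority, hash_len=126, tag=1):
    """Build a constructed BSM header (no group/RP entries, checksum zeroed)."""
    pim_hdr = struct.pack("!BBH", (2 << 4) | PIM_TYPE_BOOTSTRAP, 0, 0)
    bsr_enc = struct.pack("!BB", AF_IPV6, 0) + ipaddress.IPv6Address(bsr).packed
    return pim_hdr + struct.pack("!HBB", tag, hash_len, priority) + bsr_enc


def parse_bsm(payload):
    """Return (bsr_address, priority) from a BSM payload, or raise ValueError."""
    if len(payload) < 26:
        raise ValueError("truncated BSM")
    ver_type, _, _ = struct.unpack_from("!BBH", payload, 0)
    if ver_type >> 4 != 2 or ver_type & 0x0F != PIM_TYPE_BOOTSTRAP:
        raise ValueError("not a PIMv2 Bootstrap message")
    _tag, _hash_len, priority = struct.unpack_from("!HBB", payload, 4)
    family, encoding = struct.unpack_from("!BB", payload, 8)
    if family != AF_IPV6 or encoding != 0:
        raise ValueError("BSR address is not a native IPv6 address")
    return ipaddress.IPv6Address(payload[10:26]), priority


def bsm_verdict(payload, legal_ranges=LEGAL_BSR_RANGES):
    """Accept only BSMs whose BSR address lies inside the legal range."""
    try:
        bsr, priority = parse_bsm(payload)
    except ValueError as exc:
        return ("discard", str(exc))
    if any(bsr in net for net in legal_ranges):
        return ("accept", f"BSR {bsr} priority {priority}")
    return ("discard", f"BSR {bsr} priority {priority} outside legal range")


if __name__ == "__main__":
    # Constructed samples: one BSM from the legal range, one from outside it.
    for bsr, prio in [("2001:db8:0:1::1", 64), ("2001:db8:ffff::66", 255)]:
        print(bsm_verdict(build_bsm(bsr, prio)))
```
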
When you configure a C-BSR, reserve a relatively large bandwidth between the C-BSR and the other
devices in the IPv6 PIM-SM domain.
To configure a C-BSR:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter IPv6 PIM view.
    Command: ipv6 pim
    Remarks: N/A

Step 3. Configure a C-BSR.
    Command: c-bsr ipv6-address [ scope scope-id ] [ hash-length hash-length | priority priority ] *
    Remarks: By default, no C-BSR is configured.

Step 4. (Optional.) Configure a legal BSR address range.
    Command: bsr-policy acl6-number
    Remarks: By default, no restrictions are defined.

Configuring an IPv6 PIM domain border

As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in
the form of bootstrap messages to all routers in the IPv6 PIM-SM domain.
An IPv6 PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope.
IPv6 PIM domain border interfaces partition a network into different IPv6 PIM-SM domains. Bootstrap
messages cannot cross a domain border in either direction.
Perform the following configuration on routers that you want to configure as an IPv6 PIM domain border.

To configure an IPv6 PIM border domain:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
