HP FlexFabric 5950 series Configuration Manual page 151


domain, reserve a large bandwidth between the C-BSR and other devices.
The BSR election process is summarized as follows:
1. Initially, each C-BSR regards itself as the BSR of the BIDIR-PIM domain and sends BSMs to other routers in the domain.
2. When a C-BSR receives the BSM from another C-BSR, it compares its own priority with the priority carried in the message. The C-BSR with a higher priority wins the BSR election. If a tie exists in the priority, the C-BSR with a higher IP address wins. The loser uses the winner's BSR address to replace its own BSR address and no longer regards itself as the BSR. The winner retains its own BSR address and continues to regard itself as the BSR.
The elected BSR distributes the RP-set information collected from C-RPs to all routers in the
BIDIR-PIM domain. All routers use the same hash algorithm to select an RP for a specific multicast
group.
A BSR policy enables the router to filter BSR messages by using an ACL that specifies the legal BSR addresses. It is used to guard against the following BSR spoofing cases:
• Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such attacks often occur on border routers.
• When an attacker controls a router on the network, the attacker can configure the router as a C-BSR to win the BSR election. Through this router, the attacker controls the advertising of RP information.
When you configure a C-BSR, follow these restrictions and guidelines:
• C-BSRs should be configured on routers on the backbone network.
• You must configure the same BSR policy on all routers in the BIDIR-PIM domain. The BSR policy discards illegal BSR messages, but it only partially guards against BSR attacks on the network. If an attacker controls a legal BSR, the problem still exists.
• For C-BSRs interconnected through a GRE tunnel, configure static multicast routes to make sure the next hop to a C-BSR is a tunnel interface. For more information about static multicast routes, see "Configuring multicast routing and forwarding."
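The election rule and the effect of a BSR policy described above, as an added Python model that is not part of the manual and is not device code. The BSM class, the function names, and the addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class BSM:
    """Minimal model of a bootstrap message: only the fields the election compares."""
    bsr_address: str
    priority: int

def preferred(a, b):
    """Election rule from the text: higher priority wins; a tie goes to the higher IP address."""
    key = lambda m: (m.priority, int(ipaddress.IPv4Address(m.bsr_address)))
    return a if key(a) >= key(b) else b

def permitted(bsm, policy):
    """BSR policy: None means no policy (every BSM is legal); otherwise the
    BSR address must fall inside one of the permitted ACL prefixes."""
    if policy is None:
        return True
    addr = ipaddress.IPv4Address(bsm.bsr_address)
    return any(addr in ipaddress.ip_network(p) for p in policy)

def elect(own, received, policy=None):
    """Return (elected BSR address, BSR addresses of BSMs discarded by the policy)."""
    winner, dropped = own, []
    for bsm in received:
        if not permitted(bsm, policy):
            dropped.append(bsm.bsr_address)
            continue
        winner = preferred(winner, bsm)
    return winner.bsr_address, dropped

# Constructed sample data (documentation address ranges, not from the manual).
OWN = BSM("192.0.2.1", 100)                # this router's own C-BSR
PEER = BSM("192.0.2.2", 100)               # legitimate C-BSR, same priority
FORGED = BSM("203.0.113.66", 255)          # forged BSM from an unlisted source
POLICY = ["192.0.2.1/32", "192.0.2.2/32"]  # the legal BSR addresses

if __name__ == "__main__":
    print(elect(OWN, [PEER, FORGED]))          # no policy: every BSM is legal
    print(elect(OWN, [PEER, FORGED], POLICY))  # policy discards the forged BSM
    # A legal C-BSR that has been taken over still passes the ACL:
    print(elect(OWN, [BSM("192.0.2.2", 255)], POLICY))
```

The third call shows the limit stated in the guidelines: a BSM sourced from a permitted address is accepted whatever priority it carries.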
To configure a C-BSR:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure a C-BSR. | c-bsr ip-address [ scope group-address { mask-length \| mask } ] [ hash-length hash-length \| priority priority ] * | By default, no C-BSRs exist. |
| 4. (Optional.) Configure a BSR policy. | bsr-policy ipv4-acl-number | By default, no BSR policy exists, and all bootstrap messages are regarded as legal. |

Configuring a PIM domain border

A PIM domain border determines the transmission boundary of bootstrap messages. Bootstrap messages cannot cross the domain border in either direction. A number of PIM domain border interfaces partition a network into different BIDIR-PIM domains.

To configure a PIM domain border:
