Chapter 6 Pim Configuration Commands; Pim Configuration Commands; Bsr-Policy - H3C S3600 Series Command Manual


Command Manual – Multicast
H3C S3600 Series Ethernet Switches-Release 1510

Chapter 6 PIM Configuration Commands

6.1 PIM Configuration Commands

6.1.1 bsr-policy

Syntax
bsr-policy acl-number
undo bsr-policy
View
PIM view
Parameter
acl-number: Number of the ACL referenced by the BSR filtering policy, in the range of 2000 to 2999.
Description
Use the bsr-policy command to limit the range of legitimate BSRs and so prevent BSR spoofing.
Use the undo bsr-policy command to restore the default setting; that is, no range limit is set and all received messages are treated as legitimate.
In a PIM-SM network that uses the BSR (bootstrap router) mechanism, any router can configure itself as a C-BSR (candidate BSR) and, once it wins the contention, gains the authority to advertise RP information in the network. To prevent malicious BSR spoofing in the network, the following two measures need to be taken:
- Prevent routers from being spoofed by hosts that fake legitimate BSR messages to modify the RP mapping. BSR messages are multicast messages with a TTL of 1, so this type of attack usually hits edge routers. Because BSRs are inside the network while attacking hosts are outside it, neighbor and RPF checks can be used to stop this type of attack.
- If a router in the network is controlled by an attacker, or an illegal router gains access to the network, the attacker may configure it as a C-BSR, try to win the contention, and obtain the authority to advertise RP information in the network. A router configured as a C-BSR propagates BSR messages, which are multicast messages sent hop by hop with a TTL of 1, so the network is not affected as long as the peer routers do not receive these BSR messages. One way to achieve this is to configure the bsr-policy command on each router to limit the legitimate BSR range. For example, if only 1.1.1.1/32 and 1.1.1.2/32 are allowed to be BSRs, the routers do not receive or forward BSR messages from any other source. Even legitimate BSRs cannot contend with them.
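The effect of the 1.1.1.1/32 and 1.1.1.2/32 example above, as an added Python model (not code from the H3C manual): it parses a constructed ACL 2000, written in Comware basic-ACL rule syntax that this page does not show, and applies it to bootstrap messages before a simplified election (highest priority, then highest address). The address 10.9.9.9, the priorities and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed basic ACL 2000 (Comware-style rule syntax; an assumption, not shown on the page).
ACL_2000 = """
rule 0 permit source 1.1.1.1 0
rule 1 permit source 1.1.1.2 0
"""

def parse_acl(text):
    """Return [(action, address_int, wildcard_int)] in rule order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()  # rule <id> <permit|deny> source <addr> <wildcard>
        action, addr, wild = tok[2], tok[4], tok[5]
        wild = "0.0.0.0" if wild == "0" else wild  # "0" is shorthand for a host match
        rules.append((action, int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(wild))))
    return rules

def bsr_permitted(bsr_addr, rules):
    """First matching rule wins. rules=None models 'undo bsr-policy' (accept all);
    an address that matches no rule is treated as denied (assumption)."""
    if rules is None:
        return True
    ip = int(ipaddress.IPv4Address(bsr_addr))
    for action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if ip & care == addr & care:
            return action == "permit"
    return False

def elect_bsr(bootstraps, rules):
    """bootstraps: [(bsr_addr, priority)]. Filter first, then elect the winner."""
    accepted = [b for b in bootstraps if bsr_permitted(b[0], rules)]
    if not accepted:
        return None
    return max(accepted, key=lambda b: (b[1], int(ipaddress.IPv4Address(b[0]))))[0]

# Constructed bootstrap messages: two legitimate C-BSRs and one rogue with priority 255.
SEEN = [("1.1.1.1", 10), ("1.1.1.2", 20), ("10.9.9.9", 255)]

if __name__ == "__main__":
    print("no bsr-policy  :", elect_bsr(SEEN, None))
    print("bsr-policy 2000:", elect_bsr(SEEN, parse_acl(ACL_2000)))
```

Without a policy the rogue C-BSR wins on priority alone; with the policy its bootstrap messages are dropped before the election, so the outcome is decided only among the permitted addresses.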