3Com Switch 7700 Configuration Manual page 231

information in the network once it wins the contention. To prevent malicious
BSR spoofing in the network, the following two measures need to be taken:
Prevent the router from being spoofed by hosts that fake legal BSR messages
in order to modify the RP mapping. BSR messages are multicast with a TTL of 1,
so this type of attack typically hits edge routers. Fortunately, BSRs are
inside the network while the attacking hosts are outside, so neighbor and
RPF checks can be used to stop these attacks.
If a router in the network is compromised by an attacker, or an illegal router
is connected to the network, the attacker may set it as a C-BSR and try to win
the contention and gain the authority to advertise RP information across the
network. Since a router configured as C-BSR propagates BSR messages, which are
multicast messages sent hop by hop with a TTL of 1, the network cannot be
affected as long as the peer routers do not accept these BSR messages. One way
is to configure bsr-policy on each router to limit the range of legal BSRs; for
example, if only 1.1.1.1/32 and 1.1.1.2/32 may be BSRs, routers will neither
accept nor forward BSR messages from any other source, and even legal BSRs
cannot contend with these two.
Perform the following configuration in PIM view.

Table 40   Limiting the Range of Legal BSR

Operation                        Command
Limit the legal BSR range        bsr-policy acl-number
Restore to the default setting   undo bsr-policy

For detailed information on the bsr-policy command, see the Switch 7700
Command Reference Guide.

Limiting the Range of Legal C-RP
In a PIM-SM network using the BSR mechanism, every router can set itself as a
C-RP (candidate rendezvous point) serving particular groups. If elected, a C-RP
becomes the RP serving the current group.
In the BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which
then propagates them across the network in BSR messages. To prevent C-RP
spoofing, configure crp-policy on the BSR to limit the range of legal C-RPs and
the group ranges they may serve. Since every C-BSR has a chance to become the
BSR, you must configure the same filtering policy on every C-BSR router.
Perform the following configuration in PIM view.

Table 41   Limiting the Range of Legal C-RP

Operation                        Command
Limit the legal C-RP range       crp-policy acl-number
Restore to the default setting   undo crp-policy

For detailed information on the crp-policy command, see the Switch 7700
Command Reference Guide.
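As an added example that is not taken from the 3Com manual, the following session applies both policies described above (the bsr-policy for legal BSRs and the crp-policy for legal C-RPs) on a single switch. It assumes the Comware-style ACL syntax documented in the switch's own ACL configuration chapter, not on this page: a basic ACL (2000-2999) whose source address is the BSR address for bsr-policy, and an advanced ACL (3000-3999) whose source address is the C-RP address and whose destination address is the group range that C-RP may serve for crp-policy. The hostname SW7700, the ACL numbers 2000 and 3000 and the group range 225.1.0.0/16 are constructed values; the BSR addresses 1.1.1.1/32 and 1.1.1.2/32 are the page's own example. Lines beginning with # are annotations, not commands.

```text
<SW7700> system-view
# Basic ACL (assumed syntax): only the two addresses from the example above
# may be accepted as BSR; the trailing deny makes the default explicit.
[SW7700] acl number 2000
[SW7700-acl-basic-2000] rule permit source 1.1.1.1 0
[SW7700-acl-basic-2000] rule permit source 1.1.1.2 0
[SW7700-acl-basic-2000] rule deny source any
[SW7700-acl-basic-2000] quit
# Advanced ACL (assumed syntax): C-RP 1.1.1.1 may announce itself only for
# the constructed group range 225.1.0.0/16; any other C-RP or group is dropped.
[SW7700] acl number 3000
[SW7700-acl-adv-3000] rule permit ip source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255
[SW7700-acl-adv-3000] rule deny ip source any destination any
[SW7700-acl-adv-3000] quit
# Apply both filters in PIM view (the commands from Tables 40 and 41).
[SW7700] pim
[SW7700-pim] bsr-policy 2000
[SW7700-pim] crp-policy 3000
[SW7700-pim] quit
```

As the text above requires, the bsr-policy block must be repeated on every router in the PIM domain, and the crp-policy block on every C-BSR, since any C-BSR may win the election and become the router that filters C-RP advertisements. Whether the filters took effect can be checked afterwards by viewing the elected BSR and the learned RP set on each router; the exact display commands are in the Command Reference Guide, not on this page.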
