H3C S7500E Series Operation Manual page 711

Operation Manual – Multicast
H3C S7500E Series Ethernet Switches
perform neighbor check and RPF check on BSR messages and discard unwanted
messages.
2) When a router in the network is controlled by an attacker or when an illegal router
is present in the network, the attacker can configure such a router to be a C-BSR
and make it win BSR election so as to gain the right of advertising RP information
in the network. After being configured as a C-BSR, a router automatically floods
the network with BSR messages. As a BSR message has a TTL value of 1, the
whole network will not be affected as long as the neighbor router discards these
BSR messages. Therefore, if a legal BSR address range is configured on all
routers in the entire network, all routers will discard BSR messages from out of the
legal address range, and thus this kind of attacks can be prevented.
The above-mentioned preventive measures can partially protect the security of BSRs in
a network. However, if a legal BSR is controlled by an attacker, the above-mentioned
problem will also occur.
Follow these steps to complete basic C-BSR configuration:
Enter system view
Enter PIM view
Configure an interface as
a C-BSR
Configure a legal BSR
address range
Note:
Since a large amount of information needs to be exchanged between a BSR and the
other devices in the PIM-SM domain, a relatively large bandwidth should be provided
between the C-BSR and the other devices in the PIM-SM domain.
II. Configuring a global-scope C-BSR
Follow these steps to configure a global-scope C-BSR:
To do...
Enter system view
Enter PIM view
To do...
system-view
pim
c-bsr interface-type
interface-number
[ hash-length [ priority ] ]
bsr-policy acl-number
Use the command...
system-view
pim
Use the command...
5-22
Chapter 5 PIM Configuration
Remarks
—
—
Required
No C-BSR is configured
by default
Optional
No restrictions on BSR
address range by default
Remarks
—
—