HP VPN Firewall Appliances Network Management Configuration Guide
Configuring a hello message filter
As PIM is deployed more widely, the security requirements placed on the protocol are becoming more demanding. Establishing correct PIM neighbor relationships is the prerequisite for running PIM securely.
To guard against PIM message attacks, you can configure a legal source address range for hello messages on router interfaces. Hello messages from sources outside that range are dropped, so only the intended routers can establish PIM neighbor relationships on the interface.
To configure a hello message filter:

Step                                  Command                                     Remarks
1. Enter system view.                 system-view                                 N/A
2. Enter interface view.              interface interface-type interface-number   N/A
3. Configure a hello message filter.  pim neighbor-policy acl-number              No hello message filter by default.
                                                                                  When the hello message filter is configured, if hello messages of an existing PIM neighbor fail to pass the filter, the PIM neighbor will be removed automatically when it times out.
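The following CLI session, added here as an illustration and not taken from the guide, applies the procedure above: a basic ACL permits hello messages only from the 10.1.1.0/24 segment and is then bound to an interface. The device name, the interface GigabitEthernet 1/0/1, the ACL number 2000 and the subnet are assumptions chosen for the example.

```text
<Router> system-view
[Router] acl number 2000
[Router-acl-basic-2000] rule 0 permit source 10.1.1.0 0.0.0.255
[Router-acl-basic-2000] rule 5 deny
[Router-acl-basic-2000] quit
[Router] interface GigabitEthernet 1/0/1
[Router-GigabitEthernet1/0/1] pim neighbor-policy 2000
[Router-GigabitEthernet1/0/1] quit
[Router] display pim neighbor
```

After the change, display pim neighbor should show only neighbors whose source address falls inside the permitted range; a neighbor outside the range is not dropped immediately but disappears once its holdtime expires, as the remarks above describe.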
Configuring PIM hello options
In either a PIM-DM domain or a PIM-SM domain, hello messages exchanged among routers contain the
following configurable options:
DR_Priority (for PIM-SM only)—Priority for DR election. The device with the highest priority wins the
DR election. You can configure this option for all the routers in a shared-media LAN that directly
connects to the multicast source or the receivers.
Holdtime—PIM neighbor lifetime. If a router receives no hello message from a neighbor before the
neighbor lifetime expires, it regards the neighbor as failed or unreachable.
LAN_Prune_Delay—Delay of forwarding prune messages on a shared-media LAN. This option
consists of LAN delay (namely, prune message delay), override interval, and neighbor tracking
support (namely, the capability to disable join message suppression).
The prune message delay defines the delay time for a router to forward a received prune message
to the upstream routers. The override interval defines a time period for a downstream router to
override a prune message. If the prune message delay or override interval on different PIM routers
on a shared-media LAN are different, the largest value takes effect.
A router does not immediately prune an interface after it receives a prune message from the
interface. Instead, it starts a timer (the prune message delay plus the override interval). If the interface
receives a join message before the override interval expires, the router does not prune the
interface. Otherwise, the router prunes the interface when the timer (the prune message delay plus
the override interval) expires.
You can enable the neighbor tracking function (or disable the join message suppression function)
on an upstream router to track the states of the downstream nodes that have sent a join message
and whose joined state holdtime timer has not expired. If you want to enable the neighbor tracking
function, you must enable it on all PIM routers on the shared-media LAN. Otherwise, the upstream
router cannot track join messages from every downstream router.