HP VPN Firewall Appliances Network Management Configuration Guide
multicast data. In other words, IPv6 PIM routers can act as IPv6 multicast data filters. These filters can help
implement traffic control and also control the information available to downstream receivers to enhance
data security.
Generally, the closer the filter is to the IPv6 multicast source, the more effective the filtering.
To configure an IPv6 multicast data filter:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter IPv6 PIM view. | pim ipv6 | N/A
3. Configure an IPv6 multicast group filter. | source-policy acl6-number | No IPv6 multicast data filter by default. This filter works not only on independent IPv6 multicast data but also on IPv6 multicast data encapsulated in register messages.
Configuring a hello message filter
As IPv6 PIM is deployed more widely, the security requirements for the protocol are becoming
more demanding. Establishing correct IPv6 PIM neighbor relationships is a prerequisite
for the secure use of IPv6 PIM.
To guard against IPv6 PIM message attacks, you can configure a permitted source address range for hello
messages on router interfaces, so that IPv6 PIM neighbor relationships are established only with the correct neighbors.
To configure a hello message filter:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure a hello message filter. | pim ipv6 neighbor-policy acl6-number | No hello message filter by default. When the hello message filter is configured, if the hello messages of an existing IPv6 PIM neighbor fail to pass the filter, the IPv6 PIM neighbor will be removed automatically when it times out.
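Added example (not from the HP guide and not device code): a small Python model of the Remarks above, showing that a neighbor whose hello messages fail the filter is not removed when the filter is applied but ages out once its lifetime expires. The NeighborTable class, the prefix list standing in for the IPv6 ACL, the link-local addresses and the 105-second holdtime are all assumptions made for illustration.

```python
import ipaddress

class NeighborTable:
    """Toy model of one interface's IPv6 PIM neighbor table (assumed semantics)."""

    def __init__(self, holdtime):
        self.holdtime = holdtime   # seconds a neighbor lives without an accepted hello
        self.permitted = None      # None = no hello message filter (the default)
        self.expiry = {}           # neighbor address -> time at which it times out

    def set_neighbor_policy(self, prefixes):
        # Stand-in for "pim ipv6 neighbor-policy acl6-number": permitted source ranges.
        self.permitted = [ipaddress.ip_network(p) for p in prefixes]

    def passes_filter(self, src):
        if self.permitted is None:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.permitted)

    def receive_hello(self, src, now):
        # A hello that fails the filter neither creates nor refreshes a neighbor.
        if not self.passes_filter(src):
            return False
        self.expiry[src] = now + self.holdtime
        return True

    def neighbors(self, now):
        # Existing neighbors are not flushed by the filter; they only age out.
        self.expiry = {a: t for a, t in self.expiry.items() if t > now}
        return sorted(self.expiry)


def demo():
    # Constructed scenario: two neighbors learned at t=0, filter applied afterwards.
    table = NeighborTable(holdtime=105)
    table.receive_hello("fe80::1", now=0)
    table.receive_hello("fe80::99", now=0)
    table.set_neighbor_policy(["fe80::1/128"])   # only fe80::1 is a permitted source
    for now in (30, 60, 90):                     # both keep sending hellos
        table.receive_hello("fe80::1", now)
        table.receive_hello("fe80::99", now)
    return {"t=100": table.neighbors(100), "t=106": table.neighbors(106)}

if __name__ == "__main__":
    print(demo())
```

In this model the filtered neighbor is still listed at t=100 and disappears only after its lifetime ends, so the neighbor table should be checked again one holdtime after the filter is applied.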
Configuring IPv6 PIM hello options
In either an IPv6 PIM-DM domain or an IPv6 PIM-SM domain, hello messages exchanged among routers
contain the following configurable options:
• DR_Priority (for IPv6 PIM-SM only)—Priority for DR election. The device with the highest priority
wins the DR election. You can configure this option for all the routers in a shared-media LAN that
directly connects to the IPv6 multicast source or the receivers.
• Holdtime—IPv6 PIM neighbor lifetime. If a router receives no hello message from a neighbor by the time
the neighbor lifetime expires, it regards the neighbor as failed or unreachable.