Configuring PIM Filtering
Understanding Multicast Message Filters
Multicast sources and routers generate a considerable number of control messages, especially when using PIM sparse mode. These messages form distribution trees, locate rendezvous points (RPs) and designated routers (DRs), and transition from one type of tree to another. In most cases, this multicast messaging system operates transparently and efficiently. However, in some configurations, more control over the sending and receiving of multicast control messages is necessary.
You can configure multicast filtering to control the sending and receiving of multicast control messages.
To prevent unauthorized groups and sources from registering with an RP router, you can define a routing policy to reject PIM register messages from specific groups and sources and configure the policy on the designated router or the RP router.
If you configure the reject policy on an RP router, it rejects incoming PIM register messages from the specified groups and sources. The RP router also sends a register stop message by means of unicast to the designated router. On receiving the register stop message, the designated router sends periodic null register messages for the specified groups and sources to the RP router.
If you configure the reject policy on a designated router, it stops sending PIM register messages for the specified groups and sources to the RP router.
If you have configured the reject policy on an RP router, we recommend that you configure the same policy on all the RP routers in your multicast network.
If you delete a group and source address from the reject policy configured on an RP router and commit the configuration, the RP router will register the group and source only when the designated router sends a null register message.
Filtering MAC Addresses
When a router is exclusively configured with multicast protocols on an interface, multicast sets the interface media access control (MAC) filter to multicast promiscuous mode, and the number of multicast groups is unlimited. However, when the router is not exclusively used for multicasting and other protocols such as OSPF, Routing Information Protocol version 2 (RIPv2), or Network Time Protocol (NTP) are configured on an interface, each of these protocols individually requests that the interface program the MAC filter to pick up its respective multicast group only. In this case, without multicast configured on the interface, the maximum number of multicast MAC filters is limited to 20. For example, the maximum number of interface MAC filters for protocols such as OSPF (multicast group 224.0.0.5) is 20, unless a multicast protocol is also configured on the interface.
No configuration is necessary for MAC filters.
Filtering RP and DR Register Messages
You can filter Protocol Independent Multicast (PIM) register messages sent from the designated router (DR) or to the rendezvous point (RP). The PIM RP keeps track of all active sources in a single PIM sparse mode domain. In some cases, more control over which sources an RP discovers, or which sources a DR notifies other RPs about, is desired. A high degree of control over PIM register messages is provided by RP and DR register message filtering. Message filtering also prevents unauthorized groups and sources from registering with an RP router.
Register messages that are filtered at a DR are not sent to the RP, but the sources are available to local users. Register messages that are filtered at an RP arrive from source DRs, but are ignored by the router. Sources on multicast group traffic can be limited or directed by using RP or DR register message filtering alone or together.
If the action of the register filter policy is to discard the register message, the router needs to send a register-stop message to the DR. Register-stop messages are throttled to prevent malicious users from triggering them on purpose to disrupt the routing process.
Multicast group and source information is encapsulated inside unicast IP packets. This feature allows the router to inspect the multicast group and source information before sending or accepting the PIM register message.
Incoming register messages to an RP are passed through the configured register message filtering policy before any further processing. If the register message is rejected, the RP router sends a register-stop message to the DR. When the DR receives the register-stop message, the DR stops sending register messages for the filtered groups and sources to the RP. Two fields are used for register message filtering:
Group multicast address
Source address
The syntax of the existing policy statements is used to configure the filtering on these two fields. The route-filter statement is useful for multicast group address filtering, and the source-address-filter statement is useful for source address filtering. In most cases, the action is to reject the register messages, but more complex filtering policies are possible.
Filtering cannot be performed on other header fields, such as DR address, protocol, or port. In some configurations, an RP might not send register-stop messages when the policy action is to discard the register messages. This has no effect on the operation of the feature, but the router will continue to receive register messages.
When anycast RP is configured, register messages can be sent or received by the RP. All the RPs in the anycast RP set need to be configured with the same RP register message filtering policies. Otherwise, it might be possible to circumvent the filtering policy.
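The register-stop exchange and the register-stop throttle described above, modelled as an added example (not Junos OS code). The throttle interval, the DR's suppression period, and the fixed set of rejected (group, source) pairs standing in for the routing policy are all assumed values.

```python
from dataclasses import dataclass, field


@dataclass
class RP:
    """RP side: the register policy runs before any other register processing."""
    rejected: set                                   # (group, source) pairs the policy rejects
    throttle_secs: float = 5.0                      # assumed minimum gap between stops per pair
    last_stop: dict = field(default_factory=dict)   # (group, source) -> time of last stop sent
    registered: set = field(default_factory=set)    # (group, source) pairs the RP learned
    stops_sent: int = 0

    def receive_register(self, group, source, now, null=False):
        """Returns 'accepted', 'register-stop' (rejected, stop sent to the DR) or
        'throttled' (rejected, but a stop for this pair was sent too recently)."""
        key = (group, source)
        if key not in self.rejected:
            if not null:                            # a null register carries no data
                self.registered.add(key)
            return "accepted"
        last = self.last_stop.get(key)
        if last is not None and now - last < self.throttle_secs:
            return "throttled"
        self.last_stop[key] = now
        self.stops_sent += 1
        return "register-stop"


@dataclass
class DR:
    """DR side: honours register-stop, then probes with null registers."""
    suppress_secs: float = 60.0                     # assumed register-suppression period
    suppressed_until: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)        # kinds of register the DR sent

    def source_active(self, rp, group, source, now):
        """Called when the DR sees traffic from a source; returns the RP's reply."""
        key = (group, source)
        until = self.suppressed_until.get(key)
        if until is not None and now < until:
            return "suppressed"                     # no register while the stop is in force
        null = until is not None                    # timer expired: send a null register
        self.sent.append("null-register" if null else "register")
        reply = rp.receive_register(group, source, now, null=null)
        if reply == "register-stop":
            self.suppressed_until[key] = now + self.suppress_secs
        return reply


def scenario():
    """A well-behaved DR, then a burst of forged registers for a rejected pair."""
    rp = RP(rejected={("224.1.1.1", "10.10.10.1")})
    dr = DR()
    out = {
        "first": dr.source_active(rp, "224.1.1.1", "10.10.10.1", 0.0),     # register-stop
        "during": dr.source_active(rp, "224.1.1.1", "10.10.10.1", 1.0),    # suppressed
        "expired": dr.source_active(rp, "224.1.1.1", "10.10.10.1", 61.0),  # null -> register-stop
        "allowed": dr.source_active(rp, "224.2.2.2", "10.10.10.1", 61.0),  # accepted
    }
    # 100 registers for the rejected pair within one second, sent by something that
    # ignores register-stop: the throttle bounds how many stops the RP emits in reply.
    replies = [rp.receive_register("224.1.1.1", "10.10.10.1", 70.0 + i / 100)
               for i in range(100)]
    out["flood_stops"] = replies.count("register-stop")
    out["flood_throttled"] = replies.count("throttled")
    out["dr_sent"] = dr.sent
    out["rp_stops_total"] = rp.stops_sent
    return out
```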
Filtering MSDP SA Messages
Along with applying MSDP source active (SA) filters on all external MSDP sessions (in and out) to prevent SAs for groups and sources from leaking in and out of the network, you need to apply bootstrap router (BSR) filters. Applying a BSR filter to the boundary of a network prevents foreign BSR messages (which announce RP addresses) from leaking into your network. Since the routers in a PIM sparse-mode domain need to know the address of only one RP router, having more than one in the network can create issues.
If you did not use multicast scoping to create boundary filters for all customer-facing interfaces, you might want to use PIM join filters. Multicast scopes prevent the actual multicast data packets from flowing in or out of an interface. PIM join filters prevent PIM sparse-mode state from being created in the first place. Since PIM join filters apply only to the PIM sparse-mode state, it might be more beneficial to use multicast scoping to filter the actual data.
When you apply firewall filters, firewall action modifiers, such as log, sample, and count, work only when you apply the filter on an inbound interface. The modifiers do not work on an outbound interface.
Configuring Interface-Level PIM Neighbor Policies
You can configure a policy to filter unwanted PIM neighbors. In the following example, the PIM interface compares neighbor IP addresses with the IP address in the policy statement before any hello processing takes place. If any of the neighbor IP addresses (primary or secondary) match the IP address specified in the prefix list, PIM drops the hello packet and rejects the neighbor.
If you configure a PIM neighbor policy after PIM has already established a neighbor adjacency to an unwanted PIM neighbor, the adjacency remains intact until the neighbor hold time expires. When the unwanted neighbor sends another hello message to update its adjacency, the router recognizes the unwanted address and rejects the neighbor.
To configure a policy to filter unwanted PIM neighbors:
Filtering Outgoing PIM Join Messages
When the core of your network is using MPLS, PIM join and prune messages stop at the customer edge (CE) routers and are not forwarded toward the core, because these routers do not have PIM neighbors on the core-facing interfaces. When the core of your network is using IP, PIM join and prune messages are forwarded to the upstream PIM neighbors in the core of the network.
When the core of your network is using a mix of IP and MPLS, you might want to filter certain PIM join and prune messages at the upstream egress interface of the CE routers.
You can filter PIM sparse mode (PIM-SM) join and prune messages at the egress interfaces for IPv4 and IPv6 in the upstream direction. The messages can be filtered based on the group address, source address, outgoing interface, PIM neighbor, or a combination of these values. If the filter is removed, the join is sent after the PIM periodic join timer expires.
To filter PIM sparse mode join and prune messages at the egress interfaces, create a policy rejecting the group address, source address, outgoing interface, or PIM neighbor, and then apply the policy.
The following example filters PIM join and prune messages for group addresses 224.0.1.2 and 225.1.1.1.
Example: Stopping Outgoing PIM Register Messages on a Designated Router
This example shows how to stop outgoing PIM register messages on a designated router.
Requirements
Before you begin:
Determine whether the router is directly attached to any multicast sources. Receivers must be able to locate these sources.
Determine whether the router is directly attached to any multicast group receivers. If receivers are present, IGMP is needed.
Determine whether to configure multicast to use sparse, dense, or sparse-dense mode. Each mode has different configuration considerations.
Determine the address of the RP if sparse or sparse-dense mode is used.
Determine whether to locate the RP with the static configuration, BSR, or auto-RP method.
Determine whether to configure multicast to use its own RPF routing table when configuring PIM in sparse, dense, or sparse-dense mode.
Configure the SAP and SDP protocols to listen for multicast session announcements.
Configure IGMP.
Configure the PIM static RP.
Filter PIM register messages from unauthorized groups and sources. See Example: Rejecting Incoming PIM Register Messages on RP Routers.
Overview
In this example, you configure the group address as 224.2.2.2/32 and the source address in the group as 20.20.20.1/32. You set the match action to reject, so that PIM register messages for this group and source address are not sent. Then you apply the policy, named stop-pim-register-msg-dr, on the designated router.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set policy-options policy-statement stop-pim-register-msg-dr from route-filter 224.2.2.2/32 exact
set policy-options policy-statement stop-pim-register-msg-dr from source-address-filter 20.20.20.1/32 exact
set policy-options policy-statement stop-pim-register-msg-dr then reject
set protocols pim rp dr-register-policy stop-pim-register-msg-dr
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To stop outgoing PIM register messages on a designated router:
Configure the policy options.
[edit] user@host# edit policy-options
Set the group address.
[edit policy-options] user@host# set policy-statement stop-pim-register-msg-dr from route-filter 224.2.2.2/32 exact
Set the source address.
[edit policy-options] user@host# set policy-statement stop-pim-register-msg-dr from source-address-filter 20.20.20.1/32 exact
Set the match action.
[edit policy-options] user@host# set policy-statement stop-pim-register-msg-dr then reject
Assign the policy.
[edit] user@host# set protocols pim rp dr-register-policy stop-pim-register-msg-dr
Results
From configuration mode, confirm your configuration by entering the show policy-options and show protocols commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show policy-options
policy-statement stop-pim-register-msg-dr {
    from {
        route-filter 224.2.2.2/32 exact;
        source-address-filter 20.20.20.1/32 exact;
    }
    then reject;
}
[edit]
user@host# show protocols
pim {
    rp {
        dr-register-policy stop-pim-register-msg-dr;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying SAP and SDP Addresses and Ports
- Verifying the IGMP Version
- Verifying the PIM Mode and Interface Configuration
- Verifying the PIM RP Configuration
Verifying SAP and SDP Addresses and Ports
Purpose
Verify that SAP and SDP are configured to listen on the correct group addresses and ports.
Action
From operational mode, enter the show sap listen
command.
Verifying the IGMP Version
Purpose
Verify that IGMP version 2 is configured on all applicable interfaces.
Action
From operational mode, enter the show igmp interface
command.
Verifying the PIM Mode and Interface Configuration
Purpose
Verify that PIM sparse mode is configured on all applicable interfaces.
Action
From operational mode, enter the show pim interfaces
command.
Filtering Incoming PIM Join Messages
Multicast scoping controls the propagation of multicast messages. Whereas multicast scoping prevents the actual multicast data packets from flowing in or out of an interface, PIM join filters prevent a state from being created in a router. A state—the (*,G) or (S,G) entries—is the information used for forwarding unicast or multicast packets. Using PIM join filters prevents the transport of multicast traffic across a network and the dropping of packets at a scope at the edge of the network. Also, PIM join filters reduce the potential for denial-of-service (DoS) attacks and PIM state explosion—large numbers of PIM join messages forwarded to each router on the rendezvous-point tree (RPT), resulting in memory consumption.
To use PIM join filters to efficiently restrict multicast traffic from certain source addresses, create and apply the routing policy across all routers in the network.
See Table 1 for a list of match conditions.
Match Condition | Matches On
---|---
interface | Router interface or interfaces specified by name or IP address
neighbor | Neighbor address (the source address in the IP header of the join and prune message)
route-filter | Multicast group address embedded in the join and prune message
source-address-filter | Multicast source address embedded in the join and prune message
The following example shows how to create a PIM join filter. The filter is composed of a route filter and a source address filter, named bad-groups and bad-sources, respectively. The bad-groups filter prevents (*,G) or (S,G) join messages from being received for all groups listed. The bad-sources filter prevents (S,G) join messages from being received for all sources listed. The bad-groups filter and bad-sources filter are in two different terms. If route filters and source address filters are in the same term, they are logically ANDed, so a join message is rejected only when both its group and its source match.
To filter incoming PIM join messages:
Example: Rejecting Incoming PIM Register Messages on RP Routers
This example shows how to reject incoming PIM register messages on RP routers.
Requirements
Before you begin:
Determine whether the router is directly attached to any multicast sources. Receivers must be able to locate these sources.
Determine whether the router is directly attached to any multicast group receivers. If receivers are present, IGMP is needed.
Determine whether to configure multicast to use sparse, dense, or sparse-dense mode. Each mode has different configuration considerations.
Determine the address of the RP if sparse or sparse-dense mode is used.
Determine whether to locate the RP with the static configuration, BSR, or auto-RP method.
Determine whether to configure multicast to use its own RPF routing table when configuring PIM in sparse, dense, or sparse-dense mode.
Configure the SAP and SDP protocols to listen for multicast session announcements. See Configuring the Session Announcement Protocol.
Configure IGMP. See Configuring IGMP.
Configure the PIM static RP. See Configuring Static RP.
Overview
In this example, you configure the group address as 224.1.1.1/32 and the source address in the group as 10.10.10.1/32. You set the match action to reject PIM register messages and assign reject-pim-register-msg-rp as the policy on the RP.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set policy-options policy-statement reject-pim-register-msg-rp from route-filter 224.1.1.1/32 exact
set policy-options policy-statement reject-pim-register-msg-rp from source-address-filter 10.10.10.1/32 exact
set policy-options policy-statement reject-pim-register-msg-rp then reject
set protocols pim rp rp-register-policy reject-pim-register-msg-rp
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To reject the incoming PIM register messages on an RP router:
Configure the policy options.
[edit] user@host# edit policy-options
Set the group address.
[edit policy-options] user@host# set policy-statement reject-pim-register-msg-rp from route-filter 224.1.1.1/32 exact
Set the source address.
[edit policy-options] user@host# set policy-statement reject-pim-register-msg-rp from source-address-filter 10.10.10.1/32 exact
Set the match action.
[edit policy-options] user@host# set policy-statement reject-pim-register-msg-rp then reject
Configure the protocol.
[edit] user@host# edit protocols pim rp
Assign the policy.
[edit protocols pim rp] user@host# set rp-register-policy reject-pim-register-msg-rp
Results
From configuration mode, confirm your configuration by entering the show policy-options and show protocols pim commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show policy-options
policy-statement reject-pim-register-msg-rp {
    from {
        route-filter 224.1.1.1/32 exact;
        source-address-filter 10.10.10.1/32 exact;
    }
    then reject;
}
[edit]
user@host# show protocols pim
rp {
    rp-register-policy reject-pim-register-msg-rp;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying SAP and SDP Addresses and Ports
- Verifying the IGMP Version
- Verifying the PIM Mode and Interface Configuration
- Verifying the PIM Register Messages
Verifying SAP and SDP Addresses and Ports
Purpose
Verify that SAP and SDP are configured to listen on the correct group addresses and ports.
Action
From operational mode, enter the show sap listen
command.
Verifying the IGMP Version
Purpose
Verify that IGMP version 2 is configured on all applicable interfaces.
Action
From operational mode, enter the show igmp interface
command.
Verifying the PIM Mode and Interface Configuration
Purpose
Verify that PIM sparse mode is configured on all applicable interfaces.
Action
From operational mode, enter the show pim interfaces
command.
Configuring Register Message Filters on a PIM RP and DR
PIM register messages are sent to the rendezvous point (RP) by a designated router (DR). When a source for a group starts transmitting, the DR sends unicast PIM register packets to the RP.
Register messages have the following purposes:
Notify the RP that a source is sending to a group.
Deliver the initial multicast packets sent by the source to the RP for delivery down the shortest-path tree (SPT).
The PIM RP keeps track of all active sources in a single PIM sparse mode domain. In some cases, you want more control over which sources an RP discovers, or which sources a DR notifies other RPs about. A high degree of control over PIM register messages is provided by RP or DR register message filtering. Message filtering prevents unauthorized groups and sources from registering with an RP router.
You configure RP or DR register message filtering to control the number and location of multicast sources that an RP discovers. You can apply register message filters on a DR to control outgoing register messages, or apply them on an RP to control incoming register messages.
When anycast RP is configured, all RPs in the anycast RP set need to be configured with the same register message filtering policy.
You can configure message filtering globally or for a routing instance. These examples show the global configuration.
To configure an RP filter to drop the register packets for multicast group range 224.1.1.0/24 from source address 10.10.94.2:
To configure a DR filter to prevent sending register packets for group range 224.1.1.0/24 and source address 10.10.10.1/32:
On the DR, configure the policy.
[edit policy-options policy-statement outgoing-policy-for-rp]
user@host# set from route-filter 224.1.1.0/24 orlonger
user@host# set from source-address-filter 10.10.10.1/32 exact
user@host# set then reject
user@host# exit
Apply the policy to the DR.
The static address is the address of the RP to which you do not want the DR to send the filtered register messages.
[edit protocols pim rp]
user@host# set dr-register-policy outgoing-policy-for-rp
user@host# set static 10.10.10.3
user@host# exit
To configure a policy expression to accept register messages for multicast group 224.1.1.5 but reject those for 224.1.1.1:
On the RP, configure the policies.
[edit policy-options policy-statement reject_224_1_1_1]
user@host# set from route-filter 224.1.1.0/24 orlonger
user@host# set from source-address-filter 10.10.94.2/32 exact
user@host# set then reject
user@host# exit
[edit policy-options policy-statement accept_224_1_1_5]
user@host# set term one from route-filter 224.1.1.5/32 exact
user@host# set term one from source-address-filter 10.10.94.2/32 exact
user@host# set term one then accept
user@host# set term two then reject
user@host# exit
Apply the policies to the RP.
[edit protocols pim rp]
user@host# set rp-register-policy ( reject_224_1_1_1 || accept_224_1_1_5 )
user@host# set local address 10.10.10.5
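An added example (not Junos OS code) that models the policy semantics this page relies on: a route-filter and a source-address-filter in the same term are ANDed (as noted for PIM join filters above), terms are tried in order, and a policy expression that ORs reject_224_1_1_1 with accept_224_1_1_5 differs from simply chaining the two policies. The policies are the ones configured on this page; the default action when no term matches is assumed to be accept, and only the exact and orlonger match types are modelled.

```python
import ipaddress


def prefix_match(filter_prefix, qualifier, address):
    """route-filter / source-address-filter test of one address, treated as a /32 route."""
    net = ipaddress.ip_network(filter_prefix)
    route = ipaddress.ip_network(address + "/32")
    if qualifier == "exact":
        return route == net                      # only the exact prefix and length
    if qualifier == "orlonger":
        return route.subnet_of(net)              # the prefix or anything longer within it
    raise ValueError(f"match type {qualifier!r} not modelled here")


def evaluate(policy, group, source):
    """One policy-statement: terms in order, first full match decides; None if none match."""
    for term in policy:
        conds = term.get("from", {})
        matched = True
        if "route-filter" in conds:              # group address carried in the register
            matched = matched and prefix_match(*conds["route-filter"], group)
        if "source-address-filter" in conds:     # source address carried in the register
            matched = matched and prefix_match(*conds["source-address-filter"], source)
        if matched:                              # conditions within a term are ANDed
            return term["then"]
    return None


def chain(policies, group, source, default="accept"):
    """Policy chain [ p1 p2 ]: the first policy that accepts or rejects is final."""
    for p in policies:
        result = evaluate(p, group, source)
        if result is not None:
            return result
    return default                               # assumed default action: accept


def expression_or(policies, group, source, default="accept"):
    """Policy expression ( p1 || p2 ): any accept wins; else reject if any rejects."""
    results = [evaluate(p, group, source) for p in policies]
    if "accept" in results:
        return "accept"
    return "reject" if "reject" in results else default


# The policy-statements configured on this page, with term order preserved.
# A term with no "from" clause (term two below) matches every register.
REJECT_PIM_REGISTER_MSG_RP = [
    {"from": {"route-filter": ("224.1.1.1/32", "exact"),
              "source-address-filter": ("10.10.10.1/32", "exact")}, "then": "reject"}]
REJECT_224_1_1_1 = [
    {"from": {"route-filter": ("224.1.1.0/24", "orlonger"),
              "source-address-filter": ("10.10.94.2/32", "exact")}, "then": "reject"}]
ACCEPT_224_1_1_5 = [
    {"from": {"route-filter": ("224.1.1.5/32", "exact"),
              "source-address-filter": ("10.10.94.2/32", "exact")}, "then": "accept"},
    {"then": "reject"}]


def decisions():
    """Decisions for sample (group, source) register messages under each configuration."""
    single = {(g, s): chain([REJECT_PIM_REGISTER_MSG_RP], g, s)
              for g, s in [("224.1.1.1", "10.10.10.1"), ("224.1.1.1", "10.10.10.9")]}
    both = [REJECT_224_1_1_1, ACCEPT_224_1_1_5]
    compared = {(g, s): (chain(both, g, s), expression_or(both, g, s))
                for g, s in [("224.1.1.5", "10.10.94.2"), ("224.1.1.1", "10.10.94.2")]}
    return single, compared
```

Because term two of accept_224_1_1_5 has no from clause, the expression rejects every register other than 224.1.1.5 from 10.10.94.2, not just those in 224.1.1.0/24; a plain chain would reject 224.1.1.5 as well, since reject_224_1_1_1 decides first.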
To monitor the operation of the filters, run the show pim statistics command. The command output contains the following fields related to filtering:
RP Filtered Source
Rx Joins/Prunes filtered
Tx Joins/Prunes filtered
Rx Register msgs filtering drop
Tx Register msgs filtering drop