PIM-SM Overview

Perform the following configuration in PIM view.

If an entry of a source group is denied by the ACL, or the ACL does not define an operation for it, or there is no ACL defined, the RP will send RegisterStop messages to the DR to prevent the register process of the multicast data stream.

Only the register messages matching the ACL permit clause can be accepted by the RP. Specifying an undefined ACL will make the RP deny all register messages.

Limiting the Range of Legal BSR

In a PIM-SM network using the BSR (bootstrap router) mechanism, every router can set itself as C-BSR (candidate BSR) and take the authority to advertise RP information in the network once it wins the contention. To prevent malicious BSR spoofing in the network, the following two measures need to be taken:

■ Prevent the router from being spoofed by hosts through faking legal BSR messages to modify RP mapping. BSR messages are of multicast type and their TTL is 1, so this type of attack often hits edge routers. Fortunately, BSRs are inside the network, while attacking hosts are outside, so neighbor and RPF checks can be used to stop this type of attack.

■ If a router in the network is manipulated by an attacker, or an illegal router is connected to the network, the attacker may set itself as C-BSR and try to win the contention and gain authority to advertise RP information in the network. A router configured as C-BSR propagates BSR messages, which are multicast messages sent hop by hop with TTL 1, so the network cannot be affected as long as the peer routers do not receive these BSR messages. One way is to configure bsr-policy on each router to limit the legal BSR range, for example, only 1.1.1.1/32 and 1.1.1.2/32 can be BSR, so the routers cannot receive or forward BSR messages other than those of these two. Even legal BSRs cannot contest with them.

Perform the following configuration in PIM view.

For detailed information on bsr-policy, please refer to the command manual.

Limiting the Range of Legal C-RP

In a PIM-SM network using the BSR mechanism, every router can set itself as C-RP (candidate rendezvous point) servicing particular groups. If elected, a C-RP becomes the RP servicing the current group.

Table 357 Configuring RP to filter the register messages sent by DR

Operation                                                  Command
Configure RP to filter the register messages sent by DR    register-policy acl_number
Cancel the configured filter of messages                   undo register-policy

Table 358 Limiting the range of legal BSR

Operation                            Command
Set the legal BSR range limit        bsr-policy acl_number
Restore to the default setting       undo bsr-policy
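
The following Python model is an added example, not code from this manual or from the switch software. It shows the accept/deny outcomes that the register-policy and bsr-policy descriptions above imply. The ACL number 3000, its rules, the first-match rule order and all addresses other than 1.1.1.1/32 and 1.1.1.2/32 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the ACL number, rules and addresses are illustrative
# assumptions; only the two legal BSR addresses come from the text.
ACLS = {
    3000: [  # (action, source network, group network); first match wins (assumed)
        ("deny", "10.1.9.0/24", "225.1.0.0/16"),
        ("permit", "10.1.0.0/16", "225.1.0.0/16"),
    ],
}
LEGAL_BSRS = ["1.1.1.1/32", "1.1.1.2/32"]


def register_decision(acls, acl_number, source, group):
    """RP side: 'accept' a register for (source, group) or answer 'register-stop'."""
    rules = acls.get(acl_number)
    if rules is None:
        return "register-stop"  # the policy names an undefined ACL: deny everything
    src, grp = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for action, src_net, grp_net in rules:
        if src in ipaddress.ip_network(src_net) and grp in ipaddress.ip_network(grp_net):
            return "accept" if action == "permit" else "register-stop"
    return "register-stop"  # the ACL defines no operation for this entry


def bsr_message_allowed(legal_ranges, bsr_address):
    """Router side: process a BSR message only if its BSR is in the legal range."""
    bsr = ipaddress.ip_address(bsr_address)
    return any(bsr in ipaddress.ip_network(r) for r in legal_ranges)


if __name__ == "__main__":
    samples = [("10.1.2.5", "225.1.1.1"), ("10.1.9.5", "225.1.1.1"),
               ("192.0.2.7", "225.1.1.1")]
    for s, g in samples:
        print(s, g, register_decision(ACLS, 3000, s, g))
    print("undefined ACL:", register_decision(ACLS, 3999, "10.1.2.5", "225.1.1.1"))
    for bsr in ["1.1.1.1", "1.1.1.2", "1.1.1.3"]:
        print(bsr, bsr_message_allowed(LEGAL_BSRS, bsr))
```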