This feature allows you to filter register messages based on the policy file configured at the First Hop Router (FHR) and Rendezvous Point (RP) in a PIM-SM domain. You can use the register policy to filter out specific PIM register messages that have encapsulated specific (S,G) packets. This lets you detect and deny malicious multicast packets before they flow into a multicast shared tree and cause a potential service blackout. The PIM Register Policy feature is supported in both PIM IPv4 and PIM IPv6 modes.
If the cache's group is in the SSM range, or is received in the PIM dense circuit, then this filtering is not applicable. The cache miss packet will go through the normal processing.
The PIM filtering policy is configured at the FHR using the configure pim {ipv4 | ipv6} register-policy [policy | none] command.
The PIM filtering policy is configured at RP using the following command:
configure pim {ipv4 | ipv6} register-policy rp [rp_policy_name | none]
PIM Register policy rules can be created only on the source IP address and group address, as shown in the following example:

    entry policy1 {
        if match any{
            nlri 10.10.10.0/24;
            nlri 20.20.20.0/24;
        }                          <= Permit these sources for group
        then {
            nlri 226.1.1.0/24;
            nlri 227.1.1.0/24;
            permit;
        }
    }
    entry policy2 {
        if match any{
            nlri 10.10.10.0/24;
        }
        then {
            nlri 228.1.1.0/24;
            permit;
        }
    }
    entry policy3 {
        if match any{
        }
        then {                     <= deny all other source;
            deny;
        }
    }
The following policy file denies the matched entries, and the wildcard entry permits the unmatched source:

    entry policy1 {
        if match any{
            nlri 10.10.10.0/24;
            nlri 20.20.20.0/24;
        }                          <= deny these sources for group
        then {
            nlri 226.1.1.0/24;
            nlri 227.1.1.0/24;
            deny;
        }
    }
    entry policy2 {
        if match any{
            nlri 10.10.10.0/24;
        }
        then {
            nlri 228.1.1.0/24;
            deny;
        }
    }
    entry policy3 {
        if match any{
        }
        then {                     <= permit all other source;
            permit;
        }
    }

    entry policy1 {
        if match any{
            nlri 10.10.10.0/24;
            nlri 20.20.20.0/24;
        }                          <= deny these sources for group
        then {
            nlri 226.1.1.0/24;
            nlri 227.1.1.0/24;
            deny;
        }
    }
    entry policy2 {
        if match any{
            nlri 10.10.10.0/24;
        }
        then {
            nlri 228.1.1.0/24;
            deny;
        }
    }
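To check which (S,G) register messages a policy file would permit or deny before applying it, the following added example (not vendor code) parses the permit-list policy shown first on this page, with the annotations removed, and evaluates source/group pairs against it. It assumes entries are evaluated in file order with the first match winning, that nlri lines in the if block are sources and those in the then block are groups, and that an empty block is a wildcard; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the first (permit-list) policy from this page.
POLICY = """
entry policy1 { if match any { nlri 10.10.10.0/24; nlri 20.20.20.0/24; }
  then { nlri 226.1.1.0/24; nlri 227.1.1.0/24; permit; } }
entry policy2 { if match any { nlri 10.10.10.0/24; }
  then { nlri 228.1.1.0/24; permit; } }
entry policy3 { if match any { } then { deny; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s+match\s+any\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.S)
NLRI_RE = re.compile(r"nlri\s+([0-9A-Fa-f:.]+/\d+)")

def parse_policy(text):
    """Return [(name, source_nets, group_nets, action)] in file order."""
    entries = []
    for name, if_body, then_body in ENTRY_RE.findall(text):
        sources = [ipaddress.ip_network(n) for n in NLRI_RE.findall(if_body)]
        groups = [ipaddress.ip_network(n) for n in NLRI_RE.findall(then_body)]
        action = re.search(r"\b(permit|deny)\b", then_body)
        if action is None:
            raise ValueError(f"entry {name} has no permit/deny action")
        entries.append((name, sources, groups, action.group(1)))
    return entries

def evaluate(entries, source, group):
    """Assumed semantics: first matching entry wins; an empty list is a wildcard."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for name, sources, groups, action in entries:
        src_ok = not sources or any(s in n for n in sources)
        grp_ok = not groups or any(g in n for n in groups)
        if src_ok and grp_ok:
            return name, action
    return None, None  # nothing matched; the page does not state the default

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for sg in [("10.10.10.5", "226.1.1.1"), ("20.20.20.7", "228.1.1.9")]:
        print(sg, "->", evaluate(rules, *sg))
```

Note that 20.20.20.0/24 is permitted only for 226.1.1.0/24 and 227.1.1.0/24, so a register for group 228.1.1.9 from that source falls through to the wildcard deny entry.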