Policy Filters

You can configure a policy filter to control the flow of SA messages going to or coming from an MSDP (Multicast Source Discovery Protocol) peer. For example, policy filters can help mitigate state explosion during denial of service (DoS) or other attacks by limiting what is propagated to other domains using MSDP.

You can use the following policy attributes in an SA filter policy. All other attributes are ignored:
  • Match:
    • multicast-group
    • multicast-source
    • pim-rp
  • Set:
    • permit
    • deny
The following examples show policy files that match on multicast-source and apply a permit or deny action:
entry policy2 {
    if match any {
        nlri 10.10.10.0/24;
    }
    then {
        deny;
    }
}

entry policy1 {
    if match any {
        nlri 10.10.10.0/24;
        nlri 20.20.20.0/24;
    }                        <= permit these sources
    then {
        permit;
    }
}
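As an added illustration, not part of the switch documentation or its software, the following Python evaluator parses entries written in the policy format shown above and reports which action an SA message (source, group) would receive, which is useful for checking a filter offline before applying it to a peer. It assumes first-match-wins ordering of entries and a deny default for unmatched SAs (confirm both on your platform), and it treats `nlri` as a source-prefix match; the sample policy text is constructed.

```python
import ipaddress
import re

# Constructed sample policy in the same format as the examples above.
SAMPLE_POLICY = """
entry block-bad-source {
    if match any {
        multicast-source 10.10.10.0/24;
    }
    then { deny; }
}
entry allow-known {
    if match all {
        multicast-source 20.20.20.0/24;
        multicast-group 239.1.0.0/16;
    }
    then { permit; }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s+match\s+(any|all)\s*\{(.*?)\}\s*"
    r"then\s*\{\s*(permit|deny)\s*;\s*\}\s*\}",
    re.S,
)
TERM_RE = re.compile(r"(multicast-source|multicast-group|pim-rp|nlri)\s+(\S+?)\s*;")
# Assumption: 'nlri' is a source-prefix match, as in the examples above.
KEYS = {"multicast-source": "source", "nlri": "source",
        "multicast-group": "group", "pim-rp": "rp"}


def parse_policy(text):
    """Return a list of (name, mode, [(key, network)], action) entries in file order."""
    entries = []
    for name, mode, body, action in ENTRY_RE.findall(text):
        terms = [(KEYS[k], ipaddress.ip_network(v, strict=False))
                 for k, v in TERM_RE.findall(body)]
        entries.append((name, mode, terms, action))
    return entries


def evaluate(entries, source, group, rp=None, default="deny"):
    """First matching entry decides; unmatched SAs get the (assumed) default."""
    sa = {"source": ipaddress.ip_address(source), "group": ipaddress.ip_address(group),
          "rp": ipaddress.ip_address(rp) if rp else None}
    for name, mode, terms, action in entries:
        hits = [sa[k] is not None and sa[k] in net for k, net in terms]
        if terms and (any(hits) if mode == "any" else all(hits)):
            return action, name
    return default, None
```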