PIM Register Policy

This feature allows you to filter register messages based on the policy file configured at the First Hop Router (FHR) and Rendezvous Point (RP) in a PIM-SM domain. You can use the register policy to filter out specific PIM register messages that encapsulate specific (S,G) packets. This lets you detect and deny malicious multicast packets before they flow into a multicast shared tree and cause a potential service blackout. The PIM Register Policy feature is supported in both PIM IPv4 and PIM IPv6 mode.

Filtering at FHR

  • The FHR receives the source multicast packet and sends a register message towards the RP. Before sending the register message, the FHR checks the configured register filter policy. If the (S,G) is denied by the policy, the FHR does not send a register message to the RP. The FHR adds L3 entries to stop the packet from arriving at the CPU. An EMS message is logged.
  • The FHR checks the register policy before generating a NULL register packet. If the (S,G) is denied by the policy, the NULL register is not sent to the RP.
  • If the cache's group is in the SSM range, or the packet is received on a PIM dense circuit, this filtering does not apply. The cache miss packet goes through normal processing.
  • If a non-SSM (S,G) cache entry already exists but is denied by the filter policy, the (S,G) cache entry is removed. If traffic is still flowing, the cache miss comes to the CPU for register processing.

The PIM filtering policy is configured at the FHR using the following command:

configure pim {ipv4 | ipv6} register-policy [policy | none]

Filtering at RP

  • When an encapsulated PIM register packet or a PIM NULL register is received by the RP and is denied by the register filter policy, the register message is discarded. Additionally, no (S,G) entry is created in the PIM cache.
  • The register drop counter is incremented, and an EMS message is logged.
  • If a register is received via MSDP (Multicast Source Discovery Protocol), it also goes through the RP filtering policy.

The PIM filtering policy is configured at the RP using the following command:

configure pim {ipv4 | ipv6} register-policy rp [rp_policy_name | none]

Example

PIM Register policy rules can be created only on the source IP address and the group address, as shown in the following examples.

If no matching entry is found, the (S,G) is treated as denied. Wildcard entries are needed to permit unmatched entries. The following policy file permits the matched entries, and the wildcard entry denies the unmatched sources:

entry policy1 {
    if match any {
        nlri 10.10.10.0/24;
        nlri 20.20.20.0/24;
    }                           <= Permit these sources for group
    then {
        nlri 226.1.1.0/24;
        nlri 227.1.1.0/24;
        permit;
    }
}

entry policy2 {
    if match any {
        nlri 10.10.10.0/24;
    }
    then {
        nlri 228.1.1.0/24;
        permit;
    }
}

entry policy3 {
    if match any {
    }
    then {                      <= deny all other source;
        deny;
    }
}

The following policy file denies the matched entries, and the wildcard entry permits the unmatched sources:

entry policy1 {
    if match any {
        nlri 10.10.10.0/24;
        nlri 20.20.20.0/24;
    }                           <= deny these sources for group
    then {
        nlri 226.1.1.0/24;
        nlri 227.1.1.0/24;
        deny;
    }
}

entry policy2 {
    if match any {
        nlri 10.10.10.0/24;
    }
    then {
        nlri 228.1.1.0/24;
        deny;
    }
}

entry policy3 {
    if match any {
    }
    then {                      <= permit all other source;
        permit;
    }
}

The following policy file denies both the matched entries and the unmatched entries. Since the policy file contains no wildcard permit entry, all unmatched entries are denied by default:

entry policy1 {
    if match any {
        nlri 10.10.10.0/24;
        nlri 20.20.20.0/24;
    }                           <= deny these sources for group
    then {
        nlri 226.1.1.0/24;
        nlri 227.1.1.0/24;
        deny;
    }
}

entry policy2 {
    if match any {
        nlri 10.10.10.0/24;
    }
    then {
        nlri 228.1.1.0/24;
        deny;
    }
}
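To check how one of the policy files above decides a given (S,G) before it is applied at the FHR or RP, the following added Python model (written for this page, not EXOS code or part of the original document) parses the entries and evaluates them. It assumes entries are tried in file order, an entry matches only when both the source and the group fall in its prefixes (an empty "if match any" block is a wildcard), and an (S,G) that matches no entry is denied.

```python
import ipaddress
import re

# Assumed model (not EXOS code): entries are tried in file order; an entry
# matches only when the source falls in one of its "if" prefixes (an empty
# "if" block is a wildcard) and the group in one of its "then" prefixes
# (no group prefix = any group); an (S,G) matching no entry is denied.
ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s+match\s+any\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.S)
NLRI_RE = re.compile(r"nlri\s+([\d./]+)\s*;")

# Constructed copy of the first policy file above: permit the listed (S,G)
# pairs, wildcard entry policy3 denies everything else.
POLICY = """
entry policy1 { if match any { nlri 10.10.10.0/24; nlri 20.20.20.0/24; }
                then { nlri 226.1.1.0/24; nlri 227.1.1.0/24; permit; } }
entry policy2 { if match any { nlri 10.10.10.0/24; }
                then { nlri 228.1.1.0/24; permit; } }
entry policy3 { if match any { } then { deny; } }
"""


def parse_policy(text):
    """Return [(name, source_prefixes, group_prefixes, action)] in file order."""
    entries = []
    for name, cond, then in ENTRY_RE.findall(text):
        sources = [ipaddress.ip_network(p) for p in NLRI_RE.findall(cond)]
        groups = [ipaddress.ip_network(p) for p in NLRI_RE.findall(then)]
        action = "permit" if re.search(r"\bpermit\s*;", then) else "deny"
        entries.append((name, sources, groups, action))
    return entries


def evaluate(entries, source, group):
    """First matching entry decides; an unmatched (S,G) is denied by default."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for name, sources, groups, action in entries:
        src_ok = not sources or any(s in n for n in sources)
        grp_ok = not groups or any(g in n for n in groups)
        if src_ok and grp_ok:
            return action, name
    return "deny", None


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for sg in [("10.10.10.5", "226.1.1.1"), ("10.10.10.5", "228.1.1.1"),
               ("20.20.20.5", "228.1.1.1")]:
        print(sg, "->", evaluate(rules, *sg))
```

Dropping the wildcard entry (evaluating only policy1 and policy2) shows the default-deny behaviour described for the third policy file: an (S,G) that matches neither entry is denied with no entry named.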