Policy Filters

You can configure a policy filter to control the flow of SA messages going to or coming from an MSDP peer. For example, policy filters can help mitigate state explosion during denial of service (DoS) or other attacks by limiting what is propagated to other domains using MSDP.

You can use the following policy attributes in an SA filter policy. All other attributes are ignored:

Match:
- multicast-group
- multicast-source
- pim-rp
Set:
- permit
- deny

The following shows some examples of policy files taking into account multicast-source with permit/deny action:

entry policy2 {
     if match any{
         nlri 10.10.10.0/24;
      }
      then {
          deny;
      }
}

entry policy1 {
     if match any{
         nlri 10.10.10.0/24;
         nlri 20.20.20.0/24 ;              
      }                       <= permit these sources 
      then {
          permit;
      }
}

To configure an incoming or outgoing policy filter for SA messages:
configure msdp peer [remoteaddr | all] sa-filter [in | out] [filter-name | none] {vr vr_name}
To remove a policy filter for SA messages, use the none keyword:
configure msdp [{peer} remoteaddr | peer all] sa-filter [in | out] none
To verify that a policy filter is configured on an MSDP peer:
show msdp [peer {detail} | {peer} remoteaddr] {vr vr_name}