PIM Register Policy

This feature allows you to filter register messages based on the policy file configured at the First Hop Router (FHR) and the Rendezvous Point (RP) in a PIM-SM domain. You can use the register policy to filter out specific PIM register messages that encapsulate packets for specific (S,G) pairs. This lets you detect and drop malicious multicast packets before they enter the multicast shared tree and cause a potential service blackout. The PIM Register Policy feature is supported in both PIM IPv4 and PIM IPv6 mode.

Filtering at FHR

The PIM filtering policy is configured at the FHR using the configure pim {ipv4 | ipv6} register-policy [policy | none] command.

Filtering at RP

The PIM filtering policy is configured at RP using the following command:

configure pim {ipv4 | ipv6} register-policy rp [rp_policy_name | none]

Example

PIM Register policy rules can be created only on the source IP address and the group address, as shown in the following examples.

If no matching entry is found, the (S,G) is treated as denied. Wildcard entries are therefore needed to permit unmatched entries. The following policy file permits the matched entries, and the wildcard entry denies the unmatched sources:

entry policy1 {
     if match any{
         nlri 10.10.10.0/24;
         nlri 20.20.20.0/24;
      }                       <= Permit these sources for group
      then {
          nlri 226.1.1.0/24;
          nlri 227.1.1.0/24;
          permit;
      }
}

entry policy2 {
     if match any{
         nlri 10.10.10.0/24;
      }
      then {
          nlri 228.1.1.0/24;
          permit;
      }
}

entry policy3 {
     if match any{
      }
      then {                          <= deny all other source;
             deny;
      }
}

The following policy file denies the matched entries, and the wildcard entry permits the unmatched sources:

entry policy1 {
     if match any{
         nlri 10.10.10.0/24;
         nlri 20.20.20.0/24;
      }                       <= deny these sources for group
      then {
          nlri 226.1.1.0/24;
          nlri 227.1.1.0/24;
          deny;
      }
}

entry policy2 {
     if match any{
         nlri 10.10.10.0/24;
      }
      then {
          nlri 228.1.1.0/24;
          deny;
      }
}

entry policy3 {
     if match any{
      }
      then {                          <= permit all other source;
             permit;
      }
}

The following policy file denies both the matched entries and the unmatched entries. Since no wildcard permit entry is present in this policy file, all unmatched entries are denied by default:

entry policy1 {
     if match any{
         nlri 10.10.10.0/24;
         nlri 20.20.20.0/24;
      }                       <= deny these sources for group
      then {
          nlri 226.1.1.0/24;
          nlri 227.1.1.0/24;
          deny;
      }
}

entry policy2 {
     if match any{
         nlri 10.10.10.0/24;
      }
      then {
          nlri 228.1.1.0/24;
          deny;
      }
}
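The following added Python model (not part of the original page or the switch software) shows how the three policy files above decide an (S,G) taken from a register message. It assumes entries are evaluated in order, that the first entry whose source and group prefixes both match decides, and that an (S,G) matching no entry is denied; the `Entry`, `evaluate` and `filter_registers` names are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    name: str
    sources: list   # prefixes in the "if match any" block; empty list = wildcard (any source)
    groups: list    # group prefixes in the "then" block; empty list = any group (assumption)
    action: str     # "permit" or "deny"

def _matches(addr, prefixes):
    """An empty prefix list is the wildcard; otherwise some prefix must contain addr."""
    ip = ipaddress.ip_address(addr)
    return not prefixes or any(ip in ipaddress.ip_network(p) for p in prefixes)

def evaluate(policy, source, group):
    """First matching entry decides; an (S,G) that matches no entry is denied."""
    for entry in policy:
        if _matches(source, entry.sources) and _matches(group, entry.groups):
            return entry.action, entry.name
    return "deny", None   # implicit deny when no entry matches

LISTED_SOURCES = ["10.10.10.0/24", "20.20.20.0/24"]
# First policy file on the page: permit listed (S,G), wildcard entry denies the rest.
PERMIT_MATCHED = [
    Entry("policy1", LISTED_SOURCES, ["226.1.1.0/24", "227.1.1.0/24"], "permit"),
    Entry("policy2", ["10.10.10.0/24"], ["228.1.1.0/24"], "permit"),
    Entry("policy3", [], [], "deny"),
]
# Second policy file: deny listed (S,G), wildcard entry permits the rest.
DENY_MATCHED = [
    Entry("policy1", LISTED_SOURCES, ["226.1.1.0/24", "227.1.1.0/24"], "deny"),
    Entry("policy2", ["10.10.10.0/24"], ["228.1.1.0/24"], "deny"),
    Entry("policy3", [], [], "permit"),
]
# Third policy file: same deny entries, no wildcard, so unmatched (S,G) hit the implicit deny.
DENY_MATCHED_NO_WILDCARD = DENY_MATCHED[:2]

def filter_registers(policy, registers):
    """Evaluate each constructed (source, group) pair taken from a register message."""
    return {sg: evaluate(policy, *sg) for sg in registers}

if __name__ == "__main__":
    # Constructed sample (S,G) pairs; 192.0.2.9 is a source not listed in any entry.
    sample = [("10.10.10.5", "226.1.1.1"), ("20.20.20.7", "228.1.1.1"), ("192.0.2.9", "226.1.1.1")]
    for name, policy in [("permit_matched", PERMIT_MATCHED), ("deny_matched", DENY_MATCHED),
                         ("deny_no_wildcard", DENY_MATCHED_NO_WILDCARD)]:
        print(name, filter_registers(policy, sample))
```

Note that source 20.20.20.7 with group 228.1.1.1 is listed in neither policy1 (wrong group) nor policy2 (wrong source), so only the wildcard entry, or the implicit deny, decides it.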