Supported Platforms
Related Documentation
- ACX, EX, J, M, MX, PTX, SRX, T Series
- show policy in the CLI Explorer
- EX, J, M, MX, PTX, T Series, QFabric System, QFX Series standalone switches
- show pim join in the CLI Explorer
- J, M, MX, PTX, SRX, T Series, QFabric System, QFX Series standalone switches
- Filtering Outgoing PIM Join Messages
- M, MX, PTX, T Series
- Understanding Multicast Administrative Scoping
Filtering Incoming PIM Join Messages
Multicast scoping controls the propagation of multicast messages. Whereas multicast scoping prevents the actual multicast data packets from flowing in or out of an interface, PIM join filters prevent a state from being created in a router. A state—the (*,G) or (S,G) entries—is the information used for forwarding unicast or multicast packets. Using PIM join filters prevents the transport of multicast traffic across a network and the dropping of packets at a scope at the edge of the network. Also, PIM join filters reduce the potential for denial-of-service (DoS) attacks and PIM state explosion—large numbers of PIM join messages forwarded to each router on the rendezvous-point tree (RPT), resulting in memory consumption.
To use PIM join filters to efficiently restrict multicast traffic from certain source addresses, create and apply the routing policy across all routers in the network.
See Table 1 for a list of match conditions.
Table 1: PIM Join Filter Match Conditions
Match Condition | Matches On |
---|---|
interface | Router interface or interfaces specified by name or IP address |
neighbor | Neighbor address (the source address in the IP header of the join and prune message) |
route-filter | Multicast group address embedded in the join and prune message |
source-address-filter | Multicast source address embedded in the join and prune message |
The following example shows how to create a PIM join filter. The filter is composed of a route filter and a source address filter, named bad-groups and bad-sources, respectively. The bad-groups filter prevents (*,G) or (S,G) join messages from being received for all groups listed. The bad-sources filter prevents (S,G) join messages from being received for all sources listed. The bad-groups filter and bad-sources filter are in two different terms. If route filters and source address filters are in the same term, they are logically ANDed.
To filter incoming PIM join messages:
- Configure the policy.

  ```
  [edit policy-options policy-statement pim-join-filter term bad-groups]
  user@host# set from route-filter 224.0.1.2/32 exact
  user@host# set from route-filter 239.0.0.0/8 orlonger
  user@host# set then reject
  [edit policy-options policy-statement pim-join-filter term bad-sources]
  user@host# set from source-address-filter 10.0.0.0/8 orlonger
  user@host# set from source-address-filter 127.0.0.0/8 orlonger
  user@host# set then reject
  [edit policy-options policy-statement pim-join-filter term last]
  user@host# set then accept
  ```
- Apply one or more policies to routes being imported into the routing table from PIM.

  ```
  [edit protocols pim]
  user@host# set import pim-join-filter
  ```
- Verify the configuration by checking the output of the show pim join and show policy commands.
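
The term logic described above (terms evaluated in order, filters in the same term ANDed), as an added example that is not Juniper's code: a simplified Python model of the pim-join-filter policy run over constructed joins. The `SAME_TERM` policy, the function names, and the treatment of a (*,G) join as carrying no source are assumptions of this sketch.

```python
import ipaddress

def hit(addr, filters):
    """True if addr matches any (prefix, match_type) entry; join addresses act as /32 routes."""
    ip = ipaddress.ip_address(addr)
    for prefix, match_type in filters:
        net = ipaddress.ip_network(prefix)
        if match_type == "exact":
            if net.prefixlen == 32 and ip == net.network_address:
                return True
        elif match_type == "orlonger":
            if ip in net:
                return True
        else:
            raise ValueError(f"match type not modelled: {match_type}")
    return False

def term(name, action, groups=(), sources=()):
    return {"name": name, "then": action, "groups": groups, "sources": sources}

# The page's policy: bad-groups and bad-sources are separate terms.
PIM_JOIN_FILTER = [
    term("bad-groups", "reject", groups=[("224.0.1.2/32", "exact"), ("239.0.0.0/8", "orlonger")]),
    term("bad-sources", "reject", sources=[("10.0.0.0/8", "orlonger"), ("127.0.0.0/8", "orlonger")]),
    term("last", "accept"),
]
# Hypothetical variant: both filter types in ONE term, so they are ANDed.
SAME_TERM = [
    term("bad-pair", "reject", groups=[("239.0.0.0/8", "orlonger")], sources=[("10.0.0.0/8", "orlonger")]),
    term("last", "accept"),
]

def evaluate(policy, group, source=None):
    """Return (action, term name) of the first matching term. source=None is a (*,G) join."""
    for t in policy:
        group_ok = not t["groups"] or hit(group, t["groups"])
        # Assumption: a source-address-filter never matches a join that carries no source.
        source_ok = not t["sources"] or (source is not None and hit(source, t["sources"]))
        if group_ok and source_ok:
            return t["then"], t["name"]
    return "accept", "default"  # assumed fallthrough; unreachable here because 'last' matches all

if __name__ == "__main__":
    # Constructed sample joins: (group, source)
    for g, s in [("239.1.1.1", None), ("224.0.1.2", "192.0.2.7"), ("232.1.1.1", "10.9.9.9"),
                 ("232.1.1.1", "192.0.2.7"), ("224.0.1.3", None)]:
        print(f"({s or '*'},{g}): separate terms {evaluate(PIM_JOIN_FILTER, g, s)}, "
              f"same term {evaluate(SAME_TERM, g, s)}")
```

With separate terms, a join from a listed source is rejected for any group; with both filters in one term, only joins matching a listed group and a listed source are rejected.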
Published: 2014-07-23