08-IP Multicast Configuration Guide

HomeSupportResource CenterNFVH3C VSRH3C VSRTechnical DocumentsConfigureConfiguration GuidesH3C VSR Series Virtual Services Routers Configuration Guides(V7)-R0621-6W30008-IP Multicast Configuration Guide
07-MLD configuration
Title Size Download
07-MLD configuration 430.92 KB

Contents

Configuring MLD·· 1

About MLD·· 1

MLD versions· 1

How MLDv1 works· 1

MLDv2 enhancements· 3

MLD SSM mapping· 4

MLD proxying· 5

IPv6 multicast access control 5

MLD support for VPNs· 6

Protocols and standards· 6

MLD tasks at a glance· 6

Prerequisites for MLD·· 6

Enabling MLD·· 6

Configuring basic MLD features· 7

Specifying an MLD version· 7

Configuring a static group member 7

Configuring an IPv6 multicast group policy· 8

Adjusting MLD performance· 8

Configuring MLD query and response parameters· 8

Enabling fast-leave processing· 11

Configuring MLD SSM mappings· 11

Configuring MLD proxying· 11

Prerequisites for MLD proxying· 11

Enabling MLD proxying· 11

Enabling IPv6 multicast forwarding on a non-querier interface· 12

Enabling IPv6 multicast load splitting for MLD proxy interfaces· 12

Configuring IPv6 multicast access control 13

Restrictions and guidelines for IPv6 multicast access control 13

Enabling IPv6 multicast access control 13

Configuring an MLD user access policy· 13

Enabling per-session IPv6 multicast forwarding· 14

Configuring a VLAN-based static group member 15

Display and maintenance commands for MLD·· 15

MLD configuration examples· 16

Example: Configuring basic MLD features· 16

Example: Configuring MLD SSM mapping· 18

Example: Configuring MLD proxying· 21

Example: Configuring PPPoE-based IPv6 multicast access control 23

Example: Configuring IPoE-based IPv6 multicast access control 28

Example: Configuring portal-based IPv6 multicast access control 32

Troubleshooting MLD·· 37

No member information exists on the receiver-side device· 37

Inconsistent membership information on the devices on the same subnet 37

 


Configuring MLD

About MLD

Multicast Listener Discovery (MLD) establishes and maintains IPv6 multicast group memberships between a Layer 3 multicast device and the hosts on the directly connected subnet.

MLD versions

MLD has the following versions:

·     MLDv1 (defined by RFC 2710), which is derived from IGMPv2.

·     MLDv2 (defined by RFC 3810), which is derived from IGMPv3.

MLDv1 and MLDv2 support the ASM model. MLDv2 can directly implement the SSM model, but MLDv1 must work with the MLD SSM mapping feature to implement the SSM model. For more information about the ASM and SSM models, see "Multicast overview."

How MLDv1 works

MLDv1 implements IPv6 multicast listener management based on the query and response mechanism.

Electing the MLD querier

All IPv6 multicast devices that run MLD on the same subnet can monitor MLD listener report messages (often called reports) from hosts. However, only one device can act as the MLD querier to send MLD query messages (often called queries). A querier election mechanism determines which device acts as the MLD querier on the subnet.

1.     Initially, every MLD device assumes itself as the querier. Each device sends MLD general query messages (often called general queries) to all hosts and devices on the local subnet. The destination address of the general queries is FF02::1.

2.     After receiving a general query, every MLD device compares the source IPv6 address of the query with its own link-local interface address. The device with the lowest IPv6 address wins the querier election and becomes the querier. All the other devices become non-queriers.

3.     All the non-queriers start a timer called the "other querier present timer." If a device receives an MLD query from the querier before the timer expires, it resets this timer. Otherwise, it considers that the querier has timed out. In this case, the device initiates a new querier election process.

Joining an IPv6 multicast group

Figure 1 MLD queries and reports

 

As shown in Figure 1, Host B and Host C want to receive the IPv6 multicast data addressed to IPv6 multicast group G1. Host A wants to receive the IPv6 multicast data addressed to G2. The following process describes how the hosts join the IPv6 multicast groups and how the MLD querier (Device B in Figure 1) maintains the IPv6 multicast group memberships:

1.     The hosts send unsolicited MLD reports to the IPv6 multicast groups they want to join without having to wait for the MLD queries.

2.     The MLD querier periodically multicasts MLD queries (with the destination address FF02::1) to all hosts and devices on the local subnet.

3.     After receiving a query, the host whose report delay timer expires first sends an MLD report to the IPv6 multicast group G1 to announce its membership for G1. In this example, Host B sends the report. After hearing the report from Host B, Host C, which is on the same subnet as Host B, suppresses its own report for G1.

Because the MLD devices already know that G1 has a minimum of one member, other members do not need to report their memberships. This mechanism, known as the host MLD report suppression, helps reduce traffic on the local subnet.

4.     At the same time, because Host A is interested in G2, it sends a report to the IPv6 multicast group G2.

5.     Through the query/report process, the MLD devices determine that G1 and G2 have members on the local subnet. The IPv6 multicast routing protocol (for example, IPv6 PIM) that is running on the devices generates (*, G1) and (*, G2) multicast forwarding entries. These entries are the basis for subsequent IPv6 multicast forwarding. The asterisk (*) represents any IPv6 multicast source.

6.     When the IPv6 multicast data addressed to G1 or G2 reaches an MLD device, the device looks up the IPv6 multicast forwarding table. Based on the (*, G1) and (*, G2) entries, the device forwards the IPv6 multicast data to the local subnet. Then, the receivers on the subnet receive the data.

Leaving an IPv6 multicast group

When a host is leaving an IPv6 multicast group, the following process occurs:

1.     The host sends an MLD done message to all IPv6 multicast devices on the local subnet. The destination address of done messages is FF02::2.

2.     After receiving the MLD done message, the querier sends a configurable number of multicast-address-specific queries to the group that the host is leaving. The IPv6 multicast addresses queried include both the destination address field and the group address field of the message.

3.     One of the remaining members (if any on the subnet) in the group sends a report within the time of the maximum response time advertised in the multicast-address-specific queries.

4.     If the querier receives a report for the group within the maximum response time, it maintains the memberships of the IPv6 multicast group. Otherwise, the querier assumes that no hosts on the subnet are interested in IPv6 multicast traffic addressed to that group and stops maintaining the memberships of the group.

MLDv2 enhancements

MLDv2 is based on and backwards-compatible with MLDv1. MLDv2 provides hosts with enhanced control capabilities and enhances the MLD state.

Enhancements in control capability of hosts

MLDv2 has introduced IPv6 multicast source filtering modes (Include and Exclude). These modes allow a host to receive or reject multicast data from the specified IPv6 multicast sources. When a host joins an IPv6 multicast group, one of the following occurs:

·     If the host expects IPv6 multicast data from specific IPv6 multicast sources like S1, S2, …, it sends a report with Filter-Mode denoted as "Include Sources (S1, S2, …)."

·     If the host does not expect IPv6 multicast data from specific IPv6 multicast sources like S1, S2, …, it sends a report with Filter-Mode denoted as "Exclude Sources (S1, S2, …)."

As shown in Figure 2, the network has two IPv6 multicast sources, Source 1 (S1) and Source 2 (S2). Both of the sources can send IPv6 multicast data to IPv6 multicast group G. Host B wants to receive IPv6 multicast data addressed to G from Source 1 but not from Source 2.

Figure 2 Flow paths of multicast-address-and-source-specific multicast traffic

 

In MLDv1, Host B cannot select IPv6 multicast sources when it joins IPv6 multicast group G. The IPv6 multicast streams from both Source 1 and Source 2 flow to Host B whether it needs them or not.

In MLDv2, Host B can explicitly express its interest in IPv6 multicast data destined to G from Source 1 but not from Source 2. Then, Host B receives only IPv6 multicast data from Source 1.

Enhancement in MLD state

A multicast device that is running MLDv2 maintains the multicast address state for each multicast address on each attached subnet. The multicast address state consists of the following information:

·     Filter mode—Device keeps tracing the Include or Exclude state.

·     List of sources—Device keeps tracing the newly added or deleted IPv6 multicast source.

·     Timers—Filter timers, which include the time that the device waits before switching to the Include mode after an IPv6 multicast address times out, and source timers for source recording.

MLD SSM mapping

An MLDv2 host can explicitly specify multicast sources in its MLDv2 reports. From the reports, the MLD device can obtain the multicast source addresses and directly provide the SSM service. However, an MLDv1 host cannot specify multicast sources in its MLDv1 reports.

The MLD SSM mapping feature enables the MLD device to provide SSM support for MLDv1 receiver host. The device translates (*, G) in MLDv1 reports into (G, INCLUDE, (S1, S2...)) based on the configured MLD SSM mappings.

Figure 3 Network diagram

 

As shown in Figure 3, Host A and Host B on the IPv6 SSM network run MLDv1, and Host C runs MLDv2. To provide the SSM service for Host A and Host B, you must configure the MLD SSM mapping feature on Device A.

After MLD SSM mappings are configured, Device A checks the IPv6 multicast group address G carried in the message, and performs the following operations:

·     If G is not in the IPv6 SSM group range, Device A provides the ASM service.

·     If G is in the IPv6 SSM group range but does not match any MLD SSM mapping, Device A drops the report.

·     If G is in the IPv6 SSM group range and matches MLD SSM mappings, Device A translates (*, G) in the report to (G, INCLUDE, (S1, S2...)) to provide SSM services.

 

 

NOTE:

The MLD SSM mapping feature does not process MLDv2 reports.

 

For more information about the IPv6 SSM group ranges, see "Configuring IPv6 PIM."

MLD proxying

As shown in Figure 4, in a simple tree-shaped topology, it is not necessary to configure IPv6 multicast routing protocols, such as IPv6 PIM, on edge devices. Instead, you can configure MLD proxying on these devices. With MLD proxying configured, the edge device acts as an MLD proxy:

·     For the upstream MLD querier, the MLD proxy device acts as a host.

·     For the downstream receiver hosts, the MLD proxy device acts as an MLD querier.

Figure 4 Network diagram

 

 

The following interfaces are defined in MLD proxying:

·     Host interface—An interface that is in the direction toward the root of the multicast forwarding tree. A host interface acts as a receiver host that is running MLD. MLD proxying must be enabled on this interface. This interface is also called the "proxy interface."

·     Router interface—An interface that is in the direction toward the leaf of the multicast forwarding tree. A router interface acts as a router that is running MLD. MLD must be configured on this interface.

An MLD proxy device maintains a group membership database, which stores the group memberships on all the router interfaces. The host interfaces and router interfaces perform actions based on this membership database.

·     The host interfaces respond to queries according to the membership database or sends join/done messages when the database changes.

·     The router interfaces participate in the querier election, send queries, and maintain memberships based on received MLD reports.

IPv6 multicast access control

IPv6 multicast allows users to join any IPv6 multicast group in order to receive IPv6 multicast data. In some carrier's services, such as IPTV, users are authenticated and authorized before accessing IPv6 multicast data.

IPv6 multicast access control provides a mechanism to control a user's access to IPv6 multicast data by limiting the IPv6 multicast groups that the user can join. When a user logs in, the BRAS downloads the access authorization profile of the user. Based on the authorization profile, the BRAS accepts or denies the MLD reports from the user to join IPv6 multicast groups.

MLD support for VPNs

MLD maintains group memberships on a per-interface basis. After receiving an MLD message on an interface, MLD processes the packet within the VPN to which the interface belongs. MLD only communicates with other multicast protocols within the same VPN instance.

Protocols and standards

·     RFC 2710, Multicast Listener Discovery (MLD) for IPv6

·     RFC 3810, Multicast Listener Discovery Version 2 (MLDv2) for IPv6

MLD tasks at a glance

To configure MLD, perform the following tasks:

1.     Enabling MLD

2.     (Optional.) Configuring basic MLD features

¡     Specifying an MLD version

¡     Configuring a static group member

¡     Configuring an IPv6 multicast group policy

3.     (Optional.) Adjusting MLD performance

¡     Configuring MLD query and response parameters

¡     Enabling fast-leave processing

4.     (Optional.) Configuring MLD SSM mappings

5.     (Optional.) Configuring MLD proxying

¡     Enabling MLD proxying

¡     Enabling IPv6 multicast forwarding on a non-querier interface

¡     Enabling IPv6 multicast load splitting for MLD proxy interfaces

6.     (Optional.) Configuring IPv6 multicast access control

¡     Enabling IPv6 multicast access control

¡     Configuring an MLD user access policy

¡     Enabling per-session IPv6 multicast forwarding

¡     Configuring a VLAN-based static group member

Prerequisites for MLD

Before you configure MLD, you must configure an IPv6 unicast routing protocol so that all devices can interoperate at the network layer.

Enabling MLD

Restrictions and guidelines

Perform this task on interfaces where IPv6 multicast group memberships are created and maintained.

Procedure

1.     Enter system view.

system-view

2.     Enable IPv6 multicast routing and enter IPv6 MRIB view.

ipv6 multicast routing [ vpn-instance vpn-instance-name ]

By default, IPv6 multicast routing is disabled.

For more information about this command, see IP Multicast Command Reference.

3.     Return to system view.

quit

4.     Enter interface view.

interface interface-type interface-number

5.     Enable MLD.

mld enable

By default, MLD is disabled.

Configuring basic MLD features

Specifying an MLD version

Restrictions and guidelines

For MLD to operate correctly, specify the same MLD version for all devices on the same subnet.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify an MLD version on the interface.

mld version version-number

By default, the MLD version on an interface is MLDv1.

Configuring a static group member

About this task

You can configure an interface as a static member of an IPv6 multicast group. Then, the interface can always receive IPv6 multicast data for the group.

A static group member does not respond to MLD queries. When you complete or cancel this configuration on an interface, the interface does not send an unsolicited MLD report or done message.

Restrictions and guidelines

The interface to be configured as a static member of an IPv6 multicast group has the following restrictions:

·     If the interface is MLD and IPv6 PIM-SM enabled, it must be an IPv6 PIM-SM DR.

·     If the interface is MLD enabled but not IPv6 PIM-SM enabled, it must be an MLD querier.

For more information about IPv6 PIM-SM and DR, see "Configuring IPv6 PIM."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure a static group member.

mld static-group ipv6-group-address [ source ipv6-source-address ]

Configuring an IPv6 multicast group policy

About this task

This feature enables an interface to filter MLD reports by using an ACL that specifies IPv6 multicast groups and the optional sources. It is used to control the IPv6 multicast groups that the hosts attached to an interface can join.

Restrictions and guidelines

This configuration does not take effect on static group members, because static group members do not send MLD reports.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure an IPv6 multicast group policy on the interface.

mld group-policy ipv6-acl-number [ version-number ]

Adjusting MLD performance

Configuring MLD query and response parameters

About this task

The following are MLD query and response parameters:

·     MLD querier's robustness variable—Number of times for retransmitting MLD queries in case of packet loss. A higher robustness variable makes the MLD querier more robust, but increases the timeout time for IPv6 multicast groups.

·     MLD startup query interval—Interval at which an MLD querier sends MLD general queries at startup.

·     MLD startup query count—Number of MLD general queries that an MLD querier sends at startup.

·     MLD general query interval—Interval at which an MLD querier sends MLD general queries to check for IPv6 multicast group members on the network.

·     MLD last listener query interval—In MLDv1, it sets the interval at which a querier sends multicast-address-specific queries after receiving a done message. In MLDv2, it sets the interval at which a querier sends multicast-address-and-source-specific queries after receiving a report that changes IPv6 multicast source and group mappings.

·     MLD last listener query count—In MLDv1, it sets the number of multicast-address-specific queries that the querier sends after receiving a done message. In MLDv2, it sets the number of multicast-address-and-source-specific queries that the querier sends after receiving a report that changes IPv6 multicast group and source mappings.

·     MLD maximum response time—Maximum time before a receiver responds with a report to an MLD general query. This per-group timer is initialized to a random value in the range of 0 to the maximum response time specified in the MLD query. When the timer value decreases to 0, the receiver sends an MLD report to the group.

·     MLD other querier present timer—Lifetime for an MLD querier after a non-querier receives an MLD general query. If the non-querier does not receive a new query when this timer expires, the non-querier considers that the querier has failed and starts a new querier election.

Restrictions and guidelines

·     To avoid frequent MLD querier changes, set the MLD other querier present timer greater than the MLD general query interval. In addition, configure the same MLD other querier present timer for all MLD devices on the same subnet.

·     To speed up the response to MLD queries and avoid simultaneous timer expirations that cause MLD report traffic bursts, you must set an appropriate maximum response time.

¡     For MLD general queries, the maximum response time is set by the max-response-time command.

¡     For MLD multicast-address-specific queries or MLD multicast-address-and-source-specific queries, the maximum response time equals the MLD last listener query interval.

·     You can configure MLD query and response parameters globally for all interfaces in MLD view or for an interface in interface view. The interface-specific configuration takes priority over the global configuration.

Configuring the MLD query and response parameters globally

1.     Enter system view.

system-view

2.     Enter MLD view.

mld [ vpn-instance vpn-instance-name ]

3.     Set the MLD querier's robustness variable.

robust-count count

By default, the MLD querier's robustness variable is 2.

4.     Set the MLD startup query interval.

startup-query-interval interval

By default, the MLD startup query interval is equal to one quarter of the MLD general query interval.

5.     Set the MLD startup query count.

startup-query-count count

By default, the MLD startup query count is equal to the MLD querier's robustness variable.

6.     Set the MLD general query interval.

query-interval interval

By default, the MLD general query interval is 125 seconds.

7.     Set the MLD last listener query interval.

last-listener-query-interval interval

By default, the MLD last listener query interval is 1 second.

8.     Set the MLD last listener query count.

last-listener-query-count count

By default, the MLD last listener query count is equal to the MLD querier's robustness variable.

9.     Set the maximum response time for MLD general queries.

max-response-time time

By default, the maximum response time for MLD general queries is 10 seconds.

10.     Set the MLD other querier present timer.

other-querier-present-timeout time

By default, the MLD other querier present timer is calculated by using the following formula:
[ MLD general query interval ] × [ MLD robustness variable ] + [ maximum response time for MLD general queries ] / 2.

Configuring the MLD query and response parameters on an interface

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the MLD querier's robustness variable.

mld robust-count count

By default, the MLD querier's robustness variable is 2.

4.     Set the MLD startup query interval.

mld startup-query-interval interval

By default, the MLD startup query interval is equal to one quarter of the MLD general query interval.

5.     Set the MLD startup query count.

mld startup-query-count count

By default, the MLD startup query count is equal to the MLD querier's robustness variable.

6.     Set the MLD general query interval.

mld query-interval interval

By default, the MLD general query interval is 125 seconds.

7.     Set the MLD last listener query interval.

mld last-listener-query-interval interval

By default, the MLD last listener query interval is 1 second.

8.     Set the MLD last listener query count.

mld last-listener-query-count count

By default, the MLD last listener query count is equal to the MLD querier's robustness variable.

9.     Set the maximum response time for MLD general queries.

mld max-response-time time

By default, the maximum response time for MLD general queries is 10 seconds.

10.     Set the MLD other querier present timer.

mld other-querier-present-timeout time

By default, the MLD other querier present timer is calculated by using the following formula:
[ MLD general query interval ] × [ MLD robustness variable ] + [ maximum response time for MLD general queries ] / 2.

Enabling fast-leave processing

About this task

This feature enables an MLD querier to send leave notifications to the upstream without sending multicast-address-specific or multicast-address-and-source-specific queries after receiving a done message. Use this feature to reduce leave latency and to preserve the network bandwidth.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable fast-leave processing.

mld fast-leave [ group-policy ipv6-acl-number ]

By default, fast-leave processing is disabled.

Configuring MLD SSM mappings

About this task

This feature enables the device to provide SSM services for MLDv1 hosts.

Restrictions and guidelines

This feature does not process MLDv2 messages. Enable MLDv2 on the receiver-side interface to ensure that MLDv2 reports from MLDv2 receiver hosts can be processed.

Procedure

1.     Enter system view.

system-view

2.     Enter MLD view.

mld [ vpn-instance vpn-instance-name ]

3.     Configure an MLD SSM mapping.

ssm-mapping ipv6-source-address ipv6-acl-number

Configuring MLD proxying

Prerequisites for MLD proxying

Before you configure MLD proxying, determine the router interfaces and host interface based on the network topology. Then, enable MLD on the router interfaces.

Enabling MLD proxying

Restrictions and guidelines

·     Enable MLD proxying on the receiver-side interfaces.

·     On an interface enabled with MLD proxying, only the mld version command takes effect and other MLD commands do not take effect.

·     If you enable both MLD proxying and an IPv6 multicast routing protocol on the same device, the IPv6 multicast routing protocol does not take effect.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable MLD proxying.

mld proxy enable

By default, MLD proxying is disabled.

Enabling IPv6 multicast forwarding on a non-querier interface

About this task

Typically, only MLD queriers can forward IPv6 multicast traffic and non-queriers cannot. This prevents IPv6 multicast data from being repeatedly forwarded. If a router interface on the MLD proxy failed the querier election, enable IPv6 multicast forwarding on the interface to forward IPv6 multicast data to downstream receivers.

Restrictions and guidelines

A shared-media network might have multiple MLD proxies, including one proxy acting as a querier. To avoid duplicate IPv6 multicast traffic, do not enable IPv6 multicast forwarding on any of the non-querier MLD proxies for the network.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable IPv6 multicast forwarding on a non-querier interface.

mld proxy forwarding

By default, IPv6 multicast forwarding is disabled on a non-querier interface.

Enabling IPv6 multicast load splitting for MLD proxy interfaces

About this task

If multiple MLD proxy interfaces exist on the device, only the proxy interface with the highest IP address forwards IPv6 multicast traffic. You can enable IPv6 multicast load splitting on the device so that all the proxy interfaces can share IPv6 multicast traffic.

Procedure

1.     Enter system view.

system-view

2.     Enter MLD view.

mld [ vpn-instance vpn-instance-name ]

3.     Enable IPv6 multicast load splitting for MLD proxy interfaces.

proxy multipath

By default, IPv6 multicast load splitting is disabled for MLD proxy interfaces.

Configuring IPv6 multicast access control

Restrictions and guidelines for IPv6 multicast access control

Configure IPv6 multicast access control only on the BRAS.

IPv6 multicast access control is available for IPoE only when IPoE operates in Layer 2 access mode. For more information about IPoE access modes, see IPoE configuration in Layer 2—WAN Access Configuration Guide.

Enabling IPv6 multicast access control

About this task

Enable IPv6 multicast access control on interfaces of the BRAS where you want to control the downstream users' access to IPv6 multicast traffic.

This feature takes effect only on local online users. Non-local users and offline users are not affected.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 3 interface view.

¡     Enter Layer 3 Ethernet interface view.

interface interface-type interface-number

¡     Enter Layer 3 Ethernet subinterface view.

interface interface-type interface-number.subnumber

¡     Enter Layer 3 aggregate interface view.

interface route-aggregation interface-number

¡     Enter Layer 3 aggregate subinterface view.

interface route-aggregation interface-number.subnumber

¡     Enter VT interface view.

interface virtual-template number

3.     Enable IPv6 multicast access control.

mld authorization-enable

By default, IPv6 multicast access control is disabled.

Configuring an MLD user access policy

About this task

This feature enables the BRAS to filter MLD reports by using an ACL that specifies the IPv6 multicast groups in a user profile. Use this feature to control the IPv6 multicast groups that an MLD user can join.

You can also configure an IPv6 multicast group list on the RADIUS server to achieve the same purpose. A user can join an IPv6 multicast group if the group is in the group list.

If you specify both an IPv6 multicast group list and a user access policy, a user can join an IPv6 multicast group that meets either of them.

Procedure

1.     Enter system view.

system-view

2.     Enter ISP domain view.

domain isp-name

For more information about this command, see Security Command Reference.

3.     Configure the default authorization user profile for the ISP domain.

authorization-attribute user-profile profile-name

By default, the default authorization user profile is not configured for an ISP domain.

The authorization user profile configuration made on the RADIUS server takes priority over the configuration made for the ISP domain.

For more information about this command, see Security Command Reference.

4.     Return to system view.

quit

5.     Enter user profile view.

user-profile profile-name

For more information about this command, see Security Command Reference.

6.     Configure an MLD user access policy.

mld access-policy ipv6-acl-number

You can configure multiple MLD user access policies by using this command multiple times. An MLD report is permitted if it matches one of the access policies.

Enabling per-session IPv6 multicast forwarding

About this task

By default, the BRAS forwards the IPv6 multicast traffic on a per-interface basis. It sends one copy of IPv6 multicast traffic to a downstream interface, and the downstream MLD snooping device replicates the IPv6 multicast traffic to each user.

If the downstream device does not support MLD snooping, you can configure the downstream interface on the BRAS to forward IPv6 multicast traffic on a per-session basis. This allows the BRAS to send a separate copy of the IPv6 multicast data to each user.

Restrictions and guidelines

This configuration automatically deletes the static IPv6 multicast forwarding entries created by the non-VLAN-based static member group configurations.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 3 interface view.

¡     Enter Layer 3 Ethernet interface view.

interface interface-type interface-number

¡     Enter Layer 3 Ethernet subinterface view.

interface interface-type interface-number.subnumber

¡     Enter Layer 3 aggregate interface view.

interface route-aggregation interface-number

¡     Enter Layer 3 aggregate subinterface view.

interface route-aggregation interface-number.subnumber

3.     Enable per-session IPv6 multicast forwarding.

mld join-by-session

By default, per-session IPv6 multicast forwarding is enabled.

Configuring a VLAN-based static group member

About this task

In access-controlled IPv6 multicast, IPv6 multicast packets are VLAN-tagged. When you configure a subinterface on the BRAS as a VLAN-based static group member, you must specify the VLANs to which the subinterface belongs. Otherwise, the subinterface cannot join the IPv6 multicast group, and the static IPv6 multicast forwarding entry cannot be created.

Restrictions and guidelines

·     When you configure a subinterface as a non-VLAN-based static member interface, do not configure the mld join-by-session or mld user-vlan-aggregation dot1q command on the subinterface. Otherwise, IPv6 static multicast forwarding entries cannot be created.

·     When you configure a subinterface as a VLAN-based static member interface, you must also configure the mld join-by-session or mld user-vlan-aggregation dot1q command on the subinterface. An IPv6 static multicast forwarding entry can be created under either of the following conditions:

¡     When the mld join-by-session command is configured, users that belong to the specified VLANs log in.

¡     When the user-vlan-aggregation dot1q command is configured, the specified VLAN IDs are the same as or are included in the VLAN IDs specified in the mld static-group command.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 3 subinterface view.

¡     Enter Layer 3 Ethernet subinterface view.

interface interface-type interface-number.subnumber

¡     Enter Layer 3 aggregate subinterface view.

interface route-aggregation interface-number.subnumber

3.     Configure the subinterface as a VLAN-based static group member.

mld static-group ipv6-group-address [ source ipv6-source-address ] { dot1q vid vlan-list | dot1q vid vlan-id second-dot1q vlan-list }

By default, a subinterface is not a VLAN-based static group member for any IPv6 multicast groups or IPv6 multicast source and groups.

Display and maintenance commands for MLD

CAUTION

CAUTION:

The reset mld group command might cause IPv6 multicast data transmission failures.

 

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about MLD multicast groups.

display mld [ vpn-instance vpn-instance-name ] group [ ipv6-group-address | interface interface-type interface-number ] [ static | verbose ]

Display MLD information for interfaces.

display mld [ vpn-instance vpn-instance-name ] interface [ interface-type interface-number ] [ proxy ] [ verbose ]

Display IPv6 multicast routing entries maintained by the MLD proxy.

display mld [ vpn-instance vpn-instance-name ] proxy group [ ipv6-group-address | interface interface-type interface-number ] [ verbose ]

Display information about the MLD proxy routing table.

display mld [ vpn-instance vpn-instance-name ] proxy routing-table [ ipv6-source-address [ prefix-length ] | ipv6-group-address [ prefix-length ] ] * [ verbose ]

Display MLD SSM mappings.

display mld [ vpn-instance vpn-instance-name ] ssm-mapping ipv6-group-address

Display authorization information for MLD users.

display mld user-authorization [ interface interface-type interface-number ]

Clear dynamic MLD multicast group entries.

reset mld [ vpn-instance vpn-instance-name ] group { all | interface interface-type interface-number { all | ipv6-group-address [ prefix-length ] [ ipv6-source-address [ prefix-length ] ] } }

 

MLD configuration examples

Example: Configuring basic MLD features

Network configuration

As shown in Figure 5:

·     OSPFv3 and IPv6 PIM-DM run on the network.

·     VOD streams are sent to receiver hosts in multicast. Receiver hosts of different organizations form stub networks N1 and N2. Host A and Host C are multicast receiver hosts in N1 and N2, respectively.

·     MLDv1 runs between Router A and N1, and between the other two routers (Router B and Router C) and N2.

·     Router A acts as the MLD querier in N1. Router B acts as the MLD querier in N2 because it has a lower IPv6 address.

Configure the routers to meet the following requirements:

·     The hosts in N1 can only join IPv6 multicast group FF1E::101.

·     The hosts in N2 can join any IPv6 multicast groups.

Figure 5 Network diagram

Procedure

1.     Assign an IPv6 address and prefix length to each interface, as shown in Figure 5. (Details not shown.)

2.     Configure OSPFv3 on the routers in the IPv6 PIM-DM domain. (Details not shown.)

3.     Enable the IPv6 multicast routing, MLD, and IPv6 PIM-DM:

# On Router A, enable IPv6 multicast routing.

<RouterA> system-view

[RouterA] ipv6 multicast routing

[RouterA-mrib6] quit

# Enable MLD on GigabitEthernet 1/0.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] mld enable

[RouterA-GigabitEthernet1/0] quit

# Enable IPv6 PIM-DM on GigabitEthernet 2/0.

[RouterA] interface gigabitethernet 2/0

[RouterA-GigabitEthernet2/0] ipv6 pim dm

[RouterA-GigabitEthernet2/0] quit

# On Router B, enable IPv6 multicast routing.

<RouterB> system-view

[RouterB] ipv6 multicast routing

[RouterB-mrib6] quit

# Enable MLD on GigabitEthernet 1/0.

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] mld enable

[RouterB-GigabitEthernet1/0] quit

# Enable IPv6 PIM-DM on GigabitEthernet 2/0.

[RouterB] interface gigabitethernet 2/0

[RouterB-GigabitEthernet2/0] ipv6 pim dm

[RouterB-GigabitEthernet2/0] quit

# On Router C, enable IPv6 multicast routing.

<RouterC> system-view

[RouterC] ipv6 multicast routing

[RouterC-mrib6] quit

# Enable MLD on GigabitEthernet 1/0.

[RouterC] interface gigabitethernet 1/0

[RouterC-GigabitEthernet1/0] mld enable

[RouterC-GigabitEthernet1/0] quit

# Enable IPv6 PIM-DM on GigabitEthernet 2/0.

[RouterC] interface gigabitethernet 2/0

[RouterC-GigabitEthernet2/0] ipv6 pim dm

[RouterC-GigabitEthernet2/0] quit

4.     Configure an IPv6 multicast group policy on Router A so that hosts connected to GigabitEthernet 1/0 can join only IPv6 multicast group FF1E::101.

[RouterA] acl ipv6 basic 2001

[RouterA-acl-ipv6-basic-2001] rule permit source ff1e::101 128

[RouterA-acl-ipv6-basic-2001] quit

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] mld group-policy 2001

[RouterA-GigabitEthernet1/0] quit

Verifying the configuration

# Display MLD information for GigabitEthernet 1/0 on Router B.

[RouterB] display mld interface gigabitethernet 1/0

 GigabitEthernet1/0(FE80::200:5EFF:FE66:5100):

   MLD is enabled.

   MLD version: 1

   Query interval for MLD: 125s

   Other querier present time for MLD: 255s

   Maximum query response time for MLD: 10s

   Querier for MLD: FE80::200:5EFF:FE66:5100 (this router)

  MLD groups reported in total: 1

Example: Configuring MLD SSM mapping

Network configuration

As shown in Figure 6:

·     OSPFv3 runs on the network.

·     The IPv6 PIM-SM domain uses the SSM model for IPv6 multicast delivery. The IPv6 SSM group range is FF3E::/64.

·     MLDv2 runs on GigabitEthernet 1/0 of Router D. The receiver host runs MLDv1, and does not support MLDv2. The receiver host cannot specify multicast sources in its membership reports.

·     Source 1, Source 2, and Source 3 send IPv6 multicast packets to multicast groups in the IPv6 SSM group range.

Configure the MLD SSM mapping feature on Router D so that the receiver host will receive IPv6 multicast data only from Source 1 and Source 3.

Figure 6 Network diagram

Table 1 Interface and IPv6 address assignment

Device

Interface

IPv6 address

Device

Interface

IPv6 address

Source 1

1001::1/64

Source 3

3001::1/64

Source 2

2001::1/64

Receiver

4001::1/64

Router A

GE1/0

1001::2/64

Router C

GE1/0

3001::2/64

Router A

GE2/0

1002::1/64

Router C

GE2/0

3002::1/64

Router A

GE3/0

1003::1/64

Router C

GE3/0

2002::2/64

Router B

GE1/0

2001::2/64

Router D

GE1/0

4001::2/64

Router B

GE2/0

1002::2/64

Router D

GE2/0

3002::2/64

Router B

GE3/0

2002::1/64

Router D

GE3/0

1003::2/64

 

Procedure

1.     Assign an IPv6 address and prefix length to each interface, as shown in Table 1. (Details not shown.)

2.     Configure OSPFv3 on the routers in the IPv6 PIM-SM domain. (Details not shown.)

3.     Enable IPv6 multicast routing, IPv6 PIM-SM, and MLD:

# On Router D, enable IPv6 multicast routing.

<RouterD> system-view

[RouterD] ipv6 multicast routing

[RouterD-mrib6] quit

# Enable MLDv2 on the receiver-side interface (GigabitEthernet 1/0).

[RouterD] interface gigabitethernet 1/0

[RouterD-GigabitEthernet1/0] mld enable

[RouterD-GigabitEthernet1/0] mld version 2

[RouterD-GigabitEthernet1/0] quit

# Enable IPv6 PIM-SM on the other interfaces.

[RouterD] interface gigabitethernet 2/0

[RouterD-GigabitEthernet2/0] ipv6 pim sm

[RouterD-GigabitEthernet2/0] quit

[RouterD] interface gigabitethernet 3/0

[RouterD-GigabitEthernet3/0] ipv6 pim sm

[RouterD-GigabitEthernet3/0] quit

# On Router A, enable IPv6 multicast routing.

<RouterA> system-view

[RouterA] ipv6 multicast routing

[RouterA-mrib6] quit

# Enable IPv6 PIM-SM on each interface.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] ipv6 pim sm

[RouterA-GigabitEthernet1/0] quit

[RouterA] interface gigabitethernet 2/0

[RouterA-GigabitEthernet2/0] ipv6 pim sm

[RouterA-GigabitEthernet2/0] quit

[RouterA] interface gigabitethernet 3/0

[RouterA-GigabitEthernet3/0] ipv6 pim sm

[RouterA-GigabitEthernet3/0] quit

# Configure Router B and Router C in the same way Router A is configured. (Details not shown.)

4.     Configure the IPv6 SSM group range:

# On Router D, specify FF3E::/64 as the IPv6 SSM group range.

[RouterD] acl ipv6 basic 2000

[RouterD-acl-ipv6-basic-2000] rule permit source ff3e:: 64

[RouterD-acl-ipv6-basic-2000] quit

[RouterD] ipv6 pim

[RouterD-pim6] ssm-policy 2000

[RouterD-pim6] quit

# Configure Router A, Router B, and Router C in the same way Router D is configured. (Details not shown.)

5.     Configure MLD SSM mappings on Router D.

[RouterD] mld

[RouterD-mld] ssm-mapping 1001::1 2000

[RouterD-mld] ssm-mapping 3001::1 2000

[RouterD-mld] quit

Verifying the configuration

# Display MLD SSM mappings for IPv6 multicast group FF3E::101 on Router D.

[RouterD] display mld ssm-mapping ff3e::101

 Group: FF3E::101

 Source list:

        1001::1

        3001::1

# On Router D, display information about MLD multicast groups that hosts have dynamically joined.

[RouterD] display mld group

MLD groups in total: 1

 GigabitEthernet1/0(FE80::101):

  MLD groups reported in total: 1

   Group address: FF3E::101

    Last reporter: FE80::1

    Uptime: 00:02:04

    Expires: Off

# Display IPv6 PIM routing entries on Router D.

[RouterD] display ipv6 pim routing-table

 Total 0 (*, G) entry; 2 (S, G) entry

 

 (1001::1, FF3E::101)

     Protocol: pim-ssm, Flag:

     UpTime: 00:13:25

     Upstream interface: GigabitEthernet3/0

         Upstream neighbor: 1003::1

         RPF prime neighbor: 1003::1

     Downstream interface(s) information:

     Total number of downstreams: 1

         1: GigabitEthernet1/0

             Protocol: mld, UpTime: 00:13:25, Expires: -

 

 (3001::1, FF3E::101)

     Protocol: pim-ssm, Flag:

     UpTime: 00:13:25

     Upstream interface: GigabitEthernet2/0

         Upstream neighbor: 3002::1

         RPF prime neighbor: 3002::1

     Downstream interface(s) information:

     Total number of downstreams: 1

         1: GigabitEthernet1/0

             Protocol: mld, UpTime: 00:13:25, Expires: -

Example: Configuring MLD proxying

Network configuration

As shown in Figure 7:

·     IPv6 PIM-DM runs on the core network.

·     Host A and Host C on the stub network receive VOD information sent to IPv6 multicast group FF3E::101.

Configure the MLD proxying feature on Router B so that Router B can maintain group memberships and forward IPv6 multicast traffic without running IPv6 PIM-DM.

Figure 7 Network diagram

 

Procedure

1.     Assign an IPv6 address and prefix length to each interface, as shown in Figure 7. (Details not shown.)

2.     Enable IPv6 multicast routing, IPv6 PIM-DM, MLD, and MLD proxying:

# On Router A, enable IPv6 multicast routing.

<RouterA> system-view

[RouterA] ipv6 multicast routing

[RouterA-mrib6] quit

# Enable IPv6 PIM-DM on GigabitEthernet 2/0.

[RouterA] interface gigabitethernet 2/0

[RouterA-GigabitEthernet2/0] ipv6 pim dm

[RouterA-GigabitEthernet2/0] quit

# Enable MLD on GigabitEthernet 1/0.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] mld enable

[RouterA-GigabitEthernet1/0] quit

# On Router B, enable IPv6 multicast routing.

<RouterB> system-view

[RouterB] ipv6 multicast routing

[RouterB-mrib6] quit

# Enable MLD proxying on GigabitEthernet 1/0.

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] mld proxy enable

[RouterB-GigabitEthernet1/0] quit

# Enable MLD on GigabitEthernet 2/0.

[RouterB] interface gigabitethernet 2/0

[RouterB-GigabitEthernet2/0] mld enable

[RouterB-GigabitEthernet2/0] quit

Verifying the configuration

# On Router B, display IPv6 multicast group membership information maintained by the MLD proxy.

[RouterB] display mld proxy group

MLD proxy group records in total: 1

 GigabitEthernet1/0(FE80::16:1):

  MLD proxy group records in total: 1

   Group address: FF1E::1

    Member state: Delay

    Expires: 00:00:02

Example: Configuring PPPoE-based IPv6 multicast access control

Network configuration

As shown in Figure 8:

·     OSPF runs in the PIM-SM domain.

·     Source 1, Source 2, and Source 3 send IPv6 multicast data to the IPv6 multicast groups FF1E::101, FF1E::102, and FF1E::103, respectively.

·     GigabitEthernet 2/0 on Router A acts as a C-BSR and a C-RP, and it is designated to all IPv6 multicast groups.

·     Router A acts as the BRAS, and it connects the users in ISP 1 and ISP 2 to the PIM-SM network.

Configure the IPv6 multicast access control feature on Router A to meet the following requirements:

·     Host A and Host B in ISP 1 can join only IPv6 multicast groups FF1E::101 and FF1E::102.

·     Host C and Host D in ISP 2 can join only IPv6 multicast groups FF1E::102 and FF1E::103.

Figure 8 Network diagram

Table 2 Interface and IPv6 address assignment

Device

Interface

IPv6 address

Device

Interface

IPv6 address

Source 1

1001::1/64

Host A

3001::2/64

Source 2

1002::1/64

Host B

3001::3/64

Source 3

1003::1/64

Host C

3002::2/64

RADIUS server

2004::2/64

Host D

3002::3/64

Router B

GE1/0

2001::2/64

Router A

GE1/0

2001::1/64

Router B

GE2/0

1001::2/64

Router A

GE2/0

2002::1/64

Router C

GE1/0

2002::2/64

Router A

GE3/0

2003::1/64

Router C

GE2/0

1002::2/64

Router A

GE4/0

2004::1/64

Router D

GE1/0

2003::2/64

Router A

GE5/0.1

3001::1/64

Router D

GE2/0

1003::2/64

Router A

GE5/0.2

3002::1/64

Procedure

1.     Assign an IPv6 address and prefix length to each interface, as shown in Table 2. (Details not shown.)

2.     Configure OSPFv3 in the IPv6 PIM-SM domain. (Details not shown.)

3.     Enable IPv6 multicast routing, and configure IPv6 PIM-SM:

# On Router A, enable IPv6 multicast routing.

<RouterA> system-view

[RouterA] ipv6 multicast routing

[RouterA-mrib6] quit

# Enable IPv6 PIM-SM on GigabitEthernet 1/0 through GigabitEthernet 3/0.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] ipv6 pim sm

[RouterA-GigabitEthernet1/0] quit

[RouterA] interface gigabitethernet 2/0

[RouterA-GigabitEthernet2/0] ipv6 pim sm

[RouterA-GigabitEthernet2/0] quit

[RouterA] interface gigabitethernet 3/0

[RouterA-GigabitEthernet3/0] ipv6 pim sm

[RouterA-GigabitEthernet3/0] quit

# On Router B, enable IPv6 multicast routing.

<RouterB> system-view

[RouterB] ipv6 multicast routing

[RouterB-mrib6] quit

# Enable IPv6 PIM-SM on each interface.

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] ipv6 pim sm

[RouterB-GigabitEthernet1/0] quit

[RouterB] interface gigabitethernet 2/0

[RouterB-GigabitEthernet2/0] ipv6 pim sm

[RouterB-GigabitEthernet2/0] quit

# Configure Router C and Router D in the same way Router B is configured. (Details not shown.)

# On Router A, configure GigabitEthernet 2/0 as a C-BSR and a C-RP.

[RouterA] ipv6 pim

[RouterA-pim6] c-bsr 2002::1

[RouterA-pim6] c-rp 2002::1

[RouterA-pim6] quit

4.     Configure the access service on the BRAS:

# Configure a RADIUS scheme.

[RouterA] radius scheme spec

[RouterA-radius-spec] primary authentication ipv6 2004::2 key simple 123456

[RouterA-radius-spec] primary accounting ipv6 2004::2 key simple 123456

[RouterA-radius-spec] user-name-format without-domain

[RouterA-radius-spec] nas-ip ipv6 2004::1

[RouterA-radius-spec] quit

# Create an ISP domain named isp1 and specify the STB service for users in the ISP domain.

[RouterA] domain isp1

[RouterA-isp-isp1] service-type stb

# Configure AAA methods for ISP domain isp1.

[RouterA-isp-isp1] authentication ppp radius-scheme spec

[RouterA-isp-isp1] authorization ppp radius-scheme spec

[RouterA-isp-isp1] accounting ppp radius-scheme spec

[RouterA-isp-isp1] quit

# Create an ISP domain named isp2, and specify the STB service for users in the ISP domain.

[RouterA] domain isp2

[RouterA-isp-isp2] service-type stb

# Configure AAA methods for ISP domain isp2.

[RouterA-isp-isp2] authentication ppp radius-scheme spec

[RouterA-isp-isp2] authorization ppp radius-scheme spec

[RouterA-isp-isp2] accounting ppp radius-scheme spec

[RouterA-isp-isp2] quit

# Create interface Virtual-Template 1, and assign an IPv6 address and prefix length to the interface.

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ipv6 address 4001::1 64

# Configure interface Virtual-Template 1 to authenticate users in ISP domain isp1 by using PAP.

[RouterA-Virtual-Template1] ppp authentication-mode pap domain isp1

[RouterA-Virtual-Template1] quit

# Create interface Virtual-Template 2, and assign an IPv6 address and prefix length to the interface.

[RouterA] interface virtual-template 2

[RouterA-Virtual-Template2] ipv6 address 4002::1 64

# Configure interface Virtual-Template 2 to authenticate users in ISP domain isp2 by using PAP.

[RouterA-Virtual-Template2] ppp authentication-mode pap domain isp2

[RouterA-Virtual-Template2] quit

# Configure GigabitEthernet 5/0.1 to terminate VLAN-tagged packets whose outer VLAN ID is 1 and inner VLAN ID is in the range of 1 to 100.

[RouterA] interface gigabitethernet 5/0.1

[RouterA-GigabitEthernet5/0.1] vlan-type dot1q vid 1 second-dot1q 1 to 100

# Bind GigabitEthernet 5/0.1 to interface Virtual-Template 1.

[RouterA-GigabitEthernet5/0.1] pppoe-server bind virtual-template 1

[RouterA-GigabitEthernet5/0.1] quit

# Configure GigabitEthernet 5/0.2. to terminate VLAN-tagged packets whose outer VLAN ID is 2 and inner VLAN ID is in the range of 1 to 100.

[RouterA] interface gigabitethernet 5/0.2

[RouterA-GigabitEthernet5/0.2] vlan-type dot1q vid 2 second-dot1q 1 to 100

# Bind subinterface GigabitEthernet 5/0.2 to interface Virtual-Template 2.

[RouterA-GigabitEthernet5/0.2] pppoe-server bind virtual-template 2

[RouterA-GigabitEthernet5/0.2] quit

5.     Configure IPv6 multicast access control on the BRAS:

# Enable MLD and IPv6 multicast access control on interface Virtual-Template 1.

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] mld enable

[RouterA-Virtual-Template1] mld authorization-enable

[RouterA-Virtual-Template1] quit

# Configure interface Virtual-Template 2 in the same way interface Virtual-Template 1 is configured. (Details not shown.)

# Configure an access policy in user profile profile1 to authorize MLD users to join IPv6 multicast groups FF03::101 and FF03::102.

[RouterA] acl ipv6 basic 2000

[RouterA-acl-ipv6-basic-2000] rule permit source ff1e::101 128

[RouterA-acl-ipv6-basic-2000] rule permit source ff1e::102 128

[RouterA-acl-ipv6-basic-2000] quit

[RouterA] user-profile profile1

[RouterA-user-profile-profile1] mld access-policy 2000

[RouterA-user-profile-profile1] quit

# Specify user profile profile1 for users in ISP domain isp1.

[RouterA] domain isp1

[RouterA-isp-isp1] authorization-attribute user-profile profile1

[RouterA-isp-isp1] quit

# Configure an access policy in user profile profile2 to authorize MLD users to join IPv6 multicast groups FF03::102 and FF03::103.

[RouterA] acl ipv6 basic 2001

[RouterA-acl-ipv6-basic-2001] rule permit source ff1e::102 128

[RouterA-acl-ipv6-basic-2001] rule permit source ff1e::103 128

[RouterA-acl-ipv6-basic-2001] quit

[RouterA] user-profile profile2

[RouterA-user-profile-profile2] mld access-policy 2001

[RouterA-user-profile-profile2] quit

# Specify user profile profile2 for users in ISP domain isp2.

[RouterA] domain isp2

[RouterA-isp-isp2] authorization-attribute user-profile profile2

[RouterA-isp-isp2] quit

Verifying the configuration

# Display authorized MLD user information on Router A after Host A and Host C log in.

[RouterA] display mld user-authorization

 Authorized users in total: 2

 

   User name: user1@isp1

   Access type: PPP

   Interface: Virtual-Access0

   Access interface: Virtual-Access0

   Maximum programs for order: 10

   User profile: profile1

   Authorized programs list:

 

   User name: user1@isp2

   Access type: PPP

   Interface: Virtual-Access1

   Access interface: Virtual-Access1

   Maximum programs for order: 10

   User profile: profile2

   Authorized programs list:

Example: Configuring IPoE-based IPv6 multicast access control

Network configuration

As shown in Figure 9:

·     OSPF runs in the PIM-SM domain.

·     Source 1, Source 2, and Source 3 send IPv6 multicast data to IPv6 multicast groups FF1E::101, FF1E::102, and FF1E::103, respectively.

·     GigabitEthernet 2/0 on Router A acts as a C-BSR and a C-RP, and it is designated to all IPv6 multicast groups.

·     Router A acts as the BRAS, and connects the users in ISP 1 and ISP 2 to the PIM-SM network.

Configure the IPv6 multicast access control feature on Router A to meet the following requirements:

·     Host A and Host B in ISP 1 can join only IPv6 multicast groups FF1E::101 and FF1E::102.

·     Host C and Host D in ISP 2 can join only IPv6 multicast groups FF1E::102 and FF1E::103.

Figure 9 Network diagram

Table 3 Interface and IPv6 address assignment

Device

Interface

IPv6 address

Device

Interface

IPv6 address

Source 1

1001::1/64

Host A

3001::2/64

Source 2

1002::1/64

Host B

3001::3/64

Source 3

1003::1/64

Host C

3002::2/64

RADIUS server

2004::2/64

Host D

3002::3/64

Router B

GE1/0

2001::2/64

Router A

GE1/0

2001::1/64

Router B

GE2/0

1001::2/64

Router A

GE2/0

2002::1/64

Router C

GE1/0

2002::2/64

Router A

GE3/0

2003::1/64

Router C

GE2/0

1002::2/64

Router A

GE4/0

2004::1/64

Router D

GE1/0

2003::2/64

Router A

GE5/0.1

3001::1/64

Router D

GE2/0

1003::2/64

Router A

GE5/0.2

3002::1/64

Procedure

1.     Assign an IPv6 address and prefix length to each interface, as shown in Table 3. (Details not shown.)

2.     Configure OSPFv3 in the IPv6 PIM-SM domain. (Details not shown.)

3.     Enable IPv6 multicast routing, and configure IPv6 PIM-SM:

# On Router A, enable IPv6 multicast routing.

<RouterA> system-view

[RouterA] ipv6 multicast routing

[RouterA-mrib6] quit

# Enable IPv6 PIM-SM on GigabitEthernet 1/0 through GigabitEthernet 3/0.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] ipv6 pim sm

[RouterA-GigabitEthernet1/0] quit

[RouterA] interface gigabitethernet 2/0

[RouterA-GigabitEthernet2/0] ipv6 pim sm

[RouterA-GigabitEthernet2/0] quit

[RouterA] interface gigabitethernet 3/0

[RouterA-GigabitEthernet3/0] ipv6 pim sm

[RouterA-GigabitEthernet3/0] quit

# On Router B, enable IPv6 multicast routing.

<RouterB> system-view

[RouterB] ipv6 multicast routing

[RouterB-mrib6] quit

# Enable IPv6 PIM-SM on each interface.

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] ipv6 pim sm

[RouterB-GigabitEthernet1/0] quit

[RouterB] interface gigabitethernet 2/0

[RouterB-GigabitEthernet2/0] ipv6 pim sm

[RouterB-GigabitEthernet2/0] quit

# Configure Router C and Router D in the same way Router B is configured. (Details not shown.)

# On Router A, configure GigabitEthernet 2/0 as a C-BSR and a C-RP.

[RouterA] ipv6 pim

[RouterA-pim6] c-bsr 2002::1

[RouterA-pim6] c-rp 2002::1

[RouterA-pim6] quit

4.     Configure the access service on the BRAS:

# Configure a RADIUS scheme.

[RouterA] radius scheme spec

[RouterA-radius-spec] primary authentication ipv6 2004::2 key simple 123456

[RouterA-radius-spec] primary accounting ipv6 2004::2 key simple 123456

[RouterA-radius-spec] user-name-format without-domain

[RouterA-radius-spec] nas-ip ipv6 2004::1

[RouterA-radius-spec] quit

# Create ISP domain isp1, and specify the STB service for users in the ISP domain.

[RouterA] domain isp1

[RouterA-isp-isp1] service-type stb

# Configure AAA methods for ISP domain isp1.

[RouterA-isp-isp1] authentication ipoe radius-scheme spec

[RouterA-isp-isp1] authorization ipoe radius-scheme spec

[RouterA-isp-isp1] accounting ipoe radius-scheme spec

[RouterA-isp-isp1] quit

# Create ISP domain isp2, and specify the STB service for users in the ISP domain.

[RouterA] domain isp2

[RouterA-isp-isp2] service-type stb

# Configure AAA methods for ISP domain isp2.

[RouterA-isp-isp2] authentication ipoe radius-scheme spec

[RouterA-isp-isp2] authorization ipoe radius-scheme spec

[RouterA-isp-isp2] accounting ipoe radius-scheme spec

[RouterA-isp-isp2] quit

# Enable DHCP on Router A.

[RouterA] dhcp enable

# Create a DHCPv6 address pool named 1.

[RouterA] ipv6 dhcp pool 1

# Specify a subnet of 4000::1/96 for DHCPv6 address pool 1.

[RouterA-dhcp-pool-1] network 4000::1/96 preferred-lifetime 172800 valid-lifetime 345600

# Specify a domain name of isp1 for DHCPv6 address pool 1.

[RouterA-dhcp-pool-1] domain-name isp1

[RouterA-dhcp-pool-1] quit

# Create a DHCPv6 address pool named 2.

[RouterA] ipv6 dhcp pool 2

# Specify a subnet of 4000::1/96 for DHCPv6 address pool 2.

[RouterA-dhcp-pool-2] network 4001::1/96 preferred-lifetime 172800 valid-lifetime 345600

# Specify a domain name of isp2 for DHCPv6 address pool 2.

[RouterA-dhcp-pool-2] domain-name isp2

[RouterA-dhcp-pool-2] quit

# Configure GigabitEthernet 5/0.1 to terminate VLAN-tagged packets whose outer VLAN ID is 1 and inner VLAN ID is in the range of 1 to 100..

[RouterA] interface gigabitethernet 5/0.1

[RouterA-GigabitEthernet5/0.1] vlan-type dot1q vid 1 second-dot1q 1 to 100

# Configure the DHCP service on GigabitEthernet 5/0.1.

[RouterA-GigabitEthernet5/0.1] ipv6 dhcp select server

[RouterA-GigabitEthernet5/0.1] ipv6 subscriber l2-connected enable

[RouterA-GigabitEthernet5/0.1] ipv6 subscriber initiator dhcp enable

[RouterA-GigabitEthernet5/0.1] ipv6 subscriber dhcp domain isp1

[RouterA-GigabitEthernet5/0.1] quit

# Configure GigabitEthernet 5/0.2 to terminate VLAN-tagged packets whose outer VLAN ID is 2 and inner VLAN ID is in the range of 1 to 100.

[RouterA] interface gigabitethernet 5/0.2

[RouterA-GigabitEthernet5/0.2] vlan-type dot1q vid 2 second-dot1q 1 to 100

# Configure DHCP service on GigabitEthernet 5/0.2.

[RouterA-GigabitEthernet5/0.2] ipv6 dhcp select server

[RouterA-GigabitEthernet5/0.2] ipv6 subscriber l2-connected enable

[RouterA-GigabitEthernet5/0.2] ipv6 subscriber initiator dhcp enable

[RouterA-GigabitEthernet5/0.2] ipv6 subscriber dhcp domain isp2

[RouterA-GigabitEthernet5/0.2] quit

5.     Configure IPv6 multicast access control on the BRAS:

# Enable MLD on GigabitEthernet 5/0.1.

[RouterA] interface gigabitethernet 5/0.1

[RouterA-GigabitEthernet5/0.1] mld enable

# Enable IPv6 multicast access control on GigabitEthernet 5/0.1.

[RouterA-GigabitEthernet5/0.1] mld authorization-enable

# Enable per-session IPv6 multicast forwarding on GigabitEthernet 5/0.1.

[RouterA-GigabitEthernet5/0.1] mld join-by-session

[RouterA-GigabitEthernet5/0.1] quit

# Configure GigabitEthernet 5/0.2 in the same way GigabitEthernet 5/0.1 is configured. (Details not shown.)

# Configure an access policy in user profile profile1 to authorize MLD users to join IPv6 multicast groups FF03::101 and FF03::102.

[RouterA] acl ipv6 basic 2000

[RouterA-acl-ipv6-basic-2000] rule permit source ff1e::101 128

[RouterA-acl-ipv6-basic-2000] rule permit source ff1e::102 128

[RouterA-acl-ipv6-basic-2000] quit

[RouterA] user-profile profile1

[RouterA-user-profile-profile1] mld access-policy 2000

[RouterA-user-profile-profile1] quit

# Specify user profile profile1 for users in ISP domain isp1.

[RouterA] domain isp1

[RouterA-isp-isp1] authorization-attribute user-profile profile1

[RouterA-isp-isp1] quit

# Configure an access policy in user profile profile2 to authorize MLD users to join IPv6 multicast groups FF03::102 and FF03::103.

[RouterA] acl ipv6 basic 2001

[RouterA-acl-ipv6-basic-2001] rule permit source ff1e::102 128

[RouterA-acl-ipv6-basic-2001] rule permit source ff1e::103 128

[RouterA-acl-ipv6-basic-2001] quit

# Specify user profile profile2 for users in ISP domain isp2.

[RouterA] user-profile profile2

[RouterA-user-profile-profile2] mld access-policy 2001

[RouterA-user-profile-profile2] quit

[RouterA] domain isp2

[RouterA-isp-isp2] authorization-attribute user-profile profile2

[RouterA-isp-isp2] quit

Verifying the configuration

# Display authorized MLD user information on Router A after Host A and Host C log in.

[RouterA] display mld user-authorization

 Authorized users in total: 2

 

   User name: user1@isp1

   Access type: IPoE

   Interface: Multicast-UA1

   Access interface: GigabitEthernet5/0.1

   VLAN ID: 1

   Second VLAN ID: 2

   Maximum programs for order: 10

   User profile: profile1

   Authorized programs list:

 

   User name: user1@isp2

   Access type: IPoE

   Interface: Multicast-UA2

   Access interface: GigabitEthernet5/0.2

   VLAN ID: 2 

   Second VLAN ID: 2

   Maximum programs for order: 10

   User profile: profile2

   Authorized programs list:

Example: Configuring portal-based IPv6 multicast access control

Network configuration

As shown in Figure 10:

·     OSPF runs in the PIM-SM domain.

·     Source 1, Source 2, and Source 3 send IPv6 multicast data to IPv6 multicast groups FF1E::101, FF1E::102, and FF1E::103, respectively.

·     GigabitEthernet 2/0 on Router A acts as a C-BSR and a C-RP, and it is designated to all IPv6 multicast groups.

·     Router A acts as the BRAS, and connects the users in ISP 1 and ISP 2 to the PIM-SM network.

Configure the IPv6 multicast access control feature on Router A to meet the following requirements:

·     Host A and Host B in ISP 1 can join only IPv6 multicast groups FF1E::101 and FF1E::102.

·     Host C and Host D in ISP 2 can join only IPv6 multicast groups FF1E::102 and FF1E::103.

Figure 10 Network diagram

Table 4 Interface and IPv6 address assignment

Device

Interface

IPv6 address

Device

Interface

IPv6 address

Source 1

1001::1/64

Host A

3001::2/64

Source 2

1002::1/64

Host B

3001::3/64

Source 3

1003::1/64

Host C

3002::2/64

RADIUS server

2004::2/64

Host D

3002::3/64

IMC server

2005::2/64

Router A

GE1/0

2001::1/64

Router B

GE1/0

2001::2/64

Router A

GE2/0

2002::1/64

Router B

GE2/0

1001::2/64

Router A

GE3/0

2003::1/64

Router C

GE1/0

2002::2/64

Router A

GE4/0

2004::1/64

Router C

GE2/0

1002::2/64

Router A

GE5/0

3002::1/64

Router D

GE1/0

2003::2/64

Router A

GE6/0

3001::1/64

Router D

GE2/0

1003::2/64

 

 

 

Procedure

1.     Assign an IPv6 address and prefix length to each interface, as shown in Table 4. (Details not shown.)

2.     Configure OSPFv3 in the IPv6 PIM-SM domain. (Details not shown.)

3.     Enable IPv6 multicast routing, and configure IPv6 PIM-SM:

# On Router A, enable IPv6 multicast routing.

<RouterA> system-view

[RouterA] ipv6 multicast routing

[RouterA-mrib6] quit

# Enable IPv6 PIM-SM on GigabitEthernet 1/0 through GigabitEthernet 3/0.

[RouterA] interface gigabitethernet 1/0

[RouterA-GigabitEthernet1/0] ipv6 pim sm

[RouterA-GigabitEthernet1/0] quit

[RouterA] interface gigabitethernet 2/0

[RouterA-GigabitEthernet2/0] ipv6 pim sm

[RouterA-GigabitEthernet2/0] quit

[RouterA] interface gigabitethernet 3/0

[RouterA-GigabitEthernet3/0] ipv6 pim sm

[RouterA-GigabitEthernet3/0] quit

# On Router B, enable IPv6 multicast routing.

<RouterB> system-view

[RouterB] ipv6 multicast routing

[RouterB-mrib6] quit

# Enable IPv6 PIM-SM on each interface.

[RouterB] interface gigabitethernet 1/0

[RouterB-GigabitEthernet1/0] ipv6 pim sm

[RouterB-GigabitEthernet1/0] quit

[RouterB] interface gigabitethernet 2/0

[RouterB-GigabitEthernet2/0] ipv6 pim sm

[RouterB-GigabitEthernet2/0] quit

# Configure Router C and Router D in the same way Router B is configured. (Details not shown.)

# Configure GigabitEthernet 2/0 on Router A as a C-BSR and a C-RP.

[RouterA] ipv6 pim

[RouterA-pim6] c-bsr 2002::1

[RouterA-pim6] c-rp 2002::1

[RouterA-pim6] quit

4.     Configure the access service on the BRAS:

# Configure a RADIUS scheme.

[RouterA] radius scheme spec

[RouterA-radius-spec] primary authentication ipv6 2004::2 key simple 123456

[RouterA-radius-spec] primary accounting ipv6 2004::2 key simple 123456

[RouterA-radius-spec] user-name-format without-domain

[RouterA-radius-spec] nas-ip ipv6 2004::1

[RouterA-radius-spec] quit

# Configure a portal Web server.

[RouterA] portal web-server spec

[RouterA-portal-websvr-spec] url http://[2005::2]:8080/portal

[RouterA-portal-websvr-spec] url-parameter user-ip source-address

[RouterA-portal-websvr-spec] quit

[RouterA] portal server spec

[RouterA-portal-server-spec] ipv6 2005::2 key simple 123456

[RouterA-portal-websvr-spec] quit

# Create an ISP domain named isp1, and specify the STB service for users in the ISP domain.

[RouterA] domain isp1

[RouterA-isp-isp1] service-type stb

# Configure AAA methods for ISP domain isp1.

[RouterA-isp-isp1] authentication portal radius-scheme spec

[RouterA-isp-isp1] authorization portal radius-scheme spec

[RouterA-isp-isp1] accounting portal radius-scheme spec

[RouterA-isp-isp1] quit

# Create an ISP domain named isp2, and specify the STB service for users in the ISP domain.

[RouterA] domain isp2

[RouterA-isp-isp2] service-type stb

# Configure AAA methods for ISP domain isp2.

[RouterA-isp-isp2] authentication portal radius-scheme spec

[RouterA-isp-isp2] authorization portal radius-scheme spec

[RouterA-isp-isp2] accounting portal radius-scheme spec

[RouterA-isp-isp2] quit

# Configure the portal service on GigabitEthernet 5/0.

[RouterA] interface gigabitethernet 5/0

[RouterA-GigabitEthernet5/0] portal ipv6 enable method direct

[RouterA-GigabitEthernet5/0] portal ipv6 domain isp2

[RouterA-GigabitEthernet5/0] portal ipv6 apply web-server spec

[RouterA-GigabitEthernet5/0] quit

# Configure the portal service on GigabitEthernet 6/0.

[RouterA] interface gigabitethernet 6/0

[RouterA-GigabitEthernet6/0] portal ipv6 enable method direct

[RouterA-GigabitEthernet6/0] portal ipv6 domain isp1

[RouterA-GigabitEthernet6/0] portal ipv6 apply web-server spec

[RouterA-GigabitEthernet6/0] quit

5.     Configure IPv6 multicast access control on the BRAS:

# Enable MLD, IPv6 multicast access control, and per-session IPv6 multicast forwarding on GigabitEthernet 5/0.

[RouterA] interface gigabitethernet 5/0

[RouterA-GigabitEthernet5/0] mld enable

[RouterA-GigabitEthernet5/0] mld authorization-enable

[RouterA-GigabitEthernet5/0] mld join-by-session

[RouterA-GigabitEthernet5/0] quit

# Enable MLD, IPv6 multicast access control, and per-session IPv6 multicast forwarding on GigabitEthernet 6/0.

[RouterA] interface gigabitethernet 6/0

[RouterA-GigabitEthernet6/0] mld enable

[RouterA-GigabitEthernet6/0] mld authorization-enable

[RouterA-GigabitEthernet6/0] mld join-by-session

[RouterA-GigabitEthernet6/0] quit

# Configure an access policy in user profile profile1 to authorize MLD users to join IPv6 multicast groups FF03::101 and FF03::102.

[RouterA] acl ipv6 basic 2000

[RouterA-acl-ipv6-basic-2000] rule permit source ff1e::101 128

[RouterA-acl-ipv6-basic-2000] rule permit source ff1e::102 128

[RouterA-acl-ipv6-basic-2000] quit

[RouterA] user-profile profile1

[RouterA-user-profile-profile1] mld access-policy 2000

[RouterA-user-profile-profile1] quit

# Specify user profile profile1 for users in ISP domain isp1.

[RouterA] domain isp1

[RouterA-isp-isp1] authorization-attribute user-profile profile1

[RouterA-isp-isp1] quit

# Configure an access policy in user profile profile2 to authorize MLD users to join IPv6 multicast groups FF03::102 and FF03::103.

[RouterA] acl ipv6 basic 2001

[RouterA-acl-ipv6-basic-2001] rule permit source ff1e::102 128

[RouterA-acl-ipv6-basic-2001] rule permit source ff1e::103 128

[RouterA-acl-ipv6-basic-2001] quit

[RouterA] user-profile profile2

[RouterA-user-profile-profile2] mld access-policy 2001

[RouterA-user-profile-profile2] quit

# Specify user profile profile2 for users in ISP domain isp2.

[RouterA] domain isp2

[RouterA-isp-isp2] authorization-attribute user-profile profile2

[RouterA-isp-isp2] quit

Verifying the configuration

# Display authorized MLD user information on Router A after Host A and Host C log in.

[RouterA] display mld user-authorization

 Authorized users in total: 2

 

   User name: user1@isp1

   Access type: Portal

   Interface: Multicast-UA1

   Access interface: GigabitEthernet6/0

   Maximum programs for order: 10

   User profile: profile1

   Authorized programs list:

 

   User name: user1@isp2

   Access type: Portal

   Interface: Multicast-UA2

   Access interface: GigabitEthernet5/0

   Maximum programs for order: 10

   User profile: profile2

   Authorized programs list:

Troubleshooting MLD

No member information exists on the receiver-side device

Symptom

When a host sends a message to announce that it is joining IPv6 multicast group G, no member information of multicast group G exists on the immediate device.

Solution

To resolve the problem:

1.     Use the display mld interface command to verify that the networking, interface connections, and IP address configuration are correct.

2.     Use the display current-configuration command to verify that the IPv6 multicast routing is enabled. If it is not enabled, use the ipv6 multicast routing command in system view to enable IPv6 multicast routing. In addition, verify that MLD is enabled on the associated interfaces.

3.     Use the display mld interface command to verify that the MLD version on the interface is lower than that on the host.

4.     Use the display current-configuration interface command to verify that no IPv6 multicast group policies have been configured to filter MLD reports for IPv6 multicast group G.

5.     If the problem persists, contact H3C Support.

Inconsistent membership information on the devices on the same subnet

Symptom

Different memberships are maintained on different MLD devices on the same subnet.

Solution

To resolve the problem:

1.     Use the display current-configuration command to verify the MLD information on the interface. Make sure the devices on the subnet have the same MLD settings on their interfaces.

2.     Use the display mld interface command on all devices on the same subnet to check the MLD timers for inconsistent configurations.

3.     Use the display mld interface command to verify that all devices are running the same MLD version.

4.     If the problem persists, contact H3C Support.