[c-nsp] Cat4500 High CPU with Multicast Stream

Antonio Soares amsoares at netcabo.pt
Wed Jul 13 11:03:05 EDT 2011


It seems I found an explanation:

http://www.ryanhicks.net/blog/2008/12/cisco-4500-intermittant-high-cpu-utilization---part-2.html

"The 4500 is capable of handling much higher volumes of multicast traffic, and it has distributed hardware processing of multicast. It turns out that the 224.0.0.0/24 range is reserved for L2 local multicast, such as routing protocols, All routers, All hosts, etc. Because of this fact, the 4500 was designed to send all multicast traffic destined to any address in this range directly to the CPU whether it was needed/subscribed, or not. I think an inbound 224.0.0.0/24 multicast filter should be considered a basic security requirement for every network in order to prevent inadvertent or intentional DoS against the switched infrastructure regardless of whether multicast is officially in use on the network!"

Now my question: is this limitation specific to the 4500s? Or does it mean that we can bring down any Catalyst network with a good multicast stream?

This is scary... Guys, what methods do you use to control this?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net



-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt] 
Sent: quarta-feira, 13 de Julho de 2011 15:54
To: 'Peter Rathlev'; 'Alexander Clouter'
Cc: 'cisco-nsp at puck.nether.net'
Subject: RE: [c-nsp] Cat4500 High CPU with Multicast Stream

It seems I need some sort of CoPP protection. I found a very nice document:

Infrastructure Protection on Cisco Catalyst 6500 and 4500 Series Switches

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf

I'm now reading the section "CoPP on Catalyst 4500".


Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net



-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk] 
Sent: quarta-feira, 13 de Julho de 2011 14:20
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat4500 High CPU with Multicast Stream

On Wed, 2011-07-13 at 12:59 +0100, Antonio Soares wrote:
> Usually the multicast streams are destined to 224.x.x.x. The end users do
> not respect the 239 rule.

Beware that traffic to 224.0.0.0/24 (Local Network Control Block) is
_always_ process switched and will never be blocked by any switch. As
long as these addresses are used the traffic will be punted.

I could imagine that the LNCB addresses were used exactly because
they're always forwarded. They might have tried using 239-addresses
(Organization-Local Scope) but maybe couldn't get it to work. Typically
Cisco access switches are running IGMP Snooping, and will not forward
multicast traffic without either an IGMP Snooping Querier or a PIM
enabled device on the VLAN (unless it's LNCB). If all traffic is
intra-VLAN you could just add "ip igmp snooping querier" to the relevant
SVI and move the clients to 239.x.y.z addresses.

You could also block traffic to these multicast addresses on the SVIs
with (hardware) ACLs. Beware that OSPF, HSRP et cetera actually use LNCB
addresses, and it's probably not smart to block these.

-- 
Peter
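As an added example (not configuration from any poster in this thread), here is a Catalyst IOS fragment that applies Peter's two suggestions together: an inbound hardware ACL on the SVI that keeps only the Local Network Control Block groups the control plane on that VLAN actually uses and drops the rest of 224.0.0.0/24, plus an IGMP snooping querier so clients can be moved to 239.x.y.z groups. The VLAN number, addressing and the set of permitted protocols (OSPF, HSRP, PIM, IGMP) are assumptions; trim or extend the permit list to match what really runs on the VLAN (RIPv2 224.0.0.9, EIGRP 224.0.0.10, VRRP 224.0.0.18 and so on).

```text
! Added example, not from the thread. VLAN 100 and 10.100.0.0/24 are assumed.
ip access-list extended LNCB-FILTER
 remark --- LNCB groups the control plane needs on this VLAN (assumed set) ---
 remark 224.0.0.1 all hosts: IGMP general queries from the querier
 permit ip any host 224.0.0.1
 remark 224.0.0.2 all routers: HSRPv1 hellos, IGMPv2 leave messages
 permit ip any host 224.0.0.2
 remark 224.0.0.5 / 224.0.0.6: OSPF all-SPF-routers and DR/BDR
 permit ip any host 224.0.0.5
 permit ip any host 224.0.0.6
 remark 224.0.0.13: PIM
 permit ip any host 224.0.0.13
 remark 224.0.0.22: IGMPv3 membership reports
 permit ip any host 224.0.0.22
 remark 224.0.0.102: HSRPv2 / GLBP
 permit ip any host 224.0.0.102
 remark --- everything else in the LNCB is dropped in hardware ---
 remark Do NOT add the "log" keyword here: logged denies are punted to the
 remark CPU for the log message, which recreates the problem being mitigated.
 deny   ip any 224.0.0.0 0.0.0.255
 remark Application groups (239/8 etc.) and unicast are unaffected
 permit ip any any
!
interface Vlan100
 description Example user VLAN (assumed)
 ip address 10.100.0.1 255.255.255.0
 ip access-group LNCB-FILTER in
 ip igmp snooping querier
!
```

The ACL on the SVI covers what the thread discusses; whether bridged intra-VLAN packets to 224.0.0.0/24 are also filtered by a router ACL, or need a VLAN access-map instead, depends on the platform and should be verified with a test stream and `show processes cpu` before relying on it.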
