[c-nsp] ip multicast rate-limit

Arie Vayner (avayner) avayner at cisco.com
Wed Jun 18 11:54:37 EDT 2008


Zenon,

Sorry for the delay, as I was a bit overloaded.

Looking at the following link, I see that SDP/SAP is assigned the range of 224.2.0.0/16:
http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a00802d4643.shtml#wp1005088

So you can use the configuration example below to rate limit it to 100Kbps:

class-map match-all SDP-SAP-MCAST
  match access-group name SDP-SAP-MCAST
!
policy-map GENERIC-INGRESS
  class SDP-SAP-MCAST
   police 100000
!
! Should be applied on any untrusted interface
interface GigaEthernet0/1
 service-policy input GENERIC-INGRESS
!
ip access-list extended SDP-SAP-MCAST
 permit ip any 224.2.0.0 0.0.255.255
!

Actually, in your case I would recommend building a more general policy, filtering any unwanted multicast traffic. You could do it by building a longer ACL with groups which you should not be there.
The link above could be a good reference.

Thanks
Arie

-----Original Message-----
From: Zenon Mousmoulas [mailto:zmousm at admin.grnet.gr] 
Sent: Sunday, June 15, 2008 23:19 PM
To: Arie Vayner (avayner)
Cc: Hank Nussbacher; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ip multicast rate-limit

Last week there was an incident where high-speed video was traffic sent to the well known SAP group, which was noticed across Internet2, GEANT and other academic (multicast-enabled) networks. Many folks expressed interest to rate-limit flows to this group, as a means to protect downstream systems (apart from the standard advisory to disable "ip sap listen" etc. on routers). It so happened that I suggested this command (ip multicast rate-limit), because it (still) works for me (recently tested on a 7300 running 12.4T), but it turns out it has become obsolete, so we've been looking for functionally equivalent alternatives...

Z.

On 15 Ιουν 2008, at 10:54 ΜΜ, Arie Vayner (avayner) wrote:

> Zenon,
>
> Can you please explain specifically what you want to rate limit...
> Maybe a show ip mroute could be helpful...
>
> Arie
>
> -----Original Message-----
> From: Zenon Mousmoulas [mailto:zmousm at admin.grnet.gr]
> Sent: Sunday, June 15, 2008 22:48 PM
> To: Arie Vayner (avayner)
> Cc: Hank Nussbacher; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ip multicast rate-limit
>
> Hi Arie,
>
> I would like to ask you something:
>
> The ip multicast rate-limit command, when used with a group-list and/ 
> or source-list argument, does policing on a per-mroute (S,G or
> *,G) basis. This is according to relevant IOS documentation and this
> document:
>
> ftp://ftpeng.cisco.com/ipmulticast/config-notes/multicast-rate-limit.t
> xt
>
> The above (perhaps outdated) document suggests (in section "Status") 
> to use CAR for per-interface (aggregate) traffic rate-limiting, but to 
> keep using this command for per-mroute applications. Has this changed 
> since 2001?
>
> Could you suggest how to build a policy that would apply at per- 
> mroute (or higher, i.e. per-flow) granularity, instead of being 
> applied on the aggregate matched traffic?
>
> Would this sort of granular policing fall within the scope of the 
> microflow policing feature, which is available on some 7600 and 
> Catalyst 6500 hardware?
>
> Best regards,
> Zenon Mousmoulas
> GRNET
>
> On 14 Ιουν 2008, at 9:52 ΜΜ, Arie Vayner (avayner) wrote:
>
>> I suggest you try using a regular policy map, building a class with 
>> the traffic matched in an ACL, and apply a regular police policy on 
>> that class...
>> Arie
>>
>> -----Original Message-----
>> From: Hank Nussbacher [mailto:hank at efes.iucc.ac.il]
>> Sent: Saturday, June 14, 2008 21:50 PM
>> To: Arie Vayner (avayner)
>> Cc: cisco-nsp at puck.nether.net; Zenon Mousmoulas
>> Subject: RE: [c-nsp] ip multicast rate-limit
>>
>> On Sat, 14 Jun 2008, Arie Vayner (avayner) wrote:
>>
>>> Hank,
>>>
>>> What are you trying to achieve?
>>> Can you please share "show module"?
>>
>> Trying to limit SAP storms.
>>
>> 11    0  4-subslot SPA Interface Processor-400  7600-SIP-400
>> JAE12035DJ5
>> 11/0 1xOC48 POS/RPR SPA          SPA-1XOC48POS/RPR  JAE11441NKV  2.3
>> Ok
>>
>> -Hank
>>
>>>
>>> Thanks
>>> Arie
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net 
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank 
>>> Nussbacher
>>> Sent: Thursday, June 12, 2008 16:02 PM
>>> To: cisco-nsp at puck.nether.net
>>> Cc: Zenon Mousmoulas
>>> Subject: [c-nsp] ip multicast rate-limit
>>>
>>> http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/
>>> imc_03.h
>>> tm
>>> l#wp1016097
>>> In 12.2(18)SXF11:
>>>
>>> petach-tikva-gp(config)#int pos11/0/0 petach-tikva-gp(config-if)#ip 
>>> multicast rate-limit in group-list SAP-mcast-group 1000  "ip 
>>> multicast rate-limit" command is not supported
>>>
>>> So I go to:
>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/
>>> 12.2SXF/
>>> na
>>> tive/release/notes/OL_4164.html
>>> where it says:
>>> "The ip multicast rate-limit command is not supported on LAN ports.
>>> (CSCds22281)"
>>>
>>> So what 12.2SX version supports ip multicast rate-limit on a POS 
>>> interface?
>>>
>>> Thanks,
>>> Hank
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>



More information about the cisco-nsp mailing list