[c-nsp] SUP720 - 12.2(18)SXF17

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 5 05:43:03 EDT 2009


Alan Buxey wrote:
> Hi,
>> Not to fault Cisco, or anyone else for that matter but shouldn't switches that cost a quarter of a million dollars be able to protect themselves from these sorts of things just as a default?
> 
> turn off multicast for that VLAN - if its TTL=1 then it didn't really want to multicast
> anyway - that's a broadcast  :-)
> 
> alan

Alternatively, we do this:

interface Vlan55
  vrf forwarding xxx
  ip verify unicast source reachable-via rx
  no ip proxy-arp
  ip flow ingress
  ip pim sparse-mode
  ip multicast boundary MULTICAST-in
  ip igmp access-group MULTICAST-in


ip access-list standard MULTICAST-in
  deny   224.0.1.60
  deny   224.77.0.0 0.0.255.255
  deny   226.77.0.0 0.0.255.255
  permit 239.192.0.0 0.3.255.255
  deny   239.0.0.0 0.255.255.255
  permit 224.0.0.0 15.255.255.255

mls rate-limit all ttl-failure 100 10
mls rate-limit all mtu-failure 100 10

There's no reason not to have the TTL failure rate limit enabled AFAIK. 
Choose a value appropriate to you, obviously.
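To see what the MULTICAST-in boundary above actually admits, here is an added Python check (not from the original post, and not Cisco code) that applies IOS first-match wildcard-mask semantics to a transcription of that ACL, against a few constructed group addresses; the sample addresses and the helper names are assumptions for illustration.

```python
import ipaddress

# Transcription of the MULTICAST-in standard ACL from the post, in the order
# IOS evaluates it (first match wins; anything unmatched hits the implicit deny).
# A host entry with no wildcard is written here as wildcard 0.0.0.0.
MULTICAST_IN = [
    ("deny",   "224.0.1.60",  "0.0.0.0"),
    ("deny",   "224.77.0.0",  "0.0.255.255"),
    ("deny",   "226.77.0.0",  "0.0.255.255"),
    ("permit", "239.192.0.0", "0.3.255.255"),
    ("deny",   "239.0.0.0",   "0.255.255.255"),
    ("permit", "224.0.0.0",   "15.255.255.255"),
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(addr, entry_addr, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(entry_addr) & care)


def evaluate(acl, group):
    """Return (action, entry_index) for the first matching line, or
    ('deny', None) when the implicit deny at the end of the ACL applies."""
    for index, (action, entry_addr, wildcard) in enumerate(acl):
        if matches(group, entry_addr, wildcard):
            return action, index
    return "deny", None


def verdicts(acl, groups):
    """Map each candidate group to the boundary's verdict (constructed sample input)."""
    return {g: evaluate(acl, g) for g in groups}


if __name__ == "__main__":
    # Constructed sample groups: org-local scope, SSDP, the explicitly denied
    # host, the denied /16 blocks, an SSM group, and a non-multicast address.
    samples = ["239.192.1.1", "239.255.255.250", "224.0.1.60",
               "224.77.5.5", "226.77.1.2", "232.1.1.1", "10.1.1.1"]
    for group, (action, index) in verdicts(MULTICAST_IN, samples).items():
        where = "implicit deny" if index is None else f"line {index + 1}"
        print(f"{group:16} {action:6} ({where})")
```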
