[c-nsp] SUP720 - 12.2(18)SXF17
Phil Mayers
p.mayers at imperial.ac.uk
Mon Oct 5 05:43:03 EDT 2009
Alan Buxey wrote:
> Hi,
>> Not to fault Cisco, or anyone else for that matter but shouldn't switches that cost a quarter of a million dollars be able to protect themselves from these sorts of things just as a default?
>
> turn off multicast for that VLAN - if its TTL=1 then it didn't really want to multicast
> anyway - that's a broadcast :-)
>
> alan
Alternatively, we do this:
interface Vlan55
 vrf forwarding xxx
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 ip flow ingress
 ip pim sparse-mode
 ip multicast boundary MULTICAST-in
 ip igmp access-group MULTICAST-in

ip access-list standard MULTICAST-in
 deny 224.0.1.60
 deny 224.77.0.0 0.0.255.255
 deny 226.77.0.0 0.0.255.255
 permit 239.192.0.0 0.3.255.255
 deny 239.0.0.0 0.255.255.255
 permit 224.0.0.0 15.255.255.255

mls rate-limit all ttl-failure 100 10
mls rate-limit all mtu-failure 100 10
There's no reason not to have the TTL failure rate limit enabled AFAIK.
Choose a value appropriate to you, obviously.
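Since the same standard ACL serves as both the multicast boundary and the IGMP join filter, it pays to check which groups it actually lets through before deploying it. The following Python is an added example (mine, not from Phil's post or from Cisco): it reproduces IOS standard-ACL semantics (top-down, first match, wildcard masks, implicit deny) over the MULTICAST-in list above and flags entries that an earlier entry shadows; the group addresses queried are constructed test values.

```python
import ipaddress

# Standard ACL MULTICAST-in exactly as posted: (action, network, IOS wildcard mask).
# IOS evaluates entries top-down, first match wins, implicit deny at the end.
MULTICAST_IN = [
    ("deny",   "224.0.1.60",  "0.0.0.0"),
    ("deny",   "224.77.0.0",  "0.0.255.255"),
    ("deny",   "226.77.0.0",  "0.0.255.255"),
    ("permit", "239.192.0.0", "0.3.255.255"),
    ("deny",   "239.0.0.0",   "0.255.255.255"),
    ("permit", "224.0.0.0",   "15.255.255.255"),
]

def _care_bits(wildcard):
    # Wildcard semantics: a 1 bit means "don't care", so the care mask is its inverse.
    return (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF

def acl_decision(addr, acl=MULTICAST_IN):
    """Return (action, index) of the first matching entry, or ('deny', None)
    for the implicit deny at the end of the list."""
    a = int(ipaddress.IPv4Address(addr))
    for i, (action, network, wildcard) in enumerate(acl):
        care = _care_bits(wildcard)
        if (a & care) == (int(ipaddress.IPv4Address(network)) & care):
            return action, i
    return "deny", None

def find_shadowed(acl):
    """Indexes of entries that can never match because an earlier entry
    covers every address they cover (a common mistake when reordering)."""
    shadowed = []
    for j, (_, net_j, wc_j) in enumerate(acl):
        for i in range(j):
            _, net_i, wc_i = acl[i]
            care_i = _care_bits(wc_i)
            wider = (care_i & _care_bits(wc_j)) == care_i
            same_prefix = (int(ipaddress.IPv4Address(net_j)) & care_i) == \
                          (int(ipaddress.IPv4Address(net_i)) & care_i)
            if wider and same_prefix:
                shadowed.append(j)
                break
    return shadowed

if __name__ == "__main__":
    # Constructed sample groups: site-local 239.192/14, other 239/8, SSDP, and a deny range.
    for g in ("239.192.1.1", "239.196.0.1", "224.0.1.60", "224.77.3.4", "225.1.1.1"):
        print(g, acl_decision(g))
    print("shadowed entries:", find_shadowed(MULTICAST_IN))
```

Swapping the 239.192.0.0 permit below the 239.0.0.0 deny makes find_shadowed report it, which is exactly the ordering error that silently breaks site-local groups.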