[c-nsp] Stopping MLD responses & protecting CPU from MLD queries

James A. T. Rice james_r-cnsp at jump.org.uk
Wed Jan 25 13:35:19 EST 2017


Hi Folks,

I'm trying to gather information on how to disable MLD reports for various Cisco devices in use at IXPs - where MLD queries and reports are often both prohibited traffic.

There doesn't seem to be a configuration line to disable replying to MLD queries with MLD reports.

I've been testing workarounds based upon filtering the incoming MLD query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco 6500 w. SUP720-3B running 15.1(2)SY).

Using the following ACL:
########
ipv6 access-list v6-denymldquery-in
 deny icmp any host ff02::1 mld-query
 permit ipv6 any any
!
interface <x>
 ipv6 traffic-filter v6-denymldquery-in in
########
works on both the 4500 and 6500, when applied to the SVI/L3 interface.
However, on the 4500 when applied to the SVI/L3 interface this gets processed in the CPU. It's better to use an SVI, and have the ACL applied on the L2 port, or in a VLAN map, in which case the traffic is filtered in hardware.
Conversely, on the 6500, it appears better to not use an SVI, since with a L3 port the SP CPU isn't hit. I've not found a way to filter the traffic such that it doesn't hit the RP CPU.
Configuration lines from after write erase, reload, for each test case, are in the attached file, in case anyone would like to repeat this.

Prevents MLD responses / CPU load at 3 kpps of MLD queries:

                          [a] SVI/L3 ACL       [b] L2 port ACL   [c] VLAN map ACL
[1] 4500 L3 port          yes, 60% CPU         n/a               no
[2] 4500 SVI + L2 access  yes, 60% CPU         yes, 0% CPU       yes, 0% CPU
[3] 4500 SVI + L2 trunk   yes, 60% CPU         yes, 0% CPU       yes, 0% CPU
[4] 6500 L3 port          yes, 20% RP, 0% SP   n/a               n/a
[5] 6500 SVI + L2 access  yes, 20% RP, 40% SP  no                no
[6] 6500 SVI + L3 trunk   yes, 20% RP, 40% SP  no                no


Does anyone have any better configurations for blocking MLD queries (i.e. on the 6500, is there a way to make it process the ACL in HW, thus not affecting the RP or the SP CPU)?

Does anyone have any configurations for the best way of stopping MLD responses on other platforms, and whether it's possible for these to be applied entirely in hardware? I don't have any more platforms to test on, but ASR1K/ASR9K both seem to be popular peering platforms, and 7201 isn't unheard of.

Bizarrely, one way of making the 6500 stop responding to MLD queries seems to be to send 3000 pps of queries towards it for about 100 seconds, around which point it will stop responding to any more until a chassis reload.

Thanks
James Rice
Jump Networks Ltd.
Attachment: 4500-6500-stopmldresponses.txt
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20170125/d5c86ec0/attachment.txt>
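The L2 port ACL and VLAN map variants (cases [b] and [c] in the table) are only in the attachment, so here is an added reconstruction of how those two are typically expressed on a Catalyst 4500 running IOS; it is not the author's attached file, and VLAN 100, the interface name, the ACL/map names and the exact VLAN-map syntax for this release are assumptions.

```ios
! Added example (not the original attachment): the two hardware-switched
! variants for the 4500 from the table above, cases [b] and [c].
! VLAN 100, GigabitEthernet1/1 and the ACL/map names are assumed placeholders.
!
! Shared ACL: drop MLD queries sent to all-nodes, pass everything else.
ipv6 access-list v6-denymldquery-in
 deny icmp any host ff02::1 mld-query
 permit ipv6 any any
!
! [b] Port ACL on the L2 access port facing the peering LAN.
!     The SVI for VLAN 100 carries the routing; the filter sits on the L2 port.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 100
 ipv6 traffic-filter v6-denymldquery-in in
!
! [c] VLAN map: a VLAN map needs a *permit* ACE to select the queries,
!     which the map then drops; the second clause forwards all other traffic.
ipv6 access-list v6-matchmldquery
 permit icmp any host ff02::1 mld-query
!
vlan access-map v6-dropmldquery 10
 match ipv6 address v6-matchmldquery
 action drop
vlan access-map v6-dropmldquery 20
 action forward
!
vlan filter v6-dropmldquery vlan-list 100
!
! Verification: the match counters should increase while the CPU stays idle.
! show ipv6 access-list v6-denymldquery-in
! show vlan access-map v6-dropmldquery
! show vlan filter
! show processes cpu sorted | exclude 0.00
```

Apply either [b] or [c] per VLAN, not both, and confirm with the show commands that queries are counted as dropped while the CPU figure stays flat.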