[c-nsp] Stopping MLD responses & protecting CPU from MLD queries

Enno Rey erey at ernw.de
Thu Jan 26 03:42:26 EST 2017


Hi,

On Wed, Jan 25, 2017 at 06:35:19PM +0000, James A. T. Rice wrote:
> Hi Folks,
> 
> I'm trying to gather information on how to disable MLD reports for various Cisco devices in use at IXPs - where MLD queries and reports are often both prohibited traffic.
> 
> There doesn't seem to be a configuration line to disable replying to MLD queries with MLD reports.

Off the top of my head, "no ipv6 mld join-group" should achieve that (whereas "no ipv6 mld router" disables the querier side of things).
Have you tried that (the former)?

A while ago a bunch of guys (incl. myself) tried to suggest an "RA guard"-like thing called "MLD guard", but the draft never gained much ground. [see https://www.ietf.org/archive/id/draft-vyncke-pim-mld-security-01.txt]
So an ACL like the one you suggested below actually is the best/only way to go when it comes to filtering.

best

Enno



> 
> I've been testing workarounds based upon filtering the incoming MLD query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco 6500 w. SUP720-3B running 15.1(2)SY).
> 
> Using the following ACL:
> ########
> ipv6 access-list v6-denymldquery-in
> deny icmp any host ff02::1 mld-query
> permit ipv6 any any
> interface <x>
> ipv6 traffic-filter v6-denymldquery-in in
> ########
> works on both the 4500 and 6500, when applied to the SVI/L3 interface.
> However, on the 4500 when applied to the SVI/L3 interface this gets processed in CPU. It's better to use an SVI, and have the ACL applied on the L2 port, or in a VLAN map, in which case the traffic is filtered in hardware.
> Conversely, on the 6500, it appears better to not use an SVI, since with a L3 port the SP CPU isn't hit. I've not found a way to filter the traffic such that it doesn't hit the RP CPU.
> Configuration lines from after write erase, reload, for each test case, are in the attached file, in case anyone would like to repeat this.
> 
> prevents MLD responses    [a] SVI/L3 ACL  [b] L2 port ACL  [c] VLAN map ACL
> / cpu at 3kpps
> [1] 4500 L3 port          yes             n/a              no
>                           60%cpu
> [2] 4500 SVI + L2 access  yes             yes              yes
>                           60%cpu          0%cpu            0%cpu
> [3] 4500 SVI + L2 trunk   yes             yes              yes
>                           60%cpu          0%cpu            0%cpu
> [4] 6500 L3 port          yes             n/a              n/a
>                           20%rp 0%sp
> [5] 6500 SVI + L2 access  yes             no               no
>                           20%rp 40%sp
> [6] 6500 SVI + L3 trunk   yes             no               no
>                           20%rp 40%sp
> 
> 
> Does anyone have any better configurations for blocking MLD queries (i.e. on the 6500 is there a way to make it process the ACL in HW, thus not affect RP or the SP CPU)?
> 
> Does anyone have any configurations for the best way of stopping MLD responses on other platforms, and whether it's possible for these to be applied entirely in hardware? I don't have any more platforms to test on, but ASR1K/ASR9K both seem to be popular peering platforms, and 7201 isn't unheard of.
> 
> Bizarrely, one way of making the 6500 stop responding to MLD queries seems to be to send 3000 pps of queries towards it for about 100 seconds, around which point it will stop responding to any more until a chassis reload.
> 
> Thanks
> James Rice
> Jump Networks Ltd.

> [1] 4500 with L3 port
> ipv6 unicast-routing
> int g1/48
>  no switchport
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no cdp enable
> [1.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [1.c]
> do show vlan internal usage
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1006
> 
> [2] 4500 with SVI + access port
> ipv6 unicast-routing
> vlan 1201
> interface g1/48
>  switchport access vlan 1201
>  switchport mode access
>  switchport nonegotiate
>  no cdp enable
>  spanning-tree portfast
>  spanning-tree bpdufilter enable
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [2.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [2.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [2.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> 
> 
> [3] 4500 with SVI + trunk port
> ipv6 unicast-routing
> vlan 1201
> interface g1/48
>  switchport trunk allowed vlan 1201
>  switchport mode trunk
>  switchport nonegotiate
>  no cdp enable
>  no vtp
>  spanning-tree portfast trunk
>  spanning-tree bpdufilter enable
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [3.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [3.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [3.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> 
> 
> 
> [4] 6500 with L3 port
> ipv6 unicast-routing
> int g1/2
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  media-type rj45
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no cdp enable
>  no shutdown
> [4.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/2
>  ipv6 traffic-filter v6-denymldquery-in in
> 
> 
> 
> [5] 6500 with SVI + access port
> ipv6 unicast-routing
> vlan 1201
> int g1/2
>  switchport
>  switchport access vlan 1201
>  switchport mode access
>  switchport nonegotiate
>  media-type rj45
>  no cdp enable
>  spanning-tree portfast edge
>  spanning-tree bpdufilter enable
>  no shutdown
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [5.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [5.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/2
>  ipv6 traffic-filter v6-denymldquery-in in
> [5.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> 
> 
> 
> 
> [6] 6500 with SVI + trunk port
> ipv6 unicast-routing
> vlan 1201
> int g1/2
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 1201
>  switchport mode trunk
>  switchport nonegotiate
>  media-type rj45
>  no cdp enable
>  no vtp
>  spanning-tree portfast edge trunk
>  spanning-tree bpdufilter enable
>  no shutdown
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [6.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [6.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/2
>  access-group mode prefer port
>  ipv6 traffic-filter v6-denymldquery-in in
> [6.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> [6.d]
> mls qos
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> class-map class-mld-query
>  match access-group name match-mld-query
> policy-map test-copp
>  class class-mld-query
>   police 32000 2000    conform-action drop exceed-action drop 
> control-plane
>  service-policy input test-copp
> 



-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
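The ACL used throughout the tests above, "deny icmp any host ff02::1 mld-query", matches ICMPv6 type 130 sent to the all-nodes address. As an added example (not code from the thread or from Cisco), here is an offline Python model of that match over raw IPv6 bytes; it walks the Hop-by-Hop Router Alert header that real MLD queries carry, and its constructed sample packets show the caveat that a group-specific query addressed to the group itself rather than ff02::1 is not covered by that entry.

```python
"""Offline model of the posted ACL entry 'deny icmp any host ff02::1 mld-query'.

Added example, not from the original thread. It walks the Hop-by-Hop
extension header (Router Alert) that real MLD queries carry, so the ICMPv6
type is found even though the fixed header's next-header field is 0, not 58.
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, DEST_OPTS, ICMPV6 = 0, 43, 60, 58
MLD_QUERY = 130          # ICMPv6 type shared by MLDv1 and MLDv2 Query
ALL_NODES = ipaddress.IPv6Address("ff02::1")

def icmpv6_type(pkt: bytes):
    """Return (dst, icmpv6_type); icmpv6_type is None if the packet is not ICMPv6."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    dst = ipaddress.IPv6Address(pkt[24:40])
    # Skip extension headers that share the (next-header, ext-len) layout.
    while nxt in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        if off + 2 > len(pkt):
            return dst, None
        nxt, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    if nxt != ICMPV6 or off >= len(pkt):
        return dst, None
    return dst, pkt[off]

def acl_denies_mld_query(pkt: bytes) -> bool:
    """True when 'deny icmp any host ff02::1 mld-query' matches this packet.
    Caveat: a group-specific query sent to the group address (not ff02::1)
    is NOT matched by that entry."""
    dst, t = icmpv6_type(pkt)
    return dst == ALL_NODES and t == MLD_QUERY

def build_pkt(icmp_type: int, dst: str, router_alert: bool = True) -> bytes:
    """Construct a minimal IPv6+ICMPv6 packet (sample data, checksum left at 0)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 20  # MLDv1-sized body
    hbh = b""
    if router_alert:
        # HBH: next=58, ext-len=0 (8 bytes), Router Alert option (5,2,0=MLD), PadN(1,0)
        hbh = struct.pack("!BBBBHBB", ICMPV6, 0, 5, 2, 0, 1, 0)
    payload = hbh + icmp
    nxt = HOP_BY_HOP if router_alert else ICMPV6
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 1)
    hdr += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address(dst).packed
    return hdr + payload
```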

