[c-nsp] Stopping MLD responses & protecting CPU from MLD queries
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 26 06:54:31 EST 2017
On 26/01/17 08:18, Lukas Tribus wrote:
>> I've been testing workarounds based upon filtering the incoming MLD
>> query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco
>> 6500 w. SUP720-3B running 15.1(2)SY).
>
> Control Plane Policing is probably the way to address this (in case MLD
> cannot be properly disabled, I mean).
Worth noting that CoPP on sup720 is done in software for multicast and
broadcast. I assume it'll come before MLD processing so would stop the
queries arriving and thus replies being sent, but worth testing.
Although this is not the use-case OP has, we have tried and failed to
protect a sup720 from an MLD storm with CoPP. The puny CPU and software
CoPP just didn't help.
More information about the cisco-nsp
mailing list