Downloads |
Table Of Contents
Prerequisites for IGMP State Limit
Information About IGMP State Limit
Feature Design of IGMP State Limit
How to Configure IGMP State Limit
Configuring IGMP State Limit on an Interface
Configuring IGMP State Limit Globally
Configuration Examples for IGMP State Limit
Configuring IGMP State Limit on an Interface Example
Configuring IGMP State Limit Globally Example
IGMP State Limit
The IGMP State Limit feature provides protection against denial of service (DoS) attacks caused by Internet Group Management Protocol (IGMP) packets. The new command-line interface (CLI) introduced by this feature allows you to configure a limit on the number of IGMP states that results from IGMP, IGMP Version 3 lite (IGMP v3lite), and URL Rendezvous Directory (URD) membership reports on a per-interface or global basis. Membership reports in excess of the configured limits will not be entered in the IGMP cache, and traffic for those excess membership reports will not be forwarded.
Feature Specifications for the IGMP State Limit Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for IGMP State Limit
•
•
•
•
Prerequisites for IGMP State Limit
Before this feature can be enabled, multicast routing must be enabled on the router, Protocol Independent Multicast (PIM) must be enabled on the router's interfaces, and the router must be configured to be part of a multicast group.
Information About IGMP State Limit
To configure the IGMP State Limit feature, you need to understand the following concepts:
•
Benefits of IGMP State Limit
The IGMP State Limit feature limits the vulnerability of a router to DoS attacks with IGMP packets. A high rate of IGMP messages sent to a router can pose a DoS attack scenario because the router processes IGMP, IGMP v3lite, and URD messages at the process level.
The IGMP State Limit feature enables you to limit the number of multicast streams sent to a router to a level that is sustainable by the router. You can limit the number of multicast streams per interface, per subinterface, or globally.
Feature Design of IGMP State Limit
The IGMP State Limit feature limits the number of IGMP states that can be joined to a router on a per-interface, per-subinterface, or global level. Use the ip igmp limit command to configure a limit on the number of IGMP states that can be joined to a router from IGMP, IGMP v3lite, and URD membership reports. Membership reports exceeding the configured limits are not entered into the IGMP cache and traffic for the excess membership reports is not forwarded.
Per-interface and global IGMP limits operate independently of each other. Both per-interface and global IGMP limits can be configured on the same router. A membership report that exceeds either the per-interface or the global state limit is ignored.
Use the except access-list keyword and attribute to exclude certain groups or channels from being counted against the IGMP limit so that they can be joined to an interface without counting against the interface limit.
IGMP State Limit and SSM
The IGMP State Limit feature is available with Source Specific Multicast (SSM).
When the IGMP State Limit feature is used with routers configured for SSM, counting rules apply to both the per-interface and global counting. These counters are kept separate and may be associated with different access control lists.
If the IGMP State Limit feature is configured without the access-list attribute of the ip igmp limit command, for either a system counter or an interface counter, the default access list is used to match all states.
An IGMP group state for (G) needs to be counted (either per interface or globally) if (0.0.0.0, G) is permitted by the default or configured by the access-list attribute. The IGMP group state for (G) is not counted if it is denied by the access list.
When the IGMP State Limit feature is configured, an IGMP state is accounted for only if it is associated with IGMP, IGMP v3lite, or URD. The IGMP State Limit feature does not enforce a limit on IGMP state messages created through explicit configuration in the router. Any state that is both requested by a host via IGMPv3Lite or URD, but that is also explicitly configured, is accounted.
An IGMP group state for (G) that is in INCLUDE mode is accounted for only if there is no source record associated with it and if (G) is permitted by the default or configured access control list.
How to Configure IGMP State Limit
This section contains the following procedures:
•
Configuring IGMP State Limit on an Interface
Perform this task to configure IGMP state limiting to limit the number of IGMP membership reports sent to an interface or subinterface of a router to a level sustainable by the router.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
What to Do Next
If you want to configure IGMP state limiting globally, proceed to the "Configuring IGMP State Limit Globally" section. Otherwise, proceed to the "Verifying IGMP State Limit" section.
Configuring IGMP State Limit Globally
Perform this task to configure IGMP state limiting to limit the number of IGMP membership reports sent to a router to a level sustainable by the router.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
What to Do Next
Proceed to the "Verifying IGMP State Limit" section.
Verifying IGMP State Limit
Perform this task to verify the configured global or per-interface IGMP state limits.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
This section provides an output example of the show ip igmp interface command, which displays the global configured and reached IGMP state limits:
Router# show ip igmp interfaceGlobal IGMP state limit: 300 active out of 500 maxEthernet0 is up, line protocol is upInternet address is 192.168.37.6, subnet mask is 255.255.255.0IGMP is enabled on interfaceIGMP query interval is 60 secondsInterface IGMP state limit: 1 active out of 1 maxInbound IGMP access group is not setMulticast routing is enabled on interfaceMulticast TTL threshold is 0Multicast designated router (DR) is 192.168.37.33No multicast groups joinedEthernet1 is up, line protocol is upInternet address is 192.168.36.129, subnet mask is 255.255.255.0IGMP is enabled on interfaceIGMP query interval is 60 secondsInbound IGMP access group is not setMulticast routing is enabled on interfaceMulticast TTL threshold is 0Multicast designated router (DR) is 192.168.36.131Multicast groups joined: 225.2.2.2 226.2.2.2Tunnel0 is up, line protocol is upInternet address is 10.1.37.2, subnet mask is 255.255.0.0IGMP is enabled on interfaceIGMP query interval is 60 secondsInbound IGMP access group is not setMulticast routing is enabled on interfaceMulticast TTL threshold is 0No multicast groups joinedConfiguration Examples for IGMP State Limit
This section provides the following configuration examples:
•
•
Configuring IGMP State Limit on an Interface Example
The following example shows how to limit the number of IGMP membership reports on Ethernet interface 0:
interface ethernet 0ip igmp limit 100The following example shows how to limit the number of IGMP membership reports on Ethernet interface 0. In this example, any IGMP membership reports from access list 0.0.0.1 do not count toward the configured state limit:
interface ethernet 0ip igmp limit 100 except 0.0.0.1Configuring IGMP State Limit Globally Example
The following example shows how to limit the number of IGMP membership reports globally on a router. In this example, a global limit of 30 is configured and all IGMP states resulting from IGMP, IGMP v3lite, and URD membership reports are limited.
ip igmp limit 30Where to Go Next
Cisco IOS software provides other features that can enhance the traffic control of IP multicast traffic, including Committed Access Rate (CAR), priority queueing, IP multicast rate limiting, IGMP access groups, and RP level access control. Refer to the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2 and the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2 for more information about these features.
Additional References
For additional information related to the IGMP State Limit feature, see the following sections:
•
•
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
No new or modified MIBs are supported by this feature and support existing MIBs has not been modified by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
No new or modified RFCs are supported by this feature and support existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.
ip igmp limit (global)
To globally limit the number of Internet Group Management Protocol (IGMP) states resulting from IGMP, IGMP Version 3 lite (IGMP v3lite), and URL Rendezvous Directory (URD) membership states, use the ip igmp limit command in global configuration mode. To disable a configured IGMP state limit, use the no form of this command.
ip igmp limit number
no ip igmp limit number
Syntax Description
Defaults
This command is not configured by default. There is no default number of IGMP limits configured. You must configure the number of maximum IGMP states allowed globally on a router when you configure this command.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to configure a limit on the number of IGMP states resulting from IGMP, IGMP v3lite, and URD membership reports on a global basis. Membership reports exceeding the configured limits are not entered in the IGMP cache and traffic for the excess membership reports is not forwarded.
Use the ip igmp limit (interface) command to configure the per-interface IGMP state limit.
Per-interface and per-system limits operate independently of each other and can enforce different configured limits. A membership state will be ignored if it exceeds either the per-interface limit or global limit.
Examples
The following example shows how to limit the number of IGMP states on a router to 300:
ip igmp limit 300Related Commands
ip igmp limit (interface)
To limit the number of Internet Group Management Protocol (IGMP) states resulting from IGMP, IGMP Version 3 lite (IGMP v3lite), and URL Rendezvous Directory (URD) membership states on a per-interface basis, use the ip igmp limit command in interface configuration mode. To disable a configured IGMP state limit, use the no form of this command.
ip igmp limit number [except access-list]
no ip igmp limit number [except access-list]
Syntax Description
Defaults
This command is not configured by default. There is no default number of IGMP limits configured. You must configure the number of maximum IGMP states allowed per interface on a router when you configure this command.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to configure a limit on the number of IGMP states resulting from IGMP, IGMP v3lite, and URD membership reports on a per-interface basis. Membership reports exceeding the configured limits are not entered in the IGMP cache and traffic for the excess membership reports is not forwarded.
Use the ip igmp limit (global) command to configure the global IGMP state limit.
Per-interface and per-system limits operate independently of each other and can enforce different configured limits. A membership state will be ignored if it exceeds either the per-interface limit or global limit.
If you do not configure the except access-list keyword and attribute, all IGMP states resulting from IGMP, IGMP v3lite, or URD are counted toward the configured cache limit on an interface. Use the except access-list keyword and attribute to exclude particular groups or channels from counting toward the IGMP cache limit. An IGMP membership report is counted against the per-interface limit if it is permitted by the extended access list specified by the except access-list keyword and attribute.
Examples
The following example shows how to limit the number of IGMP membership reports on Ethernet interface 0:
interface ethernet 0ip igmp limit 100The following example shows how to limit the number of IGMP membership reports on Ethernet interface 0. In this example, any IGMP membership reports from access list 0.0.0.1 do not count toward the configured state limit:
interface ethernet 0ip igmp limit 100 except 0.0.0.1Related Commands
show ip igmp interface
To display multicast-related information about an interface, use the show ip igmp interface command in EXEC mode.
show ip igmp [vrf vrf-name] interface [type number]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
If you omit the optional arguments, the show ip igmp interface command displays information about all interfaces.
This command also displays information about dynamically learned Distance Vector Multicast Routing Protocol (DVMRP) routers on the interface.
Examples
The following is sample output from the show ip igmp interface command:
Router# show ip igmp interfaceGlobal IGMP State Limit :0 active out of 100 maxEthernet0/0 is up, line protocol is upInternet address is 192.168.0.0IGMP is enabled on interfaceCurrent IGMP host version is 2Current IGMP router version is 2IGMP query interval is 60 secondsIGMP querier timeout is 120 secondsIGMP max query response time is 10 secondsLast member query count is 2Last member query response interval is 1000 msInbound IGMP access group is not setIGMP activity:1 joins, 0 leavesInterface IGMP State Limit :0 active out of 10 max <<<<<<<<<<<<Ethernet1 is up, line protocol is upInternet address is 192.168.36.129, subnet mask is 255.255.255.0IGMP is enabled on interfaceIGMP query interval is 60 secondsInbound IGMP access group is not setMulticast routing is enabled on interfaceMulticast TTL threshold is 0Multicast designated router (DR) is 192.168.36.131Multicast groups joined: 225.2.2.2 226.2.2.2Tunnel0 is up, line protocol is upInternet address is 10.1.37.2, subnet mask is 255.255.0.0IGMP is enabled on interfaceIGMP query interval is 60 secondsInbound IGMP access group is not setMulticast routing is enabled on interfaceMulticast TTL threshold is 0No multicast groups joinedTable 1 describes the significant fields shown in the display.
Related Commands
Glossary
IGMP—Internet Group Management Protocol. Used by IP hosts to report their multicast group memberships to an adjacent multicast router.
IGMPv3—IGMP Version 3. Adds support in Cisco IOS software for "source filtering," which enables a multicast receiver host to signal to a router which groups it wants to receive multicast traffic from, and from which sources this traffic is expected.
IGMP v3lite—A solution for application developers that allows immediate development of SSM receiver applications switching to IGMPv3 as soon as it becomes available.
SSM—Source Specific Multicast. An extension of IP multicast where datagram traffic is forwarded to receivers from only those multicast sources to which the receivers have explicitly joined.
URD—URL Rendezvous Directory. A solution for content providers and content aggregators that enables them to deploy receiver applications that are not yet SSM enabled (through support for IGMPv3).
Note
