- Read Me First
- Optimizing PIM Sparse Mode in a Large IP Multicast Deployment
- Multicast Subsecond Convergence
- IP Multicast Load Splitting across Equal-Cost Paths
- Configuring Multicast Admission Control
- Per Interface Mroute State Limit
- SSM Channel Based Filtering for Multicast Boundaries
- IPv6 Multicast: Bandwidth-Based Call Admission Control
- PIM Dense Mode State Refresh
- Finding Feature Information
- Prerequisites for Configuring Multicast Admission Control
- Information About Configuring Multicast Admission Control
- Configuring Global and Per MVRF Mroute State Limiters
- Configuring MSDP SA Limiters
- Configuring IGMP State Limiters
- Configuring Per Interface Mroute State Limiters
- Configuring Bandwidth-Based Multicast CAC Policies
- Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies
Configuring Multicast Admission Control
This module describes how to implement multicast admission control in an IP multicast network. Multicast admission control features are configured on multicast-enabled routers to prevent control plane overload, ensure proper resource allocation, and provide multicast Call Admission Control (CAC) capabilities.
- Finding Feature Information
- Prerequisites for Configuring Multicast Admission Control
- Information About Configuring Multicast Admission Control
- How to Configure Multicast Admission Control
- Configuration Examples for Configuring Multicast Admission Control
- Additional References
- Feature Information for Configuring Multicast Admission Control
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring Multicast Admission Control
IP multicast is enabled and the Protocol Independent Multicast (PIM) interfaces are configured using the tasks described in the “Configuring Basic IP Multicast” module.
Information About Configuring Multicast Admission Control
- Multicast Admission Control
- Multicast Admission Control Features
- Global and Per MVRF Mroute State Limit
- MSDP SA Limit
- IGMP State Limit
- Per Interface Mroute State Limit
- Bandwidth-Based CAC for IP Multicast
Multicast Admission Control
As the popularity of network video applications grows among consumers, admission control functions--which govern transmission and reception of multicast traffic based on available network resources--are vital. Without admission control, some users may receive degraded multicast streams, rendering programs unwatchable, and others may receive a “Network Busy” message or nothing at all as network resources are overtaxed. Network admission control is important in maintaining a high quality of experience for digital video consumers.
The goals of multicast admission control features, therefore, are as follows:
Protect the router from control plane overload to ensure that memory and CPU resources on multicast-enabled routers are not overrun by multicast route (mroute) states or denial-of-service (DoS) attacks from multicast packets.
Enable proper resource allocation (on a global, per MVRF, or per interface basis) to ensure that multicast services are delivered to subscribers per their IP Service Level Agreements (SLAs) and to minimize the effects of DoS attacks on subscribers.
Provide multicast CAC capabilities to prevent bandwidth resources (interfaces, subnetworks) from being congested and to enable service providers to offer more flexible and refined content and subscriber-based policies.
Multicast Admission Control Features
The Cisco IOS software supports the following multicast admission control features:
The ip multicast route-limit command allows for the configuration of global and per MVRF state limiters, which impose limits on the number of multicast routes (mroutes) that can be added to the global table or to a particular Multicast Virtual Routing and Forwarding (MVRF) table.
This feature allows for the configuration of IGMP state limiters, which impose limits on mroute states resulting from Internet Group Management Protocol (IGMP) membership reports (IGMP joins).
This feature allows for the configuration of per interface mroute state limiters, which impose mroute state limits for different access control list (ACL)-classified sets of multicast traffic on an interface.
This feature allows for the configuration of bandwidth-based multicast CAC policies, which allow for bandwidth-based CAC on a per interface basis.
These admission control features may be invoked by service providers and enterprise network administrators based on different criteria, including the service package an end user has purchased or the privileges an enterprise user is entitled to.
Global and Per MVRF Mroute State Limit
The ip multicast route-limit command allows for the configuration of global and per MVRF mroute state limiters, which impose limits on the number of mroutes that can be added to the global table or to a particular MVRF table, respectively.
Global mroute state limiters are used to limit the number of mroutes that can be added to the global table on a router. Configuring a global mroute state limiter can protect a router in the event of a multicast DoS attack (by preventing mroutes from overrunning the router).
Per VRF mroute state limiters are used to limit the number of mroutes that can be added to an MVRF table on a Multicast VPN (MVPN) provider edge (PE) router. Configuring per MVRF mroute state limits can be used to ensure the fair sharing of mroutes between different MVRFs on an MVPN PE router.
- Global and Per MVRF Mroute State Limit Feature Design
- Mechanics of Global and Per MVRF Mroute State Limiters
Global and Per MVRF Mroute State Limit Feature Design
Global and per MVRF mroute state limiters are configured using the ip multicast route-limit command in global configuration mode. The syntax of the ip multicast route-limit command is as follows:
ip multicast [vrf vrf-name] route-limit limit [threshold]
Issuing the ip multicast route-limitcommand without the optional vrf keyword and vrf-name arguments configures a global mroute state limiter. The optional vrf keyword and vrf-name arguments are used with the ip multicast limit command to configure per MVRF mroute state limiters.
Note | When configuring global and per VRF mroute state limiters, you can only configure one limit for the global table and one limit per MVRF table. |
The value specified for the required limit argument defines the maximum number of mroutes that can be added to either the global table or a particular MVRF table, respectively.
Note | Global and per MVRF mroute state limiters operate independently and can be used alone or together, depending upon the admission control requirements of your network. |
In addition, for both global and per MVRF mroute state limiters, the optional threshold argument is available to set mroute threshold limits.
Mechanics of Global and Per MVRF Mroute State Limiters
The mechanics of global and per MVRF mroute state limiters are as follows:
Each time the state for an mroute is created on a router, the Cisco IOS software checks to see if the limit for the global mroute state limiter (if the mroute is associated with the global table) or the limit for the per MVRF mroute state limiter (if the mroute is associated with the MVRF table) has been reached.
States for mroutes that exceed the configured limit for the global or the per MVRF mroute state limiter are not created on the router, and a warning message in the following format is generated:
% MROUTE-4-ROUTELIMIT : <current mroute count> exceeded multicast route-limit of <mroute limit value>
When an mroute threshold limit is also configured for the global or the per MVRF mroute state limiter, each time the state for an mroute is created on a router, the Cisco IOS software also checks to see if the mroute threshold limit has been reached. If the mroute threshold limit is exceeded, a warning message in the following format is generated:
% MROUTE-4-ROUTELIMITWARNING : multicast route-limit warning <current mroute count> threshold <mroute threshold value>
Warning messages continue to be generated until the number of mroutes exceeds the configured limit or until the number of mroute states falls below the configured mroute threshold limit.
MSDP SA Limit
The ip msdp sa-limit command allows for the configuration of MSDP SA limiters, which impose limits on the number of MSDP Source Active (SA) messages that an MSDP-enabled router can accept (can be cached) from an MSDP peer. This command provides a means to protect an MSDP-enabled router from denial of service (DoS) attacks.
MSDP SA Limit Feature Design
MSDP SA limiters are configured using the ip msdp sa-limit command in global configuration mode. The syntax of the ip msdp sa-limit command is as follows:
ip msdp [vrf vrf-name] sa-limit {peer-address | peer-name} sa-limit
For the required peer-address argument or peer-name argument, specify either the MSDP peer address or MSDP peer name of the peer to be limited.
For the required sa-limit argument, specify the maximum number of SA messages that can be accepted (cached) from the specified peer. The range is from 1 to 2147483646.
Note | In an MVPN environment, the optional vrf keyword and vrf-name argument are used to specify the MVRF associated with the MSDP peer. When an MVRF is specified, the MSDP SA limiter is applied to the specified MSDP peer associated with the specified MVRF. |
Mechanics of MSDP SA Limiters
When MSDP SA limiters are configured, the router maintains a per-peer count of SA messages stored in the SA cache.
SA messages that exceed the limit configured for an MSDP peer are ignored.
If the router receives SA messages in excess of the configured limit from an MSDP peer, a warning in the following format is generated (once a minute) until the cache is cleared:
%MSDP-4-SA_LIMIT: SA from peer <peer address or name>, RP <RP address> for <mroute> exceeded sa-limit of <configured SA limit for MSDP peer>
Tips for Configuring MSDP SA Limiters
We recommended that you configure MSDP SA limiters for all MSDP peerings on the router.
An appropriately low MSDP SA limit should be configured on peerings with a stub MSDP region (an MSDP peer that may have some further downstream peers but does not act as a transit for SA messages across the rest of the Internet).
An appropriately high SA limit should be configured for all MSDP peerings that act as transits for MSDP SA messages across the Internet.
IGMP State Limit
The IGMP State Limit feature allows for the configuration of IGMP state limiters, which impose limits on mroute states resulting from IGMP membership reports (IGMP joins) on a global or per interface basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. This feature can be used to prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.
Note | IGMP state limiters impose limits on the number of mroute states resulting from IGMP, IGMP v3lite, and URL Rendezvous Directory (URD) membership reports on a global or per interface basis. |
IGMP State Limit Feature Design
Configuring IGMP state limiters in global configuration mode specifies a global limit on the number of IGMP membership reports that can be cached.
Configuring IGMP state limiters in interface configuration mode specifies a limit on the number of IGMP membership reports on a per interface basis.
Use ACLs to prevent groups or channels from being counted against the interface limit. A standard or an extended ACL can be specified. A standard ACL can be used to define the (*, G) state to be excluded from the limit on an interface. An extended ACLs can be used to define the (S, G) state to be excluded from the limit on an interface. An extended ACL also can be used to define the (*, G) state to be excluded from the limit on an interface, by specifying 0.0.0.0 for the source address and source wildcard--referred to as (0, G)--in the permit or deny statements that compose the extended access list.
You can only configure one global limit per device and one limit per interface.
Mechanics of IGMP State Limiters
The mechanics of IGMP state limiters are as follows:
Each time a router receives an IGMP membership report for a particular group or channel, the Cisco IOS software checks to see if either the limit for the global IGMP state limiter or the limit for the per interface IGMP state limiter has been reached.
If only a global IGMP state limiter has been configured and the limit has not been reached, IGMP membership reports are honored. When the configured limit has been reached, subsequent IGMP membership reports are then ignored (dropped) and a warning message in one of the following formats is generated: If only per interface IGMP state limiters are configured, then each limit is only counted against the interface on which it was configured.
If both a global IGMP state limiter and per interface IGMP state limiters are configured, the limits configured for the per interface IGMP state limiters are still enforced but are constrained by the global limit.
Per Interface Mroute State Limit
The Per Interface Mroute State Limit feature provides the capability to limit the number of mroute states on an interface for different ACL-classified sets of multicast traffic. This feature can be used to prevent DoS attacks or to provide a multicast CAC mechanism when all the multicast flows roughly utilize the same amount of bandwidth.
The Per Interface Mroute State Limit feature essentially is a complete superset of the IGMP State Limit feature (with the exception that it does not support a global limit). The Per Interface Mroute State Limit feature, moreover, is more flexible and powerful (albeit more complex) than the IGMP State Limit feature but is not intended to be a replacement for it because there are applications that suit both features.
The main differences between the Per Interface Mroute State Limit feature and the IGMP State Limit feature are as follows:
The Per Interface Mroute State Limit feature allows multiple limits to be configured on an interface, whereas the IGMP State Limit feature allows only one limit to be configured on an interface. The Per Interface Mroute State Limit feature, thus, is more flexible than the IGMP State Limit feature in that it allows multiple limits to be configured for different sets of multicast traffic on an interface.
The Per Interface Mroute State Limit feature can be used to limit both IGMP and PIM joins, whereas the IGMP State Limit feature can only be used to limit IGMP joins. The IGMP State Limit feature, thus, is more limited in application in that it is best suited to be configured on an edge router to limit the number of groups that receivers can join on an outgoing interface. The Per Interface Mroute State Limit feature has a wider application in that it can be configured to limit IGMP joins on an outgoing interface, to limit PIM joins (for Any Source Multicast [ASM] groups or Source Specific Multicast [SSM] channels) on an outgoing interface connected to other routers, to limit sources behind an incoming interface from sending multicast traffic, or to limit sources directly connected to an incoming interface from sending multicast traffic.
Note | Although the PIM Interface Mroute State Limit feature allows you to limit both IGMP and PIM joins, it does not provide the capability to limit PIM or IGMP joins separately because it does not take into account whether the state is created as a result of an IGMP or PIM join. As such, the IGMP State Limit feature is more specific in application because it specifically limits IGMP joins. |
The Per Interface Mroute State Limit feature allows you to specify limits according to the direction of traffic; that is, it allows you to specify limits for outgoing interfaces, incoming interfaces, and for incoming interfaces having directly connected multicast sources. The IGMP State Limit feature, however, only can be used to limit outgoing interfaces. The Per Interface State Mroute State Limit feature, thus, is wider in scope in that it can be used to limit mroute states for both incoming and outgoing interfaces from both sources and receivers, whereas the IGMP State Limit feature is more narrow in scope in that it can only be used to limit mroute states for receivers on an LAN by limiting the number of IGMP joins on an outgoing interface.
Both the IGMP State Limit and Per Interface Mroute State Limit features provide a rudimentary multicast CAC mechanism that can be used to provision bandwidth utilization on an interface when all multicast flows roughly utilize the same amount of bandwidth. The Bandwidth-Based CAC for IP Multicast feature, however, offers a more flexible and powerful alternative for providing multicast CAC in network environments where IP multicast flows utilize different amounts of bandwidth.
Note | For more information about the Bandwidth-Based CAC for IP Multicast feature, see the Bandwidth-Based CAC for IP Multicast. |
- Per Interface Mroute State Limit Feature Design
- Mechanics of Per Interface Mroute State Limiters
- Tips for Configuring Per Interface Mroute State Limiters
Per Interface Mroute State Limit Feature Design
The Per Interface Mroute State Limit feature is configured using the ip multicast limit command in interface configuration mode. An ip multicast limit command configured on an interface is called an per interface mroute state limiter. A per interface mroute state limiter is defined by direction, ACL, and maximum number of mroutes. Each per interface mroute state limiter maintains a counter to ensure that the maximum number of mroutes is not exceeded.
The following forms of the ip multicast limitcommand are available to configure per interface mroute state limiters:
ip multicast limit access-list max-entries
This command limits mroute state creation for an ACL-classified set of traffic on an interface when the interface is an outgoing (egress) interface, and limits mroute outgoing interface list (olist) membership when the interface is an incoming (ingress) Reverse Path Forwarding (RPF) interface.
This type of per interface mroute state limiter limits mroute state creation--by accounting each time an mroute permitted by the ACL is created or deleted--and limits mroute olist membership--by accounting each time that an mroute olist member permitted by the ACL is added or removed.
Entering this form of the command (that is, with no optional keywords) is equivalent to specifying the ip multicast limit rpfand ip multicast limit out forms of the command.
ip multicast limit connected access-list max-entries
This command limits mroute state creation for an ACL-classified set of multicast traffic on an incoming (RPF) interface that is directly connected to a multicast source by accounting each time that an mroute permitted by the ACL is created or deleted.
ip multicast limit out access-list max-entries
This command limits mroute olist membership on an outgoing interface for an ACL-classified set of multicast traffic by accounting each time that an mroute olist member permitted by the ACL is added or removed.
ip multicast limit rpf access-list max-entries
This command limits mroute state creation for an ACL-classified set of multicast traffic on an incoming (RPF) interface by accounting each time an mroute permitted by the ACL is created or deleted.
For the required access-list argument, specify the ACL that defines the IP multicast traffic to be limited on an interface. A standard or extended ACL can be specified. Standard ACLs can be used to define the (*, G) state to be limited on an interface. Extended ACLs can be used to define the (S, G) state to be limited on an interface. Extended ACLs also can be used to define the (*, G) state to be limited on an interface, by specifying 0.0.0.0 for the source address and source wildcard--referred to as (0, G)--in the permit or deny statements that compose the extended access list.
Mechanics of Per Interface Mroute State Limiters
The mechanics of per interface mroute state limiters are as follows:
Each time the state for an mroute is created or deleted and each time an olist member is added or removed, the software searches for a corresponding per interface mroute state limiter that matches the mroute.
When an mroute is created or deleted, the software searches for a per interface mroute state limiter configured on the incoming (RPF) interface that matches the mroute to be created or deleted. When an olist member is added or removed, the software searches for a per interface mroute state limiter configured on the outgoing interface that matches the mroute to be added or removed.
A top-down search is performed using the list of configured per interface mroute state limiters. Only per interface mroute state limiters that match the direction of traffic are considered. The first per interface mroute state limiter that matches is used for limiting (sometimes referred to as accounting). A match is found when the ACL permits the mroute state.
When a match is found, the counter of the per interface mroute state limiter is updated (increased or decreased). If no per interface mroute state limiter is found that matches an mroute, no accounting is performed for the mroute (because there is no counter to update).
The amount with which to update the counter is called the cost (sometimes referred to as the cost multiplier). The default cost is 1.
Note | A per interface mroute state limiter always allows the deletion of an mroute or the removal of an interface from the olist. In those cases, the respective per interface mroute state limiter decreases the counter by the value of the cost multiplier. In addition, RPF changes to an existing mroute are always allowed (in order to not affect existing traffic). However, a per interface mroute state limiter only allows the creation of an mroute or the addition of an mroute olist member if adding the cost does not exceed the maximum number of mroutes permitted. |
Tips for Configuring Per Interface Mroute State Limiters
To ensure that all mroutes are accounted, you can configure a per interface mroute state limiter whose ACL contains a permit-any statement and set the value of zero (0) for maximum entries. Configuring an mroute state limiter in this manner effectively denies all fall through states, which may be a way to prevent a multicast DoS attack in and out of the interface.
When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny-any statement for everything if it did not find a match before reaching the end.
An explicit deny statement for a specific mroute in an ACL can be used to specify the state that will not match the ACLwhich will prevent the ACL from being accounted. If an mroute matches a deny statement, the search immediately continues to the next configured mroute state limiter. Configuring an explicit deny statement in an ACL can be more efficient than forcing the mroute to fall through an ACL by using an implicit deny-any statement at the end of the ACL.
Bandwidth-Based CAC for IP Multicast
The Bandwidth-Based CAC for IP Multicast feature enhances the Per Interface Mroute State Limit feature by implementing a way to count per interface mroute state limiters using cost multipliers (referred to as bandwidth-based multicast CAC policies). This feature can be used to provide bandwidth-based multicast CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth.
- Bandwidth-Based CAC for IP Multicast Feature Design
- Mechanics of the Bandwidth-Based Multicast CAC Policies
- Tips for Configuring Bandwidth-Based CAC Policies for IP Multicast
Bandwidth-Based CAC for IP Multicast Feature Design
Bandwidth-based multicast CAC policies are configured using the ip multicast limit cost command in global configuration mode. The syntax of the ip multicast limit cost command is as follows:
ip multicast [vrf vrf-name] limit cost access-list cost-multiplier
For the required access-list argument, specify the ACL that defines the IP multicast traffic for which to apply a cost. A standard or extended ACL can be specified. Standard ACLs can be used to define the (*, G) state. Extended ACLs can be used to define the (S, G) state. Extended ACLs also can be used to define the (*, G) state, by specifying 0.0.0.0 for the source address and source wildcard--referred to as (0, G)--in the permit or deny statements that compose the extended access list.
For the required cost-multiplier argument, specify the cost value to be applied to mroutes that match the ACL associated with the bandwidth-based multicast CAC policy. The range is 0 to 2147483647.
Note | In an MVPN environment, the optional vrf keyword and vrf-name argument are used to specify that the cost be applied only to mroutes associated with MVRF specified for the vrf-name argument. |
Mechanics of the Bandwidth-Based Multicast CAC Policies
The mechanics of bandwidth-based multicast CAC policies are as follows:
Once an mroute matches an ACL configured for a per interface mroute state limiter, the Cisco IOS software performs a top-down search from the global or per MVRF list of configured bandwidth-based multicast CAC policies to determine if a cost should be applied to the mroute.
A cost is applied to the first bandwidth-based CAC policy that matches the mroute. A match is found when the ACL applied to the bandwidth-based CAC policy permits the mroute state.
The counter for the mroute state limiter either adds or subtracts the cost configured for the cost-multiplier argument. If no costs are configured or if the mroute does not match any of the configured bandwidth-based CAC polices, the default cost of 1 is used.
Tips for Configuring Bandwidth-Based CAC Policies for IP Multicast
To ensure that a particular cost applies to all mroutes being limited, you can configure a bandwidth-based CAC policy whose ACL contains a permit any statement. Configuring a bandwidth-based CAC policy in this manner effectively ensures that the default cost is not applied to any mroutes being limited.
Configuring a bandwidth-based CAC policy with a cost of 0 for the cost-multiplier argument can be used to skip the accounting of certain mroutes (for example, to prevent Auto-RP groups or a specific multicast channel from being accounted).
An explicit deny statement for a specific mroute in an ACL can be used to specify the state that will not match the ACL (thus, preventing the ACL from being accounted). If an mroute matches a deny statement, the search immediately continues to the next configured bandwidth-based CAC policy. Configuring an explicit deny statement in an ACL can be more efficient than forcing the mroute to fall through an ACL (by means of the implicit deny any statement at the end of the ACL).
How to Configure Multicast Admission Control
- Configuring Global and Per MVRF Mroute State Limiters
- Configuring MSDP SA Limiters
- Configuring IGMP State Limiters
- Configuring Per Interface Mroute State Limiters
- Configuring Bandwidth-Based Multicast CAC Policies
- Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies
Configuring Global and Per MVRF Mroute State Limiters
Perform the following optional tasks to configure global and per MVRF mroute state limiters.
Global mroute state limiters are used to limit the number of mroutes that can be added to the global table on a router. Configuring a global mroute state limiter can protect a router in the event of a multicast DoS attack (by preventing mroutes from overrunning the router).
Per VRF mroute state limiters are used to limit the number of mroutes that can be added to an MVRF table on an MVPN PE router. Configuring per MVRF mroute state limits can be used to ensure the fair sharing of mroutes between different MVRFs on an MVPN PE router.
Note | Global and per MVRF mroute state limiters operate independently and can be used alone or together, depending upon the admission control requirements of your network. |
Note | When configuring global and per VRF mroute state limiters, you can only configure one limit for the global table and one limit per MVRF table. |
The following tasks explain how to configure global and per MVRF mroute state limiters:
- Prerequisites
- Configuring a Global Mroute State Limiter
- What to Do Next
- Configuring Per MVRF Mroute State Limiters
Prerequisites
These tasks assume that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the “ Configuring Basic IP Multicast ” module.
Before configuring per MVRF mroute state limiters, the MVRFs on the PE router must be configured using the tasks described in the “ Configuring Multicast VPN ” module.
Configuring a Global Mroute State Limiter
Perform this task to limit the number of mroutes that can be added to the global table. States for mroutes that exceed the global mroute limit will not be created.
1.
enable
2.
configure
terminal
3.
ip
multicast
route-limit
limit
[threshold]
4.
end
5.
show
ip
mroute
count
DETAILED STEPS
What to Do Next
Proceed to the Configuring Per MVRF Mroute State Limiters task to configure per MVRF mroute state limiters on a PE router.
Configuring Per MVRF Mroute State Limiters
Perform this optional task to configure per MVRF mroute state limiters to limit the number of mroutes that can be added to a particular MVRF table. This feature can be configured on a PE router to ensure the fair sharing of mroutes between different MVRFs on the router. States for mroutes that exceed the per MVRF mroute limiter are not created.
1.
enable
2.
configure
terminal
3.
ip
multicast
vrf
vrf-name
route-limit
limit
[threshold]
4. Repeat Step 3 to configure additional per VRF mroute state limiters for other VRFs on an MVPN PE router.
5.
end
6.
show
ip
mroute
vrf
vrf-name
count
DETAILED STEPS
Configuring MSDP SA Limiters
Perform this optional task to limit the overall number of SA messages that the router can accept from specified MSDP peers. Performing this task protects an MSDP-enabled router from distributed DoS attacks.
Note | We recommend that you perform this task for all MSDP peerings on the router. |
This task assumes that you are running MSDP and have configured MSDP peers using the tasks described in the “ Using MSDP to Interconnect Multiple PIM-SM Domains ” module.
1.
enable
2.
configure
terminal
3.
ip
msdp
[vrf
vrf-name]
sa-limit {peer-address |
peer-name}
sa-limit
4. Repeat Step 3 to configure additional per MVRF mroute state limiters for other MVRFs on an MVPN PE router.
5.
end
6.
show
ip
msdp
count
7.
show
ip
msdp
peer
[peer-address |
peer-name]
8.
show
ip
msdp
summary
DETAILED STEPS
Configuring IGMP State Limiters
Note | IGMP state limiters impose limits on the number of mroute states resulting from IGMP, IGMP v3lite, and URD membership reports on a global or per interface basis. |
- Prerequisites
- Configuring Global IGMP State Limiters
- What to Do Next
- Configuring Per Interface IGMP State Limiters
Prerequisites
These tasks assume that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the “ Configuring Basic IP Multicast ” module.
All ACLs you intend to apply to per interface IGMP state limiters should be configured prior to beginning this configuration task; otherwise, IGMP membership reports for all groups and channels are counted against the configured limits. For information about how to configure ACLs, see the “ Creating an IP Access List and Applying It to an Interface ” module.
Configuring Global IGMP State Limiters
Perform this optional task to configure one global IGMP state limiter per device.
1.
enable
2.
configure
terminal
3.
ip
igmp
limit
number
4.
end
5.
show
ip
igmp
groups
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Device# configure terminal |
Enters global configuration mode. |
Step 3 |
ip
igmp
limit
number
Example: Device(config)# ip igmp limit 150 |
Configures a global limit on the number of mroute states resulting from IGMP membership reports (IGMP joins). |
Step 4 |
end
Example: Device(config-if)# end |
Ends the current configuration session and returns to privileged EXEC mode. |
Step 5 |
show
ip
igmp
groups
Example: Device# show ip igmp groups |
(Optional) Displays the multicast groups with receivers that are directly connected to the device and that were learned through IGMP. |
What to Do Next
Proceed to the Configuring Per Interface IGMP State Limiters task to configure per interface IGMP state limiters.
Configuring Per Interface IGMP State Limiters
Perform this optional task to configure a per interface IGMP state limiter.
1.
enable
2.
configure
terminal
3.
interface
type
number
4.
ip
igmp
limit
number
[except
access-list]
6.
show
ip
igmp
interface
[type
number]
7.
show
ip
igmp
groups
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Device# configure terminal |
Enters global configuration mode. |
Step 3 |
interface
type
number
Example: Device(config)# interface GigabitEthernet0/0 |
Enters interface configuration mode. |
Step 4 |
ip
igmp
limit
number
[except
access-list]
Example: Device(config-if)# ip igmp limit 100 |
Configures a per interface limit on the number of mroutes states created as a result of IGMP membership reports (IGMP joins). |
Step 5 |
Do one of the following:
Example: Device(config-if)# exit Device(config-if)# end | |
Step 6 |
show
ip
igmp
interface
[type
number]
Example: Device# show ip igmp interface |
(Optional) Displays information about the status and configuration of IGMP and multicast routing on interfaces. |
Step 7 |
show
ip
igmp
groups
Example: Device# show ip igmp groups |
(Optional) Displays the multicast groups with receivers that are directly connected to the device and that were learned through IGMP. |
Configuring Per Interface Mroute State Limiters
Perform this task to prevent DoS attacks or to provide a multicast CAC mechanism for controling bandwidth when all multicast flows utilize approximately the same amount of bandwidth.
All ACLs to be applied to per interface mroute state limiters must be configured prior to beginning this configuration task; otherwise, the limiters are ignored. For information about how to configure ACLs, see the “ Creating an IP Access List and Applying It to an Interface ” module of the Security Configuration Guide: Access Control Lists guide.
1.
enable
2.
configure
terminal
3.
interface
type
number
4.
ip
multicast
limit
[connected |
out |
rpf]
access-list
max-entries
5. Repeat Step 4 to configure additional per interface mroute state limiters on this interface.
6. Repeat Steps 3 and Step 4 to configure per interface mroute state limiters on additional interfaces.
7.
end
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Device# configure terminal |
Enters global configuration mode. |
Step 3 |
interface
type
number
Example: Device(config)# interface GigabitEthernet0/0 |
Enters interface configuration mode for the specified interface type and number. |
Step 4 |
ip
multicast
limit
[connected |
out |
rpf]
access-list
max-entries
Example: Device(config-if)# ip multicast limit 15 100 |
Configures per interface mroute state limiters. |
Step 5 | Repeat Step 4 to configure additional per interface mroute state limiters on this interface. |
-- |
Step 6 | Repeat Steps 3 and Step 4 to configure per interface mroute state limiters on additional interfaces. |
-- |
Step 7 |
end
Example: Device(config-if)# end |
Returns to privileged EXEC mode. |
What to Do Next
Proceed to the Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies task to monitor per interface mroute state limiters.
Configuring Bandwidth-Based Multicast CAC Policies
Perform this optional task to configure bandwidth-based multicast CAC policies. Bandwidth-based multicast CAC policies provide the capability to assign costs to mroutes that are being limited by per interface mroute state limiters. This task can be used to provide bandwidth-based multicast CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth. Bandwidth-based multicast CAC policies can be applied globally or per MVRF.
This task assumes that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the “ Configuring Basic IP Multicast ” module.
All ACLs you intend to apply to bandwidth-based multicast CAC policies should be configured prior to beginning this configuration task; otherwise, the limiters are ignored. For information about how to configure ACLs, see the “ Creating an IP Access List and Applying It to an Interface ” module.
You can omit Steps 3 to 7 if you have already configured the per interface mroute state limiters for which to apply costs.
Note
1.
enable
2.
configure
terminal
3.
interface
type
number
4.
ip
multicast
limit
[connected |
out |
rpf]
access-list
max-entries
5.
6.
7. Repeat Step 4 if you want to configure additional mroute state limiters on the interface.
8. Repeat Step 3 and Step 4 if you want to configure mroute state limiters on additional interfaces.
9.
exit
10.
ip
multicast
[vrf
vrf-name]
limit
cost
access-list
cost-multiplier
11. Repeat Step 8 if you want to apply additional costs to mroutes.
12.
end
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
interface
type
number
Example: Router(config)# interface GigabitEthernet 0/0 |
Enters interface configuration mode for the specified interface type and number. |
Step 4 |
ip
multicast
limit
[connected |
out |
rpf]
access-list
max-entries
Example: Router(config-if)# ip multicast limit acl-test 100 Example: |
Configures mroute state limiters on an interface.
|
Step 5 |
|
|
Step 6 |
|
|
Step 7 | Repeat Step 4 if you want to configure additional mroute state limiters on the interface. |
-- |
Step 8 | Repeat Step 3 and Step 4 if you want to configure mroute state limiters on additional interfaces. |
-- |
Step 9 |
exit
Example: Router(config-if)# exit |
Exits interface configuration mode, and returns to global configuration mode. |
Step 10 |
ip
multicast
[vrf
vrf-name]
limit
cost
access-list
cost-multiplier
Example: Router(config)# ip multicast limit cost acl-MP2SD-channels 4000 |
Applies costs to per interface mroute state limiters.
|
Step 11 | Repeat Step 8 if you want to apply additional costs to mroutes. |
-- |
Step 12 |
end
Example: Router(config-if)# end |
Exits interface configuration mode, and enters privileged EXEC mode. |
What to Do Next
Proceed to the Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies task to monitor bandwidth-based multicast CAC policies.
Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies
Perform this optional task to monitor per interface mroute state limiters and bandwidth-based multicast CAC policies.
1.
enable
2.
debug
ip
mrouting
limits
[group-address]
3.
show
ip
multicast
limit
type
number
4.
clear
ip
multicast
limit
[type
number]
DETAILED STEPS
Step 1 |
enable
Example: Device> enable Enables privileged EXEC mode. |
Step 2 |
debug
ip
mrouting
limits
[group-address]
Displays debugging information about configured per interface mroute state limiters and bandwidth-based multicast CAC policies. The following output is from the debug ip mrouting limits command. The output displays the following events:
Example: device# debug ip mrouting limits MRL(0): incr-ed acl ‘rpf-list’ to (13 < max 32), [n:0,p:0], (main) GigabitEthernet0/0, (10.41.0.41, 225.30.200.60) MRL(0): decr-ed acl ‘out-list’ to (10 < max 32), [n:0,p:0], (main) GigabitEthernet0/0, (*, 225.40.202.60) MRL(0): Add mroute (10.43.0.43, 225.30.200.60) denied for GigabitEthernet0/2, acl std-list, (16 = max 16) MRL(0): incr-ed limit-acl `rpf-list' to (12 < max 32), cost-acl 'cost-list' cost 2, [n:0,p:0], (main) GigabitEthernet0/0, (10.41.0.41, 225.30.200.60) MRL(0): decr-ed limit-acl `out-list' to (8 < max 32), cost-acl 'cost-list'' cost 2, [n:0,p:0], (main) GigabitEthernet0/0, (*, 225.40.202.60) |
Step 3 |
show
ip
multicast
limit
type
number
Displays counters related to mroute state limiters configured on the interfaces on the router. For each per interface mroute state limiter shown in the output, the following information is displayed:
The following is sample output from the show ip multicast limit command with the type number arguments. In this example, information about mroute state limiters configured on Gigabit Ethernet interface 0/0 is displayed. Example: Device# show ip multicast limit GigabitEthernet 0/0 Interface GigabitEthernet 0/0 Multicast Access Limits out acl out-list (1 < max 32) exceeded 0 rpf acl rpf-list (6 < max 32) exceeded 0 con acl conn-list (0 < max 32) exceeded 0 |
Step 4 |
clear
ip
multicast
limit
[type
number]
Resets the exceeded counter for per interface mroute state limiters. The following example shows how to reset exceeded counters for per interface mroute state limiters configured on Gigabit Ethernet interface 0/0: Example: Device# clear ip multicast limit interface GigabitEthernet 0/0 |
Configuration Examples for Configuring Multicast Admission Control
- Configuring Global and Per MVRF Mroute State Limiters Example
- Configuring MSDP SA Limiters Example
- Example: Configuring IGMP State Limiters
- Example Configuring Per Interface Mroute State Limiters
- Example: Configuring Bandwidth-Based Multicast CAC Policies
Configuring Global and Per MVRF Mroute State Limiters Example
The following example shows how to configure a global mroute state limiter. In this example, a global mroute state limiter is configured with an mroute limit of 1500 and an mroute threshold limit of 1460.
ip multicast route-limit 1500 1460
The following is a sample mroute threshold warning message. The output shows that the configured mroute threshold limit of 1460 has been exceeded by one mroute.
%MROUTE-4-ROUTELIMITWARNING : multicast route-limit warning 1461 threshold 1460
The following is a sample mroute exceeded warning message. The output shows that the configured mroute limit of 1500 has been exceeded by one mroute. States for mroutes that exceed the configured limit for the global mroute state limiter are not created on the router.
%MROUTE-4-ROUTELIMIT : 1501 routes exceeded multicast route-limit of 1500
Configuring MSDP SA Limiters Example
The following example shows how to configure an MSDP SA limiter. In this example, an MSDP SA limiter is configured that imposes a limit of 100 SA messages from the MSDP peer at 192.168.10.1.
ip msdp sa-limit 192.168.10.1 100
Example: Configuring IGMP State Limiters
The following example shows how to configure IGMP state limiters to provide multicast CAC in a network environment where all the multicast flows roughly utilize the same amount of bandwidth.
This example uses the topology illustrated in the figure.
In this example, a service provider is offering 300 Standard Definition (SD) TV channels. Each SD channel utilizes approximately 4 Mbps.
The service provider must provision the Gigabit Ethernet interfaces on the PE device connected to the Digital Subscriber Line Access Multiplexers (DSLAMs) as follows: 50% of the link’s bandwidth (500 Mbps) must be available to subscribers of the Internet, voice, and video on demand (VoD) service offerings while the remaining 50% (500 Mbps) of the link’s bandwidth must be available to subscribers of the SD channel offerings.
Because each SD channel utilizes the same amount of bandwidth (4 Mbps), per interface IGMP state limiters can be used to provide the necessary CAC to provision the services being offered by the service provider. To determine the required CAC needed per interface, the total number of channels is divided by 4 (because each channel utilizes 4 Mbps of bandwidth). The required CAC needed per interface, therefore, is as follows:
500Mbps / 4Mbps = 125 mroutes
Once the required CAC is determined, the service provider uses the results to configure the per IGMP state limiters required to provision the Gigabit Ethernet interfaces on the PE device. Based on the network’s CAC requirements, the service provider must limit the SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 125. Configuring a per interface IGMP state limit of 125 for the SD channels provisions the interface for 500 Mbps of bandwidth, the 50% of the link’s bandwidth that must always be available (but never exceeded) for the SD channel offerings.
The following configuration shows how the service provider uses a per interface mroute state limiter to provision interface Gigabit Ethernet 0/0 for the SD channels and Internet, Voice, and VoD services being offered to subscribers:
interface GigabitEthernet0/0 description --- Interface towards the DSLAM --- . . . ip igmp limit 125
Example Configuring Per Interface Mroute State Limiters
The following example shows how to configure per interface mroute state limiters to provide multicast CAC in a network environment where all the multicast flows roughly utilize the same amount of bandwidth.
This example uses the topology illustrated in the figure.
In this example, a service provider is offering 300 SD TV channels. The SD channels are being offered to customers in three service bundles (Basic, Premium, and Gold), which are available to customers on a subscription basis. Each bundle offers 100 channels to subscribers, and each channel utilizes approximately 4 Mbps of bandwidth.
The service provider must provision the Gigabit Ethernet interfaces on the PE device connected to DSLAMs as follows: 50% of the link’s bandwidth (500 Mbps) must be available to subscribers of their Internet, voice, and VoD service offerings while the remaining 50% (500 Mbps) of the link’s bandwidth must be available to subscribers of their SD channel bundle service offerings.
For the 500 Mbps of the link’s bandwidth that must always be available to (but must never be exceeded by) the subscribers of the SD channel bundles, the interface must be further provisioned as follows:
60% of the bandwidth must be available to subscribers of the basic service (300 Mbps).
20% of the bandwidth must be available to subscribers of the premium service (100 Mbps).
20% of the bandwidth must be available to subscribers of the gold service (100 Mbps).
Because each SD channel utilizes the same amount of bandwidth (4 Mbps), per interface mroute state limiters can be used to provide the necessary CAC to provision the services being offered by the service provider. To determine the required CAC needed per interface, the number of channels for each bundle is divided by 4 (because each channel utilizes 4 Mbps of bandwidth). The required CAC needed per interface, therefore, is as follows:
Once the required CAC required per SD channel bundle is determined, the service provider uses the results to configure the mroute state limiters required to provision the Gigabit Ethernet interfaces on the PE device for the services being offered to subscribers behind the DSLAMs:
For the Basic Services bundle, the service provider must limit the number of Basic Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 75. Configuring an mroute state limit of 75 for the SD channels offered in the Basic Service bundle provisions the interface for 300 Mbps of bandwidth (the 60% of the link’s bandwidth that must always be available to [but never exceeded by] the subscribers of the Basic Services bundle).
For the Premium Services bundle, the service provider must limit the number of Premium Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 25. Configuring an mroute state limit of 25 for the SD channels offered in the Premium Service bundle provisions the interface for 100 Mbps of bandwidth (the 20% of the link’s bandwidth that must always be available to [but never exceeded by] the subscribers of the Premium Service bundle).
For the Gold Services bundle, the service provider must limit the number of Gold Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 25. Configuring an mroute state limit of 25 for the SD channels offered in the Gold Service bundle provisions the interface for 100 Mbps of bandwidth (the 20% of the link’s bandwidth that must always be available to [but never exceeded by] the subscribers of the Gold Service bundle).
The service provider then configures three ACLs to be applied to per interface mroute state limiters. Each ACL defines the SD channels for each SD channel bundle to be limited on an interface:
acl-basic--The ACL that defines the SD channels offered in the basic service.
acl-premium--The ACL that defines the SD channels offered in the premium service.
acl-gold--The ACL that defines the SD channels offered in the gold service.
These ACLs are then applied to per interface mroute state limiters configured on the PE device’s Gigabit Ethernet interfaces.
For this example, three per interface mroute state limiters are configured on Gigabit Ethernet interface 0/0 to provide the multicast CAC needed to provision the interface for the SD channel bundles being offered to subscribers:
An mroute state limit of 75 for the SD channels that match acl-basic.
An mroute state limit of 25 for the SD channels that match acl-premium.
An mroute state limit of 25 for the SD channels that match acl-gold.
The following configuration shows how the service provider uses per interface mroute state limiters to provision Gigabit Ethernet interface 0/0 for the SD channel bundles and Internet, Voice, and VoD services being offered to subscribers:
interface GigabitEthernet0/0 description --- Interface towards the DSLAM --- . . . ip multicast limit out acl-basic 75 ip multicast limit out acl-premium 25 ip multicast limit out acl-gold 25
Example: Configuring Bandwidth-Based Multicast CAC Policies
The following example shows how to configure bandwidth-based multicast CAC policies to provide multicast CAC in a network environment where the multicast flows utilize different amounts of bandwidth.
This example uses the topology illustrated in the figure.
In this example, three content providers are providing TV services across a service provider core. The content providers are broadcasting TV channels that utilize different amounts of bandwidth:
MPEG-2 SDTV channels--4 Mbps per channel.
MPEG-2 HDTV channels--18 Mbps per channel.
MPEG-4 SDTV channels--1.6 Mbps per channel.
MPEG-4 HDTV channels--6 Mbps per channel.
The service provider needs to provision the fair sharing of bandwidth between these three content providers to its subscribers across Gigabit Ethernet interfaces. The service provider, thus, determines that it needs to provision each Gigabit Ethernet interface on the PE device connected to the DSLAMs as follows:
The service provider then configures three ACLs:
acl-CP1-channels--The ACL that defines the channels being offered by the content provider CP1.
acl-CP2-channels--The ACL that defines the channels being offered by the content provider CP2.
acl-CP3-channels--The ACL that defines the channels being offered by the content provider CP3.
Because the content providers are broadcasting TV channels that utilize different amounts of bandwidth, the service provider needs to determine the values that need to be configured for the per interface mroute state limiters and bandwidth-based multicast CAC policies to provide the fair sharing of bandwidth required between the content providers.
Prior to the introduction of the Bandwidth-Based CAC for IP Multicast feature, per interface mroute state limiters were based strictly on the number of flows. The introduction of cost multipliers by the Bandwidth-Based CAC for IP Multicast feature expands how per interface mroute state limiters can be defined. Instead of defining the per interface mroute state limiters based on the number of multicast flows, the service provider looks for a common unit of measure and decides to represent the per interface mroute state limiters in kilobits per second (Kbps). The service provider then configures three per interface mroute state limiters, one per content provider. Because the link is a Gigabit, the service provider sets each limit to 250000 (because 250000 Kbps equals 250 Mbps, the number of bits that service provider needs to provision per content provider).
The service provider needs to further provision the fair sharing of bandwidth between the content providers, which can be achieved by configuring bandwidth-based multicast CAC policies. The service provider decides to create four bandwidth-based CAC policies, one policy per channel based on bandwidth. For these policies, the service provider configures the following ACLs:
acl-MP2SD-channels--Defines all the MPEG-2 SD channels offered by the three content providers.
acl-MP2HD-channels--Defines all the MPEG-2 HD channels offered by the three content providers.
acl-MP4SD-channels--Defines all the MPEG-4 SD channels offered by the three content providers.
acl-MP4HD-channels--Defines all the MPEG-4 HD channels offered by the three content providers.
For each policy, a cost multiplier (represented in Kbps) is defined for each ACL that is based on the bandwidth of the channels defined in the ACL:
4000--Represents the 4 Mbps MPEG-2 SD channels.
18000--Represents the 18 Mbps MPEG-2 HD channels.
1600--Represents the 1.6 Mbps MPEG-4 SD channels.
6000--Represents the 6 Mbps MPEG-4 HD channels.
The following configuration example shows how the service provider used per interface mroute state limiters with bandwidth-based multicast CAC policies to provision Gigabit Ethernet interface 0/0 for the fair sharing of bandwidth required between the three content providers:
! ip multicast limit cost acl-MP2SD-channels 4000 ip multicast limit cost acl-MP2HD-channels 18000 ip multicast limit cost acl-MP4SD-channels 1600 ip multicast limit cost acl-MP4HD-channels 6000 ! . . . ! interface GigabitEthernet0/0 ip multicast limit out acl-CP1-channels 250000 ip multicast limit out acl-CP2-channels 250000 ip multicast limit out acl-CP3-channels 250000 !
Additional References
The following sections provide references related to configuring multicast admission control.
Related Documents
Related Topic |
Document Title |
---|---|
Overview of the IP multicast technology area |
“ IP Multicast Technology Overview ” module |
Concepts, tasks, and examples for configuring an IP multicast network using PIM |
“ Configuring a Basic IP Multicast Network ” module |
Concepts, tasks, and examples for using MSDP to interconnection multiple PIM-SM domains |
“ Using MSDP to Interconnect Multiple PIM-SM Domains ” module |
Multicast commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
Cisco IOS IP Multicast Command Reference |
Standards
Standards |
Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
-- |
MIBs
MIBs |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFCs |
Title |
---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. |
-- |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Configuring Multicast Admission Control
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Bandwidth-Based CAC for IP Multicast |
12.2(33)SRB 12.4(15)T 12.2(33)SXI |
The Bandwidth-Based CAC for IP Multicast feature enhances the Per Interface Mroute State Limit feature by implementing a way to count per interface mroute state limiters using cost multipliers. This feature can be used to provide bandwidth-based CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth. The following command was introduced by this feature: ip multicast limit cost. |
IGMP State Limit |
12.2(14)S 12.2(15)T 15.0(1)S |
The IGMP State Limit feature introduces the capability to limit the number of mroute states resulting from IGMP membership states on a per interface or global basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. This feature can be used to prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.
The following commands were introduced or modified by this feature: ip igmp limit(global), ip igmp limit(interface), show ip igmp interface. |
Per Interface Mroute State Limit |
12.3(14)T 12.2(33)SRB 12.2(33)SXI |
The Per Interface Mroute State Limit feature provides the capability to limit the number of mroute states on an interface for different ACL-classified sets of multicast traffic. This feature can be used to prevent DoS attacks, or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth. The following commands were introduced or modified by this feature: clear ip multicast limit, debug ip mrouting limits, ip multicast limit, show ip multicast limit. |