Table Of Contents
Configuring Multicast Admission Control
Prerequisites for Configuring Multicast Admission Control
Information About Configuring Multicast Admission Control
Multicast Admission Control Features
Global and Per MVRF Mroute State Limit
Global and Per MVRF Mroute State Limit Feature Design
Mechanics of Global and Per MVRF Mroute State Limiters
Tips for Configuring MSDP SA Limiters
IGMP State Limit Feature Design
Mechanics of IGMP State Limiters
Per Interface Mroute State Limit
Per Interface Mroute State Limit Feature Design
Mechanics of Per Interface Mroute State Limiters
Tips for Configuring Per Interface Mroute State Limiters
Bandwidth-Based CAC for IP Multicast
Bandwidth-Based CAC for IP Multicast Feature Design
Mechanics of the Bandwidth-Based Multicast CAC Policies
Tips for Configuring Bandwidth-Based CAC Policies for IP Multicast
How to Configure Multicast Admission Control
Configuring Global and Per MVRF Mroute State Limiters
Configuring a Global Mroute State Limiter
Configuring Per MVRF Mroute State Limiters
Configuring IGMP State Limiters
Configuring Global IGMP State Limiters
Configuring Per Interface IGMP State Limiters
Configuring Per Interface Mroute State Limiters
Configuring Bandwidth-Based Multicast CAC Policies
Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies
Configuration Examples for Configuring Multicast Admission Control
Configuring Global and Per MVRF Mroute State Limiters: Example
Configuring MSDP SA Limiters: Example
Configuring IGMP State Limiters: Example
Configuring Per Interface Mroute State Limiters: Example
Configuring Bandwidth-Based Multicast CAC Policies: Example
Feature Information for Configuring Multicast Admission Control
Configuring Multicast Admission Control
First Published: November 14, 2008Last Updated: July 30, 2010This module describes how to implement multicast admission control in an IP multicast network. Multicast admission control features are configured on multicast-enabled routers to prevent control plane overload, ensure proper resource allocation, and provide multicast Call Admission Control (CAC) capabilities.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring Multicast Admission Control" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for Configuring Multicast Admission Control
•Information About Configuring Multicast Admission Control
•How to Configure Multicast Admission Control
•Configuration Examples for Configuring Multicast Admission Control
•Feature Information for Configuring Multicast Admission Control
•Feature Information for Configuring Multicast Admission Control
Prerequisites for Configuring Multicast Admission Control
•Before performing the tasks in this module, you should be familiar with the concepts explained in the "IP Multicast Technology Overview" module.
•The tasks in this module assume that IP multicast has been enabled and that the Protocol Independent Multicast (PIM) interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.
Information About Configuring Multicast Admission Control
Before configuring multicast admission control, you should understand the following concepts:
•Multicast Admission Control Features
•Global and Per MVRF Mroute State Limit
•Per Interface Mroute State Limit
•Bandwidth-Based CAC for IP Multicast
Multicast Admission Control
As the popularity of network video applications grows among consumers, admission control functions—which govern transmission and reception of multicast traffic based on available network resources—are vital. Without admission control, some users may receive degraded multicast streams, rendering programs unwatchable, and others may receive a "Network Busy" message or nothing at all as network resources are overtaxed. Network admission control is important in maintaining a high quality of experience for digital video consumers.
The goals of multicast admission control features, therefore, are as follows:
•Protect the router from control plane overload to ensure that memory and CPU resources on multicast-enabled routers are not overrun by multicast route (mroute) states or denial-of-service (DoS) attacks from multicast packets.
•Enable proper resource allocation (on a global, per MVRF, or per interface basis) to ensure that multicast services are delivered to subscribers per their IP Service Level Agreements (SLAs) and to minimize the effects of DoS attacks on subscribers.
•Provide multicast CAC capabilities to prevent bandwidth resources (interfaces, subnetworks) from being congested and to enable service providers to offer more flexible and refined content and subscriber-based policies.
Multicast Admission Control Features
The Cisco IOS software supports the following multicast admission control features:
•Global and Per MVRF Mroute State Limit
The ip multicast route-limit command allows for the configuration of global and per MVRF state limiters, which impose limits on the number of multicast routes (mroutes) that can be added to the global table or to a particular Multicast Virtual Routing and Forwarding (MVRF) table.
•MSDP SA Limit
The ip msdp sa-limit command allows for the configuration of MSDP SA limiters, which impose limits on the number of Multicast Source Discovery Protocol (MSDP) Source Active (SA) messages that can be cached on a router.
For more information about MSDP, see the "Using MSDP to Interconnect Multiple PIM-SM Domains" module.
•IGMP State Limit
This feature allows for the configuration of IGMP state limiters, which impose limits on mroute states resulting from Internet Group Management Protocol (IGMP) membership reports (IGMP joins).
•Per Interface Mroute State Limit
This feature allows for the configuration of per interface mroute state limiters, which impose mroute state limits for different access control list (ACL)-classified sets of multicast traffic on an interface.
•Bandwidth-Based CAC for IP Multicast
This feature allows for the configuration of bandwidth-based multicast CAC policies, which allow for bandwidth-based CAC on a per interface basis.
These admission control features may be invoked by service providers and enterprise network administrators based on different criteria, including the service package an end user has purchased or the privileges an enterprise user is entitled to.
Global and Per MVRF Mroute State Limit
The ip multicast route-limit command allows for the configuration of global and per MVRF mroute state limiters, which impose limits on the number of mroutes that can be added to the global table or to a particular MVRF table, respectively.
Global mroute state limiters are used to limit the number of mroutes that can be added to the global table on a router. Configuring a global mroute state limiter can protect a router in the event of a multicast DoS attack (by preventing mroutes from overrunning the router).
Per VRF mroute state limiters are used to limit the number of mroutes that can be added to an MVRF table on a Multicast VPN (MVPN) provider edge (PE) router. Configuring per MVRF mroute state limits can be used to ensure the fair sharing of mroutes between different MVRFs on an MVPN PE router.
Global and Per MVRF Mroute State Limit Feature Design
Global and per MVRF mroute state limiters are configured using the ip multicast route-limit command in global configuration mode. The syntax of the ip multicast route-limit command is as follows:
ip multicast [vrf vrf-name] route-limit limit [threshold]
Issuing the ip multicast route-limit command without the optional vrf keyword and vrf-name arguments configures a global mroute state limiter. The optional vrf keyword and vrf-name arguments are used with the ip multicast limit command to configure per MVRF mroute state limiters.
Note When configuring global and per VRF mroute state limiters, you can only configure one limit for the global table and one limit per MVRF table.
The value specified for the required limit argument defines the maximum number of mroutes that can be added to either the global table or a particular MVRF table, respectively.
Note Global and per MVRF mroute state limiters operate independently and can be used alone or together, depending upon the admission control requirements of your network.
In addition, for both global and per MVRF mroute state limiters, the optional threshold argument is available to set mroute threshold limits.
Mechanics of Global and Per MVRF Mroute State Limiters
The mechanics of global and per MVRF mroute state limiters are as follows:
•Each time the state for an mroute is created on a router, the Cisco IOS software checks to see if the limit for the global mroute state limiter (if the mroute is associated with the global table) or the limit for the per MVRF mroute state limiter (if the mroute is associated with the MVRF table) has been reached.
•States for mroutes that exceed the configured limit for the global or the per MVRF mroute state limiter are not created on the router, and a warning message in the following format is generated:
% MROUTE-4-ROUTELIMIT : <current mroute count> exceeded multicast route-limit of <mroute limit value>•When an mroute threshold limit is also configured for the global or the per MVRF mroute state limiter, each time the state for an mroute is created on a router, the Cisco IOS software also checks to see if the mroute threshold limit has been reached. If the mroute threshold limit is exceeded, a warning message in the following format is generated:
% MROUTE-4-ROUTELIMITWARNING : multicast route-limit warning <current mroute count> threshold <mroute threshold value>Warning messages continue to be generated until the number of mroutes exceeds the configured limit or until the number of mroute states falls below the configured mroute threshold limit.
MSDP SA Limit
The ip msdp sa-limit command allows for the configuration of MSDP SA limiters, which impose limits on the number of MSDP Source Active (SA) messages that an MSDP-enabled router can accept (can be cached) from an MSDP peer. This command provides a means to protect an MSDP-enabled router from denial of service (DoS) attacks.
MSDP SA Limit Feature Design
MSDP SA limiters are configured using the ip msdp sa-limit command in global configuration mode. The syntax of the ip msdp sa-limit command is as follows:
ip msdp [vrf vrf-name] sa-limit {peer-address | peer-name} sa-limit
For the required peer-address argument or peer-name argument, specify either the MSDP peer address or MSDP peer name of the peer to be limited.
For the required sa-limit argument, specify the maximum number of SA messages that can be accepted (cached) from the specified peer. The range is from 1 to 2147483646.
Note In an MVPN environment, the optional vrf keyword and vrf-name argument are used to specify the MVRF associated with the MSDP peer. When an MVRF is specified, the MSDP SA limiter is applied to the specified MSDP peer associated with the specified MVRF.
Mechanics of MSDP SA Limiters
•When MSDP SA limiters are configured, the router maintains a per-peer count of SA messages stored in the SA cache.
•SA messages that exceed the limit configured for an MSDP peer are ignored.
•If the router receives SA messages in excess of the configured limit from an MSDP peer, a warning in the following format is generated (once a minute) until the cache is cleared:
%MSDP-4-SA_LIMIT: SA from peer <peer address or name>, RP <RP address> for <mroute> exceeded sa-limit of <configured SA limit for MSDP peer>Tips for Configuring MSDP SA Limiters
•We recommended that you configure MSDP SA limiters for all MSDP peerings on the router.
•An appropriately low MSDP SA limit should be configured on peerings with a stub MSDP region (an MSDP peer that may have some further downstream peers but does not act as a transit for SA messages across the rest of the Internet).
•An appropriately high SA limit should be configured for all MSDP peerings that act as transits for MSDP SA messages across the Internet.
IGMP State Limit
The IGMP State Limit feature allows for the configuration of IGMP state limiters, which impose limits on mroute states resulting from IGMP membership reports (IGMP joins) on a global or per interface basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. This feature can be used to prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.
Note IGMP state limiters impose limits on the number of mroute states resulting from IGMP, IGMP v3lite, and URL Rendezvous Directory (URD) membership reports on a global or per interface basis.
IGMP State Limit Feature Design
IGMP state limiters are configured using the ip igmp limit command:
•Configuring the ip igmp limit command in global configuration mode specifies a global limit on the number of IGMP membership reports that can be cached. The syntax of the ip igmp limit command in global configuration mode is as follows:
ip igmp limit number
For the required number argument, specify a global limit on the number of IGMP membership reports that can be cached. The range is from 1 to 64000.
•Configuring the ip igmp limit command in interface configuration mode specifies a limit on the number of IGMP membership reports on a per interface basis. The syntax of the ip igmp limit command in interface configuration mode is as follows:
ip igmp limit number [except access-list]
For the required number argument, specify a limit on the number of IGMP membership reports that can be cached for the specified interface. The range is from 1 to 64000.
Use the optional except access-list keyword and argument to prevent groups or channels from being counted against the interface limit. A standard or an extended ACL can be specified.
–A standard ACL can be used to define the (*, G) state to be excluded from the limit on an interface.
–An extended ACLs can be used to define the (S, G) state to be excluded from the limit on an interface. An extended ACL also can be used to define the (*, G) state to be excluded from the limit on an interface, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.
Note When configuring IGMP state limiters, you can only configure one global limit on a router and one limit per interface.
Mechanics of IGMP State Limiters
The mechanics of IGMP state limiters are as follows:
•Each time a router receives an IGMP membership report for a particular group or channel, the Cisco IOS software checks to see if either the limit for the global IGMP state limiter or the limit for the per interface IGMP state limiter has been reached.
–If only a global IGMP state limiter has been configured and the limit has not been reached, IGMP membership reports are honored. When the configured limit has been reached, subsequent IGMP membership reports are then ignored (dropped) and a warning message in one of the following formats is generated:
%IGMP-6-IGMP_GROUP_LIMIT: IGMP limit exceeded for <group (*, group address)> on <interface type number> by host <ip address>or
%IGMP-6-IGMP_CHANNEL_LIMIT: IGMP limit exceeded for <channel (source address, group address)> on <interface type number> by host <ip address>–If only per interface IGMP state limiters are configured, then each limit is only counted against the interface on which it was configured.
–If both a global IGMP state limiter and per interface IGMP state limiters are configured, the limits configured for the per interface IGMP state limiters are still enforced but are constrained by the global limit.
•If a per interface IGMP state limiter has been configured, the Cisco IOS software also checks to see if an ACL is specified (with the optional except keyword and access-list argument) to prevent groups or channels from being counted against the interface limit.
–If an ACL has been configured and the group or channel in the IGMP membership report matches, then the state for the IGMP membership is counted against the global limit and not the interface limit.
–If no ACL has been configured, the per interface IGMP state limiter accounts for all IGMP membership reports that do not exceed the configured limit.
Per Interface Mroute State Limit
The Per Interface Mroute State Limit feature provides the capability to limit the number of mroute states on an interface for different ACL-classified sets of multicast traffic. This feature can be used to prevent DoS attacks or to provide a multicast CAC mechanism when all the multicast flows roughly utilize the same amount of bandwidth.
The Per Interface Mroute State Limit feature essentially is a complete superset of the IGMP State Limit feature (with the exception that it does not support a global limit). The Per Interface Mroute State Limit feature, moreover, is more flexible and powerful (albeit more complex) than the IGMP State Limit feature but is not intended to be a replacement for it because there are applications that suit both features.
The main differences between the Per Interface Mroute State Limit feature and the IGMP State Limit feature are as follows:
•The Per Interface Mroute State Limit feature allows multiple limits to be configured on an interface, whereas the IGMP State Limit feature allows only one limit to be configured on an interface. The Per Interface Mroute State Limit feature, thus, is more flexible than the IGMP State Limit feature in that it allows multiple limits to be configured for different sets of multicast traffic on an interface.
•The Per Interface Mroute State Limit feature can be used to limit both IGMP and PIM joins, whereas the IGMP State Limit feature can only be used to limit IGMP joins. The IGMP State Limit feature, thus, is more limited in application in that it is best suited to be configured on an edge router to limit the number of groups that receivers can join on an outgoing interface. The Per Interface Mroute State Limit feature has a wider application in that it can be configured to limit IGMP joins on an outgoing interface, to limit PIM joins (for Any Source Multicast [ASM] groups or Source Specific Multicast [SSM] channels) on an outgoing interface connected to other routers, to limit sources behind an incoming interface from sending multicast traffic, or to limit sources directly connected to an incoming interface from sending multicast traffic.
Note Although the PIM Interface Mroute State Limit feature allows you to limit both IGMP and PIM joins, it does not provide the capability to limit PIM or IGMP joins separately because it does not take into account whether the state is created as a result of an IGMP or PIM join. As such, the IGMP State Limit feature is more specific in application because it specifically limits IGMP joins.
•The Per Interface Mroute State Limit feature allows you to specify limits according to the direction of traffic; that is, it allows you to specify limits for outgoing interfaces, incoming interfaces, and for incoming interfaces having directly connected multicast sources. The IGMP State Limit feature, however, only can be used to limit outgoing interfaces. The Per Interface State Mroute State Limit feature, thus, is wider in scope in that it can be used to limit mroute states for both incoming and outgoing interfaces from both sources and receivers, whereas the IGMP State Limit feature is more narrow in scope in that it can only be used to limit mroute states for receivers on an LAN by limiting the number of IGMP joins on an outgoing interface.
Both the IGMP State Limit and Per Interface Mroute State Limit features provide a rudimentary multicast CAC mechanism that can be used to provision bandwidth utilization on an interface when all multicast flows roughly utilize the same amount of bandwidth. The Bandwidth-Based CAC for IP Multicast feature, however, offers a more flexible and powerful alternative for providing multicast CAC in network environments where IP multicast flows utilize different amounts of bandwidth.
Note For more information about the Bandwidth-Based CAC for IP Multicast feature, see the "Bandwidth-Based CAC for IP Multicast" section.
Per Interface Mroute State Limit Feature Design
The Per Interface Mroute State Limit feature is configured using the ip multicast limit command in interface configuration mode. An ip multicast limit command configured on an interface is called an per interface mroute state limiter. A per interface mroute state limiter is defined by direction, ACL, and maximum number of mroutes. Each per interface mroute state limiter maintains a counter to ensure that the maximum number of mroutes is not exceeded.
The following forms of the ip multicast limit command are available to configure per interface mroute state limiters:
•ip multicast limit access-list max-entries
This command limits mroute state creation for an ACL-classified set of traffic on an interface when the interface is an outgoing (egress) interface, and limits mroute outgoing interface list (olist) membership when the interface is an incoming (ingress) Reverse Path Forwarding (RPF) interface.
This type of per interface mroute state limiter limits mroute state creation—by accounting each time an mroute permitted by the ACL is created or deleted—and limits mroute olist membership—by accounting each time that an mroute olist member permitted by the ACL is added or removed.
Entering this form of the command (that is, with no optional keywords) is equivalent to specifying the ip multicast limit rpf and ip multicast limit out forms of the command.
•ip multicast limit connected access-list max-entries
This command limits mroute state creation for an ACL-classified set of multicast traffic on an incoming (RPF) interface that is directly connected to a multicast source by accounting each time that an mroute permitted by the ACL is created or deleted.
•ip multicast limit out access-list max-entries
This command limits mroute olist membership on an outgoing interface for an ACL-classified set of multicast traffic by accounting each time that an mroute olist member permitted by the ACL is added or removed.
•ip multicast limit rpf access-list max-entries
This command limits mroute state creation for an ACL-classified set of multicast traffic on an incoming (RPF) interface by accounting each time an mroute permitted by the ACL is created or deleted.
For the required access-list argument, specify the ACL that defines the IP multicast traffic to be limited on an interface. A standard or extended ACL can be specified. Standard ACLs can be used to define the (*, G) state to be limited on an interface. Extended ACLs can be used to define the (S, G) state to be limited on an interface. Extended ACLs also can be used to define the (*, G) state to be limited on an interface, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.
Mechanics of Per Interface Mroute State Limiters
The mechanics of per interface mroute state limiters are as follows:
•Each time the state for an mroute is created or deleted and each time an olist member is added or removed, the Cisco IOS software searches for a corresponding per interface mroute state limiter that matches the mroute.
•In the case of the creation and deletion of mroutes, the Cisco IOS software searches for a per interface mroute state limiter configured on the incoming (RPF) interface that matches the mroute to be created or deleted. In the case of olist member addition or removal, the Cisco IOS software searches for a per interface mroute state limiter configured on the outgoing interface that matches the mroute to be added or removed.
•The Cisco IOS software performs a top-down search from the list of configured per interface mroute state limiters. Only per interface mroute state limiters that match the direction of traffic are considered. The first per interface mroute state limiter that matches is used for limiting (sometimes referred to as accounting). A match is found when the ACL permits the mroute state.
•When a match is found, the counter of the per interface mroute state limiter is updated (increased or decreased). If no per interface mroute state limiter is found that matches an mroute, no accounting is performed for the mroute (because there is no counter to update).
•The amount to update the counter with is called the cost (sometimes referred to as the cost multiplier). The default cost is 1.
Note A per interface mroute state limiter always allows the deletion of an mroute or the removal of an interface from the olist. In those cases, the respective per interface mroute state limiter decreases the counter by the value of the cost multiplier. In addition, RPF changes to an existing mroute are always allowed (in order to not affect existing traffic). However, a per interface mroute state limiter only allows the creation of an mroute or the addition of an mroute olist member if adding the cost does not exceed the maximum number of mroutes permitted.
Tips for Configuring Per Interface Mroute State Limiters
•To ensure that all mroutes are accounted, you can configure a per interface mroute state limiter whose ACL contains a permit any statement and set the maximum for the max-entries argument to 0. Configuring an mroute state limiter in this manner effectively denies all fall through states, which may be a way to prevent a multicast DoS attack in and out of the interface.
•When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny any statement for everything if it did not find a match before reaching the end.
•An explicit deny statement for a specific mroute in an ACL can be used to specify the state that will not match the ACL (thus, preventing the ACL from being accounted). If an mroute matches a deny statement, the search immediately continues to the next configured mroute state limiter. Configuring an explicit deny statement in an ACL can be more efficient than forcing the mroute to fall through an ACL (by means of the implicit deny any statement at the end of the ACL).
Bandwidth-Based CAC for IP Multicast
The Bandwidth-Based CAC for IP Multicast feature enhances the Per Interface Mroute State Limit feature by implementing a way to count per interface mroute state limiters using cost multipliers (referred to as bandwidth-based multicast CAC policies). This feature can be used to provide bandwidth-based multicast CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth.
Bandwidth-Based CAC for IP Multicast Feature Design
Bandwidth-based multicast CAC policies are configured using the ip multicast limit cost command in global configuration mode. The syntax of the ip multicast limit cost command is as follows:
ip multicast [vrf vrf-name] limit cost access-list cost-multiplier
For the required access-list argument, specify the ACL that defines the IP multicast traffic for which to apply a cost. A standard or extended ACL can be specified. Standard ACLs can be used to define the (*, G) state. Extended ACLs can be used to define the (S, G) state. Extended ACLs also can be used to define the (*, G) state, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.
For the required cost-multiplier argument, specify the cost value to be applied to mroutes that match the ACL associated with the bandwidth-based multicast CAC policy. The range is 0 to 2147483647.
Note In an MVPN environment, the optional vrf keyword and vrf-name argument are used to specify that the cost be applied only to mroutes associated with MVRF specified for the vrf-name argument.
Mechanics of the Bandwidth-Based Multicast CAC Policies
The mechanics of bandwidth-based multicast CAC policies are as follows:
•Once an mroute matches an ACL configured for a per interface mroute state limiter, the Cisco IOS software performs a top-down search from the global or per MVRF list of configured bandwidth-based multicast CAC policies to determine if a cost should be applied to the mroute.
•A cost is applied to the first bandwidth-based CAC policy that matches the mroute. A match is found when the ACL applied to the bandwidth-based CAC policy permits the mroute state.
•The counter for the mroute state limiter either adds or subtracts the cost configured for the cost-multiplier argument. If no costs are configured or if the mroute does not match any of the configured bandwidth-based CAC polices, the default cost of 1 is used.
Tips for Configuring Bandwidth-Based CAC Policies for IP Multicast
•To ensure that a particular cost applies to all mroutes being limited, you can configure a bandwidth-based CAC policy whose ACL contains a permit any statement. Configuring a bandwidth-based CAC policy in this manner effectively ensures that the default cost is not applied to any mroutes being limited.
•Configuring a bandwidth-based CAC policy with a cost of 0 for the cost-multiplier argument can be used to skip the accounting of certain mroutes (for example, to prevent Auto-RP groups or a specific multicast channel from being accounted).
•An explicit deny statement for a specific mroute in an ACL can be used to specify the state that will not match the ACL (thus, preventing the ACL from being accounted). If an mroute matches a deny statement, the search immediately continues to the next configured bandwidth-based CAC policy. Configuring an explicit deny statement in an ACL can be more efficient than forcing the mroute to fall through an ACL (by means of the implicit deny any statement at the end of the ACL).
How to Configure Multicast Admission Control
This section contains the following tasks:
•Configuring Global and Per MVRF Mroute State Limiters (optional)
•Configuring MSDP SA Limiters (optional)
•Configuring IGMP State Limiters (optional)
•Configuring Per Interface Mroute State Limiters (optional)
•Configuring Bandwidth-Based Multicast CAC Policies (optional)
•Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies (optional)
Configuring Global and Per MVRF Mroute State Limiters
Perform the following optional tasks to configure global and per MVRF mroute state limiters.
Global mroute state limiters are used to limit the number of mroutes that can be added to the global table on a router. Configuring a global mroute state limiter can protect a router in the event of a multicast DoS attack (by preventing mroutes from overrunning the router).
Per VRF mroute state limiters are used to limit the number of mroutes that can be added to an MVRF table on an MVPN PE router. Configuring per MVRF mroute state limits can be used to ensure the fair sharing of mroutes between different MVRFs on an MVPN PE router.
Note Global and per MVRF mroute state limiters operate independently and can be used alone or together, depending upon the admission control requirements of your network.
Note When configuring global and per VRF mroute state limiters, you can only configure one limit for the global table and one limit per MVRF table.
The following tasks explain how to configure global and per MVRF mroute state limiters:
•Configuring a Global Mroute State Limiter
•Configuring Per MVRF Mroute State Limiters
Prerequisites
•These tasks assume that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.
•Before configuring per MVRF mroute state limiters, the MVRFs on the PE router must be configured using the tasks described in the "Configuring Multicast VPN" module.
Configuring a Global Mroute State Limiter
Perform this task to limit the number of mroutes that can be added to the global table. States for mroutes that exceed the global mroute limit will not be created.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip multicast route-limit limit [threshold]
4. end
5. show ip mroute count
DETAILED STEPS
What to Do Next
Proceed to the "Configuring Per MVRF Mroute State Limiters" task to configure per MVRF mroute state limiters on a PE router.
Configuring Per MVRF Mroute State Limiters
Perform this optional task to configure per MVRF mroute state limiters to limit the number of mroutes that can be added to a particular MVRF table. This feature can be configured on a PE router to ensure the fair sharing of mroutes between different MVRFs on the router. States for mroutes that exceed the per MVRF mroute limiter are not created.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip multicast vrf vrf-name route-limit limit [threshold]
4. Repeat Step 3 to configure additional per MVRF mroute state limiters for other MVRFs on an MVPN PE router.
5. end
6. show ip mroute vrf vrf-name count
DETAILED STEPS
Configuring MSDP SA Limiters
Perform this optional task to limit the overall number of SA messages that the router can accept from specified MSDP peers. Performing this task protects an MSDP-enabled router from distributed DoS attacks.
Note We recommend that you perform this task for all MSDP peerings on the router.
Prerequisites
This task assumes that you are running MSDP and have configured MSDP peers using the tasks described in the "Using MSDP to Interconnect Multiple PIM-SM Domains" module.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip msdp [vrf vrf-name] sa-limit {peer-address | peer-name} sa-limit
4. Repeat Step 3 to configure SA limits for additional MSDP peers.
5. end
6. show ip msdp count
7. show ip msdp peer [peer-address | peer-name]
8. show ip msdp summary
DETAILED STEPS
Configuring IGMP State Limiters
Perform the following tasks to configure global and per interface IGMP state limiters. IGMP state limiters are used to limit the number of mroute states resulting from IGMP membership reports (IGMP joins) on a global or per interface basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. IGMP state limiters can be used to prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.
Note IGMP state limiters impose limits on the number of mroute states resulting from IGMP, IGMP v3lite, and URD membership reports on a global or per interface basis.
The following tasks explain how to configure global and per interface IGMP state limiters:
•Configuring Global IGMP State Limiters
•Configuring Per Interface IGMP State Limiters
Note When configuring IGMP state limiters, you can only configure one global limit on a router and one limit per interface.
Prerequisites
•These tasks assume that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.
•All ACLs you intend to apply to per interface IGMP state limiters should be configured prior to beginning this configuration task; otherwise, IGMP membership reports for all groups and channels are counted against the configured limits. For information about how to configure ACLs, see the "Creating an IP Access List and Applying It to an Interface" module.
Configuring Global IGMP State Limiters
Perform this optional task to configure a global IGMP state limiter.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp limit number
4. end
5. show ip igmp groups
DETAILED STEPS
What to Do Next
Proceed to the "Configuring Per Interface IGMP State Limiters" task to configure per interface IGMP state limiters.
Configuring Per Interface IGMP State Limiters
Perform this optional task to configure per interface IGMP state limiters.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip igmp limit number [except access-list]
5. Repeat Step 3 and Step 4 if you want to configure additional per interface IGMP state limiters.
6. end
7. show ip igmp interface [type number]
8. show ip igmp groups
DETAILED STEPS
Configuring Per Interface Mroute State Limiters
Perform this task to configure per interface mroute state limiters. Configuring per interface mroute state limiters can be used to prevent DoS attacks or to provide a multicast CAC mechanism to control bandwidth, when all the multicast flows roughly utilize the same amount of bandwidth.
Prerequisites
•This task assumes that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.
•All ACLs you intend to apply to per interface mroute state limiters should be configured prior to beginning this configuration task; otherwise, the limiters are ignored. For information about how to configure ACLs, see the "Creating an IP Access List and Applying It to an Interface" module.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip multicast limit [connected | out | rpf] access-list max-entries
5. Repeat Step 4 if you want to configure additional per interface mroute state limiters on the interface.
6. Repeat Step 3 and Step 4 if you want to configure per interface mroute state limiters on additional interfaces.
7. end
DETAILED STEPS
What to Do Next
Proceed to the "Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies" task to monitor per interface mroute state limiters.
Configuring Bandwidth-Based Multicast CAC Policies
Perform this optional task to configure bandwidth-based multicast CAC policies. Bandwidth-based multicast CAC policies provide the capability to assign costs to mroutes that are being limited by per interface mroute state limiters. This task can be used to provide bandwidth-based multicast CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth. Bandwidth-based multicast CAC policies can be applied globally or per MVRF.
Prerequisites
•This task assumes that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.
•All ACLs you intend to apply to bandwidth-based multicast CAC policies should be configured prior to beginning this configuration task; otherwise, the limiters are ignored. For information about how to configure ACLs, see the "Creating an IP Access List and Applying It to an Interface" module.
Note You can omit Steps 3 to 7 if you have already configured the per interface mroute state limiters for which to apply costs.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip multicast limit [connected | out | rpf] access-list max-entries
5. Repeat Step 4 if you want to configure additional mroute state limiters on the interface.
6. Repeat Step 3 and Step 4 if you want to configure mroute state limiters on additional interfaces.
7. exit
8. ip multicast [vrf vrf-name] limit cost access-list cost-multiplier
9. Repeat Step 8 if you want to apply additional costs to mroutes.
10. end
DETAILED STEPS
What to Do Next
Proceed to the "Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies" task to monitor bandwidth-based multicast CAC policies.
Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies
Perform this optional task to monitor per interface mroute state limiters and bandwidth-based multicast CAC policies.
SUMMARY STEPS
1. enable
2. debug ip mrouting limits [group-address]
3. show ip multicast limit [type number]
4. clear ip multicast limit [type number]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Router> enable
Step 2 debug ip mrouting limits [group-address]
Use this command to display debugging information about configured per interface mroute state limiters and bandwidth-based multicast CAC policies.
Specify the optional group-address argument to restrict the output to display only per interface mroute state limiter events related to a particular multicast group.
The following output is from the debug ip mrouting limits command. The output displays the following events:
•An mroute state being created and the corresponding per interface mroute state limiter counter being increased by the default cost of 1 on incoming Ethernet interface 1/0.
•An mroute olist member being removed from the olist and the corresponding per interface mroute limiter being decreased by the default cost of 1 on outgoing Ethernet interface 1/0.
•An mroute being denied by the per interface mroute state limiter because the maximum number of mroute states has been reached.
•An mroute state being created and the corresponding per interface mroute state limiter counter being increased by the cost of 2 on incoming Ethernet interface 1/0.
•An mroute olist member being removed from the olist and the corresponding per interface mroute limiter being decreased by a cost of 2 on outgoing Ethernet interface 1/0.
Router# debug ip mrouting limits
MRL(0): incr-ed acl `rpf-list' to (13 < max 32), [n:0,p:0], (main) GigabitEthernet0/0, (10.41.0.41, 225.30.200.60)MRL(0): decr-ed acl `out-list' to (10 < max 32), [n:0,p:0], (main) GigabitEthernet0/0, (*, 225.40.202.60)MRL(0): Add mroute (10.43.0.43, 225.30.200.60) denied for GigabitEthernet0/2, acl std-list, (16 = max 16)MRL(0): incr-ed limit-acl `rpf-list' to (12 < max 32), cost-acl 'cost-list' cost 2, [n:0,p:0], (main) GigabitEthernet0/0, (10.41.0.41, 225.30.200.60)MRL(0): decr-ed limit-acl `out-list' to (8 < max 32), cost-acl 'cost-list'' cost 2, [n:0,p:0], (main) GigabitEthernet0/0, (*, 225.40.202.60)Step 3 show ip multicast limit type number
Use this command to display counters related to mroute state limiters configured on the interfaces on the router.
Specify the optional type number arguments to restrict the output to displaying only statistics about per interface mroute state limiters configured on the specified interface.
For each per interface mroute state limiter shown in the output, the following information is displayed:
•The direction of traffic that the per mroute state limiter is limiting.
•The ACL referenced by the per interface mroute state limiter that defines the IP multicast traffic being limited.
•Statistics, enclosed in parenthesis, which track the current number of mroutes being limited less the configured limit. Each time the state for an mroute is created or deleted and each time an outgoing interface list (olist) member is added or removed, the counters for matching per interface mroute state limiters are increased or decreased accordingly.
•The exceeded counter, which tracks the total number of times that the limit configured for the per interface mroute state limiter has been exceeded. Each time an mroute is denied due to the configured limit being reached, the exceeded counter is increased by a value of 1.
The following is sample output from the show ip multicast limit command with the type number arguments. In this example, information about mroute state limiters configured on Gigabit Ethernet interface 0/0 is displayed.
Router# show ip multicast limit GigabitEthernet 0/0Interface GigabitEthernet 0/0Multicast Access Limitsout acl out-list (1 < max 32) exceeded 0rpf acl rpf-list (6 < max 32) exceeded 0con acl conn-list (0 < max 32) exceeded 0Step 4 clear ip multicast limit [type number]
Use this command to reset the exceeded counter for per interface mroute state limiters.
The exceeded counter is displayed in the output of the show ip multicast limit command. This counter tracks the total number of times that the limit configured for the per interface mroute state limiter has been exceeded. Each time an mroute is denied due to the configured limit being reached, the exceeded counter is increased by a value of 1.
Specify the optional type number arguments to reset the exceeded counter for only per interface mroute state limiters configured on the specified interface.
The following example shows how to reset exceeded counters for per interface mroute state limiters configured on Gigabit Ethernet interface 0/0:
clear ip multicast limit interface GigabitEthernet 0/0
Configuration Examples for Configuring Multicast Admission Control
This section provides the following configuration examples:
•Configuring Global and Per MVRF Mroute State Limiters: Example
•Configuring MSDP SA Limiters: Example
•Configuring IGMP State Limiters: Example
•Configuring Per Interface Mroute State Limiters: Example
•Configuring Bandwidth-Based Multicast CAC Policies: Example
Configuring Global and Per MVRF Mroute State Limiters: Example
The following example shows how to configure a global mroute state limiter. In this example, a global mroute state limiter is configured with an mroute limit of 1500 and an mroute threshold limit of 1460.
ip multicast route-limit 1500 1460The following is a sample mroute threshold warning message. The output shows that the configured mroute threshold limit of 1460 has been exceeded by one mroute.
%MROUTE-4-ROUTELIMITWARNING : multicast route-limit warning 1461 threshold 1460The following is a sample mroute exceeded warning message. The output shows that the configured mroute limit of 1500 has been exceeded by one mroute. States for mroutes that exceed the configured limit for the global mroute state limiter are not created on the router.
%MROUTE-4-ROUTELIMIT : 1501 routes exceeded multicast route-limit of 1500Configuring MSDP SA Limiters: Example
The following example shows how to configure an MSDP SA limiter. In this example, an MSDP SA limiter is configured that imposes a limit of 100 SA messages from the MSDP peer at 192.168.10.1.
ip msdp sa-limit 192.168.10.1 100Configuring IGMP State Limiters: Example
The following example shows how to configure IGMP state limiters to provide multicast CAC in a network environment where all the multicast flows roughly utilize the same amount of bandwidth.
This example uses the topology illustrated in Figure 1.
Figure 1 IGMP State Limit Example Topology
In this example, a service provider is offering 300 Standard Definition (SD) TV channels. Each SD channel utilizes approximately 4 Mbps.
The service provider must provision the Gigabit Ethernet interfaces on the PE router connected to the Digital Subscriber Line Access Multiplexers (DSLAMs) as follows: 50% of the link's bandwidth (500 Mbps) must be available to subscribers of the Internet, voice, and video on demand (VoD) service offerings while the remaining 50% (500 Mbps) of the link's bandwidth must be available to subscribers of the SD channel offerings.
Because each SD channel utilizes the same amount of bandwidth (4 Mbps), per interface IGMP state limiters can be used to provide the necessary CAC to provision the services being offered by the service provider. To determine the required CAC needed per interface, the total number of channels is divided by 4 (because each channel utilizes 4 Mbps of bandwidth). The required CAC needed per interface, therefore, is as follows:
500Mbps / 4Mbps = 125 mroutes
Once the required CAC is determined, the service provider uses the results to configure the per IGMP state limiters required to provision the Gigabit Ethernet interfaces on the PE router. Based on the network's CAC requirements, the service provider must limit the SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 125. Configuring a per interface IGMP state limit of 125 for the SD channels provisions the interface for 500 Mbps of bandwidth, the 50% of the link's bandwidth that must always be available (but never exceeded) for the SD channel offerings.
The following configuration shows how the service provider uses a per interface mroute state limiter to provision interface Gigabit Ethernet 0/0 for the SD channels and Internet, Voice, and VoD services being offered to subscribers:
interface GigabitEthernet0/0description --- Interface towards the DSLAM ---...ip igmp limit 125Configuring Per Interface Mroute State Limiters: Example
The following example shows how to configure per interface mroute state limiters to provide multicast CAC in a network environment where all the multicast flows roughly utilize the same amount of bandwidth.
This example uses the topology illustrated in Figure 2.
Figure 2 Per Interface Mroute State Limit Example Topology
In this example, a service provider is offering 300 SD TV channels. The SD channels are being offered to customers in three service bundles (Basic, Premium, and Gold), which are available to customers on a subscription basis. Each bundle offers 100 channels to subscribers, and each channel utilizes approximately 4 Mbps of bandwidth.
The service provider must provision the Gigabit Ethernet interfaces on the PE router connected to DSLAMs as follows: 50% of the link's bandwidth (500 Mbps) must be available to subscribers of their Internet, voice, and VoD service offerings while the remaining 50% (500 Mbps) of the link's bandwidth must be available to subscribers of their SD channel bundle service offerings.
For the 500 Mbps of the link's bandwidth that must always be available to (but must never be exceeded by) the subscribers of the SD channel bundles, the interface must be further provisioned as follows:
•60% of the bandwidth must be available to subscribers of the basic service (300 Mbps).
•20% of the bandwidth must be available to subscribers of the premium service (100 Mbps).
•20% of the bandwidth must be available to subscribers of the gold service (100 Mbps).
Because each SD channel utilizes the same amount of bandwidth (4 Mbps), per interface mroute state limiters can be used to provide the necessary CAC to provision the services being offered by the service provider. To determine the required CAC needed per interface, the number of channels for each bundle is divided by 4 (because each channel utilizes 4 Mbps of bandwidth). The required CAC needed per interface, therefore, is as follows:
•Basic Services: 300 / 4 = 75
•Premium Services: 100 / 4 = 25
•Gold Services: 100 / 4 = 25
Once the required CAC required per SD channel bundle is determined, the service provider uses the results to configure the mroute state limiters required to provision the Gigabit Ethernet interfaces on the PE router for the services being offered to subscribers behind the DSLAMs:
•For the Basic Services bundle, the service provider must limit the number of Basic Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 75. Configuring an mroute state limit of 75 for the SD channels offered in the Basic Service bundle provisions the interface for 300 Mbps of bandwidth (the 60% of the link's bandwidth that must always be available to [but never exceeded by] the subscribers of the Basic Services bundle).
•For the Premium Services bundle, the service provider must limit the number of Premium Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 25. Configuring an mroute state limit of 25 for the SD channels offered in the Premium Service bundle provisions the interface for 100 Mbps of bandwidth (the 20% of the link's bandwidth that must always be available to [but never exceeded by] the subscribers of the Premium Service bundle).
•For the Gold Services bundle, the service provider must limit the number of Gold Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 25. Configuring an mroute state limit of 25 for the SD channels offered in the Gold Service bundle provisions the interface for 100 Mbps of bandwidth (the 20% of the link's bandwidth that must always be available to [but never exceeded by] the subscribers of the Gold Service bundle).
The service provider then configures three ACLs to be applied to per interface mroute state limiters. Each ACL defines the SD channels for each SD channel bundle to be limited on an interface:
•acl-basic—The ACL that defines the SD channels offered in the basic service.
•acl-premium—The ACL that defines the SD channels offered in the premium service.
•acl-gold—The ACL that defines the SD channels offered in the gold service.
These ACLs are then applied to per interface mroute state limiters configured on the PE router's Gigabit Ethernet interfaces.
For this example, three per interface mroute state limiters are configured on Gigabit Ethernet interface 0/0 to provide the multicast CAC needed to provision the interface for the SD channel bundles being offered to subscribers:
•An mroute state limit of 75 for the SD channels that match acl-basic.
•An mroute state limit of 25 for the SD channels that match acl-premium.
•An mroute state limit of 25 for the SD channels that match acl-gold.
The following configuration shows how the service provider uses per interface mroute state limiters to provision Gigabit Ethernet interface 0/0 for the SD channel bundles and Internet, Voice, and VoD services being offered to subscribers:
interface GigabitEthernet0/0description --- Interface towards the DSLAM ---...ip multicast limit out acl-basic 75ip multicast limit out acl-premium 25ip multicast limit out acl-gold 25Configuring Bandwidth-Based Multicast CAC Policies: Example
The following example shows how to configure bandwidth-based multicast CAC policies to provide multicast CAC in a network environment where the multicast flows utilize different amounts of bandwidth.
This example uses the topology illustrated in Figure 3.
Figure 3 Bandwidth-Based CAC for IP Multicast Example Topology
In this example, three content providers are providing TV services across a service provider core. The content providers are broadcasting TV channels that utilize different amounts of bandwidth:
•MPEG-2 SDTV channels—4 Mbps per channel.
•MPEG-2 HDTV channels—18 Mbps per channel.
•MPEG-4 SDTV channels—1.6 Mbps per channel.
•MPEG-4 HDTV channels—6 Mbps per channel.
The service provider needs to provision the fair sharing of bandwidth between these three content providers to its subscribers across Gigabit Ethernet interfaces. The service provider, thus, determines that it needs to provision each Gigabit Ethernet interface on the PE router connected to the DSLAMs as follows:
•250 Mbps per content provider.
•250 Mbps for Internet, voice, and VoD services.
The service provider then configures three ACLs:
•acl-CP1-channels—The ACL that defines the channels being offered by the content provider CP1.
•acl-CP2-channels—The ACL that defines the channels being offered by the content provider CP2.
•acl-CP3-channels—The ACL that defines the channels being offered by the content provider CP3.
Because the content providers are broadcasting TV channels that utilize different amounts of bandwidth, the service provider needs to determine the values that need to be configured for the per interface mroute state limiters and bandwidth-based multicast CAC policies to provide the fair sharing of bandwidth required between the content providers.
Prior to the introduction of the Bandwidth-Based CAC for IP Multicast feature, per interface mroute state limiters were based strictly on the number of flows. The introduction of cost multipliers by the Bandwidth-Based CAC for IP Multicast feature expands how per interface mroute state limiters can be defined. Instead of defining the per interface mroute state limiters based on the number of multicast flows, the service provider looks for a common unit of measure and decides to represent the per interface mroute state limiters in kilobits per second (Kbps). The service provider then configures three per interface mroute state limiters, one per content provider. Because the link is a Gigabit, the service provider sets each limit to 250000 (because 250000 Kbps equals 250 Mbps, the number of bits that service provider needs to provision per content provider).
The service provider needs to further provision the fair sharing of bandwidth between the content providers, which can be achieved by configuring bandwidth-based multicast CAC policies. The service provider decides to create four bandwidth-based CAC policies, one policy per channel based on bandwidth. For these policies, the service provider configures the following ACLs:
•acl-MP2SD-channels—Defines all the MPEG-2 SD channels offered by the three content providers.
•acl-MP2HD-channels—Defines all the MPEG-2 HD channels offered by the three content providers.
•acl-MP4SD-channels—Defines all the MPEG-4 SD channels offered by the three content providers.
•acl-MP4HD-channels—Defines all the MPEG-4 HD channels offered by the three content providers.
For each policy, a cost multiplier (represented in Kbps) is defined for each ACL that is based on the bandwidth of the channels defined in the ACL:
•4000—Represents the 4 Mbps MPEG-2 SD channels.
•18000—Represents the 18 Mbps MPEG-2 HD channels.
•1600—Represents the 1.6 Mbps MPEG-4 SD channels.
•6000—Represents the 6 Mbps MPEG-4 HD channels.
The following configuration example shows how the service provider used per interface mroute state limiters with bandwidth-based multicast CAC policies to provision Gigabit Ethernet interface 0/0 for the fair sharing of bandwidth required between the three content providers:
!ip multicast limit cost acl-MP2SD-channels 4000ip multicast limit cost acl-MP2HD-channels 18000ip multicast limit cost acl-MP4SD-channels 1600ip multicast limit cost acl-MP4HD-channels 6000!...!interface GigabitEthernet0/0ip multicast limit out acl-CP1-channels 250000ip multicast limit out acl-CP2-channels 250000ip multicast limit out acl-CP3-channels 250000!Additional References
The following sections provide references related to configuring multicast admission control.
Related Documents
Related Topic Document TitleOverview of the IP multicast technology area
"IP Multicast Technology Overview" module
Concepts, tasks, and examples for configuring an IP multicast network using PIM
Concepts, tasks, and examples for using MSDP to interconnection multiple PIM-SM domains
Multicast commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Standards
Standards TitleNo new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
RFCs TitleNo new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Feature Information for Configuring Multicast Admission Control
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the "IP Multicast Features Roadmap."
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Configuring Multicast Admission Control
Feature Name Releases Feature InformationBandwidth-Based CAC for IP Multicast
12.2(33)SRB
12.4(15)T
12.2(33)SXIThe Bandwidth-Based CAC for IP Multicast feature enhances the Per Interface Mroute State Limit feature by implementing a way to count per interface mroute state limiters using cost multipliers. This feature can be used to provide bandwidth-based CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth.
The following sections provide information about this feature:
•Bandwidth-Based CAC for IP Multicast
•Configuring Bandwidth-Based Multicast CAC Policies
•Configuring Bandwidth-Based Multicast CAC Policies: Example
The following command was introduced by this feature: ip multicast limit cost.
IGMP State Limit
12.2(14)S
12.2(15)T
15.0(1)SThe IGMP State Limit feature introduces the capability to limit the number of mroute states resulting from IGMP membership states on a per interface or global basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. This feature can be used to
prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.
The following sections provide information about this feature:
•Configuring IGMP State Limiters
•Configuring IGMP State Limiters: Example
•Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies
The following commands were introduced or modified by this feature: ip igmp limit (global), ip igmp limit (interface), show ip igmp interface.
Per Interface Mroute State Limit
12.3(14)T
12.2(33)SRB
12.2(33)SXIThe Per Interface Mroute State Limit feature provides the capability to limit the number of mroute states on an interface for different ACL-classified sets of multicast traffic. This feature can be used to prevent DoS attacks, or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.
The following sections provide information about this feature:
•Per Interface Mroute State Limit
•Configuring Per Interface Mroute State Limiters
•Configuring Bandwidth-Based Multicast CAC Policies
•Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies
The following commands were introduced or modified by this feature: clear ip multicast limit, debug ip mrouting limits, ip multicast limit, show ip multicast limit.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008-2010 Cisco Systems, Inc. All rights reserved.