Hi,

On Wed, Jan 25, 2017 at 06:35:19PM +0000, James A. T. Rice wrote:
> Hi Folks,
> 
> I'm trying to gather information on how to disable MLD reports for various 
> Cisco devices in use at IXPs - where MLD queries and reports are often both 
> prohibited traffic.
> 
> There doesn't seem to be a configuration line to disable replying to MLD 
> queries with MLD reports.

Off the top of my head, "no ipv6 mld join-group" should achieve that (whereas 
"no ipv6 mld router" disables the querier side of things).
Have you tried that (the former)?

A while ago a bunch of guys (incl. myself) tried to suggest an "RA guard"-like 
thing called "MLD guard", but the draft never gained much ground. [see 
https://www.ietf.org/archive/id/draft-vyncke-pim-mld-security-01.txt]
So an ACL like the one you suggested below actually is the best/only way to go 
when it comes to filtering.

best

Enno



> 
> I've been testing workarounds based upon filtering the incoming MLD query, on 
> a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco 6500 w. SUP720-3B 
> running 15.1(2)SY).
> 
> Using the following ACL:
> ########
> ipv6 access-list v6-denymldquery-in
> deny icmp any host ff02::1 mld-query
> permit ipv6 any any
> interface <x>
> ipv6 traffic-filter v6-denymldquery-in in
> ########
> works on both the 4500 and 6500, when applied to the SVI/L3 interface.
> However, on the 4500 when applied to the SVI/L3 interface this gets processed 
> in CPU. It's better to use an SVI, and have the ACL applied on the L2 port, 
> or in a VLAN map, in which case the traffic is filtered in hardware.
> Conversely, on the 6500, it appears better to not use an SVI, since with a L3 
> port the SP CPU isn't hit. I've not found a way to filter the traffic such 
> that it doesn't hit the RP CPU.
> Configuration lines from after write erase, reload, for each test case, are 
> in the attached file, in case anyone would like to repeat this.
> 
> prevents MLD responses    [a] SVI/L3 ACL  [b] L2 port ACL  [c] VLAN map ACL
> / cpu@3kpps
> [1] 4500 L3 port          yes             n/a              no
>                           60%cpu
> [2] 4500 SVI + L2 access  yes             yes              yes
>                           60%cpu          0%cpu            0%cpu
> [3] 4500 SVI + L2 trunk   yes             yes              yes
>                           60%cpu          0%cpu            0%cpu
> [4] 6500 L3 port          yes             n/a              n/a
>                           20%rp 0%sp
> [5] 6500 SVI + L2 access  yes             no               no
>                           20%rp 40%sp
> [6] 6500 SVI + L3 trunk   yes             no               no
>                           20%rp 40%sp
> 
> 
> Does anyone have any better configurations for blocking MLD queries (i.e. on 
> the 6500 is there a way to make it process the ACL in HW, thus not affect RP 
> or the SP CPU)?
> 
> Does anyone have any configurations for the best way of stopping MLD 
> responses on other platforms, and whether it's possible for these to be 
> applied entirely in hardware? I don't have any more platforms to test on, but 
> ASR1K/ASR9K both seem to be popular peering platforms, and 7201 isn't unheard 
> of.
> 
> Bizarrely, one way of making the 6500 stop responding to MLD queries seems to 
> be to send 3000 pps of queries towards it for about 100 seconds, around which 
> point it will stop responding to any more until a chassis reload.
> 
> Thanks
> James Rice
> Jump Networks Ltd.

> 
> 
> 
> [1] 4500 with L3 port
> ipv6 unicast-routing
> int g1/48
>  no switchport
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no cdp enable
> [1.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [1.c]
> do show vlan internal usage
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1006
> 
> [2] 4500 with SVI + access port
> ipv6 unicast-routing
> vlan 1201
> interface g1/48
>  switchport access vlan 1201
>  switchport mode access
>  switchport nonegotiate
>  no cdp enable
>  spanning-tree portfast
>  spanning-tree bpdufilter enable
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [2.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [2.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [2.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> 
> 
> [3] 4500 with SVI + trunk port
> ipv6 unicast-routing
> vlan 1201
> interface g1/48
>  switchport trunk allowed vlan 1201
>  switchport mode trunk
>  switchport nonegotiate
>  no cdp enable
>  no vtp
>  spanning-tree portfast trunk
>  spanning-tree bpdufilter enable
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [3.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [3.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [3.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> 
> 
> 
> [4] 6500 with L3 port
> ipv6 unicast-routing
> int g1/2
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  media-type rj45
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no cdp enable
>  no shutdown
> [4.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/2
>  ipv6 traffic-filter v6-denymldquery-in in
> 
> 
> 
> [5] 6500 with SVI + access port
> ipv6 unicast-routing
> vlan 1201
> int g1/2
>  switchport
>  switchport access vlan 1201
>  switchport mode access
>  switchport nonegotiate
>  media-type rj45
>  no cdp enable
>  spanning-tree portfast edge
>  spanning-tree bpdufilter enable
>  no shutdown
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [5.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [5.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/2
>  ipv6 traffic-filter v6-denymldquery-in in
> [5.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> 
> 
> 
> 
> [6] 6500 with SVI + trunk port
> ipv6 unicast-routing
> vlan 1201
> int g1/2
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 1201
>  switchport mode trunk
>  switchport nonegotiate
>  media-type rj45
>  no cdp enable
>  no vtp
>  spanning-tree portfast edge trunk
>  spanning-tree bpdufilter enable
>  no shutdown
> int vlan 1201
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no shutdown
> [6.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface vlan 1201
>  ipv6 traffic-filter v6-denymldquery-in in
> [6.b]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/2
>  access-group mode prefer port
>  ipv6 traffic-filter v6-denymldquery-in in
> [6.c]
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1201
> [6.d]
> mls qos
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> class-map class-mld-query
>  match access-group name match-mld-query
> policy-map test-copp
>  class class-mld-query
>   police 32000 2000    conform-action drop exceed-action drop 
> control-plane
>  service-policy input test-copp
> 

> _______________________________________________
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
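As an added example (not from the thread or from either poster), here is a small Python model of the ACL used in James's tests: it builds constructed MLD frames, walks the IPv6 extension-header chain (MLD carries a Hop-by-Hop header with Router Alert) to reach the ICMPv6 type, and evaluates the two ACL lines first-match with Cisco's implicit deny. It also makes one coverage caveat visible: Multicast-Address-Specific queries are sent to the queried group address rather than to ff02::1 (RFC 2710), so an ACL matching only "host ff02::1 mld-query" passes them; whether that matters depends on which queries your IXP's hardening policy must suppress.

```python
import ipaddress
import struct

# IPv6 next-header values and the MLD ICMPv6 types the thread's ACL is about.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
MLD_QUERY, MLDV1_REPORT, MLDV2_REPORT = 130, 131, 143
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def build_mld(src, dst, icmp_type, body):
    """Constructed sample frame: IPv6 + Hop-by-Hop (Router Alert) + ICMPv6. Checksum left 0."""
    hbh = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])  # next=58, len=0, RtrAlert(5,2,0x0000), PadN
    icmp = bytes([icmp_type, 0, 0, 0]) + body   # type, code, checksum placeholder, body
    payload = hbh + icmp
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), HOP_BY_HOP, 1)  # hop limit 1
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv6(frame):
    """Walk the extension-header chain; return (src, dst, upper-layer protocol, icmp_type|None)."""
    nh = frame[6]
    src, dst = ipaddress.IPv6Address(frame[8:24]), ipaddress.IPv6Address(frame[24:40])
    off = 40
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS) and off + 2 <= len(frame):
        ext_len = 8 if nh == FRAGMENT else (frame[off + 1] + 1) * 8
        nh, off = frame[off], off + ext_len
    icmp_type = frame[off] if nh == ICMPV6 and off < len(frame) else None
    return src, dst, nh, icmp_type


# The thread's ACL as (action, protocol, destination, icmpv6 type); None means wildcard.
ACL = [("deny", ICMPV6, ALL_NODES, MLD_QUERY),   # deny icmp any host ff02::1 mld-query
       ("permit", None, None, None)]             # permit ipv6 any any


def acl_action(frame, acl=ACL):
    """First-match evaluation of the ACL against one frame, ending in the implicit deny."""
    _src, dst, nh, icmp_type = parse_ipv6(frame)
    for action, want_nh, want_dst, want_type in acl:
        if want_nh is not None and nh != want_nh:
            continue
        if want_dst is not None and dst != want_dst:
            continue
        if want_type is not None and icmp_type != want_type:
            continue
        return action
    return "deny"


# Constructed samples: a general query (dropped), an MLDv2 report (passed) and a
# group-specific query addressed to the group itself (also passed by this ACL).
GENERAL_QUERY = build_mld("fe80::1", "ff02::1", MLD_QUERY,
                          struct.pack("!HH", 10000, 0) + ipaddress.IPv6Address("::").packed)
GROUP_QUERY = build_mld("fe80::1", "ff02::2", MLD_QUERY,
                        struct.pack("!HH", 1000, 0) + ipaddress.IPv6Address("ff02::2").packed)
V2_REPORT = build_mld("fe80::2", "ff02::16", MLDV2_REPORT, struct.pack("!HH", 0, 0))
```

Feeding frames captured on the peering port through acl_action() gives a quick offline check of what the filter would and would not drop before it is applied on the box.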