Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-27 Thread Phil Mayers
On 27/01/2017 15:15, James A. T. Rice wrote:

There appears to be a Cisco 'wontfix' bug for this: https://quickview.cloudapps.cisco.com/quickview/bug/CSCuo37358

Ugh. That is not promising. I've personally never tested the MLD RL - I know other RLs on the platform work, I had foolishly

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-27 Thread James A. T. Rice
Hi Saku,

> On 26 Jan 2017, at 16:08, Saku Ytti wrote:
>
> If you allow MCAST in CoPP and MLS rate-limit, you can drop them in HW.

With MLS rate-limit on 15.1SY sup720-3b:

# mls qos
# mls rate-limit multicast ipv6 mld 10 1
# show mls rate-limit
Rate Limiter Type Status

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-27 Thread James A. T. Rice
Hi Enno,

> On 26 Jan 2017, at 08:42, Enno Rey wrote:
>
> from the top of my head "no ipv6 mld join-group" should achieve that (whereas
> "no ipv6 mld router" disables the querier side of things).
> have you tried that (the former)?

'no ipv6 mld join-group' requires a group

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-27 Thread Phil Mayers
On 27/01/2017 14:04, adamv0...@netconsultings.com wrote:

Saku Ytti
Sent: Thursday, January 26, 2017 4:51 PM

On 26 January 2017 at 18:41, Phil Mayers wrote:

Box-wide though, right? No way to only do this on the IXP interface with MLS RL.

Unfortunately no. I guess

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-27 Thread adamv0025
> Saku Ytti
> Sent: Thursday, January 26, 2017 4:51 PM
>
> On 26 January 2017 at 18:41, Phil Mayers wrote:
>
> > Box-wide though, right? No way to only do this on the IXP interface
> > with MLS RL.
>
> Unfortunately no. I guess per DFC should be possible, unsure if

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Saku Ytti
On 26 January 2017 at 18:41, Phil Mayers wrote:
> Box-wide though, right? No way to only do this on the IXP interface with MLS
> RL.

Unfortunately no. I guess per DFC should be possible, unsure if it's supported.

--
++ytti

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Phil Mayers
On 26/01/2017 16:08, Saku Ytti wrote:

On 26 January 2017 at 13:54, Phil Mayers wrote:

Hey,

Worth noting that CoPP on sup720 is done in software for multicast and broadcast. I assume it'll come before MLD processing so would stop the queries arriving and thus replies

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Saku Ytti
On 26 January 2017 at 13:54, Phil Mayers wrote:

Hey,

> Worth noting that CoPP on sup720 is done in software for multicast and
> broadcast. I assume it'll come before MLD processing so would stop the
> queries arriving and thus replies being sent, but worth testing.
>
>

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Phil Mayers
On 26/01/17 08:18, Lukas Tribus wrote:

I've been testing workarounds based upon filtering the incoming MLD query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco 6500 w. SUP720-3B running 15.1(2)SY).

Control Plane Policing is probably the way to address this (in case MLD cannot

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Enno Rey
Hi,

On Wed, Jan 25, 2017 at 06:35:19PM +, James A. T. Rice wrote:
> Hi Folks,
>
> I'm trying to gather information on how to disable MLD reports for various
> Cisco devices in use at IXPs - where MLD queries and reports are often both
> prohibited traffic.
>
> There doesn't seem to be a

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Lukas Tribus
> I've been testing workarounds based upon filtering the incoming MLD
> query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco
> 6500 w. SUP720-3B running 15.1(2)SY).

Control Plane Policing is probably the way to address this (in case MLD cannot be properly disabled, I mean).

>

[c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-25 Thread James A . T . Rice
Hi Folks,

I'm trying to gather information on how to disable MLD reports for various Cisco devices in use at IXPs - where MLD queries and reports are often both prohibited traffic.

There doesn't seem to be a configuration line to disable replying to MLD queries with MLD reports. I've been