Example: Configuring MSDP with Active Source Limits and Mesh Groups

This example shows how to configure MSDP to filter source-active messages and limit the flooding of source-active messages.

Requirements

Before you begin:

Overview

A router interested in MSDP messages, such as an RP, might have to process a large number of MSDP messages, especially source-active messages, arriving from other routers. Because a router might have to examine, process, and create state for many MSDP packets, a router running MSDP is exposed to an MSDP-based denial-of-service (DoS) attack. To minimize this exposure, you can configure the router to limit the number of source-active messages it accepts. You can also configure a threshold above which random early discard (RED) drops some, but not all, source-active messages.

By default, the router accepts 25,000 source-active messages before ignoring the rest. The limit can be from 1 through 1,000,000. The limit is applied to both the number of messages and the number of MSDP peers.

By default, the router accepts 24,000 source-active messages before applying the RED profile to prevent a possible DoS attack. This number can also range from 1 through 1,000,000. The next 1,000 messages are screened by the RED profile and the accepted messages processed. If you configure no drop profiles (as this example does not), RED is still in effect and functions as the primary mechanism for managing congestion. In the default RED drop profile, when the packet queue fill-level is 0 percent, the drop probability is 0 percent. When the fill-level is 100 percent, the drop probability is 100 percent.

Note: The router ignores source-active messages with encapsulated TCP packets. Multicast does not use TCP; segments inside source-active messages are most likely the result of worm activity.

The number configured for the threshold must be less than the number configured for the maximum number of active MSDP sources.

You can configure an active source limit globally, for a group, or for a peer. If active source limits are configured at multiple levels of the hierarchy (as shown in this example), all are applied.

You can configure an active source limit for an address range as well as for a specific peer. A per-source active source limit uses an IP prefix and prefix length instead of a specific address. You can configure more than one per-source active source limit. The longest match determines the limit.

Per-source active source limits can be combined with active source limits at the peer, group, and global (instance) hierarchy level. Per-source limits are applied before any other type of active source limit. Limits are tested in the following order:

  1. Source
  2. Peer
  3. Group
  4. Instance

An active source message must “pass” all limits established before being accepted. For example, if a source is configured with an active source limit of 10,000 active multicast groups and the instance is configured with a limit of 5,000 (and there are no other sources or limits configured), only 5,000 active source messages are accepted from this source.
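The following Python model is an added illustration of the limit rules above, not Juniper code and not part of this example. It applies per-source (longest prefix), peer, group, and instance limits in that order, advances counters only when every applicable limit admits the message, enforces the threshold-below-maximum rule, and reproduces the worked case of a 10,000 source limit under a 5,000 instance limit. Three points are assumptions of the model rather than statements on this page: a per-source limit counts messages for the whole prefix, a limit with no configured threshold has no RED region, and the RED drop probability rises linearly from 0 at the threshold to 1 at the maximum (the shape of the default drop profile described above).

```python
"""Model of how Junos combines MSDP active-source limits (added illustration,
not Juniper code). A source-active (SA) message must pass every applicable
limit, tested in the order source, peer, group, instance; per-source limits
match by longest prefix; between threshold and maximum RED drops some
messages. Model assumptions: a per-source limit counts the whole prefix, no
threshold means no RED region, RED drop probability rises linearly to 1."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_MAXIMUM = 25_000  # Junos default active-source-limit maximum


@dataclass
class Limit:
    maximum: int = DEFAULT_MAXIMUM
    threshold: Optional[int] = None  # None: no RED region (model assumption)
    accepted: int = 0

    def __post_init__(self):
        if not 1 <= self.maximum <= 1_000_000:
            raise ValueError("maximum must be 1..1,000,000")
        if self.threshold is not None and not 1 <= self.threshold < self.maximum:
            raise ValueError("threshold must be 1..1,000,000 and less than maximum")

    def would_admit(self, rng: random.Random) -> bool:
        if self.accepted >= self.maximum:
            return False  # hard limit reached: ignore the rest
        if self.threshold is not None and self.accepted >= self.threshold:
            # RED region: drop probability is the fill of the threshold..maximum
            # window (0 % at the threshold, 100 % at the maximum)
            fill = (self.accepted - self.threshold) / (self.maximum - self.threshold)
            return rng.random() >= fill
        return True


def limit_is_valid(maximum: int, threshold: Optional[int] = None) -> bool:
    """True when the pair would commit (threshold must be below maximum)."""
    try:
        Limit(maximum=maximum, threshold=threshold)
    except ValueError:
        return False
    return True


@dataclass
class MsdpLimiter:
    instance: Limit = field(default_factory=Limit)
    peers: dict = field(default_factory=dict)       # peer address -> Limit
    groups: dict = field(default_factory=dict)      # group name -> Limit
    peer_group: dict = field(default_factory=dict)  # peer address -> group name
    sources: dict = field(default_factory=dict)     # ip_network -> Limit

    def add_source_limit(self, prefix: str, limit: Limit) -> None:
        self.sources[ipaddress.ip_network(prefix)] = limit

    def source_limit(self, source: str) -> Optional[Limit]:
        """Longest-prefix match of the SA source address against per-source limits."""
        addr = ipaddress.ip_address(source)
        matches = [net for net in self.sources if addr in net]
        if not matches:
            return None
        return self.sources[max(matches, key=lambda net: net.prefixlen)]

    def accept(self, peer: str, source: str, rng: random.Random) -> bool:
        """Test limits in order source, peer, group, instance; counters advance
        only when every applicable limit admits the message."""
        candidates = (self.source_limit(source), self.peers.get(peer),
                      self.groups.get(self.peer_group.get(peer)), self.instance)
        applicable = [lim for lim in candidates if lim is not None]
        if not all(lim.would_admit(rng) for lim in applicable):
            return False
        for lim in applicable:
            lim.accepted += 1
        return True


def example_from_page() -> int:
    """Worked case above: source limit 10,000 under instance limit 5,000.
    Of 12,000 SAs from addresses inside the prefix, 5,000 are accepted."""
    rng, lim = random.Random(0), MsdpLimiter(instance=Limit(maximum=5_000))
    lim.add_source_limit("10.1.0.0/16", Limit(maximum=10_000))
    first = ipaddress.ip_address("10.1.0.0")
    return sum(lim.accept("10.0.0.1", str(first + i), rng) for i in range(12_000))


def longest_match_demo() -> tuple:
    """/16 limit of 500 plus a /24 limit of 10: the /24 governs 10.1.2.x, so
    20 SAs from 10.1.2.7 give 10 accepts while 20 from 10.1.3.7 give 20."""
    rng, lim = random.Random(0), MsdpLimiter()
    lim.add_source_limit("10.1.0.0/16", Limit(maximum=500))
    lim.add_source_limit("10.1.2.0/24", Limit(maximum=10))
    in_24 = sum(lim.accept("10.0.0.1", "10.1.2.7", rng) for _ in range(20))
    in_16 = sum(lim.accept("10.0.0.1", "10.1.3.7", rng) for _ in range(20))
    return in_24, in_16


def red_demo(seed: int = 1, messages: int = 5_000) -> int:
    """Peer 10.0.0.1 with maximum 5,000 and threshold 4,000 as in this example:
    the first 4,000 SAs are accepted outright, the rest face RED drops."""
    rng, lim = random.Random(seed), MsdpLimiter()
    lim.peers["10.0.0.1"] = Limit(maximum=5_000, threshold=4_000)
    return sum(lim.accept("10.0.0.1", "192.0.2.1", rng) for _ in range(messages))
```

The two-phase check in accept matters: if the source limit were counted before the instance limit rejected the message, the per-source counter would fill up with messages the router never accepted, and a peer could exhaust a source's budget by sending SAs the instance limit discards anyway.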

MSDP mesh groups are groups of peers configured in a full-mesh topology that limits the flooding of source-active messages to neighboring peers. Every mesh group member must have a peer connection with every other mesh group member. When a source-active message is received from a mesh group member, the source-active message is always accepted but is not flooded to other members of the same mesh group. However, the source-active message is flooded to non-mesh group peers or members of other mesh groups. By default, standard flooding rules apply if mesh-group is not specified.

Caution: When configuring MSDP mesh groups, you must configure all members the same. If you do not configure a full mesh, excessive flooding of source-active messages can occur.

A common application for MSDP mesh groups is peer-reverse-path-forwarding (peer-RPF) check bypass. For example, if there are two MSDP peers inside an autonomous system (AS), and only one of them has an external MSDP session to another AS, the internal MSDP peer often rejects incoming source-active messages relayed by the peer with the external link. Rejection occurs because the external MSDP peer must be reachable by the internal MSDP peer through the next hop toward the source in another AS, and this next-hop condition is not certain. To prevent rejections, configure an MSDP mesh group on the internal MSDP peer so it always accepts source-active messages.

Note: An alternative way to bypass the peer-RPF check is to configure a default peer. In networks with only one MSDP peer, especially stub networks, the source-active message always needs to be accepted. An MSDP default peer is an MSDP peer from which all source-active messages are accepted without performing the peer-RPF check. You can establish a default peer at the peer or group level by including the default-peer statement.

Table 10 explains how flooding is handled by peers in this example. Figure 27 illustrates source-active message flooding between different mesh groups and peers within the same mesh group.

Table 10: Source-Active Message Flooding Explanation

Source-Active Message Received From | Source-Active Message Flooded To | Source-Active Message Not Flooded To
Peer 21 | Peer 11, Peer 12, Peer 13, Peer 31, Peer 32 | Peer 22
Peer 11 | Peer 21, Peer 22, Peer 31, Peer 32 | Peer 12, Peer 13
Peer 31 | Peer 21, Peer 22, Peer 11, Peer 12, Peer 13, Peer 32 | (none)

Figure 27: Source-Active Message Flooding (image g017098.gif, not reproduced in this text)
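As an added illustration (not Juniper code or part of this example), the following Python reproduces the flooding decisions in Table 10 and adds the full-mesh check the caution above calls for. The grouping it assumes is inferred from the table rather than stated on the page: Peer 11, Peer 12, and Peer 13 form one mesh group, Peer 21 and Peer 22 another, and Peer 31 and Peer 32 are ordinary peers in no mesh group. The peer names and the session list are constructed sample input.

```python
"""Flooding decision for a received MSDP source-active (SA) message under
mesh-group rules (added illustration, not Juniper code). Grouping inferred
from Table 10: Peer 11/12/13 and Peer 21/22 are mesh groups; Peer 31 and
Peer 32 are ordinary peers."""
import itertools

MESH_GROUPS = {
    "mesh-group-1": {"Peer 11", "Peer 12", "Peer 13"},
    "mesh-group-2": {"Peer 21", "Peer 22"},
}
PEERS = ["Peer 11", "Peer 12", "Peer 13", "Peer 21", "Peer 22", "Peer 31", "Peer 32"]


def mesh_group_of(peer, mesh_groups=MESH_GROUPS):
    """Name of the mesh group containing `peer`, or None for a non-mesh peer."""
    for name, members in mesh_groups.items():
        if peer in members:
            return name
    return None


def flood_targets(received_from, peers=PEERS, mesh_groups=MESH_GROUPS):
    """Split the other peers into (flooded_to, not_flooded_to).

    An SA from a mesh-group member is accepted but not re-flooded to that
    group's other members (the sender has a session with each of them);
    every other peer, including members of other mesh groups, gets a copy."""
    group = mesh_group_of(received_from, mesh_groups)
    same_group = mesh_groups[group] if group else set()
    flooded, withheld = [], []
    for peer in peers:
        if peer == received_from:
            continue  # never reflect an SA back to the peer it came from
        (withheld if peer in same_group else flooded).append(peer)
    return flooded, withheld


def full_mesh_violations(mesh_groups, sessions):
    """Pairs of mesh-group members with no MSDP session between them.

    `sessions` is a set of frozenset({a, b}). Any missing pair breaks the
    full-mesh requirement in the caution above, because no member re-floods
    an SA inside its own mesh group."""
    missing = []
    for name, members in mesh_groups.items():
        for a, b in itertools.combinations(sorted(members), 2):
            if frozenset((a, b)) not in sessions:
                missing.append((name, a, b))
    return missing


def flooding_table(peers=PEERS, mesh_groups=MESH_GROUPS):
    """Reproduce Table 10 for every peer as {received_from: (flooded, withheld)}."""
    return {p: flood_targets(p, peers, mesh_groups) for p in peers}


# Constructed sample sessions: mesh-group-1 is missing the Peer 11 - Peer 13 pair.
SAMPLE_SESSIONS = {frozenset(pair) for pair in [
    ("Peer 11", "Peer 12"), ("Peer 12", "Peer 13"),
    ("Peer 21", "Peer 22"), ("Peer 11", "Peer 21"), ("Peer 31", "Peer 32"),
]}
```

Run full_mesh_violations(MESH_GROUPS, SAMPLE_SESSIONS) before committing a mesh-group change; with the sample sessions it reports that Peer 11 and Peer 13 have no session, which is exactly the gap that leaves one member without the SA that its peers withheld.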

This example includes the following settings:

- Data encapsulation disabled (data-encapsulation disable).
- A global (instance-level) active source limit with a maximum of 10,000 messages.
- Peer 10.0.0.1 with an active source limit maximum of 5,000 messages and a RED threshold of 4,000.
- Source prefix 10.1.0.0/16 with an active source limit maximum of 500 messages.
- Mesh group MSDP-group with local address 10.1.2.3, containing peer 10.10.10.10 with an active source limit maximum of 7,500 messages.

Configuration

CLI Quick Configuration

To quickly configure MSDP source active routes and mesh groups, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI.

[edit]
set protocols msdp data-encapsulation disable
set protocols msdp active-source-limit maximum 10000
set protocols msdp peer 10.0.0.1 active-source-limit maximum 5000
set protocols msdp peer 10.0.0.1 active-source-limit threshold 4000
set protocols msdp source 10.1.0.0/16 active-source-limit maximum 500
set protocols msdp group MSDP-group mode mesh-group
set protocols msdp group MSDP-group local-address 10.1.2.3
set protocols msdp group MSDP-group peer 10.10.10.10 active-source-limit maximum 7500

Step-by-Step Procedure

To configure MSDP source active routes and mesh groups:

  1. (Optional) Disable data encapsulation.

    [edit]
    user@host# edit protocols msdp
    [edit protocols msdp]
    user@host# set data-encapsulation disable
  2. Configure the active source limits.

    [edit protocols msdp]
    user@host# set peer 10.0.0.1 active-source-limit maximum 5000 threshold 4000
    [edit protocols msdp]
    user@host# set group MSDP-group peer 10.10.10.10 active-source-limit maximum 7500
    [edit protocols msdp]
    user@host# set active-source-limit maximum 10000
    [edit protocols msdp]
    user@host# set source 10.1.0.0/16 active-source-limit maximum 500
  3. Configure the mesh group.

    [edit protocols msdp]
    user@host# set group MSDP-group mode mesh-group
    [edit protocols msdp]
    user@host# set group MSDP-group peer 10.10.10.10
    [edit protocols msdp]
    user@host# set group MSDP-group local-address 10.1.2.3
  4. If you are done configuring the device, commit the configuration.

    [edit protocols msdp]
    user@host# commit

Results

Confirm your configuration by entering the show protocols command.

[edit]
user@host# show protocols
msdp {
    data-encapsulation disable;
    active-source-limit {
        maximum 10000;
    }
    peer 10.0.0.1 {
        active-source-limit {
            maximum 5000;
            threshold 4000;
        }
    }
    source 10.1.0.0/16 {
        active-source-limit {
            maximum 500;
        }
    }
    group MSDP-group {
        mode mesh-group;
        local-address 10.1.2.3;
        peer 10.10.10.10 {
            active-source-limit {
                maximum 7500;
            }
        }
    }
}

Verification

To verify the configuration, run the following commands:

Related Topics