This document describes how to configure a standard set of filtering
rules for Multicast Source Discovery Protocol (MSDP) Source-Active (SA)
messages. Cisco highly recommends establishing at least these filters when
connecting to the native IP multicast Internet.
Note: The information in this document applies to all current MSDP capable
Cisco IOS® Software Releases.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware
For more information on document conventions, see the
Cisco Technical Tips
MSDP-SA messages contain (source, group (S,G)) information for
rendezvous points (RPs) (called MSDP peers) in Protocol Independent Multicast
sparse-mode (PIM-SM) domains. This mechanism allows RPs to learn about
multicast sources in remote PIM-SM domains so that they can join those sources
if there are local receivers in their own domain. You can also use MSDP between
multiple RPs in a single PIM-SM domain to establish MSDP mesh-groups.
With a default configuration, MSDP exchanges SA messages without
filtering them for specific source or group addresses.
Typically, there are a number of (S,G) states in a PIM-SM domain that
should stay within the PIM-SM domain, but, due to default filtering, they get
passed in SA messages to MSDP peers. Examples of this include domain local
applications that use global IP multicast addresses, and sources that use local
IP addresses (such as 10.x.y.z). In the native IP multicast Internet, this
default leads to excessive (S,G) information being shared. To improve the
scalability of MSDP in the native IP multicast Internet, and to avoid global
visibility of domain local (S,G) information, we recommend using the following
configuration to reduce unnecessary creation, forwarding, and caching of some
of these well-known domain local sources.
Cisco recommends using the following configuration filter for PIM-SM
domains with a single RP for every group (no MSDP mesh-group):
!--- Filter MSDP SA-messages.
!--- Replicate the following two rules for every external MSDP peer.
ip msdp sa-filter in <peer_address> list 111
ip msdp sa-filter out <peer_address> list 111
!--- The redistribution rule is independent of peers.
ip msdp redistribute list 111
!--- ACL to control SA-messages originated, forwarded.
!--- Domain-local applications.
access-list 111 deny ip any host 188.8.131.52 !
access-list 111 deny ip any host 184.108.40.206 ! Rwhod
access-list 111 deny ip any host 220.127.116.11 ! Microsoft-ds
access-list 111 deny ip any host 18.104.22.168 ! SVRLOC
access-list 111 deny ip any host 22.214.171.124 ! SGI-Dogfight
access-list 111 deny ip any host 126.96.36.199 ! SVRLOC-DA
access-list 111 deny ip any host 188.8.131.52 ! hp-device-disc
!--- Auto-RP groups.
access-list 111 deny ip any host 184.108.40.206
access-list 111 deny ip any host 220.127.116.11
!--- Scoped groups.
access-list 111 deny ip any 18.104.22.168 0.255.255.255
!--- Loopback, private addresses (RFC 1918).
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
!--- Default SSM-range. Do not do MSDP in this range.
access-list 111 deny ip any 22.214.171.124 0.255.255.255
access-list 111 permit ip any any
In the example above, access list 111 (you can use any number) defines
domain local SA-information. This includes (S,G) state for global groups used
by domain local applications, the two auto-RP groups, scoped groups, and (S,G)
state from local IP addresses.
This filter list is applied so that the local router does not accept
domain-local SA-information from external MSDP peers and that external MSDP
peers never get SA-information or domain local information from the router.
The ip msdp sa-filter in <peer_address>
list 111 command filters local information from SA
messages received from MSDP peer <peer_address>. If
you configure this command on every external MSDP peer, then the router itself
will not accept any domain local information from outside the domain.
The ip msdp sa-filter out
<peer_address> list 111 command
filters domain local information from SA announcements sent to MSDP peer
<peer_address>. If you configure this command on
every external MSDP peer, then no domain local information is announced outside
We included the ip msdp redistribute list
111 command for added safety. It prevents the router from
originating SA messages for domain local (S,G) state. This action is
independent of the filtering of sent SA messages caused by the ip
msdp sa-filter out command.
If the PIM-SM domain uses an MSDP mesh-group, then there are domain
internal MSDP peers. For this situation, the configuration described above
needs to be examined further.
You should apply the ip msdp sa-filter in
and ip msdp sa-filter out rules to external MSDP
peers only. If you apply them to internal MSDP peers, all SA information
filtered by access-list 111 will not be passed between internal peers, which
breaks any application using the source or group addresses filtered by
access-list 111 (unless, as in the case of auto-RP groups, the groups use
PIM-DM instead of PIM-SM).
Cisco recommends not configuring the ip msdp redistribute
list 111 command because it prevents the RP from originating SA
messages for domain local (S,G) state. This command breaks any domain local
application that depends on it. Since this command is included for added
safety, removing it will not change how messages are filtered between external
Note: You should consistently apply the filtering described here to all RPs
within the MSDP mesh-group.
The MSDP Documentation
on CCO describes MSDP commands.
The following commands filter SA messages:
ip msdp sa-filter in <peer>
[list <acl>] [route-map
<map>] - Defines which SA messages
received from MSDP peers are accepted. By default, all SA messages are accepted
if they pass the MSDP Reverse Path Forwarding (RPF) checks outlined in this
ip msdp redistribute [list
<map>] - Defines for which (S,G)
information the local router originates SA messages. By default, SA messages
are originated for all sources that match one of the following criteria:
Data received on, and RPF to source through, the same
Note: When one of these rules is satisfied, an "A" flag is set on the
(S,G) entry corresponding to that source in Cisco IOS® Software Release 12.0(6)
ip msdp sa-filter out
<peer> [list <acl>]
[route-map <map>] - Defines which
SA messages that have originated locally or been accepted from MSDP peers are
forwarded to other MSDP peers. By default, all locally-originated SA messages
and all received and accepted SA messages are sent to other MSDP peers.
To minimize the need to continuously update the filter list recommended
above, domain local applications should always use scoped group addresses or
private source addresses by default. On the domain boundary, these addresses
are filtered by SA-message filtering and by multicast boundary definitions for
the scoped multicast addresses.