Guest

Networking Software (IOS & NX-OS)

Configuring Multicast Admission Control

  • Viewing Options

  • PDF (420.4 KB)
  • Feedback
Configuring Multicast Admission Control

Table Of Contents

Configuring Multicast Admission Control

Finding Feature Information

Contents

Prerequisites for Configuring Multicast Admission Control

Information About Configuring Multicast Admission Control

Multicast Admission Control

Multicast Admission Control Features

Global and Per MVRF Mroute State Limit

Global and Per MVRF Mroute State Limit Feature Design

Mechanics of Global and Per MVRF Mroute State Limiters

MSDP SA Limit

MSDP SA Limit Feature Design

Mechanics of MSDP SA Limiters

Tips for Configuring MSDP SA Limiters

IGMP State Limit

IGMP State Limit Feature Design

Mechanics of IGMP State Limiters

Per Interface Mroute State Limit

Per Interface Mroute State Limit Feature Design

Mechanics of Per Interface Mroute State Limiters

Tips for Configuring Per Interface Mroute State Limiters

Bandwidth-Based CAC for IP Multicast

Bandwidth-Based CAC for IP Multicast Feature Design

Mechanics of the Bandwidth-Based Multicast CAC Policies

Tips for Configuring Bandwidth-Based CAC Policies for IP Multicast

How to Configure Multicast Admission Control

Configuring Global and Per MVRF Mroute State Limiters

Prerequisites

Configuring a Global Mroute State Limiter

What to Do Next

Configuring Per MVRF Mroute State Limiters

Configuring MSDP SA Limiters

Prerequisites

Configuring IGMP State Limiters

Prerequisites

Configuring Global IGMP State Limiters

What to Do Next

Configuring Per Interface IGMP State Limiters

Configuring Per Interface Mroute State Limiters

Prerequisites

What to Do Next

Configuring Bandwidth-Based Multicast CAC Policies

Prerequisites

What to Do Next

Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies

Configuration Examples for Configuring Multicast Admission Control

Configuring Global and Per MVRF Mroute State Limiters: Example

Configuring MSDP SA Limiters: Example

Configuring IGMP State Limiters: Example

Configuring Per Interface Mroute State Limiters: Example

Configuring Bandwidth-Based Multicast CAC Policies: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for Configuring Multicast Admission Control


Configuring Multicast Admission Control


First Published: November 14, 2008
Last Updated: July 30, 2010

This module describes how to implement multicast admission control in an IP multicast network. Multicast admission control features are configured on multicast-enabled routers to prevent control plane overload, ensure proper resource allocation, and provide multicast Call Admission Control (CAC) capabilities.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring Multicast Admission Control" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Configuring Multicast Admission Control

Information About Configuring Multicast Admission Control

How to Configure Multicast Admission Control

Configuration Examples for Configuring Multicast Admission Control

Additional References

Feature Information for Configuring Multicast Admission Control

Feature Information for Configuring Multicast Admission Control

Prerequisites for Configuring Multicast Admission Control

Before performing the tasks in this module, you should be familiar with the concepts explained in the "IP Multicast Technology Overview" module.

The tasks in this module assume that IP multicast has been enabled and that the Protocol Independent Multicast (PIM) interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.

Information About Configuring Multicast Admission Control

Before configuring multicast admission control, you should understand the following concepts:

Multicast Admission Control

Multicast Admission Control Features

Global and Per MVRF Mroute State Limit

MSDP SA Limit

IGMP State Limit

Per Interface Mroute State Limit

Bandwidth-Based CAC for IP Multicast

Multicast Admission Control

As the popularity of network video applications grows among consumers, admission control functions—which govern transmission and reception of multicast traffic based on available network resources—are vital. Without admission control, some users may receive degraded multicast streams, rendering programs unwatchable, and others may receive a "Network Busy" message or nothing at all as network resources are overtaxed. Network admission control is important in maintaining a high quality of experience for digital video consumers.

The goals of multicast admission control features, therefore, are as follows:

Protect the router from control plane overload to ensure that memory and CPU resources on multicast-enabled routers are not overrun by multicast route (mroute) states or denial-of-service (DoS) attacks from multicast packets.

Enable proper resource allocation (on a global, per MVRF, or per interface basis) to ensure that multicast services are delivered to subscribers per their IP Service Level Agreements (SLAs) and to minimize the effects of DoS attacks on subscribers.

Provide multicast CAC capabilities to prevent bandwidth resources (interfaces, subnetworks) from being congested and to enable service providers to offer more flexible and refined content and subscriber-based policies.

Multicast Admission Control Features

The Cisco IOS software supports the following multicast admission control features:

Global and Per MVRF Mroute State Limit

The ip multicast route-limit command allows for the configuration of global and per MVRF state limiters, which impose limits on the number of multicast routes (mroutes) that can be added to the global table or to a particular Multicast Virtual Routing and Forwarding (MVRF) table.

MSDP SA Limit

The ip msdp sa-limit command allows for the configuration of MSDP SA limiters, which impose limits on the number of Multicast Source Discovery Protocol (MSDP) Source Active (SA) messages that can be cached on a router.

For more information about MSDP, see the "Using MSDP to Interconnect Multiple PIM-SM Domains" module.

IGMP State Limit

This feature allows for the configuration of IGMP state limiters, which impose limits on mroute states resulting from Internet Group Management Protocol (IGMP) membership reports (IGMP joins).

Per Interface Mroute State Limit

This feature allows for the configuration of per interface mroute state limiters, which impose mroute state limits for different access control list (ACL)-classified sets of multicast traffic on an interface.

Bandwidth-Based CAC for IP Multicast

This feature allows for the configuration of bandwidth-based multicast CAC policies, which allow for bandwidth-based CAC on a per interface basis.

These admission control features may be invoked by service providers and enterprise network administrators based on different criteria, including the service package an end user has purchased or the privileges an enterprise user is entitled to.

Global and Per MVRF Mroute State Limit

The ip multicast route-limit command allows for the configuration of global and per MVRF mroute state limiters, which impose limits on the number of mroutes that can be added to the global table or to a particular MVRF table, respectively.

Global mroute state limiters are used to limit the number of mroutes that can be added to the global table on a router. Configuring a global mroute state limiter can protect a router in the event of a multicast DoS attack (by preventing mroutes from overrunning the router).

Per VRF mroute state limiters are used to limit the number of mroutes that can be added to an MVRF table on a Multicast VPN (MVPN) provider edge (PE) router. Configuring per MVRF mroute state limits can be used to ensure the fair sharing of mroutes between different MVRFs on an MVPN PE router.

Global and Per MVRF Mroute State Limit Feature Design

Global and per MVRF mroute state limiters are configured using the ip multicast route-limit command in global configuration mode. The syntax of the ip multicast route-limit command is as follows:

ip multicast [vrf vrf-name] route-limit limit [threshold]

Issuing the ip multicast route-limit command without the optional vrf keyword and vrf-name arguments configures a global mroute state limiter. The optional vrf keyword and vrf-name arguments are used with the ip multicast limit command to configure per MVRF mroute state limiters.


Note When configuring global and per VRF mroute state limiters, you can only configure one limit for the global table and one limit per MVRF table.


The value specified for the required limit argument defines the maximum number of mroutes that can be added to either the global table or a particular MVRF table, respectively.


Note Global and per MVRF mroute state limiters operate independently and can be used alone or together, depending upon the admission control requirements of your network.


In addition, for both global and per MVRF mroute state limiters, the optional threshold argument is available to set mroute threshold limits.

Mechanics of Global and Per MVRF Mroute State Limiters

The mechanics of global and per MVRF mroute state limiters are as follows:

Each time the state for an mroute is created on a router, the Cisco IOS software checks to see if the limit for the global mroute state limiter (if the mroute is associated with the global table) or the limit for the per MVRF mroute state limiter (if the mroute is associated with the MVRF table) has been reached.

States for mroutes that exceed the configured limit for the global or the per MVRF mroute state limiter are not created on the router, and a warning message in the following format is generated:

% MROUTE-4-ROUTELIMIT : <current mroute count> exceeded multicast route-limit of  
<mroute limit value>

When an mroute threshold limit is also configured for the global or the per MVRF mroute state limiter, each time the state for an mroute is created on a router, the Cisco IOS software also checks to see if the mroute threshold limit has been reached. If the mroute threshold limit is exceeded, a warning message in the following format is generated:

% MROUTE-4-ROUTELIMITWARNING : multicast route-limit warning <current mroute count> 
threshold <mroute threshold value>

Warning messages continue to be generated until the number of mroutes exceeds the configured limit or until the number of mroute states falls below the configured mroute threshold limit.

MSDP SA Limit

The ip msdp sa-limit command allows for the configuration of MSDP SA limiters, which impose limits on the number of MSDP Source Active (SA) messages that an MSDP-enabled router can accept (can be cached) from an MSDP peer. This command provides a means to protect an MSDP-enabled router from denial of service (DoS) attacks.

MSDP SA Limit Feature Design

MSDP SA limiters are configured using the ip msdp sa-limit command in global configuration mode. The syntax of the ip msdp sa-limit command is as follows:

ip msdp [vrf vrf-name] sa-limit {peer-address | peer-name} sa-limit

For the required peer-address argument or peer-name argument, specify either the MSDP peer address or MSDP peer name of the peer to be limited.

For the required sa-limit argument, specify the maximum number of SA messages that can be accepted (cached) from the specified peer. The range is from 1 to 2147483646.


Note In an MVPN environment, the optional vrf keyword and vrf-name argument are used to specify the MVRF associated with the MSDP peer. When an MVRF is specified, the MSDP SA limiter is applied to the specified MSDP peer associated with the specified MVRF.


Mechanics of MSDP SA Limiters

When MSDP SA limiters are configured, the router maintains a per-peer count of SA messages stored in the SA cache.

SA messages that exceed the limit configured for an MSDP peer are ignored.

If the router receives SA messages in excess of the configured limit from an MSDP peer, a warning in the following format is generated (once a minute) until the cache is cleared:

%MSDP-4-SA_LIMIT: SA from peer <peer address or name>, RP <RP address> for <mroute> 
exceeded sa-limit of <configured SA limit for MSDP peer>

Tips for Configuring MSDP SA Limiters

We recommended that you configure MSDP SA limiters for all MSDP peerings on the router.

An appropriately low MSDP SA limit should be configured on peerings with a stub MSDP region (an MSDP peer that may have some further downstream peers but does not act as a transit for SA messages across the rest of the Internet).

An appropriately high SA limit should be configured for all MSDP peerings that act as transits for MSDP SA messages across the Internet.

IGMP State Limit

The IGMP State Limit feature allows for the configuration of IGMP state limiters, which impose limits on mroute states resulting from IGMP membership reports (IGMP joins) on a global or per interface basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. This feature can be used to prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.


Note IGMP state limiters impose limits on the number of mroute states resulting from IGMP, IGMP v3lite, and URL Rendezvous Directory (URD) membership reports on a global or per interface basis.


IGMP State Limit Feature Design

IGMP state limiters are configured using the ip igmp limit command:

Configuring the ip igmp limit command in global configuration mode specifies a global limit on the number of IGMP membership reports that can be cached. The syntax of the ip igmp limit command in global configuration mode is as follows:

ip igmp limit number

For the required number argument, specify a global limit on the number of IGMP membership reports that can be cached. The range is from 1 to 64000.

Configuring the ip igmp limit command in interface configuration mode specifies a limit on the number of IGMP membership reports on a per interface basis. The syntax of the ip igmp limit command in interface configuration mode is as follows:

ip igmp limit number [except access-list]

For the required number argument, specify a limit on the number of IGMP membership reports that can be cached for the specified interface. The range is from 1 to 64000.

Use the optional except access-list keyword and argument to prevent groups or channels from being counted against the interface limit. A standard or an extended ACL can be specified.

A standard ACL can be used to define the (*, G) state to be excluded from the limit on an interface.

An extended ACLs can be used to define the (S, G) state to be excluded from the limit on an interface. An extended ACL also can be used to define the (*, G) state to be excluded from the limit on an interface, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.


Note When configuring IGMP state limiters, you can only configure one global limit on a router and one limit per interface.


Mechanics of IGMP State Limiters

The mechanics of IGMP state limiters are as follows:

Each time a router receives an IGMP membership report for a particular group or channel, the Cisco IOS software checks to see if either the limit for the global IGMP state limiter or the limit for the per interface IGMP state limiter has been reached.

If only a global IGMP state limiter has been configured and the limit has not been reached, IGMP membership reports are honored. When the configured limit has been reached, subsequent IGMP membership reports are then ignored (dropped) and a warning message in one of the following formats is generated:

%IGMP-6-IGMP_GROUP_LIMIT: IGMP limit exceeded for <group (*, group address)> on 
<interface type number> by host <ip address>

or

%IGMP-6-IGMP_CHANNEL_LIMIT: IGMP limit exceeded for <channel (source address, 
group address)> on <interface type number> by host <ip address>

If only per interface IGMP state limiters are configured, then each limit is only counted against the interface on which it was configured.

If both a global IGMP state limiter and per interface IGMP state limiters are configured, the limits configured for the per interface IGMP state limiters are still enforced but are constrained by the global limit.

If a per interface IGMP state limiter has been configured, the Cisco IOS software also checks to see if an ACL is specified (with the optional except keyword and access-list argument) to prevent groups or channels from being counted against the interface limit.

If an ACL has been configured and the group or channel in the IGMP membership report matches, then the state for the IGMP membership is counted against the global limit and not the interface limit.

If no ACL has been configured, the per interface IGMP state limiter accounts for all IGMP membership reports that do not exceed the configured limit.

Per Interface Mroute State Limit

The Per Interface Mroute State Limit feature provides the capability to limit the number of mroute states on an interface for different ACL-classified sets of multicast traffic. This feature can be used to prevent DoS attacks or to provide a multicast CAC mechanism when all the multicast flows roughly utilize the same amount of bandwidth.

The Per Interface Mroute State Limit feature essentially is a complete superset of the IGMP State Limit feature (with the exception that it does not support a global limit). The Per Interface Mroute State Limit feature, moreover, is more flexible and powerful (albeit more complex) than the IGMP State Limit feature but is not intended to be a replacement for it because there are applications that suit both features.

The main differences between the Per Interface Mroute State Limit feature and the IGMP State Limit feature are as follows:

The Per Interface Mroute State Limit feature allows multiple limits to be configured on an interface, whereas the IGMP State Limit feature allows only one limit to be configured on an interface. The Per Interface Mroute State Limit feature, thus, is more flexible than the IGMP State Limit feature in that it allows multiple limits to be configured for different sets of multicast traffic on an interface.

The Per Interface Mroute State Limit feature can be used to limit both IGMP and PIM joins, whereas the IGMP State Limit feature can only be used to limit IGMP joins. The IGMP State Limit feature, thus, is more limited in application in that it is best suited to be configured on an edge router to limit the number of groups that receivers can join on an outgoing interface. The Per Interface Mroute State Limit feature has a wider application in that it can be configured to limit IGMP joins on an outgoing interface, to limit PIM joins (for Any Source Multicast [ASM] groups or Source Specific Multicast [SSM] channels) on an outgoing interface connected to other routers, to limit sources behind an incoming interface from sending multicast traffic, or to limit sources directly connected to an incoming interface from sending multicast traffic.


Note Although the PIM Interface Mroute State Limit feature allows you to limit both IGMP and PIM joins, it does not provide the capability to limit PIM or IGMP joins separately because it does not take into account whether the state is created as a result of an IGMP or PIM join. As such, the IGMP State Limit feature is more specific in application because it specifically limits IGMP joins.


The Per Interface Mroute State Limit feature allows you to specify limits according to the direction of traffic; that is, it allows you to specify limits for outgoing interfaces, incoming interfaces, and for incoming interfaces having directly connected multicast sources. The IGMP State Limit feature, however, only can be used to limit outgoing interfaces. The Per Interface State Mroute State Limit feature, thus, is wider in scope in that it can be used to limit mroute states for both incoming and outgoing interfaces from both sources and receivers, whereas the IGMP State Limit feature is more narrow in scope in that it can only be used to limit mroute states for receivers on an LAN by limiting the number of IGMP joins on an outgoing interface.

Both the IGMP State Limit and Per Interface Mroute State Limit features provide a rudimentary multicast CAC mechanism that can be used to provision bandwidth utilization on an interface when all multicast flows roughly utilize the same amount of bandwidth. The Bandwidth-Based CAC for IP Multicast feature, however, offers a more flexible and powerful alternative for providing multicast CAC in network environments where IP multicast flows utilize different amounts of bandwidth.


Note For more information about the Bandwidth-Based CAC for IP Multicast feature, see the "Bandwidth-Based CAC for IP Multicast" section.


Per Interface Mroute State Limit Feature Design

The Per Interface Mroute State Limit feature is configured using the ip multicast limit command in interface configuration mode. An ip multicast limit command configured on an interface is called an per interface mroute state limiter. A per interface mroute state limiter is defined by direction, ACL, and maximum number of mroutes. Each per interface mroute state limiter maintains a counter to ensure that the maximum number of mroutes is not exceeded.

The following forms of the ip multicast limit command are available to configure per interface mroute state limiters:

ip multicast limit access-list max-entries

This command limits mroute state creation for an ACL-classified set of traffic on an interface when the interface is an outgoing (egress) interface, and limits mroute outgoing interface list (olist) membership when the interface is an incoming (ingress) Reverse Path Forwarding (RPF) interface.

This type of per interface mroute state limiter limits mroute state creation—by accounting each time an mroute permitted by the ACL is created or deleted—and limits mroute olist membership—by accounting each time that an mroute olist member permitted by the ACL is added or removed.

Entering this form of the command (that is, with no optional keywords) is equivalent to specifying the ip multicast limit rpf and ip multicast limit out forms of the command.

ip multicast limit connected access-list max-entries

This command limits mroute state creation for an ACL-classified set of multicast traffic on an incoming (RPF) interface that is directly connected to a multicast source by accounting each time that an mroute permitted by the ACL is created or deleted.

ip multicast limit out access-list max-entries

This command limits mroute olist membership on an outgoing interface for an ACL-classified set of multicast traffic by accounting each time that an mroute olist member permitted by the ACL is added or removed.

ip multicast limit rpf access-list max-entries

This command limits mroute state creation for an ACL-classified set of multicast traffic on an incoming (RPF) interface by accounting each time an mroute permitted by the ACL is created or deleted.

For the required access-list argument, specify the ACL that defines the IP multicast traffic to be limited on an interface. A standard or extended ACL can be specified. Standard ACLs can be used to define the (*, G) state to be limited on an interface. Extended ACLs can be used to define the (S, G) state to be limited on an interface. Extended ACLs also can be used to define the (*, G) state to be limited on an interface, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.

Mechanics of Per Interface Mroute State Limiters

The mechanics of per interface mroute state limiters are as follows:

Each time the state for an mroute is created or deleted and each time an olist member is added or removed, the Cisco IOS software searches for a corresponding per interface mroute state limiter that matches the mroute.

In the case of the creation and deletion of mroutes, the Cisco IOS software searches for a per interface mroute state limiter configured on the incoming (RPF) interface that matches the mroute to be created or deleted. In the case of olist member addition or removal, the Cisco IOS software searches for a per interface mroute state limiter configured on the outgoing interface that matches the mroute to be added or removed.

The Cisco IOS software performs a top-down search from the list of configured per interface mroute state limiters. Only per interface mroute state limiters that match the direction of traffic are considered. The first per interface mroute state limiter that matches is used for limiting (sometimes referred to as accounting). A match is found when the ACL permits the mroute state.

When a match is found, the counter of the per interface mroute state limiter is updated (increased or decreased). If no per interface mroute state limiter is found that matches an mroute, no accounting is performed for the mroute (because there is no counter to update).

The amount to update the counter with is called the cost (sometimes referred to as the cost multiplier). The default cost is 1.


Note A per interface mroute state limiter always allows the deletion of an mroute or the removal of an interface from the olist. In those cases, the respective per interface mroute state limiter decreases the counter by the value of the cost multiplier. In addition, RPF changes to an existing mroute are always allowed (in order to not affect existing traffic). However, a per interface mroute state limiter only allows the creation of an mroute or the addition of an mroute olist member if adding the cost does not exceed the maximum number of mroutes permitted.


Tips for Configuring Per Interface Mroute State Limiters

To ensure that all mroutes are accounted, you can configure a per interface mroute state limiter whose ACL contains a permit any statement and set the maximum for the max-entries argument to 0. Configuring an mroute state limiter in this manner effectively denies all fall through states, which may be a way to prevent a multicast DoS attack in and out of the interface.

When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny any statement for everything if it did not find a match before reaching the end.

An explicit deny statement for a specific mroute in an ACL can be used to specify the state that will not match the ACL (thus, preventing the ACL from being accounted). If an mroute matches a deny statement, the search immediately continues to the next configured mroute state limiter. Configuring an explicit deny statement in an ACL can be more efficient than forcing the mroute to fall through an ACL (by means of the implicit deny any statement at the end of the ACL).

Bandwidth-Based CAC for IP Multicast

The Bandwidth-Based CAC for IP Multicast feature enhances the Per Interface Mroute State Limit feature by implementing a way to count per interface mroute state limiters using cost multipliers (referred to as bandwidth-based multicast CAC policies). This feature can be used to provide bandwidth-based multicast CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth.

Bandwidth-Based CAC for IP Multicast Feature Design

Bandwidth-based multicast CAC policies are configured using the ip multicast limit cost command in global configuration mode. The syntax of the ip multicast limit cost command is as follows:

ip multicast [vrf vrf-name] limit cost access-list cost-multiplier

For the required access-list argument, specify the ACL that defines the IP multicast traffic for which to apply a cost. A standard or extended ACL can be specified. Standard ACLs can be used to define the (*, G) state. Extended ACLs can be used to define the (S, G) state. Extended ACLs also can be used to define the (*, G) state, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.

For the required cost-multiplier argument, specify the cost value to be applied to mroutes that match the ACL associated with the bandwidth-based multicast CAC policy. The range is 0 to 2147483647.


Note In an MVPN environment, the optional vrf keyword and vrf-name argument are used to specify that the cost be applied only to mroutes associated with MVRF specified for the vrf-name argument.


Mechanics of the Bandwidth-Based Multicast CAC Policies

The mechanics of bandwidth-based multicast CAC policies are as follows:

Once an mroute matches an ACL configured for a per interface mroute state limiter, the Cisco IOS software performs a top-down search from the global or per MVRF list of configured bandwidth-based multicast CAC policies to determine if a cost should be applied to the mroute.

A cost is applied to the first bandwidth-based CAC policy that matches the mroute. A match is found when the ACL applied to the bandwidth-based CAC policy permits the mroute state.

The counter for the mroute state limiter either adds or subtracts the cost configured for the cost-multiplier argument. If no costs are configured or if the mroute does not match any of the configured bandwidth-based CAC polices, the default cost of 1 is used.

Tips for Configuring Bandwidth-Based CAC Policies for IP Multicast

To ensure that a particular cost applies to all mroutes being limited, you can configure a bandwidth-based CAC policy whose ACL contains a permit any statement. Configuring a bandwidth-based CAC policy in this manner effectively ensures that the default cost is not applied to any mroutes being limited.

Configuring a bandwidth-based CAC policy with a cost of 0 for the cost-multiplier argument can be used to skip the accounting of certain mroutes (for example, to prevent Auto-RP groups or a specific multicast channel from being accounted).

An explicit deny statement for a specific mroute in an ACL can be used to specify the state that will not match the ACL (thus, preventing the ACL from being accounted). If an mroute matches a deny statement, the search immediately continues to the next configured bandwidth-based CAC policy. Configuring an explicit deny statement in an ACL can be more efficient than forcing the mroute to fall through an ACL (by means of the implicit deny any statement at the end of the ACL).

How to Configure Multicast Admission Control

This section contains the following tasks:

Configuring Global and Per MVRF Mroute State Limiters (optional)

Configuring MSDP SA Limiters (optional)

Configuring IGMP State Limiters (optional)

Configuring Per Interface Mroute State Limiters (optional)

Configuring Bandwidth-Based Multicast CAC Policies (optional)

Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies (optional)

Configuring Global and Per MVRF Mroute State Limiters

Perform the following optional tasks to configure global and per MVRF mroute state limiters.

Global mroute state limiters are used to limit the number of mroutes that can be added to the global table on a router. Configuring a global mroute state limiter can protect a router in the event of a multicast DoS attack (by preventing mroutes from overrunning the router).

Per VRF mroute state limiters are used to limit the number of mroutes that can be added to an MVRF table on an MVPN PE router. Configuring per MVRF mroute state limits can be used to ensure the fair sharing of mroutes between different MVRFs on an MVPN PE router.


Note Global and per MVRF mroute state limiters operate independently and can be used alone or together, depending upon the admission control requirements of your network.



Note When configuring global and per VRF mroute state limiters, you can only configure one limit for the global table and one limit per MVRF table.


The following tasks explain how to configure global and per MVRF mroute state limiters:

Configuring a Global Mroute State Limiter

Configuring Per MVRF Mroute State Limiters

Prerequisites

These tasks assume that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.

Before configuring per MVRF mroute state limiters, the MVRFs on the PE router must be configured using the tasks described in the "Configuring Multicast VPN" module.

Configuring a Global Mroute State Limiter

Perform this task to limit the number of mroutes that can be added to the global table. States for mroutes that exceed the global mroute limit will not be created.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip multicast route-limit limit [threshold]

4. end

5. show ip mroute count

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip multicast route-limit limit [threshold]

Example:

Router(config)# ip multicast route-limit 1500 1460

Limits the number of mroutes that can be added to the global table.

For the required limit argument, specify the limit on the number of mroutes that can be added to the global table. The range is from 1 to 2147483647.

Use the optional threshold argument to set an mroute threshold limit. The range is from 1 to 2147483647.

Step 4 

end

Example:

Router(config)# end

Ends the current configuration session and returns to privileged EXEC mode.

Step 5 

show ip mroute count

Example:

Router# show ip mroute count

(Optional) Displays mroute data and packet count statistics.

Use this command to verify the number of mroutes in the global table.

What to Do Next

Proceed to the "Configuring Per MVRF Mroute State Limiters" task to configure per MVRF mroute state limiters on a PE router.

Configuring Per MVRF Mroute State Limiters

Perform this optional task to configure per MVRF mroute state limiters to limit the number of mroutes that can be added to a particular MVRF table. This feature can be configured on a PE router to ensure the fair sharing of mroutes between different MVRFs on the router. States for mroutes that exceed the per MVRF mroute limiter are not created.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip multicast vrf vrf-name route-limit limit [threshold]

4. Repeat Step 3 to configure additional per MVRF mroute state limiters for other MVRFs on an MVPN PE router.

5. end

6. show ip mroute vrf vrf-name count

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip multicast vrf vrf-name route-limit limit [threshold]

Example:

Router(config)# ip multicast vrf red route-limit 1500 1460

Limits the number of mroutes that can be added to a particular MVRF table.

For the vrf keyword and vrf-name argument, specify the MVRF for which to apply the limit.

For the required limit argument, specify the limit on the number of mroutes that can be added to the MVRF table (for the specified MVRF). The range is from 1 to 2147483647.

Use the optional threshold argument to set an mroute threshold limit. The range is from 1 to 2147483647

Step 4 

Repeat Step 3 to configure additional per VRF mroute state limiters for other VRFs on an MVPN PE router.

Step 5 

end

Example:

Router(config)# end

Ends the current configuration session and returns to privileged EXEC mode.

Step 6 

show ip mroute vrf vrf-name count

Example:

Router# show ip mroute vrf red count

(Optional) Displays mroute data and packet count statistics related to the specified MVRF.

Use this command to verify the number of mroutes in a particular MVRF table.

Configuring MSDP SA Limiters

Perform this optional task to limit the overall number of SA messages that the router can accept from specified MSDP peers. Performing this task protects an MSDP-enabled router from distributed DoS attacks.


Note We recommend that you perform this task for all MSDP peerings on the router.


Prerequisites

This task assumes that you are running MSDP and have configured MSDP peers using the tasks described in the "Using MSDP to Interconnect Multiple PIM-SM Domains" module.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip msdp [vrf vrf-name] sa-limit {peer-address | peer-name} sa-limit

4. Repeat Step 3 to configure SA limits for additional MSDP peers.

5. end

6. show ip msdp count

7. show ip msdp peer [peer-address | peer-name]

8. show ip msdp summary

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip msdp [vrf vrf-name] sa-limit {peer-address | peer-name} sa-limit

Example:

Router(config)# ip msdp sa-limit 192.168.10.1 100

Limits the number of SA messages allowed in the SA cache from the specified MSDP.

Use the optional vrf keyword and vrf-name argument to specify the MVRF associated with the MSDP peer. When an MVRF is specified, the MSDP SA limiter is applied to the specified MSDP peer associated with the specified MVRF.

For the required peer-address argument or peer-name argument, specify either the MSDP peer address or MSDP peer name of the peer to be limited.

For the required sa-limit argument, specify the maximum number of SA messages that can be accepted (cached) from the specified peer. The range is from 1 to 2147483646.

Step 4 

Repeat Step 3 to configure additional per MVRF mroute state limiters for other MVRFs on an MVPN PE router.

Step 5 

end

Example:

Router(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 6 

show ip msdp count

Example:

Router# show ip msdp count

(Optional) Displays the number of sources and groups originated in MSDP SA messages and the number of SA messages from an MSDP peer in the SA cache.

Step 7 

show ip msdp peer [peer-address | peer-name]

Example:

Router# show ip msdp peer

(Optional) Displays detailed information about MSDP peers.

Note The output of this command displays the number of SA messages received from MSDP peers that are stored in the cache.

Step 8 

show ip msdp summary

Example:

Router# show ip msdp summary

(Optional) Displays MSDP peer status.

Note The output of this command displays a per-peer "SA Count" field that displays the number of SAs stored in the SA cache.

Configuring IGMP State Limiters

Perform the following tasks to configure global and per interface IGMP state limiters. IGMP state limiters are used to limit the number of mroute states resulting from IGMP membership reports (IGMP joins) on a global or per interface basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. IGMP state limiters can be used to prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.


Note IGMP state limiters impose limits on the number of mroute states resulting from IGMP, IGMP v3lite, and URD membership reports on a global or per interface basis.


The following tasks explain how to configure global and per interface IGMP state limiters:

Configuring Global IGMP State Limiters

Configuring Per Interface IGMP State Limiters


Note When configuring IGMP state limiters, you can only configure one global limit on a router and one limit per interface.


Prerequisites

These tasks assume that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.

All ACLs you intend to apply to per interface IGMP state limiters should be configured prior to beginning this configuration task; otherwise, IGMP membership reports for all groups and channels are counted against the configured limits. For information about how to configure ACLs, see the "Creating an IP Access List and Applying It to an Interface" module.

Configuring Global IGMP State Limiters

Perform this optional task to configure a global IGMP state limiter.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip igmp limit number

4. end

5. show ip igmp groups

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip igmp limit number

Example:

Router(config)# ip igmp limit 150

Configures a global limit on the number of mroute states resulting from IGMP membership reports (IGMP joins).

For the required number argument, specify a global limit on the number of IGMP membership reports that can be cached. The range is from 1 to 64000.

Step 4 

end

Example:

Router(config-if)# end

Ends the current configuration session and returns to privileged EXEC mode.

Step 5 

show ip igmp groups

Example:

Router# show ip igmp groups

(Optional) Displays the multicast groups with receivers that are directly connected to the router and that were learned through IGMP.

What to Do Next

Proceed to the "Configuring Per Interface IGMP State Limiters" task to configure per interface IGMP state limiters.

Configuring Per Interface IGMP State Limiters

Perform this optional task to configure per interface IGMP state limiters.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip igmp limit number [except access-list]

5. Repeat Step 3 and Step 4 if you want to configure additional per interface IGMP state limiters.

6. end

7. show ip igmp interface [type number]

8. show ip igmp groups

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface GigabitEthernet0/0

Enters interface configuration mode.

For the type and number arguments, specify an interface that is connected to hosts.

Step 4 

ip igmp limit number [except access-list]

Example:

Router(config-if)# ip igmp limit 100

Configures a per interface limit on the number of mroutes states created as a result of IGMP membership reports (IGMP joins).

For the required number argument, specify a limit on the number of IGMP membership reports that can be cached for the specified interface. The range is from 1 to 64000.

Use the optional except access-list keyword and argument to prevent groups or channels from being counted against the interface limit. A standard or an extended ACL can be specified.

A standard ACL can be used to define the (*, G) state to be excluded from the limit on an interface.

An extended ACLs can be used to define the (S, G) state to be excluded from the limit on an interface. An extended ACL also can be used to define the (*, G) state to be excluded from the limit on an interface, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.

Step 5 

Repeat Step 3 and Step 4 if you want to configure additional per interface IGMP state limiters.

Step 6 

end

Example:

Router(config-if)# end

Ends the current configuration session and returns to privileged EXEC mode.

Step 7 

show ip igmp interface [type number]

Example:

Router# show ip igmp interface

(Optional) Displays information about the status and configuration of IGMP and multicast routing on interfaces.

Use the optional type and number arguments to restrict the output to only displaying IGMP and multicast routing status and configuration information about the specified interface.

Step 8 

show ip igmp groups

Example:

Router# show ip igmp groups

(Optional) Displays the multicast groups with receivers that are directly connected to the router and that were learned through IGMP.

Configuring Per Interface Mroute State Limiters

Perform this task to configure per interface mroute state limiters. Configuring per interface mroute state limiters can be used to prevent DoS attacks or to provide a multicast CAC mechanism to control bandwidth, when all the multicast flows roughly utilize the same amount of bandwidth.

Prerequisites

This task assumes that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.

All ACLs you intend to apply to per interface mroute state limiters should be configured prior to beginning this configuration task; otherwise, the limiters are ignored. For information about how to configure ACLs, see the "Creating an IP Access List and Applying It to an Interface" module.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip multicast limit [connected | out | rpf] access-list max-entries

5. Repeat Step 4 if you want to configure additional per interface mroute state limiters on the interface.

6. Repeat Step 3 and Step 4 if you want to configure per interface mroute state limiters on additional interfaces.

7. end

DETAILED STEPS

 
Command or Action 
Purpose 

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface GigabitEthernet0/0

Enters interface configuration mode for the specified interface type and number.

Step 4 

ip multicast limit [connected | out | rpf] access-list max-entries

Example:

Router(config-if)# ip multicast limit 15 100

Configures per interface mroute state limiters.

Specify the ip multicast limit command with no optional keywords to limit mroute state creation for an ACL-classified set of traffic on an interface when the interface is an outgoing (egress) interface, and to limit mroute olist membership when the interface is an incoming (ingress) Reverse Path Forwarding (RPF) interface.

This type of per interface mroute state limiter limits mroute state creation by accounting each time an mroute permitted by the ACL is created or deleted and limits mroute olist membership by accounting each time that an mroute olist member permitted by the ACL is added or removed.

Entering this form of the command (that is, with no optional keywords) is equivalent to specifying the ip multicast limit rpf and ip multicast limit out forms of the command.

Use the optional connected keyword to configure a per interface mroute state limiter that limits mroute states created for an ACL-classified set of multicast traffic on an incoming (RPF) interface that is directly connected to a multicast source by accounting each time that an mroute permitted by the ACL is created or deleted.

Use the optional out keyword to configure a per interface mroute state limiter that limits mroute olist membership on an outgoing interface for an ACL-classified set of multicast traffic by accounting each time that an mroute olist member permitted by the ACL is added or removed.

Use the optional rpf keyword to configure a per interface mroute state limiter that limits the number of mroute states created for an ACL-classified set of multicast traffic on an incoming (RPF) interface by accounting each time an mroute permitted by the ACL is created or deleted.

 

For the required access-list argument, specify the ACL that defines the IP multicast traffic to be limited on an interface.

Standard ACLs can be used to define the (*, G) state to be limited on an interface.

Extended ACLs can be used to define the (S, G) state to be limited on an interface. Extended ACLs also can be used to define the (*, G) state to be limited on an interface, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.h

For the required max-entries argument, specify the maximum number of mroutes permitted by the per interface mroute state limiter. The range is from 0 to 2147483647.

Step 5 

Repeat Step 4, if you want to configure additional per interface mroute state limiters on the interface.

Step 6 

Repeat Step 3 and Step 4 if you want to configure per interface mroute state limiters on additional interfaces.

Step 7 

end

Example:

Router(config-if)# end

Exits interface configuration mode, and enters privileged EXEC mode.

What to Do Next

Proceed to the "Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies" task to monitor per interface mroute state limiters.

Configuring Bandwidth-Based Multicast CAC Policies

Perform this optional task to configure bandwidth-based multicast CAC policies. Bandwidth-based multicast CAC policies provide the capability to assign costs to mroutes that are being limited by per interface mroute state limiters. This task can be used to provide bandwidth-based multicast CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth. Bandwidth-based multicast CAC policies can be applied globally or per MVRF.

Prerequisites

This task assumes that IP multicast has been enabled and that the PIM interfaces have been configured using the tasks described in the "Configuring Basic IP Multicast" module.

All ACLs you intend to apply to bandwidth-based multicast CAC policies should be configured prior to beginning this configuration task; otherwise, the limiters are ignored. For information about how to configure ACLs, see the "Creating an IP Access List and Applying It to an Interface" module.


Note You can omit Steps 3 to 7 if you have already configured the per interface mroute state limiters for which to apply costs.


SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip multicast limit [connected | out | rpf] access-list max-entries

5. Repeat Step 4 if you want to configure additional mroute state limiters on the interface.

6. Repeat Step 3 and Step 4 if you want to configure mroute state limiters on additional interfaces.

7. exit

8. ip multicast [vrf vrf-name] limit cost access-list cost-multiplier

9. Repeat Step 8 if you want to apply additional costs to mroutes.

10. end

DETAILED STEPS

 
Command or Action 
Purpose 

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface GigabitEthernet 0/0

Enters interface configuration mode for the specified interface type and number.

Step 4 

ip multicast limit [connected | out | rpf] access-list max-entries

Example:

Router(config-if)# ip multicast limit acl-test 100


Configures mroute state limiters on an interface.

Specify the ip multicast limit command with no optional keywords to limit mroute state creation for an ACL-classified set of traffic on an interface when the interface is an outgoing (egress) interface, and to limit mroute olist membership when the interface is an incoming (ingress) Reverse Path Forwarding (RPF) interface.

 

This type of mroute state limiter limits mroute state creation by accounting each time an mroute permitted by the ACL is created or deleted and limits mroute olist membership by accounting each time that an mroute olist member permitted by the ACL is added or removed.

Entering this form of the command (that is, with no optional keywords) is equivalent to specifying the ip multicast limit rpf and ip multicast limit out forms of the command.

 

Use the optional connected keyword to configure an mroute state limiter that limits mroute states created for an ACL-classified set of multicast traffic on an incoming (RPF) interface that is directly connected to a multicast source by accounting each time that an mroute permitted by the ACL is created or deleted.

Use the optional out keyword to configure an mroute state limiter that limits mroute olist membership on an outgoing interface for an ACL-classified set of multicast traffic by accounting each time that an mroute olist member permitted by the ACL is added or removed.

Use the optional rpf keyword to configure an mroute state limiter that limits the number of mroute states created for an ACL-classified set of multicast traffic on an incoming (RPF) interface by accounting each time an mroute permitted by the ACL is created or deleted.

For the required access-list argument, specify the ACL that defines the IP multicast traffic to be limited on an interface.

Standard ACLs can be used to define the (*, G) state to be limited on an interface.

Extended ACLs can be used to define the (S, G) state to be limited on an interface. Extended ACLs also can be used to define the (*, G) state to be limited on an interface, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.

For the required max-entries argument, specify the maximum number of mroutes permitted by the per interface mroute state limiter. The range is from 0 to 2147483647.

Step 5 

Repeat Step 4 if you want to configure additional mroute state limiters on the interface.

Step 6 

Repeat Step 3 and Step 4 if you want to configure mroute state limiters on additional interfaces.

Step 7 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode, and returns to global configuration mode.

Step 8 

ip multicast [vrf vrf-name] limit cost access-list cost-multiplier

Example:

Router(config)# ip multicast limit cost acl-MP2SD-channels 4000

Applies costs to per interface mroute state limiters.

Use the optional vrf keyword and vrf-name argument to specify that the cost be applied only to mroutes associated with MVRF specified for the vrf-name argument.

For the required access-list argument, specify the ACL that defines the IP multicast traffic for which to apply a cost.

Standard ACLs can be used to define the (*, G) state.

Extended ACLs can be used to define the (S, G) state. Extended ACLs also can be used to define the (*, G) state, by specifying 0.0.0.0 for the source address and source wildcard—referred to as (0, G)—in the permit or deny statements that compose the extended access list.

For the required cost-multiplier argument, specify the cost value to be applied to mroutes that match the ACL associated with the bandwidth-based multicast CAC policy. The range is 0 to 2147483647.

Step 9 

Repeat Step 8 if you want to apply additional costs to mroutes.

Step 10 

end

Example:

Router(config-if)# end

Exits interface configuration mode, and enters privileged EXEC mode.

What to Do Next

Proceed to the "Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies" task to monitor bandwidth-based multicast CAC policies.

Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies

Perform this optional task to monitor per interface mroute state limiters and bandwidth-based multicast CAC policies.

SUMMARY STEPS

1. enable

2. debug ip mrouting limits [group-address]

3. show ip multicast limit [type number]

4. clear ip multicast limit [type number]

DETAILED STEPS


Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Router> enable

Step 2 debug ip mrouting limits [group-address]

Use this command to display debugging information about configured per interface mroute state limiters and bandwidth-based multicast CAC policies.

Specify the optional group-address argument to restrict the output to display only per interface mroute state limiter events related to a particular multicast group.

The following output is from the debug ip mrouting limits command. The output displays the following events:

An mroute state being created and the corresponding per interface mroute state limiter counter being increased by the default cost of 1 on incoming Ethernet interface 1/0.

An mroute olist member being removed from the olist and the corresponding per interface mroute limiter being decreased by the default cost of 1 on outgoing Ethernet interface 1/0.

An mroute being denied by the per interface mroute state limiter because the maximum number of mroute states has been reached.

An mroute state being created and the corresponding per interface mroute state limiter counter being increased by the cost of 2 on incoming Ethernet interface 1/0.

An mroute olist member being removed from the olist and the corresponding per interface mroute limiter being decreased by a cost of 2 on outgoing Ethernet interface 1/0.

Router# debug ip mrouting limits 

MRL(0): incr-ed acl `rpf-list' to (13 < max 32), [n:0,p:0], (main) GigabitEthernet0/0, 
(10.41.0.41, 225.30.200.60)
MRL(0): decr-ed acl `out-list' to (10 < max 32), [n:0,p:0], (main) GigabitEthernet0/0, (*, 
225.40.202.60)
MRL(0): Add mroute (10.43.0.43, 225.30.200.60) denied for GigabitEthernet0/2, acl 
std-list, (16 = max 16)
MRL(0): incr-ed limit-acl `rpf-list' to (12 < max 32), cost-acl 'cost-list' cost 2, 
[n:0,p:0], (main) GigabitEthernet0/0, (10.41.0.41, 225.30.200.60)
MRL(0): decr-ed limit-acl `out-list' to (8 < max 32), cost-acl 'cost-list'' cost 2, 
[n:0,p:0], (main) GigabitEthernet0/0, (*, 225.40.202.60)

Step 3 show ip multicast limit type number

Use this command to display counters related to mroute state limiters configured on the interfaces on the router.

Specify the optional type number arguments to restrict the output to displaying only statistics about per interface mroute state limiters configured on the specified interface.

For each per interface mroute state limiter shown in the output, the following information is displayed:

The direction of traffic that the per mroute state limiter is limiting.

The ACL referenced by the per interface mroute state limiter that defines the IP multicast traffic being limited.

Statistics, enclosed in parenthesis, which track the current number of mroutes being limited less the configured limit. Each time the state for an mroute is created or deleted and each time an outgoing interface list (olist) member is added or removed, the counters for matching per interface mroute state limiters are increased or decreased accordingly.

The exceeded counter, which tracks the total number of times that the limit configured for the per interface mroute state limiter has been exceeded. Each time an mroute is denied due to the configured limit being reached, the exceeded counter is increased by a value of 1.

The following is sample output from the show ip multicast limit command with the type number arguments. In this example, information about mroute state limiters configured on Gigabit Ethernet interface 0/0 is displayed.

Router# show ip multicast limit GigabitEthernet 0/0

Interface GigabitEthernet 0/0
 Multicast Access Limits
out acl out-list (1 < max 32) exceeded 0
rpf acl rpf-list (6 < max 32) exceeded 0
con acl conn-list (0 < max 32) exceeded 0

Step 4 clear ip multicast limit [type number]

Use this command to reset the exceeded counter for per interface mroute state limiters.

The exceeded counter is displayed in the output of the show ip multicast limit command. This counter tracks the total number of times that the limit configured for the per interface mroute state limiter has been exceeded. Each time an mroute is denied due to the configured limit being reached, the exceeded counter is increased by a value of 1.

Specify the optional type number arguments to reset the exceeded counter for only per interface mroute state limiters configured on the specified interface.

The following example shows how to reset exceeded counters for per interface mroute state limiters configured on Gigabit Ethernet interface 0/0:

clear ip multicast limit interface GigabitEthernet 0/0

Configuration Examples for Configuring Multicast Admission Control

This section provides the following configuration examples:

Configuring Global and Per MVRF Mroute State Limiters: Example

Configuring MSDP SA Limiters: Example

Configuring IGMP State Limiters: Example

Configuring Per Interface Mroute State Limiters: Example

Configuring Bandwidth-Based Multicast CAC Policies: Example

Configuring Global and Per MVRF Mroute State Limiters: Example

The following example shows how to configure a global mroute state limiter. In this example, a global mroute state limiter is configured with an mroute limit of 1500 and an mroute threshold limit of 1460.

ip multicast route-limit 1500 1460

The following is a sample mroute threshold warning message. The output shows that the configured mroute threshold limit of 1460 has been exceeded by one mroute.

%MROUTE-4-ROUTELIMITWARNING : multicast route-limit warning 1461 threshold 1460

The following is a sample mroute exceeded warning message. The output shows that the configured mroute limit of 1500 has been exceeded by one mroute. States for mroutes that exceed the configured limit for the global mroute state limiter are not created on the router.

%MROUTE-4-ROUTELIMIT : 1501 routes exceeded multicast route-limit of 1500

Configuring MSDP SA Limiters: Example

The following example shows how to configure an MSDP SA limiter. In this example, an MSDP SA limiter is configured that imposes a limit of 100 SA messages from the MSDP peer at 192.168.10.1.

ip msdp sa-limit 192.168.10.1 100

Configuring IGMP State Limiters: Example

The following example shows how to configure IGMP state limiters to provide multicast CAC in a network environment where all the multicast flows roughly utilize the same amount of bandwidth.

This example uses the topology illustrated in Figure 1.

Figure 1 IGMP State Limit Example Topology

In this example, a service provider is offering 300 Standard Definition (SD) TV channels. Each SD channel utilizes approximately 4 Mbps.

The service provider must provision the Gigabit Ethernet interfaces on the PE router connected to the Digital Subscriber Line Access Multiplexers (DSLAMs) as follows: 50% of the link's bandwidth (500 Mbps) must be available to subscribers of the Internet, voice, and video on demand (VoD) service offerings while the remaining 50% (500 Mbps) of the link's bandwidth must be available to subscribers of the SD channel offerings.

Because each SD channel utilizes the same amount of bandwidth (4 Mbps), per interface IGMP state limiters can be used to provide the necessary CAC to provision the services being offered by the service provider. To determine the required CAC needed per interface, the total number of channels is divided by 4 (because each channel utilizes 4 Mbps of bandwidth). The required CAC needed per interface, therefore, is as follows:

500Mbps / 4Mbps = 125 mroutes

Once the required CAC is determined, the service provider uses the results to configure the per IGMP state limiters required to provision the Gigabit Ethernet interfaces on the PE router. Based on the network's CAC requirements, the service provider must limit the SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 125. Configuring a per interface IGMP state limit of 125 for the SD channels provisions the interface for 500 Mbps of bandwidth, the 50% of the link's bandwidth that must always be available (but never exceeded) for the SD channel offerings.

The following configuration shows how the service provider uses a per interface mroute state limiter to provision interface Gigabit Ethernet 0/0 for the SD channels and Internet, Voice, and VoD services being offered to subscribers:

interface GigabitEthernet0/0
description --- Interface towards the DSLAM ---
.
.
.
ip igmp limit 125

Configuring Per Interface Mroute State Limiters: Example

The following example shows how to configure per interface mroute state limiters to provide multicast CAC in a network environment where all the multicast flows roughly utilize the same amount of bandwidth.

This example uses the topology illustrated in Figure 2.

Figure 2 Per Interface Mroute State Limit Example Topology

In this example, a service provider is offering 300 SD TV channels. The SD channels are being offered to customers in three service bundles (Basic, Premium, and Gold), which are available to customers on a subscription basis. Each bundle offers 100 channels to subscribers, and each channel utilizes approximately 4 Mbps of bandwidth.

The service provider must provision the Gigabit Ethernet interfaces on the PE router connected to DSLAMs as follows: 50% of the link's bandwidth (500 Mbps) must be available to subscribers of their Internet, voice, and VoD service offerings while the remaining 50% (500 Mbps) of the link's bandwidth must be available to subscribers of their SD channel bundle service offerings.

For the 500 Mbps of the link's bandwidth that must always be available to (but must never be exceeded by) the subscribers of the SD channel bundles, the interface must be further provisioned as follows:

60% of the bandwidth must be available to subscribers of the basic service (300 Mbps).

20% of the bandwidth must be available to subscribers of the premium service (100 Mbps).

20% of the bandwidth must be available to subscribers of the gold service (100 Mbps).

Because each SD channel utilizes the same amount of bandwidth (4 Mbps), per interface mroute state limiters can be used to provide the necessary CAC to provision the services being offered by the service provider. To determine the required CAC needed per interface, the number of channels for each bundle is divided by 4 (because each channel utilizes 4 Mbps of bandwidth). The required CAC needed per interface, therefore, is as follows:

Basic Services: 300 / 4 = 75

Premium Services: 100 / 4 = 25

Gold Services: 100 / 4 = 25

Once the required CAC required per SD channel bundle is determined, the service provider uses the results to configure the mroute state limiters required to provision the Gigabit Ethernet interfaces on the PE router for the services being offered to subscribers behind the DSLAMs:

For the Basic Services bundle, the service provider must limit the number of Basic Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 75. Configuring an mroute state limit of 75 for the SD channels offered in the Basic Service bundle provisions the interface for 300 Mbps of bandwidth (the 60% of the link's bandwidth that must always be available to [but never exceeded by] the subscribers of the Basic Services bundle).

For the Premium Services bundle, the service provider must limit the number of Premium Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 25. Configuring an mroute state limit of 25 for the SD channels offered in the Premium Service bundle provisions the interface for 100 Mbps of bandwidth (the 20% of the link's bandwidth that must always be available to [but never exceeded by] the subscribers of the Premium Service bundle).

For the Gold Services bundle, the service provider must limit the number of Gold Service SD channels that can be transmitted out a Gigabit Ethernet interface (at any given time) to 25. Configuring an mroute state limit of 25 for the SD channels offered in the Gold Service bundle provisions the interface for 100 Mbps of bandwidth (the 20% of the link's bandwidth that must always be available to [but never exceeded by] the subscribers of the Gold Service bundle).

The service provider then configures three ACLs to be applied to per interface mroute state limiters. Each ACL defines the SD channels for each SD channel bundle to be limited on an interface:

acl-basic—The ACL that defines the SD channels offered in the basic service.

acl-premium—The ACL that defines the SD channels offered in the premium service.

acl-gold—The ACL that defines the SD channels offered in the gold service.

These ACLs are then applied to per interface mroute state limiters configured on the PE router's Gigabit Ethernet interfaces.

For this example, three per interface mroute state limiters are configured on Gigabit Ethernet interface 0/0 to provide the multicast CAC needed to provision the interface for the SD channel bundles being offered to subscribers:

An mroute state limit of 75 for the SD channels that match acl-basic.

An mroute state limit of 25 for the SD channels that match acl-premium.

An mroute state limit of 25 for the SD channels that match acl-gold.

The following configuration shows how the service provider uses per interface mroute state limiters to provision Gigabit Ethernet interface 0/0 for the SD channel bundles and Internet, Voice, and VoD services being offered to subscribers:

interface GigabitEthernet0/0
description --- Interface towards the DSLAM ---
.
.
.
ip multicast limit out acl-basic 75
ip multicast limit out acl-premium 25
ip multicast limit out acl-gold 25

Configuring Bandwidth-Based Multicast CAC Policies: Example

The following example shows how to configure bandwidth-based multicast CAC policies to provide multicast CAC in a network environment where the multicast flows utilize different amounts of bandwidth.

This example uses the topology illustrated in Figure 3.

Figure 3 Bandwidth-Based CAC for IP Multicast Example Topology

In this example, three content providers are providing TV services across a service provider core. The content providers are broadcasting TV channels that utilize different amounts of bandwidth:

MPEG-2 SDTV channels—4 Mbps per channel.

MPEG-2 HDTV channels—18 Mbps per channel.

MPEG-4 SDTV channels—1.6 Mbps per channel.

MPEG-4 HDTV channels—6 Mbps per channel.

The service provider needs to provision the fair sharing of bandwidth between these three content providers to its subscribers across Gigabit Ethernet interfaces. The service provider, thus, determines that it needs to provision each Gigabit Ethernet interface on the PE router connected to the DSLAMs as follows:

250 Mbps per content provider.

250 Mbps for Internet, voice, and VoD services.

The service provider then configures three ACLs:

acl-CP1-channels—The ACL that defines the channels being offered by the content provider CP1.

acl-CP2-channels—The ACL that defines the channels being offered by the content provider CP2.

acl-CP3-channels—The ACL that defines the channels being offered by the content provider CP3.

Because the content providers are broadcasting TV channels that utilize different amounts of bandwidth, the service provider needs to determine the values that need to be configured for the per interface mroute state limiters and bandwidth-based multicast CAC policies to provide the fair sharing of bandwidth required between the content providers.

Prior to the introduction of the Bandwidth-Based CAC for IP Multicast feature, per interface mroute state limiters were based strictly on the number of flows. The introduction of cost multipliers by the Bandwidth-Based CAC for IP Multicast feature expands how per interface mroute state limiters can be defined. Instead of defining the per interface mroute state limiters based on the number of multicast flows, the service provider looks for a common unit of measure and decides to represent the per interface mroute state limiters in kilobits per second (Kbps). The service provider then configures three per interface mroute state limiters, one per content provider. Because the link is a Gigabit, the service provider sets each limit to 250000 (because 250000 Kbps equals 250 Mbps, the number of bits that service provider needs to provision per content provider).

The service provider needs to further provision the fair sharing of bandwidth between the content providers, which can be achieved by configuring bandwidth-based multicast CAC policies. The service provider decides to create four bandwidth-based CAC policies, one policy per channel based on bandwidth. For these policies, the service provider configures the following ACLs:

acl-MP2SD-channels—Defines all the MPEG-2 SD channels offered by the three content providers.

acl-MP2HD-channels—Defines all the MPEG-2 HD channels offered by the three content providers.

acl-MP4SD-channels—Defines all the MPEG-4 SD channels offered by the three content providers.

acl-MP4HD-channels—Defines all the MPEG-4 HD channels offered by the three content providers.

For each policy, a cost multiplier (represented in Kbps) is defined for each ACL that is based on the bandwidth of the channels defined in the ACL:

4000—Represents the 4 Mbps MPEG-2 SD channels.

18000—Represents the 18 Mbps MPEG-2 HD channels.

1600—Represents the 1.6 Mbps MPEG-4 SD channels.

6000—Represents the 6 Mbps MPEG-4 HD channels.

The following configuration example shows how the service provider used per interface mroute state limiters with bandwidth-based multicast CAC policies to provision Gigabit Ethernet interface 0/0 for the fair sharing of bandwidth required between the three content providers:

!
ip multicast limit cost acl-MP2SD-channels 4000
ip multicast limit cost acl-MP2HD-channels 18000
ip multicast limit cost acl-MP4SD-channels 1600
ip multicast limit cost acl-MP4HD-channels 6000
!
.
.
.
!
interface GigabitEthernet0/0
 ip multicast limit out acl-CP1-channels 250000
 ip multicast limit out acl-CP2-channels 250000
 ip multicast limit out acl-CP3-channels 250000
!

Additional References

The following sections provide references related to configuring multicast admission control.

Related Documents

Related Topic
Document Title

Overview of the IP multicast technology area

"IP Multicast Technology Overview" module

Concepts, tasks, and examples for configuring an IP multicast network using PIM

"Configuring a Basic IP Multicast Network" module

Concepts, tasks, and examples for using MSDP to interconnection multiple PIM-SM domains

"Using MSDP to Interconnect Multiple PIM-SM Domains" module

Multicast commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS IP Multicast Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Configuring Multicast Admission Control

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table.

For information on a feature in this technology that is not documented here, see the "IP Multicast Features Roadmap."

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Feature Information for Configuring Multicast Admission Control 

Feature Name
Releases
Feature Information

Bandwidth-Based CAC for IP Multicast

12.2(33)SRB
12.4(15)T
12.2(33)SXI

The Bandwidth-Based CAC for IP Multicast feature enhances the Per Interface Mroute State Limit feature by implementing a way to count per interface mroute state limiters using cost multipliers. This feature can be used to provide bandwidth-based CAC on a per interface basis in network environments where the multicast flows utilize different amounts of bandwidth.

The following sections provide information about this feature:

Bandwidth-Based CAC for IP Multicast

Configuring Bandwidth-Based Multicast CAC Policies

Configuring Bandwidth-Based Multicast CAC Policies: Example

The following command was introduced by this feature: ip multicast limit cost.

IGMP State Limit

12.2(14)S
12.2(15)T
15.0(1)S

The IGMP State Limit feature introduces the capability to limit the number of mroute states resulting from IGMP membership states on a per interface or global basis. Membership reports exceeding the configured limits are not entered into the IGMP cache. This feature can be used to

   

prevent DoS attacks or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.

The following sections provide information about this feature:

IGMP State Limit

Configuring IGMP State Limiters

Configuring IGMP State Limiters: Example

Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies

The following commands were introduced or modified by this feature: ip igmp limit (global), ip igmp limit (interface), show ip igmp interface.

Per Interface Mroute State Limit

12.3(14)T
12.2(33)SRB
12.2(33)SXI

The Per Interface Mroute State Limit feature provides the capability to limit the number of mroute states on an interface for different ACL-classified sets of multicast traffic. This feature can be used to prevent DoS attacks, or to provide a multicast CAC mechanism in network environments where all the multicast flows roughly utilize the same amount of bandwidth.

The following sections provide information about this feature:

Per Interface Mroute State Limit

Configuring Per Interface Mroute State Limiters

Configuring Bandwidth-Based Multicast CAC Policies

Monitoring Per Interface Mroute State Limiters and Bandwidth-Based Multicast CAC Policies

The following commands were introduced or modified by this feature: clear ip multicast limit, debug ip mrouting limits, ip multicast limit, show ip multicast limit.