Multicast route state limit refers to a limit on the number of multicast routing entries (mroute states) that a device can maintain. This limit helps prevent control plane overload by restricting the number of multicast routes the device processess and stores, ensuring stable and fair resource usage. In Multi-VRF (MVRF) environments, the MVRF mroute state limit allows administrators to set multicast route limits individually for each VRF.

Global mroute state limiters limit the number of mroutes added to the global table on a device. Configuring a global mroute state limiter protects a device in a multicast DoS attack by preventing mroutes from overrunning the device.

Per VRF mroute state limiters limit the number of mroutes added to an MVRF table. Use per MVRF mroute state limits to ensure fair sharing of mroutes between different MVRFs.

Global and per MVRF mroute state limiters are configured using the ip multicast route-limit command in global configuration mode. This command imposes limits on the number of mroutes that can be added to the global table or to a particular MVRF table, respectively.

The syntax of the ip multicast route-limit command is as follows:

ip multicast [vrf vrf-name ] route-limit limit [threshold ]

Issuing the ip multicast route-limit command without the optional vrf keyword and vrf-name arguments configures a global mroute state limiter. The optional vrf keyword and vrf-name arguments are used with the ip multicast limit command to configure per MVRF mroute state limiters.

The value specified for the required limit argument defines the maximum number of mroutes that can be added to either the global table or a particular MVRF table, respectively.

In addition, for both global and per MVRF mroute state limiters, the optional threshold argument is available to set mroute threshold limits.

Note

When configuring global and per VRF mroute state limiters, you can only configure one limit for the global table and one limit per MVRF table. Global and per MVRF mroute state limiters operate independently. They can be used either alone or together, depending on the admission control requirements of your network.

Here is how global and per MVRF mroute state limiters work:

• When an mroute state is created on a device, the Cisco IOS software checks if the global or per MVRF mroute state limiter's limit has been reached.

• States for mroutes that exceed the configured limit for the global or the per MVRF mroute state limiter are not created on the device, and a warning message in this format is generated:

  % MROUTE-4-ROUTELIMIT : <current mroute count> exceeded multicast route-limit of <mroute limit value>

• When an mroute threshold limit is also configured for the global or the per MVRF mroute state limiter, each time the state for an mroute is created on a device, the Cisco IOS software also checks to see if the mroute threshold limit has been reached. If the mroute threshold limit is exceeded, a warning message in this format is generated:

  % MROUTE-4-ROUTELIMITWARNING : multicast route-limit warning <current mroute count> threshold <mroute threshold value>

  Warning messages continue until the number of mroutes exceeds the configured limit or falls below the mroute threshold.

The IGMP State Limit feature allows the configuration of IGMP state limiters to impose limits on mroute states resulting from IGMP membership reports (IGMP joins), applicable globally or on a per-interface basis. Membership reports that exceed the configured limits are excluded from the IGMP cache. You can use the IGMP State Limit feature to prevent DoS attacks and enable a multicast CAC mechanism in network environments where multicast flows utilize similar bandwidth.

Note	IGMP state limiters impose limits on the number of mroute states resulting from IGMP, IGMP v3lite, and URL Rendezvous Directory (URD) membership reports on a global or per interface basis.

• In global configuration mode, configure IGMP state limiters to set a device-wide limit on cached IGMP membership reports.

• In interface configuration mode, configure IGMP state limiters to limit the number of IGMP membership reports per interface.

• Use ACLs to exclude certain groups or channels from being counted against the interface limit. A standard or an extended ACL can be specified. Standard ACL usage: Define the (*, G) state to be excluded from an interface's limit. Extended ACL usage: Define the (S, G) state excluded from the interface limit. An extended ACL also can be used to define the (*, G) state to be excluded from the limit on an interface, by specifying 0.0.0.0 for the source address and source wildcard--referred to as (0, G)--in the permit or deny statements that compose the extended access list.

• You can only configure one global limit per device and one limit per interface.

The mechanics of IGMP state limiters are as follows:

• When a device receives an IGMP membership report for a group or channel, the Cisco IOS software determines whether the limit for either the global IGMP state limiter or the per interface IGMP state limiter is reached.

• IGMP membership reports are honored if only a global IGMP state limiter is configured and its limit has not been reached. When the configured limit is reached, subsequent IGMP membership reports are ignored, and a warning message is generated in these formats:

  %IGMP-6-IGMP_GROUP_LIMIT: IGMP limit exceeded for <group (*, group address)> on <interface type number> by host <ip address>

  %IGMP-6-IGMP_CHANNEL_LIMIT: IGMP limit exceeded for <channel (source address, group address)> on <interface type number> by host <ip address>

• If only per interface IGMP state limiters are configured, then each limit is only counted against the interface on which it was configured.

• If both a global IGMP state limiter and per interface IGMP state limiters are configured, the limits configured for the per interface IGMP state limiters are still enforced but are constrained by the global limit.