Example: Configuring PIM State Limits
Controlling PIM Resources for Multicast VPNs Overview
A service provider network must protect itself from potential attacks from misconfigured or misbehaving customer edge (CE) devices and their associated VPN routing and forwarding (VRF) routing instances. Misbehaving CE devices can potentially advertise a large number of multicast routes toward a provider edge (PE) device, thereby consuming memory on the PE device and using other system resources in the network that are reserved for routes belonging to other VPNs.
To protect against potentially misbehaving CE devices and VRF routing instances for specific multicast VPNs (MVPNs), you can control the following Protocol Independent Multicast (PIM) resources:
Limit the number of accepted PIM join messages for any-source groups (*,G) and source-specific groups (S,G).
Note how the device counts the PIM join messages:
Each (*,G) counts as one group toward the limit.
Each (S,G) counts as one group toward the limit.
Limit the number of PIM register messages received for a specific VRF routing instance. Use this configuration if the device is configured as a rendezvous point (RP) or has the potential to become an RP. When a source in a multicast network becomes active, the source’s designated router (DR) encapsulates multicast data packets into a PIM register message and sends them by means of unicast to the RP router.
Note how the device counts PIM register messages:
Each unique (S,G) join received by the RP counts as one group toward the configured register messages limit.
Periodic register messages sent by the DR for existing or already known (S,G) entries do not count toward the configured register messages limit.
Register messages are accepted until either the PIM register limit or the PIM join limit (if configured) is exceeded. Once either limit is reached, any new requests are dropped.
Limit the number of group-to-RP mappings allowed in a specific VRF routing instance. Use this configuration if the device is configured as an RP or has the potential to become an RP. This configuration can apply to devices configured for automatic RP announce and discovery (Auto-RP) or as a PIM bootstrap router. Every multicast device within a PIM domain must be able to map a particular multicast group address to the same RP. Both Auto-RP and the bootstrap router functionality are the mechanisms used to learn the set of group-to-RP mappings. Auto-RP is typically used in a PIM dense-mode deployment, and the bootstrap router is typically used in a PIM sparse-mode deployment.
Note: The group-to-RP mappings limit does not apply to static RP or embedded RP configurations.
Some important things to note about how the device counts group-to-RP mappings:
One group prefix mapped to five RPs counts as five group-to-RP mappings.
Five distinct group prefixes mapped to one RP count as five group-to-RP mappings.
Once the configured limits are reached, no new PIM join messages, PIM register messages, or group-to-RP mappings are accepted unless one of the following occurs:
You clear the current PIM join states by using the clear pim join command. If you use this command on an RP configured for PIM register message limits, the register limit count is also restarted because the PIM join messages are unknown by the RP.
Note: On the RP, you can also use the clear pim register command to clear all of the PIM registers. This command is useful if the current PIM register count is greater than the newly configured PIM register limit. After you clear the PIM registers, new PIM register messages are received up to the configured limit.
The traffic responsible for the excess PIM join messages and PIM register messages stops and is no longer present.
CAUTION: Never restart any of the software processes unless instructed to do so by a customer support engineer.
You restart the PIM routing process on the device. This restart clears all of the configured limits but disrupts routing and therefore requires a maintenance window for the change.
System Log Messages for PIM Resources
You can optionally configure a system log warning threshold for each of the PIM resources. With this configuration, you can generate and review system log messages to detect if an excessive number of PIM join messages, PIM register messages, or group-to-RP mappings have been received on the device. The system log warning thresholds are configured per PIM resource and are a percentage of the configured maximum limits of the PIM join messages, PIM register messages, and group-to-RP mappings. You can further specify a log interval for each configured PIM resource, which is the amount of time (in seconds) between the log messages.
The log messages convey when the configured limits have been exceeded, when the configured warning thresholds have been exceeded, and when the configured limits drop below the configured warning threshold. Table 1 describes the different types of PIM system messages that you might see depending on your system log warning and log interval configurations.
System Log Message | Definition
---|---
RPD_PIM_SG_THRESHOLD_EXCEED | Records when the (S,G)/(*,G) routes exceed the configured warning threshold.
RPD_PIM_REG_THRESH_EXCEED | Records when the PIM registers exceed the configured warning threshold.
RPD_PIM_GRP_RP_MAP_THRES_EXCEED | Records when the group-to-RP mappings exceed the configured warning threshold.
RPD_PIM_SG_LIMIT_EXCEED | Records when the (S,G)/(*,G) routes exceed the configured limit, or when the configured log interval has been met and the routes exceed the configured limit.
RPD_PIM_REGISTER_LIMIT_EXCEED | Records when the PIM registers exceed the configured limit, or when the configured log interval has been met and the registers exceed the configured limit.
RPD_PIM_GRP_RP_MAP_LIMIT_EXCEED | Records when the group-to-RP mappings exceed the configured limit, or when the configured log interval has been met and the mappings exceed the configured limit.
RPD_PIM_SG_LIMIT_BELOW | Records when the (S,G)/(*,G) routes drop below the configured limit and the configured log interval.
RPD_PIM_REGISTER_LIMIT_BELOW | Records when the PIM registers drop below the configured limit and the configured log interval.
RPD_PIM_GRP_RP_MAP_LIMIT_BELOW | Records when the group-to-RP mappings drop below the configured limit and the configured log interval.
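The counting rules from the overview (how joins, registers and group-to-RP mappings are counted) and the threshold and log-interval behaviour behind the system log messages above, modelled in Python as an added illustration written for this page. It is not Junos code; the class and method names are the author's, the syslog tags and the limit values (maximum 100, threshold 70/80, log-interval 10) are the page's.

```python
"""Model of the PIM state counting and logging rules described above.

Added illustration for this page, not Junos code. Counting rules: each (*,G)
and (S,G) join is one entry toward sglimit; a register counts only for a new
(S,G), periodic refreshes do not; a prefix mapped to five RPs is five
mappings; a register is dropped once either the register or the join limit is
full. Events carry the page's syslog tags and honour threshold/log-interval.
"""
from dataclasses import dataclass, field


@dataclass
class Limit:
    threshold_tag: str            # syslog tag when the warning threshold is crossed
    limit_tag: str                # syslog tag when the maximum is hit
    maximum: int                  # 'maximum' statement
    threshold: int                # 'threshold' statement, percent of maximum
    log_interval: int             # 'log-interval' statement, seconds
    accepted: set = field(default_factory=set)
    last_log: float = float("-inf")
    log: list = field(default_factory=list)   # (time, tag, accepted count)

    def count(self) -> int:
        return len(self.accepted)

    def full_for(self, key) -> bool:
        """True when `key` is new and the maximum is already reached."""
        return key not in self.accepted and self.count() >= self.maximum

    def admit(self, key, now: float) -> bool:
        """Accept `key`; a repeat of already-known state never counts again."""
        if key in self.accepted:
            return True
        if self.count() >= self.maximum:
            self.record(self.limit_tag, now)
            return False
        self.accepted.add(key)
        if self.count() * 100 >= self.maximum * self.threshold:
            self.record(self.threshold_tag, now)
        return True

    def record(self, tag: str, now: float) -> None:
        """Emit at most one message per log-interval for this resource."""
        if now - self.last_log >= self.log_interval:
            self.log.append((now, tag, self.count()))
            self.last_log = now


class PimVrfLimits:
    """The three per-VRF PIM resources, defaulting to Device PE1's vpn-1 values."""

    def __init__(self, maximum=100, sg_threshold=70, rp_threshold=80, log_interval=10):
        self.sg = Limit("RPD_PIM_SG_THRESHOLD_EXCEED", "RPD_PIM_SG_LIMIT_EXCEED",
                        maximum, sg_threshold, log_interval)
        self.reg = Limit("RPD_PIM_REG_THRESH_EXCEED", "RPD_PIM_REGISTER_LIMIT_EXCEED",
                         maximum, rp_threshold, log_interval)
        self.rpmap = Limit("RPD_PIM_GRP_RP_MAP_THRES_EXCEED", "RPD_PIM_GRP_RP_MAP_LIMIT_EXCEED",
                           maximum, rp_threshold, log_interval)

    def join(self, group: str, source=None, now: float = 0.0) -> bool:
        """(*,G) when source is None, otherwise (S,G); each is one toward sglimit."""
        return self.sg.admit(("*" if source is None else source, group), now)

    def register(self, source: str, group: str, now: float = 0.0) -> bool:
        """Register received on the RP: a new (S,G) needs room under both limits."""
        key = (source, group)
        if key in self.reg.accepted:
            return True                       # periodic refresh of a known (S,G)
        if self.sg.full_for(key):             # join limit exhausted: drop and log
            self.sg.record(self.sg.limit_tag, now)
            return False
        return self.reg.admit(key, now) and self.sg.admit(key, now)

    def rp_mapping(self, prefix: str, rp: str, now: float = 0.0) -> bool:
        """Each distinct (group prefix, RP) pair is one group-to-RP mapping."""
        return self.rpmap.admit((prefix, rp), now)
```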
Example: Configuring PIM State Limits
This example shows how to set limits on the Protocol Independent Multicast (PIM) state information so that a service provider network can protect itself from potential attacks from misconfigured or misbehaving customer edge (CE) devices and their associated VPN routing and forwarding (VRF) routing instances.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, a multiprotocol BGP-based multicast VPN (next-generation MBGP MVPN) is configured with limits on the PIM state resources.
The sglimit maximum statement sets a limit for the number of accepted (*,G) and (S,G) PIM join states received for the vpn-1 routing instance.
The rp register-limit maximum statement configures a limit for the number of PIM register messages received for the vpn-1 routing instance. You configure this statement on the rendezvous point (RP) or on all the devices that might become the RP.
The group-rp-mapping maximum statement configures a limit for the number of group-to-RP mappings allowed in the vpn-1 routing instance.
For each configured PIM resource, the threshold statement sets a percentage of the maximum limit at which to start generating warning messages in the PIM log file.
For each configured PIM resource, the log-interval statement is the amount of time (in seconds) between system log message generation.
Figure 1 shows the topology used in this example.
CLI Quick Configuration shows the configuration for all of the devices in Figure 1. The section Device PE1 below describes the steps for Device PE1.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device CE1
set interfaces ge-1/2/0 unit 1 family inet address 10.1.1.1/30
set interfaces ge-1/2/0 unit 1 family mpls
set interfaces lo0 unit 1 family inet address 192.0.2.1/24
set protocols ospf area 0.0.0.0 interface lo0.1 passive
set protocols ospf area 0.0.0.0 interface ge-1/2/0.1
set protocols pim rp static address 203.0.113.1
set protocols pim interface all
set routing-options router-id 192.0.2.1
Device PE1
set interfaces ge-1/2/0 unit 2 family inet address 10.1.1.2/30
set interfaces ge-1/2/0 unit 2 family mpls
set interfaces ge-1/2/1 unit 5 family inet address 10.1.1.5/30
set interfaces ge-1/2/1 unit 5 family mpls
set interfaces vt-1/2/0 unit 2 family inet
set interfaces lo0 unit 2 family inet address 192.0.2.2/24
set interfaces lo0 unit 102 family inet address 203.0.113.1/24
set protocols mpls interface ge-1/2/1.5
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 192.0.2.2
set protocols bgp group ibgp family inet-vpn any
set protocols bgp group ibgp family inet-mvpn signaling
set protocols bgp group ibgp neighbor 192.0.2.4
set protocols bgp group ibgp neighbor 192.0.2.5
set protocols ospf area 0.0.0.0 interface lo0.2 passive
set protocols ospf area 0.0.0.0 interface ge-1/2/1.5
set protocols ldp interface ge-1/2/1.5
set protocols ldp p2mp
set policy-options policy-statement parent_vpn_routes from protocol bgp
set policy-options policy-statement parent_vpn_routes then accept
set routing-instances vpn-1 instance-type vrf
set routing-instances vpn-1 interface ge-1/2/0.2
set routing-instances vpn-1 interface vt-1/2/0.2
set routing-instances vpn-1 interface lo0.102
set routing-instances vpn-1 route-distinguisher 100:100
set routing-instances vpn-1 provider-tunnel ldp-p2mp
set routing-instances vpn-1 vrf-target target:1:1
set routing-instances vpn-1 protocols ospf export parent_vpn_routes
set routing-instances vpn-1 protocols ospf area 0.0.0.0 interface lo0.102 passive
set routing-instances vpn-1 protocols ospf area 0.0.0.0 interface ge-1/2/0.2
set routing-instances vpn-1 protocols pim sglimit family inet maximum 100
set routing-instances vpn-1 protocols pim sglimit family inet threshold 70
set routing-instances vpn-1 protocols pim sglimit family inet log-interval 10
set routing-instances vpn-1 protocols pim rp register-limit family inet maximum 100
set routing-instances vpn-1 protocols pim rp register-limit family inet threshold 80
set routing-instances vpn-1 protocols pim rp register-limit family inet log-interval 10
set routing-instances vpn-1 protocols pim rp group-rp-mapping family inet maximum 100
set routing-instances vpn-1 protocols pim rp group-rp-mapping family inet threshold 80
set routing-instances vpn-1 protocols pim rp group-rp-mapping family inet log-interval 10
set routing-instances vpn-1 protocols pim rp static address 203.0.113.1
set routing-instances vpn-1 protocols pim interface ge-1/2/0.2 mode sparse
set routing-instances vpn-1 protocols mvpn
set routing-options router-id 192.0.2.2
set routing-options autonomous-system 1001
Device P
set interfaces ge-1/2/0 unit 6 family inet address 10.1.1.6/30
set interfaces ge-1/2/0 unit 6 family mpls
set interfaces ge-1/2/1 unit 9 family inet address 10.1.1.9/30
set interfaces ge-1/2/1 unit 9 family mpls
set interfaces ge-1/2/2 unit 13 family inet address 10.1.1.13/30
set interfaces ge-1/2/2 unit 13 family mpls
set interfaces lo0 unit 3 family inet address 192.0.2.3/24
set protocols mpls interface ge-1/2/0.6
set protocols mpls interface ge-1/2/1.9
set protocols mpls interface ge-1/2/2.13
set protocols ospf area 0.0.0.0 interface lo0.3 passive
set protocols ospf area 0.0.0.0 interface ge-1/2/0.6
set protocols ospf area 0.0.0.0 interface ge-1/2/1.9
set protocols ospf area 0.0.0.0 interface ge-1/2/2.13
set protocols ldp interface ge-1/2/0.6
set protocols ldp interface ge-1/2/1.9
set protocols ldp interface ge-1/2/2.13
set protocols ldp p2mp
set routing-options router-id 192.0.2.3
Device PE2
set interfaces ge-1/2/0 unit 10 family inet address 10.1.1.10/30
set interfaces ge-1/2/0 unit 10 family mpls
set interfaces ge-1/2/1 unit 17 family inet address 10.1.1.17/30
set interfaces ge-1/2/1 unit 17 family mpls
set interfaces vt-1/2/0 unit 4 family inet
set interfaces lo0 unit 4 family inet address 192.0.2.4/24
set interfaces lo0 unit 104 family inet address 203.0.113.4/24
set protocols mpls interface ge-1/2/0.10
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 192.0.2.4
set protocols bgp group ibgp family inet-vpn any
set protocols bgp group ibgp family inet-mvpn signaling
set protocols bgp group ibgp neighbor 192.0.2.2
set protocols bgp group ibgp neighbor 192.0.2.5
set protocols ospf area 0.0.0.0 interface lo0.4 passive
set protocols ospf area 0.0.0.0 interface ge-1/2/0.10
set protocols ldp interface ge-1/2/0.10
set protocols ldp p2mp
set policy-options policy-statement parent_vpn_routes from protocol bgp
set policy-options policy-statement parent_vpn_routes then accept
set routing-instances vpn-1 instance-type vrf
set routing-instances vpn-1 interface vt-1/2/0.4
set routing-instances vpn-1 interface ge-1/2/1.17
set routing-instances vpn-1 interface lo0.104
set routing-instances vpn-1 route-distinguisher 100:100
set routing-instances vpn-1 vrf-target target:1:1
set routing-instances vpn-1 protocols ospf export parent_vpn_routes
set routing-instances vpn-1 protocols ospf area 0.0.0.0 interface lo0.104 passive
set routing-instances vpn-1 protocols ospf area 0.0.0.0 interface ge-1/2/1.17
set routing-instances vpn-1 protocols pim rp group-rp-mapping family inet maximum 100
set routing-instances vpn-1 protocols pim rp group-rp-mapping family inet threshold 80
set routing-instances vpn-1 protocols pim rp group-rp-mapping family inet log-interval 10
set routing-instances vpn-1 protocols pim rp static address 203.0.113.1
set routing-instances vpn-1 protocols pim interface ge-1/2/1.17 mode sparse
set routing-instances vpn-1 protocols mvpn
set routing-options router-id 192.0.2.4
set routing-options autonomous-system 1001
Device PE3
set interfaces ge-1/2/0 unit 14 family inet address 10.1.1.14/30
set interfaces ge-1/2/0 unit 14 family mpls
set interfaces ge-1/2/1 unit 21 family inet address 10.1.1.21/30
set interfaces ge-1/2/1 unit 21 family mpls
set interfaces vt-1/2/0 unit 5 family inet
set interfaces lo0 unit 5 family inet address 192.0.2.5/24
set interfaces lo0 unit 105 family inet address 203.0.113.5/24
set protocols mpls interface ge-1/2/0.14
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 192.0.2.5
set protocols bgp group ibgp family inet-vpn any
set protocols bgp group ibgp family inet-mvpn signaling
set protocols bgp group ibgp neighbor 192.0.2.2
set protocols bgp group ibgp neighbor 192.0.2.4
set protocols ospf area 0.0.0.0 interface lo0.5 passive
set protocols ospf area 0.0.0.0 interface ge-1/2/0.14
set protocols ldp interface ge-1/2/0.14
set protocols ldp p2mp
set policy-options policy-statement parent_vpn_routes from protocol bgp
set policy-options policy-statement parent_vpn_routes then accept
set routing-instances vpn-1 instance-type vrf
set routing-instances vpn-1 interface vt-1/2/0.5
set routing-instances vpn-1 interface ge-1/2/1.21
set routing-instances vpn-1 interface lo0.105
set routing-instances vpn-1 route-distinguisher 100:100
set routing-instances vpn-1 vrf-target target:1:1
set routing-instances vpn-1 protocols ospf export parent_vpn_routes
set routing-instances vpn-1 protocols ospf area 0.0.0.0 interface lo0.105 passive
set routing-instances vpn-1 protocols ospf area 0.0.0.0 interface ge-1/2/1.21
set routing-instances vpn-1 protocols pim rp static address 203.0.113.1
set routing-instances vpn-1 protocols pim interface ge-1/2/1.21 mode sparse
set routing-instances vpn-1 protocols mvpn
set routing-options router-id 192.0.2.5
set routing-options autonomous-system 1001
Device CE2
set interfaces ge-1/2/0 unit 18 family inet address 10.1.1.18/30
set interfaces ge-1/2/0 unit 18 family mpls
set interfaces lo0 unit 6 family inet address 192.0.2.6/24
set protocols sap listen 192.168.0.0
set protocols ospf area 0.0.0.0 interface lo0.6 passive
set protocols ospf area 0.0.0.0 interface ge-1/2/0.18
set protocols pim rp static address 203.0.113.1
set protocols pim interface all
set routing-options router-id 192.0.2.6
Device CE3
set interfaces ge-1/2/0 unit 22 family inet address 10.1.1.22/30
set interfaces ge-1/2/0 unit 22 family mpls
set interfaces lo0 unit 7 family inet address 192.0.2.7/24
set protocols ospf area 0.0.0.0 interface lo0.7 passive
set protocols ospf area 0.0.0.0 interface ge-1/2/0.22
set protocols pim rp static address 203.0.113.1
set protocols pim interface all
set routing-options router-id 192.0.2.7
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure PIM state limits:
Configure the network interfaces.
[edit interfaces]
user@PE1# set ge-1/2/0 unit 2 family inet address 10.1.1.2/30
user@PE1# set ge-1/2/0 unit 2 family mpls
user@PE1# set ge-1/2/1 unit 5 family inet address 10.1.1.5/30
user@PE1# set ge-1/2/1 unit 5 family mpls
user@PE1# set vt-1/2/0 unit 2 family inet
user@PE1# set lo0 unit 2 family inet address 192.0.2.2/24
user@PE1# set lo0 unit 102 family inet address 203.0.113.1/24
Configure MPLS on the core-facing interface.
[edit protocols mpls]
user@PE1# set interface ge-1/2/1.5
Configure internal BGP (IBGP) on the main router.
The IBGP neighbors are the other PE devices.
[edit protocols bgp group ibgp]
user@PE1# set type internal
user@PE1# set local-address 192.0.2.2
user@PE1# set family inet-vpn any
user@PE1# set family inet-mvpn signaling
user@PE1# set neighbor 192.0.2.4
user@PE1# set neighbor 192.0.2.5
Configure OSPF on the main router.
[edit protocols ospf area 0.0.0.0]
user@PE1# set interface lo0.2 passive
user@PE1# set interface ge-1/2/1.5
Configure a signaling protocol (RSVP or LDP) on the main router.
[edit protocols ldp]
user@PE1# set interface ge-1/2/1.5
user@PE1# set p2mp
Configure the BGP export policy.
[edit policy-options policy-statement parent_vpn_routes]
user@PE1# set from protocol bgp
user@PE1# set then accept
Configure the routing instance.
The customer-facing interfaces and the BGP export policy are referenced in the routing instance.
[edit routing-instances vpn-1]
user@PE1# set instance-type vrf
user@PE1# set interface ge-1/2/0.2
user@PE1# set interface vt-1/2/0.2
user@PE1# set interface lo0.102
user@PE1# set route-distinguisher 100:100
user@PE1# set provider-tunnel ldp-p2mp
user@PE1# set vrf-target target:1:1
user@PE1# set protocols ospf export parent_vpn_routes
user@PE1# set protocols ospf area 0.0.0.0 interface lo0.102 passive
user@PE1# set protocols ospf area 0.0.0.0 interface ge-1/2/0.2
user@PE1# set protocols pim rp static address 203.0.113.1
user@PE1# set protocols pim interface ge-1/2/0.2 mode sparse
user@PE1# set protocols mvpn
Configure the PIM state limits.
[edit routing-instances vpn-1 protocols pim]
user@PE1# set sglimit family inet maximum 100
user@PE1# set sglimit family inet threshold 70
user@PE1# set sglimit family inet log-interval 10
user@PE1# set rp register-limit family inet maximum 100
user@PE1# set rp register-limit family inet threshold 80
user@PE1# set rp register-limit family inet log-interval 10
user@PE1# set rp group-rp-mapping family inet maximum 100
user@PE1# set rp group-rp-mapping family inet threshold 80
user@PE1# set rp group-rp-mapping family inet log-interval 10
Configure the router ID and AS number.
[edit routing-options]
user@PE1# set router-id 192.0.2.2
user@PE1# set autonomous-system 1001
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show policy-options, show routing-instances, and show routing-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@PE1# show interfaces
ge-1/2/0 {
    unit 2 {
        family inet {
            address 10.1.1.2/30;
        }
        family mpls;
    }
}
ge-1/2/1 {
    unit 5 {
        family inet {
            address 10.1.1.5/30;
        }
        family mpls;
    }
}
vt-1/2/0 {
    unit 2 {
        family inet;
    }
}
lo0 {
    unit 2 {
        family inet {
            address 192.0.2.2/24;
        }
    }
    unit 102 {
        family inet {
            address 203.0.113.1/24;
        }
    }
}
user@PE1# show protocols
mpls {
    interface ge-1/2/1.5;
}
bgp {
    group ibgp {
        type internal;
        local-address 192.0.2.2;
        family inet-vpn {
            any;
        }
        family inet-mvpn {
            signaling;
        }
        neighbor 192.0.2.4;
        neighbor 192.0.2.5;
    }
}
ospf {
    area 0.0.0.0 {
        interface lo0.2 {
            passive;
        }
        interface ge-1/2/1.5;
    }
}
ldp {
    interface ge-1/2/1.5;
    p2mp;
}
user@PE1# show policy-options
policy-statement parent_vpn_routes {
    from protocol bgp;
    then accept;
}
user@PE1# show routing-instances
vpn-1 {
    instance-type vrf;
    interface ge-1/2/0.2;
    interface vt-1/2/0.2;
    interface lo0.102;
    route-distinguisher 100:100;
    provider-tunnel {
        ldp-p2mp;
    }
    vrf-target target:1:1;
    protocols {
        ospf {
            export parent_vpn_routes;
            area 0.0.0.0 {
                interface lo0.102 {
                    passive;
                }
                interface ge-1/2/0.2;
            }
        }
        pim {
            sglimit {
                family inet {
                    maximum 100;
                    threshold 70;
                    log-interval 10;
                }
            }
            rp {
                register-limit {
                    family inet {
                        maximum 100;
                        threshold 80;
                        log-interval 10;
                    }
                }
                group-rp-mapping {
                    family inet {
                        maximum 100;
                        threshold 80;
                        log-interval 10;
                    }
                }
                static {
                    address 203.0.113.1;
                }
            }
            interface ge-1/2/0.2 {
                mode sparse;
            }
        }
        mvpn;
    }
}
user@PE1# show routing-options
router-id 192.0.2.2;
autonomous-system 1001;
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Monitoring the PIM State Information
Purpose
Verify that the counters are set as expected and are not exceeding the configured limits.
Action
From operational mode, enter the show pim statistics command.
user@PE1> show pim statistics instance vpn-1
PIM Message type          Received    Sent    Rx errors
V2 Hello                       393     390            0
...
V4 (S,G) Maximum                    100
V4 (S,G) Accepted                     0
V4 (S,G) Threshold                   70
V4 (S,G) Log Interval                10
V4 (grp-prefix, RP) Maximum         100
V4 (grp-prefix, RP) Accepted          0
V4 (grp-prefix, RP) Threshold        80
V4 (grp-prefix, RP) Log Interval     10
V4 Register Maximum                 100
V4 Register Accepted                  0
V4 Register Threshold                80
V4 Register Log Interval             10
Meaning
The V4 (S,G) Maximum field shows the maximum number of (S,G) IPv4 multicast routes accepted for the VPN routing instance. If this number is met, additional (S,G) entries are not accepted.
The V4 (S,G) Accepted field shows the number of accepted (S,G) IPv4 multicast routes.
The V4 (S,G) Threshold field shows the threshold at which a warning message is logged (percentage of the maximum number of (S,G) IPv4 multicast routes accepted by the device).
The V4 (S,G) Log Interval field shows the time (in seconds) between consecutive log messages.
The V4 (grp-prefix, RP) Maximum field shows the maximum number of group-to-rendezvous point (RP) IPv4 multicast mappings accepted for the VRF routing instance. If this number is met, additional mappings are not accepted.
The V4 (grp-prefix, RP) Accepted field shows the number of accepted group-to-RP IPv4 multicast mappings.
The V4 (grp-prefix, RP) Threshold field shows the threshold at which a warning message is logged (percentage of the maximum number of group-to-RP IPv4 multicast mappings accepted by the device).
The V4 (grp-prefix, RP) Log Interval field shows the time (in seconds) between consecutive log messages.
The V4 Register Maximum field shows the maximum number of IPv4 PIM registers accepted for the VRF routing instance. If this number is met, additional PIM registers are not accepted. You configure the register limits on the RP.
The V4 Register Accepted field shows the number of accepted IPv4 PIM registers.
The V4 Register Threshold field shows the threshold at which a warning message is logged (percentage of the maximum number of IPv4 PIM registers accepted by the device).
The V4 Register Log Interval field shows the time (in seconds) between consecutive log messages.
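A headroom check over the show pim statistics fields explained above, added here as an example and not a Junos tool: it parses the Maximum, Accepted, Threshold and Log Interval lines per resource and reports how close each counter is to its limit, so a monitoring job can watch the values in the Meaning section rather than wait for the syslog threshold. The sample output is constructed from PE1's configured values with nonzero Accepted counters; function and variable names are the author's.

```python
"""Headroom check over 'show pim statistics instance <vrf>' output.

Added example for this page, not Junos code. It parses the limit fields
the Meaning section describes and reports, per resource, the share of the
configured maximum in use and whether the warning threshold or the limit
itself has been reached. SAMPLE_OUTPUT is constructed from Device PE1's
values (maximum 100, threshold 70/80, log-interval 10) with counters set
so that each condition is exercised once.
"""
import re

SAMPLE_OUTPUT = """\
PIM Message type          Received    Sent    Rx errors
V2 Hello                       393     390            0
V4 (S,G) Maximum                    100
V4 (S,G) Accepted                    75
V4 (S,G) Threshold                   70
V4 (S,G) Log Interval                10
V4 (grp-prefix, RP) Maximum         100
V4 (grp-prefix, RP) Accepted          3
V4 (grp-prefix, RP) Threshold        80
V4 (grp-prefix, RP) Log Interval     10
V4 Register Maximum                 100
V4 Register Accepted                100
V4 Register Threshold                80
V4 Register Log Interval             10
"""

# Only the limit-related rows: "<resource> <field> <integer>".
LIMIT_LINE = re.compile(
    r"^(?P<resource>V[46] .+?)\s+"
    r"(?P<field>Maximum|Accepted|Threshold|Log Interval)\s+(?P<value>\d+)$"
)


def parse_limits(output: str) -> dict:
    """Return {resource: {field: int}}; message-counter rows are ignored."""
    stats = {}
    for line in output.splitlines():
        m = LIMIT_LINE.match(line.strip())
        if m:
            stats.setdefault(m["resource"], {})[m["field"]] = int(m["value"])
    return stats


def headroom(stats: dict) -> dict:
    """Per resource: percent of maximum in use, plus the two syslog conditions."""
    report = {}
    for resource, f in stats.items():
        if not all(k in f for k in ("Maximum", "Accepted", "Threshold")) or f["Maximum"] == 0:
            continue                      # no limit configured for this resource
        report[resource] = {
            "percent_used": round(100 * f["Accepted"] / f["Maximum"], 1),
            # threshold is a percent of maximum (page), so compare without rounding
            "threshold_crossed": f["Accepted"] * 100 >= f["Maximum"] * f["Threshold"],
            "at_limit": f["Accepted"] >= f["Maximum"],
        }
    return report


if __name__ == "__main__":
    for name, r in headroom(parse_limits(SAMPLE_OUTPUT)).items():
        print(f"{name:<22} {r['percent_used']:>6}%  threshold={r['threshold_crossed']}  limit={r['at_limit']}")
```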