08-12-2024 06:22 AM
Hi, I have a wide L2 network where VLANs are extended across many switches. I've been facing an issue with mDNS traffic flooding the entire L2 network, and due to hardware limitations, I haven't been able to completely block it.
On the Catalyst 2960, ACLs can't be applied to outgoing traffic. Blocking incoming traffic isn't an option because I need to allow customers to use the switch as they see fit. However, I do want to prevent this traffic from exiting one switch and reaching another.
After these 2960 switches, I have ASR920 devices configured as L2 only. Unfortunately, the ASR920s also can't block ACLs on trunk ports. To mitigate the issue, I've configured QoS to minimize the passage of mDNS traffic, but I still notice a significant amount of mDNS packets getting through.
Network setup: Cat 2960 => ASR920
Has anyone experienced problems with mDNS flooding?
Does anyone have advice on how to block mDNS packets?
Here’s the QoS configuration I applied on the ASR920:
---------------------------------------------------------------------------------------
ip access-list extended IPv4-mDNS
10 permit ip any host 224.0.0.251
20 permit udp any any eq 5353
!
ipv6 access-list IPv6-mDNS
sequence 10 permit ipv6 any host FF02::FB
!
class-map match-any ClassMap-mDNS
match access-group name IPv4-mDNS
match access-group name IPv6-mDNS
!
policy-map INGRESS-QOS-mDNS
class ClassMap-mDNS
set qos-group 99
set discard-class 0
!
class-map match-any QOS-GROUP-99
match qos-group 99
!
policy-map EGRESS-QOS-mDNS
class QOS-GROUP-99
police cir 64000
conform-action drop
exceed-action drop
!
interface GigabitEthernet0/0/0
service-policy input INGRESS-QOS-mDNS
service-policy output EGRESS-QOS-Other
!
interface TenGigabitEthernet0/0/24
service-policy input INGRESS-QOS-Other
service-policy output EGRESS-QOS-mDNS
08-13-2024 12:48 AM
Hello @Ab26
To manage mDNS flooding in your wide L2 network, consider these strategies:
Refine QoS Configuration: Lower the CIR further in your EGRESS-QOS-mDNS policy on the ASR920 to drop more mDNS traffic. Ensure no bypass rules allow mDNS packets through.
Enable IGMP Snooping: On Catalyst 2960 switches, enable IGMP Snooping to limit multicast traffic like mDNS to only interested hosts.
Use VLAN Filtering: Consider VLAN ACLs (VACLs) to drop mDNS traffic within VLANs, though be cautious as it may disrupt valid mDNS usage.
Upgrade Hardware/Software: If limitations persist, upgrading to newer devices or updating software on your current devices may offer better multicast control.
These steps should help mitigate mDNS flooding across your network.
E.S
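As an added example (not code from the thread or from Cisco), the following Python model replays constructed packet records through the posted classifier (IPv4-mDNS, IPv6-mDNS, ClassMap-mDNS) and a single-rate token-bucket policer, so the effect of the EGRESS-QOS-mDNS actions and of the CIR suggested above can be measured before touching the devices. The 1000-byte burst size (bc), the packet records and the single-bucket model are assumptions; with both conform-action and exceed-action set to drop, as posted, the CIR value does not change the result, so a transmit conform-action is modelled alongside to show what lowering the CIR would do.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Match criteria copied from the thread's ACLs IPv4-mDNS and IPv6-mDNS.
MDNS_V4, MDNS_V6, MDNS_PORT = ip_address("224.0.0.251"), ip_address("ff02::fb"), 5353

@dataclass
class Pkt:
    ts_ms: int      # arrival time in milliseconds (integers keep the bucket math exact)
    src: str
    dst: str
    proto: str      # "udp", "tcp", ...
    dport: int
    length: int     # bytes on the wire

def is_mdns(p: Pkt) -> bool:
    """ClassMap-mDNS is match-any: a hit on either ACL classifies the packet."""
    dst = ip_address(p.dst)
    if dst.version == 4:   # IPv4-mDNS: seq 10 (group address) or seq 20 (udp/5353)
        return dst == MDNS_V4 or (p.proto == "udp" and p.dport == MDNS_PORT)
    return dst == MDNS_V6   # IPv6-mDNS: seq 10 (group address)

def police(pkts, cir_bps, bc_bytes, conform="transmit", exceed="drop"):
    """Single-rate token-bucket policer (assumed model) over classified packets.
    cir is bits/s, bc is the burst in bytes. Returns bytes per action."""
    tokens, last_ms, out = bc_bytes, 0, {"transmit": 0, "drop": 0}
    for p in sorted(pkts, key=lambda p: p.ts_ms):
        tokens = min(bc_bytes, tokens + (p.ts_ms - last_ms) * cir_bps // 8000)
        last_ms = p.ts_ms
        if p.length <= tokens:        # conforming packets consume tokens even when dropped
            tokens -= p.length
            out[conform] += p.length
        else:
            out[exceed] += p.length
    return out

# Constructed sample traffic: a 20-packet mDNS burst (10 ms apart) plus a few other flows.
SAMPLE = [Pkt(i * 10, f"10.0.0.{i + 10}", "224.0.0.251", "udp", 5353, 300) for i in range(20)]
SAMPLE += [Pkt(50, "10.0.0.9", "10.0.0.1", "tcp", 443, 1500),   # not mDNS
           Pkt(70, "fe80::1", "ff02::fb", "udp", 5353, 200),    # IPv6 mDNS group
           Pkt(80, "10.0.0.5", "10.0.0.6", "udp", 5353, 100)]   # unicast to 5353: ACL seq 20 hits

def mdns_bytes(pkts):
    return sum(p.length for p in pkts if is_mdns(p))

def as_configured(pkts):
    """EGRESS-QOS-mDNS as posted: conform-action drop AND exceed-action drop."""
    return police([p for p in pkts if is_mdns(p)], 64000, 1000, conform="drop", exceed="drop")

def rate_limited(pkts, cir_bps=64000):
    """Same policer with conform-action transmit: here the CIR actually matters."""
    return police([p for p in pkts if is_mdns(p)], cir_bps, 1000)

if __name__ == "__main__":
    print(mdns_bytes(SAMPLE), as_configured(SAMPLE), rate_limited(SAMPLE), rate_limited(SAMPLE, 32000))
```

Feeding the model with records exported from the switch (for example from a SPAN capture) instead of the constructed list shows whether the leakage seen on the far switch is traffic the class-map does not match or traffic the policy is not applied to.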