https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Issue-High-CPU-utilization-on-the-switch-due-to-UPnP-239-255-255/m-p/68352#M232 <P><SPAN>Prevent Resource Exhaustion Caused by SSDP</SPAN></P><P>To stop resource exhaustion, the SSDP traffic must be stopped prior to the first L3 hop and multicast state creation. The quickest solution is to use an IPv4 Access Control List (ACL) applied on ingress to all L3 interfaces configured with PIM that sees this traffic. Verify with the "<SPAN>show ip mroute 239.255.255.250</SPAN>" command and look at the "Incoming Interface" for each group. This indicates which L3 interface the source of the traffic is sourced from and be aware there can be more than one unique source interface. This configuration example allows SSDP to work at layer 2 and allows L2-adjacent hosts to discover PNP services, but prevents client advertisements to be forwarded across L3 boundaries, and prevents L3 multicast state creation on any multicast router or switch.</P><P><SPAN>Configure</SPAN> an extended ACL:</P><P>ip access-list extended BLOCK_SSDP<BR />remark Block SSDP<BR /><SPAN>deny ip any host 239.255.255.250&nbsp;&nbsp;&lt;--&nbsp;Deny&nbsp;SSDP</SPAN></P><P><SPAN>permit ip any any </SPAN><SPAN>&nbsp; </SPAN><SPAN>&lt;-- Permit any other group</SPAN></P><P><SPAN>Configure</SPAN> under each L3 interface, apply the ACL in the ingress direction:</P><P>Switch#<SPAN>configure terminal</SPAN><BR />Switch(config)#<SPAN>interface vlan100</SPAN><BR />Switch(config-if)#<SPAN>ip access-group BLOCK_SSDP in </SPAN><BR />Switch(config-if)#<SPAN>end</SPAN></P> Thu, 21 Sep 2023 03:29:14 GMT va10461 2023-09-21T03:29:14Z https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Issue-High-CPU-utilization-on-the-switch-due-to-UPnP-239-255-255/m-p/68321#M230 <P>In DM RAW output, it is found that the destination IP 239.255.255.250 is of UPnP (Universal Plug and Play)/SSDP (Simple Service Discovery Protocol). The devices are just advertising their capabilities. So higher the number of devices, higher will be the advertisement packets which causes high CPU.<BR /><BR /></P><P><STRONG>TEST-Switch# dm raw</STRONG></P><P>Debug: Jul 22 22:19:16 RX [3dcb7d2]192.168.2.130&nbsp; -&gt;239.255.255.250 PROTO=IGMP port: 2/3/2</P><P>Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.2.130&nbsp; -&gt;239.255.255.250 PROTO=IGMP port: VIDX 20</P><P>Debug: Jul 20 22:19:16RX [3dcb7d2]192.168.1.149&nbsp; -&gt;239.255.255.250 PROTO=IGMP port: 1/3/4</P><P>Debug: Jul 20 22:19:16TX [3dcb7d2]192.168.1.149&nbsp; -&gt;239.255.255.250 PROTO=IGMP port: VIDX 20</P><P>Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.1.99&nbsp;&nbsp; -&gt;239.255.255.250 PROTO=IGMP port: 2/3/2</P><P>Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.1.99&nbsp;&nbsp; -&gt;239.255.255.250 PROTO=IGMP port: VIDX 20</P><P>Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.2.91&nbsp;&nbsp; -&gt;239.255.3.22&nbsp;&nbsp;&nbsp; PROTO=IGMP port: 2/3/2</P><P>Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.2.91&nbsp;&nbsp; -&gt;239.255.3.22&nbsp;&nbsp;&nbsp; PROTO=IGMP port: VIDX 20</P><P>Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.2.153&nbsp; -&gt;239.255.3.22&nbsp;&nbsp;&nbsp; PROTO=IGMP port: 1/1/18</P><P>Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.2.153&nbsp; -&gt;239.255.3.22&nbsp;&nbsp;&nbsp; PROTO=IGMP port: VIDX 20</P><P>&nbsp;</P><P>The multicast group 239.255. 255.250 is&nbsp;used by the Simple Service Discovery Protocol (SSDP). Therefore, when SSDP is enabled on any servers or PCs, the servers or PCs send multicast packets with group address 239.255.</P><P>&nbsp;</P><P>To block these packets, we need to apply below ACL on the switch and CPU utilization will comes to Normal or stable.</P><P><STRONG><U>ACL:</U></STRONG></P><P>#ip access-list extended DenySSDP<BR />#sequence 10 deny ip any host 239.255.255.250<BR />#sequence 20 permit ip any any</P><P><STRONG>Apply to relevant vlan</STRONG></P><P>#vlan &lt;vlan_id&gt;<BR />#ip access-group DenySSDP in</P><P>&nbsp;</P> Wed, 20 Sep 2023 16:10:13 GMT https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Issue-High-CPU-utilization-on-the-switch-due-to-UPnP-239-255-255/m-p/68321#M230 Smiley 2023-09-20T16:10:13Z https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Issue-High-CPU-utilization-on-the-switch-due-to-UPnP-239-255-255/m-p/68352#M232 <P><SPAN>Prevent Resource Exhaustion Caused by SSDP</SPAN></P><P>To stop resource exhaustion, the SSDP traffic must be stopped prior to the first L3 hop and multicast state creation. The quickest solution is to use an IPv4 Access Control List (ACL) applied on ingress to all L3 interfaces configured with PIM that sees this traffic. Verify with the "<SPAN>show ip mroute 239.255.255.250</SPAN>" command and look at the "Incoming Interface" for each group. This indicates which L3 interface the source of the traffic is sourced from and be aware there can be more than one unique source interface. This configuration example allows SSDP to work at layer 2 and allows L2-adjacent hosts to discover PNP services, but prevents client advertisements to be forwarded across L3 boundaries, and prevents L3 multicast state creation on any multicast router or switch.</P><P><SPAN>Configure</SPAN> an extended ACL:</P><P>ip access-list extended BLOCK_SSDP<BR />remark Block SSDP<BR /><SPAN>deny ip any host 239.255.255.250&nbsp;&nbsp;&lt;--&nbsp;Deny&nbsp;SSDP</SPAN></P><P><SPAN>permit ip any any </SPAN><SPAN>&nbsp; </SPAN><SPAN>&lt;-- Permit any other group</SPAN></P><P><SPAN>Configure</SPAN> under each L3 interface, apply the ACL in the ingress direction:</P><P>Switch#<SPAN>configure terminal</SPAN><BR />Switch(config)#<SPAN>interface vlan100</SPAN><BR />Switch(config-if)#<SPAN>ip access-group BLOCK_SSDP in </SPAN><BR />Switch(config-if)#<SPAN>end</SPAN></P> Thu, 21 Sep 2023 03:29:14 GMT https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Issue-High-CPU-utilization-on-the-switch-due-to-UPnP-239-255-255/m-p/68352#M232 va10461 2023-09-21T03:29:14Z