Issue: High CPU utilization on the switch due to UPnP 239.255.255.250 Multicast Traffic

Smiley
RUCKUS Team Member

In the DM RAW output, it is found that the destination IP 239.255.255.250 belongs to UPnP (Universal Plug and Play)/SSDP (Simple Service Discovery Protocol). The devices are just advertising their capabilities. So the higher the number of devices, the higher the number of advertisement packets, which causes high CPU.

TEST-Switch# dm raw
Debug: Jul 22 22:19:16 RX [3dcb7d2]192.168.2.130  ->239.255.255.250 PROTO=IGMP port: 2/3/2
Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.2.130  ->239.255.255.250 PROTO=IGMP port: VIDX 20
Debug: Jul 20 22:19:16RX [3dcb7d2]192.168.1.149  ->239.255.255.250 PROTO=IGMP port: 1/3/4
Debug: Jul 20 22:19:16TX [3dcb7d2]192.168.1.149  ->239.255.255.250 PROTO=IGMP port: VIDX 20
Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.1.99   ->239.255.255.250 PROTO=IGMP port: 2/3/2
Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.1.99   ->239.255.255.250 PROTO=IGMP port: VIDX 20
Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.2.91   ->239.255.3.22    PROTO=IGMP port: 2/3/2
Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.2.91   ->239.255.3.22    PROTO=IGMP port: VIDX 20
Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.2.153  ->239.255.3.22    PROTO=IGMP port: 1/1/18
Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.2.153  ->239.255.3.22    PROTO=IGMP port: VIDX 20


The multicast group 239.255.255.250 is used by the Simple Service Discovery Protocol (SSDP). Therefore, when SSDP is enabled on any servers or PCs, the servers or PCs send multicast packets with group address 239.255.


To block these packets, we need to apply the ACL below on the switch, and CPU utilization will come back to normal or stable.

ACL:

#ip access-list extended DenySSDP
#sequence 10 deny ip any host 239.255.255.250
#sequence 20 permit ip any any

Apply to relevant vlan

#vlan <vlan_id>
#ip access-group DenySSDP in
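As an added example (not part of the original post), a small Python script that parses dm raw lines in the format shown above, counts ingress SSDP packets per switch port and lists the hosts behind each port, so the noisiest ports and VLANs can be identified before the ACL is applied. The sample lines are constructed to match the posted format; the regex and helper names are my own.

```python
import re
from collections import Counter, defaultdict

SSDP_GROUP = "239.255.255.250"

# Matches the switch's "dm raw" debug lines. In the posted output the timestamp
# sometimes runs straight into RX/TX ("22:19:16RX"), so that space is optional.
LINE_RE = re.compile(
    r"Debug:\s+(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s*(?P<dir>RX|TX)\s+"
    r"\[(?P<id>[0-9a-f]+)\](?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+PROTO=(?P<proto>\w+)\s+port:\s+(?P<port>.+?)$"
)

# Constructed sample in the same format as the posted dm raw output.
SAMPLE = """\
Debug: Jul 22 22:19:16 RX [3dcb7d2]192.168.2.130  ->239.255.255.250 PROTO=IGMP port: 2/3/2
Debug: Jul 22 22:19:16TX [3dcb7d2]192.168.2.130  ->239.255.255.250 PROTO=IGMP port: VIDX 20
Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.1.99   ->239.255.255.250 PROTO=IGMP port: 2/3/2
Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.1.149  ->239.255.255.250 PROTO=IGMP port: 1/3/4
Debug: Jul 22 22:19:16RX [3dcb7d2]192.168.2.91   ->239.255.3.22    PROTO=IGMP port: 2/3/2
"""

def parse_dm_raw(text):
    """Yield one dict per parsable debug line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def ssdp_summary(text):
    """Summarise ingress SSDP traffic by port and by source host.

    Only RX lines count: the matching TX line is the switch flooding the same
    packet to the VLAN (port "VIDX n") and would double-count every packet."""
    per_port, other_groups = Counter(), Counter()
    sources = defaultdict(set)
    for rec in parse_dm_raw(text):
        if rec["dir"] != "RX":
            continue
        if rec["dst"] == SSDP_GROUP:
            per_port[rec["port"]] += 1
            sources[rec["port"]].add(rec["src"])
        else:
            other_groups[rec["dst"]] += 1
    return {
        "ssdp_per_port": dict(per_port),              # busiest ingress ports
        "ssdp_sources": {p: sorted(s) for p, s in sources.items()},
        "other_groups": dict(other_groups),           # non-SSDP multicast seen
    }

if __name__ == "__main__":
    for port, n in sorted(ssdp_summary(SAMPLE)["ssdp_per_port"].items(), key=lambda kv: -kv[1]):
        print(f"port {port}: {n} SSDP packet(s)")
```

Feed it the saved output of a longer dm raw capture to see which ports carry the most SSDP advertisements and whether any non-SSDP groups are also contributing.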


va10461
RUCKUS Team Member

Prevent Resource Exhaustion Caused by SSDP

To stop resource exhaustion, the SSDP traffic must be stopped prior to the first L3 hop and multicast state creation. The quickest solution is to use an IPv4 Access Control List (ACL) applied on ingress to all L3 interfaces configured with PIM that see this traffic. Verify with the "show ip mroute 239.255.255.250" command and look at the "Incoming Interface" for each group. This indicates which L3 interface the traffic is sourced from; be aware there can be more than one unique source interface. This configuration example allows SSDP to work at layer 2 and allows L2-adjacent hosts to discover PNP services, but prevents client advertisements from being forwarded across L3 boundaries and prevents L3 multicast state creation on any multicast router or switch.

Configure an extended ACL:

ip access-list extended BLOCK_SSDP
remark Block SSDP
deny ip any host 239.255.255.250  <-- Deny SSDP
permit ip any any   <-- Permit any other group

Configure under each L3 interface, apply the ACL in the ingress direction:

Switch#configure terminal
Switch(config)#interface vlan100
Switch(config-if)#ip access-group BLOCK_SSDP in
Switch(config-if)#end


Vivek Alaparthi
Staff TSE | CCNA | CCNP | RCNI

RUCKUS Networks, CommScope!

Follow me on LinkedIn