In DM RAW output, it is found that the destination IP 126.96.36.199 is of UPnP (Universal Plug and Play)/SSDP (Simple Service Discovery Protocol). The devices are just advertising their capabilities. So higher the number of devices, higher will be the advertisement packets which causes high CPU.
The multicast group 239.255. 255.250 is used by the Simple Service Discovery Protocol (SSDP). Therefore, when SSDP is enabled on any servers or PCs, the servers or PCs send multicast packets with group address 239.255.
To block these packets, we need to apply below ACL on the switch and CPU utilization will comes to Normal or stable.
#ip access-list extended DenySSDP #sequence 10 deny ip any host 188.8.131.52 #sequence 20 permit ip any any
To stop resource exhaustion, the SSDP traffic must be stopped prior to the first L3 hop and multicast state creation. The quickest solution is to use an IPv4 Access Control List (ACL) applied on ingress to all L3 interfaces configured with PIM that sees this traffic. Verify with the "show ip mroute 184.108.40.206" command and look at the "Incoming Interface" for each group. This indicates which L3 interface the source of the traffic is sourced from and be aware there can be more than one unique source interface. This configuration example allows SSDP to work at layer 2 and allows L2-adjacent hosts to discover PNP services, but prevents client advertisements to be forwarded across L3 boundaries, and prevents L3 multicast state creation on any multicast router or switch.
Configure an extended ACL:
ip access-list extended BLOCK_SSDP remark Block SSDP deny ip any host 220.127.116.11 <-- Deny SSDP
permit ip any any <-- Permit any other group
Configure under each L3 interface, apply the ACL in the ingress direction:
Switch#configure terminal Switch(config)#interface vlan100 Switch(config-if)#ip access-group BLOCK_SSDP in Switch(config-if)#end