Similarly, if the two devices have different passwords configured, a message such as the following will appear on the console:

%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
The debug ip tcp transactions command is used to display information on significant TCP transactions such as state changes, retransmissions, and duplicate packets. In the context of monitoring or troubleshooting MSDP MD5 password authentication, use the debug ip tcp transactions command to verify that the MD5 password is enabled and that the keepalive message is received by the MSDP peer.
Preventing DoS Attacks by Limiting the Number of SA Messages Allowed in the SA Cache from Specified MSDP Peers
Perform this optional (but highly recommended) task to limit the overall number of SA messages that the device can accept from specified MSDP peers. Performing this task protects an MSDP-enabled device from distributed denial-of-service (DoS) attacks.

Note: We recommend that you perform this task for all MSDP peerings on the device.
SUMMARY STEPS

1. enable
2. configure terminal
3. ip msdp sa-limit {peer-address | peer-name} sa-limit
4. Repeat Step 3 to configure SA limits for additional MSDP peers.
5. exit
6. show ip msdp count [as-number]
7. show ip msdp peer [peer-address | peer-name]
8. show ip msdp summary
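Because the note above recommends an SA limit on every MSDP peering, a practical check is to audit the running configuration for peers that lack one and to generate the Step 3 commands that would close the gap. The following is an added example, not Cisco's own code; the configuration excerpt it parses is constructed, and the peer addresses and the limit value of 500 are assumptions.

```python
import re

# Constructed sample of a running configuration (not from the guide):
# two MSDP peers, only the first of which has an SA limit configured.
SAMPLE_CONFIG = """\
ip msdp peer 192.0.2.10 connect-source Loopback0
ip msdp sa-limit 192.0.2.10 500
ip msdp peer 198.51.100.5 connect-source Loopback0
"""

# 'ip msdp peer {address | name} ...' declares a peering.
PEER_RE = re.compile(r"^ip msdp peer (\S+)")
# 'ip msdp sa-limit {address | name} sa-limit' is the Step 3 command.
LIMIT_RE = re.compile(r"^ip msdp sa-limit (\S+) (\d+)$")


def msdp_sa_limits(config: str) -> dict:
    """Map each configured MSDP peer to its SA limit, or None if unlimited."""
    peers = {}
    limits = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            peers.setdefault(m.group(1), None)
            continue
        m = LIMIT_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    # A limit only counts if it names a peer that is actually configured.
    return {peer: limits.get(peer) for peer in peers}


def peers_without_sa_limit(config: str) -> list:
    """Peers that accept an unbounded number of SA messages into the cache."""
    return sorted(p for p, lim in msdp_sa_limits(config).items() if lim is None)


def remediation_commands(config: str, sa_limit: int) -> list:
    """Global-configuration lines (Step 3) that would cap each unprotected peer."""
    return [f"ip msdp sa-limit {p} {sa_limit}" for p in peers_without_sa_limit(config)]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_CONFIG, 500):
        print(cmd)
```

Feed it the output of show running-config (or the stored configuration from a backup) to get the list of peerings still missing a limit before reviewing the corresponding show ip msdp count and show ip msdp summary output.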
DETAILED STEPS

Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
Example:
Device> enable
• Enter your password if prompted.

Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal
IP Multicast Routing Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches)
OL-29890-01