On Mon, 22 Sep 2014, Richard Holbo wrote:
> Now it looks like from my reading that CISCO MLD snooping would _help_ with this, though it would not stop the offender from generating the multicast requests, it might keep it from reaching _all_ ports, but it would still

If the packets are sent to ff02::1, then this will be sent to all ports even with MLD snooping turned on.

http://www.ietf.org/rfc/rfc4541.txt

"In IPv6, the data forwarding rules are more straight forward because MLD is mandated for addresses with scope 2 (link-scope) or greater. The only exception is the address FF02::1 which is the all hosts link-scope address for which MLD messages are never sent. Packets with the all hosts link-scope address should be forwarded on all ports."

So I doubt turning on MLD snooping will help.

Your switches, can't you do some kind of protocol based filtering, and only allow two ethertypes, ARP and IPv4?

--
Mikael Abrahamsson    email: swmike@swm.pp.se
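
Added example, not part of the original message or any vendor's code: Python that classifies a frame under the two controls discussed in this thread, MLD snooping as described in the RFC 4541 passage quoted above and an ethertype allow-list of ARP and IPv4. The function names, result labels and sample frames are constructed for illustration; the multicast branch simplifies RFC 4541 to "all-nodes floods, other groups follow listener state".

```python
import ipaddress
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_VLAN = 0x0800, 0x0806, 0x86DD, 0x8100
ALLOWED = {ETH_IPV4, ETH_ARP}   # allow-list from the reply: ARP and IPv4 only
ALL_NODES = ipaddress.IPv6Address("ff02::1")

def classify(frame: bytes) -> dict:
    """Say how each control treats one Ethernet frame (labels are illustrative)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    while ethertype == ETH_VLAN:   # step over 802.1Q tag(s) to the inner ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += 4
    result = {"ethertype": ethertype, "mld_snooping": "n/a",
              "ethertype_filter": "forward" if ethertype in ALLOWED else "drop"}
    if ethertype == ETH_IPV6:
        if len(frame) < offset + 40:
            raise ValueError("truncated IPv6 header")
        dst = ipaddress.IPv6Address(frame[offset + 24:offset + 40])
        if dst == ALL_NODES:       # RFC 4541: MLD is never sent for FF02::1
            result["mld_snooping"] = "flood all ports"
        elif dst.is_multicast:
            result["mld_snooping"] = "limited by listener state"
        else:
            result["mld_snooping"] = "not multicast"
    return result

def ipv6_header(dst: str) -> bytes:
    """Constructed 40-byte IPv6 header: no payload, next header 59, hop limit 1."""
    src = ipaddress.IPv6Address("fe80::1").packed
    return struct.pack("!IHBB", 6 << 28, 0, 59, 1) + src + ipaddress.IPv6Address(dst).packed

def make_frame(ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Constructed Ethernet frame with placeholder MACs and an optional 802.1Q tag."""
    hdr = bytes.fromhex("333300000001") + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    for name, f in [("ff02::1", make_frame(ETH_IPV6, ipv6_header("ff02::1"))),
                    ("ff02::1 tagged", make_frame(ETH_IPV6, ipv6_header("ff02::1"), vlan=10)),
                    ("solicited-node", make_frame(ETH_IPV6, ipv6_header("ff02::1:ff00:1"))),
                    ("ARP", make_frame(ETH_ARP, bytes(28)))]:
        print(name, classify(f))
```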