From Specified Msdp Peers - Cisco Catalyst 3850 series Configuration Manual

Configuring MSDP
Similarly, if the two devices have different passwords configured, a message such as the following will appear
on the console:
%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's
IP address]:179
The debug ip tcp transactions command is used to display information on significant TCP transactions such
as state changes, retransmissions, and duplicate packets. In the context of monitoring or troubleshooting MSDP
MD5 password authentication, use the debug ip tcp transactions command to verify that the MD5 password
is enabled and that the keepalive message is received by the MSDP peer.
Preventing DoS Attacks by Limiting the Number of SA Messages Allowed in
the SA Cache from Specified MSDP Peers
Perform this optional (but highly recommended) task to limit the overall number of SA messages that the
device can accept from specified MSDP peers. Performing this task protects an MSDP-enabled device from
distributed denial-of-service (DoS) attacks.
We recommend that you perform this task for all MSDP peerings on the device.
Note
SUMMARY STEPS
1. enable
2. configure terminal
3. ip msdp sa-limit {peer-address | peer-name} sa-limit
4. Repeat Step 3 to configure SA limits for additional MSDP peers.
5. exit
6. show ip msdp count [as-number]
7. show ip msdp peer [peer-address | peer-name]
8. show ip msdp summary
DETAILED STEPS
Command or Action
Step 1
enable
Example:
Device> enable
Step 2 configure terminal
Example:
Device# configure terminal
OL-32598-01
Preventing DoS Attacks by Limiting the Number of SA Messages Allowed in the SA Cache from Specified MSDP
IP Multicast Routing Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)
Purpose
Enables privileged EXEC mode.
• Enter your password if prompted.
Enters global configuration mode.
Peers
215