[c-nsp] Blackholing looped traffic

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Mon Aug 29 19:15:44 EDT 2005


>> 1) route all traffic (even intra-vpn traffic)
>> via the firewall and apply a central policy there
>> (i.e. who is allowed to access what). Yes, this
>> also involves managing ACLs/rules, but it is done
>> at a central place.
> 
> Are you thinking of the hub/spoke MPLS VPN topology?

well, yes.. I think you are referring to hub+spoke in your setup as you
want to restrict inter-CE communication?

> In that case, yes, it would solve the problem from a
> theoretical perspective, but it would also introduce
> other practical issues concerning hardware, links
> and similar costs considerations. There are reasons
> which urge us to make use of the so called "classical"
> scenario.

What exactly is your scenario? 

>> 2) If the "drop looped packet" does what you want,
>> you should be able to implement this using PBR by
>> matching on the next-hop (i.e. the PE interface
>> address on the central CE site) and "set interface Null0"
>> to drop those packets.
> 
> Yes, so far PBR seems the cleanest answer to the
> problem, though the one specific command I was hoping
> for would provide a more seamless solution. It would
> benefit both config management and (supposedly?)
> processing cost at the CE (assuming CEF-lookups are
> likely to be lighter on CE's CPU than PBR).

Well, it remains to be tested, but this simple PBR route-map does more
or less the same thing a feature would need to do (yes, it could
possibly do it a bit quicker if it is hard-coded), so I think the
overhead is reasonable.
 
> For now, I think our best pragmatic bet is to consider
> PBR, but it also seems that a per-interface command option
> for discarding inbound looped traffic would be generally
> useful, no?

It looks useful for this specific MPLS-VPN scenario, but I have not seen
the need for it before. Usually routing protocols prevent this, as
others have already suggested.

> As I think, IOS already needs to detect
> looped traffic in order to issue ICMP redirects,
> doesn't it? 

On Ethernet, yes. Not on p2p links.

> It would be handy if IOS could give that
> option to drop looped traffic instead of simply
> forwarding it back.

Not sure. Other opinions?

	oli
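As a worked example of the PBR approach discussed above (added here; this is not configuration posted by anyone in the thread), the CE below drops anything arriving from the PE that is not destined to one of the site's own prefixes, i.e. traffic the CE would otherwise route straight back out to the PE. The PBR route-map selects packets through an extended ACL on the destination address, with the local prefixes, the PE-CE link subnet and the routing-protocol multicast range denied so that legitimate inbound and control-plane traffic is never policy-routed. Interface names, the 10.1/16 and 10.2/16 site prefixes and the 192.0.2.0/30 link are assumptions.

```cisco
! Constructed example (not from the thread): spoke CE, one PE-facing link,
! two local LAN prefixes. Addresses and interface names are assumptions.
!
! In an ACL referenced by a route-map, "deny" means "do not match", so the
! denied destinations are left to normal CEF forwarding.
ip access-list extended NOT-LOCAL
 remark PE-to-CE control traffic (BGP, OSPF, pings to the link) must not be policy-routed
 deny   ip any 192.0.2.0 0.0.0.3
 deny   ip any 224.0.0.0 15.255.255.255
 remark traffic from the PE for a local prefix is legitimate, forward it normally
 deny   ip any 10.1.0.0 0.0.255.255
 deny   ip any 10.2.0.0 0.0.255.255
 remark anything else that came in from the PE would only be routed back to the PE
 permit ip any any
!
! Packets matched by the ACL are sent to Null0, i.e. dropped.
route-map DROP-LOOPED permit 10
 match ip address NOT-LOCAL
 set interface Null0
!
! Null0 answers with ICMP unreachables by default; silence that so the
! looped packets disappear without generating reverse traffic towards the PE.
interface Null0
 no ip unreachables
!
interface Serial0/0
 description link to PE
 ip address 192.0.2.2 255.255.255.252
 ip policy route-map DROP-LOOPED
```

To confirm the policy is actually catching looped packets, `show route-map DROP-LOOPED` reports the "Policy routing matches" counter for the sequence, and `debug ip policy` shows the per-packet match/forward decision (use it only on a test box or with an ACL-restricted debug). On older IOS releases PBR is process-switched unless `ip route-cache policy` is configured on the interface, which is where the CPU cost mentioned in the thread comes from; on releases with CEF-switched PBR the route-map is evaluated in the fast path.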
