[c-nsp] GRE Tunnels and vrfs
Gert Doering
gert at greenie.muc.de
Mon Sep 13 12:21:55 EDT 2004
Hi,

On Sun, Sep 12, 2004 at 10:34:01PM +0100, Ian Dickinson wrote:
> Gert Doering wrote:
> >We managed to build a setup where certain packets would loop (aggregate
> >routed statically into the tunnel, but not all individual routes were
> >known on the B end, so the packets came back via the tunnel due to a
> >default route inside the VRF), and that drove CPU to 90% for hours...
>
> I saw this when routes disappeared on the B end due to circuit
> failure, whilst the A end still had a static to B. Adding a high
> admin distance Null0 static on the B end sorted this, as would
> have adding an ACL or uRPF to the Tunnel on the A end.
Yep. This is what we did in the end (and usually do).
> You're
> right that routers don't like loops over GRE very much.
The problem is not loops per se.

The problem is *neverending loops* - with this bug (which is something
quite serious, actually) the packet will loop between those routers *for
ever*, because the TTL isn't ever decremented and the packet never
discarded (unless one of the routers drops it due to overload).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
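
A small model of the loop discussed in this thread, added here as an illustration and not code from either poster: router A has a static aggregate into the tunnel, router B has only some specifics plus a VRF default pointing back into the tunnel, and the example compares forwarding with and without the high-admin-distance Null0 static on B, and with and without TTL decrement. The prefixes, admin-distance values and function names are constructed for the example.

```python
import ipaddress

# Constructed addressing (assumption, not from the thread): 10.1.0.0/16 is the
# aggregate routed into the tunnel; 10.1.1.0/24 is the only specific B knows.
AGG = ipaddress.ip_network("10.1.0.0/16")

def lookup(table, dst):
    """Longest-prefix match; on equal prefix length the lower admin distance wins."""
    matches = [r for r in table if dst in r[0]]
    if not matches:
        return "drop"
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))[2]

def build_tables(null0_on_b):
    # Each route is (prefix, admin_distance, next_hop).
    a = [(AGG, 1, "tunnel")]  # A: static aggregate into the tunnel
    b = [(ipaddress.ip_network("10.1.1.0/24"), 110, "lan"),
         (ipaddress.ip_network("0.0.0.0/0"), 1, "tunnel")]  # B: VRF default back via tunnel
    if null0_on_b:
        # Discard route for the aggregate; AD 250 lets any learned route
        # for the same prefix take precedence when it is present.
        b.append((AGG, 250, "Null0"))
    return {"A": a, "B": b}

def forward(dst, null0_on_b, ttl_decremented, ttl=255, max_hops=10_000):
    """Return (outcome, tunnel_crossings) for a packet entering at A."""
    tables, node, hops = build_tables(null0_on_b), "A", 0
    dst = ipaddress.ip_address(dst)
    while hops < max_hops:
        nh = lookup(tables[node], dst)
        if nh != "tunnel":
            return ("delivered" if nh == "lan" else "discarded at " + node, hops)
        if ttl_decremented:  # False models the behaviour described in the thread
            ttl -= 1
            if ttl == 0:
                return ("ttl expired", hops)
        node = "B" if node == "A" else "A"
        hops += 1
    return ("still looping", hops)  # simulation cap reached, packet never died

if __name__ == "__main__":
    for null0 in (False, True):
        for dec in (True, False):
            print(f"Null0 on B={null0!s:5} TTL decremented={dec!s:5} ->",
                  forward("10.1.2.5", null0, dec))
```

With TTL decrement the loop is bounded by the initial TTL; without it, only the discard route on B (or a filter on the A side) ends the packet's life.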