[c-nsp] DOS Mitigation on MPLS Networks

Bruce Pinsky bep at whack.org
Tue Apr 12 12:39:22 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

christian.macnevin at uk.bnpparibas.com wrote:
| Hi all,
|
| I'm looking at deploying a mechanism similar to those used on public ipv4
| networks for killing off traffic destined for a given prefix.
|
| The method I was thinking of was tagging a prefix at its ingress PE with a
| BGP community. This community is then matched by all the PEs, which
| redirect it to null0 or somesuch. This is on a homogenous Cisco IOS
| network.
|
| Unfortunately, IOS doesn't allow you to set the ip next hop to a 'martian'
| address (eg 127.0.0.1) within a route map, and setting the next-hop
| interface to null0 isn't allowed on a bgp import. So instead of being able
| to use one route map and apply it to all VRFs equally, I'm looking at
| having to possibly specify the route-map for every individual vrf
| on every PE, which isn't desirable.
|
| Has anyone tackled this before or know of any good resources for it?
|

Haven't had a chance to try it, but could you point the next-hop to an
unused address like 1.1.1.1 and then recursively route 1.1.1.1 to null0 via
a static route in the VRF?  While you would have to put the route in each
VRF via a config line, that would certainly be less work than having to
define a unique route map per VRF and applying to each peer.

- --
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCW/m6E1XcgMgrtyYRAompAKDWAssp0vyZkirsczfJndqt8V+IsACg8PkY
Tns3D5JL80wRIXNxaHN6q+k=
=A9xq
-----END PGP SIGNATURE-----
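Bruce's suggestion written out as an IOS configuration, as an added example; it is not configuration from the original post or from anyone on the thread, and Bruce says above that he has not tried it. The VRF names (CUST-A, CUST-B), AS number (65000), community (65000:666), route tag (666), route-reflector address (10.255.0.1), victim prefix (203.0.113.10/32) and discard address are all assumed. The discard address uses RFC 5737 documentation space (192.0.2.1) rather than 1.1.1.1, which is allocated and routable today.

```cisco
! --- Trigger router: inject the victim /32 into the VRF and tag it ---
! The static to Null0 drops the traffic locally as well; the tag lets the
! redistribution route-map pick the route up without matching on prefix.
ip route vrf CUST-A 203.0.113.10 255.255.255.255 Null0 tag 666
!
route-map RTBH-ORIGINATE permit 10
 match tag 666
 set community 65000:666 no-export
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  redistribute static route-map RTBH-ORIGINATE
!
! --- Every PE: one route-map, applied once, on the VPNv4 session(s) ---
! Routes carrying the blackhole community get their next hop rewritten to
! the discard address; clause 20 passes everything else through untouched.
ip bgp-community new-format
ip community-list 66 permit 65000:666
!
route-map RTBH-IMPORT permit 10
 match community 66
 set ip next-hop 192.0.2.1
route-map RTBH-IMPORT permit 20
!
router bgp 65000
 address-family vpnv4
  neighbor 10.255.0.1 route-map RTBH-IMPORT in
!
! --- Every PE: one static per VRF pointing the discard address at Null0 ---
! This is the per-VRF line Bruce refers to; it replaces a per-VRF route-map.
ip route vrf CUST-A 192.0.2.1 255.255.255.255 Null0
ip route vrf CUST-B 192.0.2.1 255.255.255.255 Null0
```

Before relying on it, confirm on a lab PE that the received path is actually installed with the rewritten next hop and resolves to the drop, rather than being marked inaccessible: `show ip bgp vpnv4 vrf CUST-A 203.0.113.10` should show 192.0.2.1 as the next hop, `show ip route vrf CUST-A 203.0.113.10` should show the route present, and `show ip cef vrf CUST-A 203.0.113.10` should resolve to Null0. Whether the VPNv4 inbound route-map lets the rewritten next hop recurse through the VRF static is exactly the part left untested above, and it is IOS-release dependent, so check it on the release you run.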

