[c-nsp] Blackholing looped traffic
Everton da Silva Marques
everton at lab.ipaccess.diveo.net.br
Mon Aug 29 09:34:27 EDT 2005
Hello Rodney,
On Mon, Aug 29, 2005 at 08:31:14AM -0400, Rodney Dunn wrote:
> No. What are you trying to solve?
Please consider a classic scenario for Internet
access from a central site under MPLS VPNs:
[MPLS VPN cloud]--[PE]--[CE]--[firewall]--[Internet]
                        ^^^^^^^^^^^^^^^^
                        central VPN site
                        providing
                        Internet access
Then suppose:
1) remote VPN sites should have access to Internet
2) remote VPN sites should NOT have mutual access
3) central PE VRF has a default route towards central CE
4) central CE has a default route towards firewall
and multiple specific routes towards PE
The problem is that the central CE could forward back packets
received from the multiple remote VPN sites, thus
violating the communication policy established by
the MPLS VPN topology.
If that kind of command were available:
interface Serial0
ip drop incoming looped packets
then one could apply it to the interface Serial0
at the central CE router, so it would easily
(no need to manage addresses like in an ACL)
and cheaply (CEF processing cost similar to uRPF)
prevent the central CE router from violating MPLS
VPN communication policy.
What do you think?
Thanks,
Everton
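Added example, not part of Everton's post: a small Python model of the central CE's forwarding decision. The interface names (Serial0 towards the PE, Ethernet0 towards the firewall) and the prefixes are constructed for the illustration. It shows why a packet from one remote site to another hairpins on the PE-facing interface, and how the interface-based check the post asks for (drop a packet whose egress interface equals its ingress interface) stops that without listing any addresses.

```python
import ipaddress

# Constructed topology for the hub-and-spoke scenario in the post.
# Interface names and prefixes are hypothetical, not from the original message.
PE_FACING = "Serial0"    # central CE <-> central PE (carries all remote-site traffic)
FW_FACING = "Ethernet0"  # central CE <-> firewall -> Internet


class CentralCE:
    """Longest-prefix-match forwarder standing in for the central CE router."""

    def __init__(self):
        self.routes = []  # (ip_network, egress interface)

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, dst):
        """Return the egress interface for dst, preferring the most specific route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, ingress, dst, drop_looped=False):
        """Decide what happens to a packet received on `ingress` for `dst`.

        With drop_looped=True the router refuses to send a packet back out the
        interface it arrived on. Like uRPF this is one extra interface
        comparison after the normal FIB lookup, with no address list to manage.
        """
        egress = self.lookup(dst)
        if egress is None:
            return "drop:no-route"
        if drop_looped and egress == ingress:
            return "drop:looped"
        return egress


def build_central_ce():
    ce = CentralCE()
    ce.add_route("0.0.0.0/0", FW_FACING)     # default towards the firewall
    ce.add_route("10.1.0.0/24", PE_FACING)   # remote site A, learned from the PE
    ce.add_route("10.2.0.0/24", PE_FACING)   # remote site B, learned from the PE
    return ce


def classify(drop_looped):
    """Run three representative packets and return the forwarding result of each."""
    ce = build_central_ce()
    return {
        # Site A -> Internet: arrives on Serial0, leaves towards the firewall (wanted).
        "A->internet": ce.forward(PE_FACING, "198.51.100.7", drop_looped),
        # Internet -> site A: return traffic, leaves towards the PE (wanted).
        "internet->A": ce.forward(FW_FACING, "10.1.0.5", drop_looped),
        # Site A -> site B: arrives on Serial0 and the specific route points back
        # out Serial0, so the CE would hairpin it and defeat the VPN policy.
        "A->B": ce.forward(PE_FACING, "10.2.0.9", drop_looped),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("drop looped packets:", mode)
        for flow, result in classify(mode).items():
            print(f"  {flow:12s} -> {result}")
```

The check only works because every remote-site route points back out the single interface the traffic arrived on; if the central CE had a second link towards the PE, a destination-based ACL on the PE-facing interfaces would still be needed to keep the remote sites apart.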