[c-nsp] Blackholing looped traffic

Everton da Silva Marques everton at lab.ipaccess.diveo.net.br
Mon Aug 29 09:34:27 EDT 2005


Hello Rodney,

On Mon, Aug 29, 2005 at 08:31:14AM -0400, Rodney Dunn wrote:
> No. What are you trying to solve?

Please consider a classic scenario for Internet
access from a central site under MPLS VPNs:

[MPLS VPN cloud]--[PE]--[CE]--[firewall]--[Internet]
                        ^^^^^^^^^^^^^^^^
                        central VPN site
                        providing
                        Internet access

Then suppose:
1) remote VPN sites should have access to the Internet
2) remote VPN sites should NOT have mutual access
3) central PE VRF has a default route towards central CE
4) central CE has a default route towards firewall
   and multiple specific routes towards PE

The problem is, the central CE could forward back packets
received from the multiple remote VPN sites, thus
violating the communication policy established by
the MPLS VPN topology.

If that kind of command were available:

interface Serial0
 ip drop incoming looped packets

then one could apply it to the interface Serial0
at the central CE router, so it would easily
(no need to manage addresses like in an ACL)
and cheaply (CEF processing cost similar to uRPF)
prevent the central CE router from violating MPLS
VPN communication policy.

What do you think?

Thanks,
Everton
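The hairpinning problem and the proposed interface-level check, as an added example that is not part of the original post. The script models the central CE's forwarding decision in Python: a longest-prefix lookup over a constructed routing table (a default route towards the firewall, specific remote-site routes back towards the PE), the hypothetical "drop incoming looped packets" rule from the post (drop when the egress interface equals the ingress interface), and the address-based ACL alternative for comparison. The interface names, prefixes and sample packets are assumptions made for this example; the drop rule is not a real IOS command.

```python
import ipaddress

# Constructed routing table for the central CE in the post's scenario.
# Interface names and prefixes are assumptions made for this example.
ROUTES = [
    ("0.0.0.0/0", "Ethernet0"),    # default route towards the firewall
    ("10.1.0.0/16", "Serial0"),    # remote VPN site A, learned via the PE
    ("10.2.0.0/16", "Serial0"),    # remote VPN site B, learned via the PE
    ("10.3.0.0/16", "Serial0"),    # remote VPN site C, learned via the PE
]

# Prefixes an ACL-based alternative would have to enumerate and keep current.
REMOTE_SITE_PREFIXES = [p for p, iface in ROUTES if iface == "Serial0"]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward(src, dst, ingress, drop_looped=False):
    """Return ('forward' | 'drop', egress) for a packet arriving on `ingress`.

    With drop_looped=True the CE applies the hypothetical rule from the post:
    a packet whose egress interface equals its ingress interface is dropped,
    so remote-site to remote-site traffic cannot be hairpinned back into the VPN.
    """
    egress = lookup(dst)
    if drop_looped and egress == ingress:
        return ("drop", egress)
    return ("forward", egress)


def acl_permits(src, dst):
    """Address-based alternative: deny remote-site to remote-site traffic.

    Every remote prefix must be listed and kept in sync with the VPN, which is
    the address-management burden the post wants to avoid.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in REMOTE_SITE_PREFIXES]
    src_remote = any(s in n for n in nets)
    dst_remote = any(d in n for n in nets)
    return not (src_remote and dst_remote)


# Constructed packets as seen arriving on the CE's Serial0 (facing the PE).
PACKETS = [
    ("10.1.0.5", "198.51.100.10"),   # site A -> Internet: legitimate
    ("10.1.0.5", "10.2.0.9"),        # site A -> site B: violates the VPN policy
]


def decisions(drop_looped):
    """Forwarding decision for each constructed packet, with or without the rule."""
    return [forward(s, d, "Serial0", drop_looped) for s, d in PACKETS]


if __name__ == "__main__":
    for rule in (False, True):
        print("drop incoming looped packets:", rule)
        for (s, d), (action, egress) in zip(PACKETS, decisions(rule)):
            print(f"  {s} -> {d}: {action} via {egress}, ACL permits: {acl_permits(s, d)}")
```

Without the rule the site-A-to-site-B packet is forwarded straight back out Serial0 towards the PE, which is exactly the policy violation described above; with the rule it is dropped at the CE using only the ingress/egress interface comparison, while Internet-bound traffic still leaves towards the firewall. The ACL alternative reaches the same outcome but only because `REMOTE_SITE_PREFIXES` is complete and current.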


