[c-nsp] Blackholing looped traffic

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Mon Aug 29 10:41:55 EDT 2005


Everton,

allow me to chime in. I see your problem. Not sure whether I would
consider this a violation of the MPLS-VPN topology since this is based
on presence of routing information in the vrf (ex: hub+spoke is enforced
by only importing the hub network into the spoke vrfs, by importing a
default route into the spoke vrf, you are already "violating" this
setup).

I basically see two solutions to address these communication
requirements:

1) route all traffic (even intra-vpn traffic) via the firewall and apply
a central policy there (i.e. who is allowed to access what). Yes, this
also involves managing ACLs/rules, but it is done at a central place.

2) If the "drop looped packet" does what you want, you should be able to
implement this using PBR by matching on the next-hop (i.e. the PE
interface address on the central CE site) and "set interface Null0" to
drop those packets. 

You could also use multiple VRFs, but this can get messy.

	oli


Everton da Silva Marques <> wrote on Monday, August 29, 2005 6:34 AM:

> Hello Rodney,
> 
> On Mon, Aug 29, 2005 at 08:31:14AM -0400, Rodney Dunn wrote:
>> No. What are you trying to solve?
> 
> Please consider a classic scenario for Internet
> access from a central site under MPLS VPNs:
> 
> [MPLS VPN cloud]--[PE]--[CE]--[firewall]--[Internet]
>                         ^^^^^^^^^^^^^^^^
>                         central VPN site
>                         providing
>                         Internet access
> 
> Then suppose:
> 1) remote VPN sites should have access to Internet
> 2) remote VPN sites should NOT have mutual access
> 3) central PE VRF has a default route towards central CE
> 4) central CE has a default route towards firewall
>    and multiple specific routes towards PE
> 
> Problem is, central CE could forward back packets
> received from the multiple remote VPN sites, thus
> violating the communication policy established by
> the MPLS VPN topology.
> 
> If that kind of command was available:
> 
> interface Serial0
>  ip drop incoming looped packets
> 
> then one could apply it to the interface Serial0
> at the central CE router, so it would easily
> (no need to manage addresses like in an ACL)
> and cheaply (CEF processing cost similar to uRPF)
> prevent the central CE router from violating MPLS
> VPN communication policy.
> 
> What do you think?
> 
> Thanks,
> Everton
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
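The PBR approach from option 2 above, as an added configuration example for the central CE router; this is not from the original message or from Cisco. It drops packets that arrive from the PE on Serial0 and would otherwise be routed straight back out towards another remote VPN site, so the hub CE cannot hairpin spoke-to-spoke traffic around the MPLS VPN policy. Because a PBR route-map matches on an access list rather than on the CEF next-hop, the match here is written as the set of remote-site destination prefixes; the prefixes (10.1.0.0/16, 10.2.0.0/16), the ACL and route-map names, and the interface description are assumptions for illustration.

```cisco
! Remote VPN site prefixes that must never be reached via this CE.
! Constructed, hypothetical prefixes; replace with the real spoke ranges.
ip access-list extended REMOTE-VPN-SITES
 permit ip any 10.1.0.0 0.0.255.255
 permit ip any 10.2.0.0 0.0.255.255
!
! Any packet entering from the PE whose destination is another VPN site
! would only be sent back out the same link, so discard it.
route-map DROP-HAIRPIN permit 10
 match ip address REMOTE-VPN-SITES
 set interface Null0
!
! Everything else (Internet-bound traffic) falls through to normal
! CEF forwarding towards the firewall's default route.
route-map DROP-HAIRPIN permit 20
!
interface Serial0
 description link to PE (MPLS VPN cloud)
 ip policy route-map DROP-HAIRPIN
```

Verification is done with `show route-map DROP-HAIRPIN`, whose per-sequence "policy routing matches" counter increases only when hairpinned packets are being discarded, and `show ip policy` to confirm the map is bound to Serial0. The trade-off relative to the hypothetical "ip drop incoming looped packets" command is that the spoke prefixes still have to be maintained in the ACL whenever a remote site is added, so this keeps the address-management burden, but it keeps it on one device.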



More information about the cisco-nsp mailing list