[c-nsp] Blackholing looped traffic

Everton da Silva Marques everton at lab.ipaccess.diveo.net.br
Mon Aug 29 13:21:21 EDT 2005


Hello Oliver,

Thank you for your comments.

On Mon, Aug 29, 2005 at 04:41:55PM +0200, Oliver Boehmer (oboehmer) wrote:
> 
> 1) route all traffic (even intra-vpn traffic)
> via the firewall and apply a central policy there
> (i.e. who is allowed to access what). Yes, this
> also involves managing ACLs/rules, but it is done
> at a central place.

Are you thinking of the hub/spoke MPLS VPN topology?
In that case, yes, it would solve the problem from a
theoretical perspective, but it would also introduce
other practical issues concerning hardware, links
and similar cost considerations. There are reasons
which urge us to make use of the so called "classical"
scenario.

> 2) If the "drop looped packet" does what you want,
> you should be able to implement this using PBR by
> matching on the next-hop (i.e. the PE interface
> address on the central CE site) and "set interface Null0"
> to drop those packets. 

Yes, so far PBR seems the cleanest answer to the
problem, though the one specific command I was hoping
for would provide a more seamless solution. It would
benefit both config management and (supposedly?)
processing cost at the CE (assuming CEF-lookups are
likely to be lighter on CE's CPU than PBR).

For now, I think our best pragmatic bet is to consider
PBR, but it also seems that a per-interface command option
for discarding inbound looped traffic would be generally
useful, no? I think IOS already needs to detect
looped traffic in order to issue ICMP redirects,
doesn't it? It would be handy if IOS could give that
option to drop looped traffic instead of simply
forwarding it back.

Best regards,
Everton
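One way to implement the PBR approach Oliver describes, as an added IOS configuration example that is not part of the thread. The interface name, ACL and route-map names, and the 10.x prefixes are placeholder assumptions; the intent is that any packet arriving from the PE whose destination would be forwarded straight back toward the PE is discarded at the CE instead of being hairpinned around the central firewall.

```text
! Added example, not from the original thread. Names and prefixes are
! placeholders; substitute the site's own values.
!
! Match destinations that the CE reaches via the PE. A packet that comes
! in from the PE and is bound for one of these is looped traffic.
! The local LAN is excluded first so legitimate inbound traffic is kept.
ip access-list extended LOOPED-TO-PE
 remark placeholder: this site's own LAN, never drop
 deny   ip any 10.1.0.0 0.0.255.255
 remark placeholder: remote VPN prefixes learned from the PE
 permit ip any 10.0.0.0 0.255.255.255
!
! Policy: blackhole matching packets rather than forwarding them back.
route-map DROP-LOOPED permit 10
 match ip address LOOPED-TO-PE
 set interface Null0
!
! Apply only on the PE-facing interface, so traffic from the local LAN
! toward remote sites (which also matches the ACL) is unaffected.
interface GigabitEthernet0/0
 description to-PE (placeholder)
 ip policy route-map DROP-LOOPED
```

Match counters are visible with `show route-map DROP-LOOPED`, which is the quickest way to confirm that looped packets are being caught and that nothing from the local LAN is hitting the policy.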
