[c-nsp] Blackholing looped traffic

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Aug 30 10:40:57 EDT 2005


Tim Franklin <> wrote on Tuesday, August 30, 2005 7:25 AM:

>>  What I'm completely uncertain about is, would allowing this type of hack
>> really be beneficial, or would it encourage more people towards poor
>> design? Then again, it's not like it would be the only feature that's
>> there just due to poor (as in not good but also as in ultra
>> low-budget) design :)
> 
> What's your thought as to what *is* a good design for this case? 
> (Hub and spoke VPN, spokes must not be allowed to communicate with
> each other, spokes must have a default route towards the hub (for
> Internet or other reason)) 
> 
> I've struggled with it on a couple of occasions, and can't come up
> with anything that doesn't degenerate into hacks at some point -
> either ACLs, or a plethora of VRFs and leakiness.

I acknowledge the problem in this specific case. I guess Half-Duplex
VRFs on the central-site CE could be a solution here, i.e. using a
different routing table for upstream and downstream. As far as I know,
this concept is currently only available on virtual-access interfaces to
easily prevent direct spoke communication on broadband PEs; not sure
when it will be universally available (haven't checked). Until then,
PBR or ACLs seem like the only feasible approach.

	oli
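Added illustration, not part of the original thread and not taken from Cisco documentation: a constructed IOS configuration sketch of the two approaches discussed above, Half-Duplex VRF on a broadband PE (virtual-access interfaces only, as the message notes) and a plain ACL on the central-site CE. VRF names (U, D), route distinguishers, the 10.1.0.0/16 spoke range, pool and interface names are all assumptions.

```cisco
! Constructed example, not from the mailing-list thread. All names,
! prefixes and interface numbers below are assumptions.
!
! --- Option 1: Half-Duplex VRF on a broadband PE (virtual-access only) ---
! Upstream VRF U: packets received from a spoke are looked up here. U holds
! only the route towards the hub (learned via MP-BGP, not shown), so a
! spoke cannot reach another spoke through this PE. Spoke host routes from
! the PPP sessions are exported from U towards the hub.
ip vrf U
 rd 65000:1
 route-target export 65000:1
!
! Downstream VRF D: packets coming from the hub are looked up here. D
! imports the spoke host routes so return traffic reaches the right
! virtual-access interface. (RT numbering is an assumption.)
ip vrf D
 rd 65000:2
 route-target import 65000:1
!
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback0
 peer default ip address pool SPOKE-POOL
 ppp authentication chap
!
! --- Option 2: ACL on the central-site CE (any interface type) ---
! Spoke-to-spoke traffic that has already followed the spokes' default
! route to the hub is dropped on ingress; spoke-to-hub and spoke-to-Internet
! traffic is still permitted. Note this only blocks the hairpin through the
! hub, not any path the provider might offer between spokes directly.
ip access-list extended NO-SPOKE-TO-SPOKE
 deny   ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/0
 description link towards the PE / spoke sites
 ip access-group NO-SPOKE-TO-SPOKE in
```

The ACL form is the "hack" the thread refers to: it is trivial to deploy but has to be maintained whenever the spoke address plan changes, whereas the Half-Duplex VRF separates the upstream and downstream lookups structurally and needs no per-prefix rules.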



