[c-nsp] question on s/rtbh 6500 with sup720-3cxl

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 9 06:19:12 EST 2015


On 09/02/15 04:39, John Brown wrote:
> Quick dumb question on S/RTBH.
> I get all the foo around the dynamic nature of using BGP to inject the
> bad prefix (source or dest) we want to drop.
>
> At present we do this with destination dropping / blackholing.   I
> want to drop RFC 1918 sourced packets coming to me at my edge towards
> providers / peers.  I've got one provider sending me nearly 80Mb/s
> worth traffic with the source IP being in Net-10.  Their answer is for
> me to ACL it. ICK

Well... ick that they're sending it. But I might be inclined to ACL it 
rather than enable uRPF just for this use-case, given the specifics of 
the scenario.

Unless you want it for a future, more general use of course.

>
> My thought was to enable loose uRPF on the interface  and create a
> static route for net-10 pointing to null0

It's probably not your problem, but just in case - bear in mind that 
sup720 can only support a single uRPF mode globally. You can't have some 
interfaces in loose and others in strict.

>
> interface te4/1
>     ip verify unicast source reachable-via any
>
> ip route 10.0.0.0 255.0.0.0 null0
>
> shouldn't that cause net-10 into the FIB with a ptr to null0 and thus
> uRPF will discard ??

Yes.

> Netflow still shows traffic on that interface with sources in Net-10.

As others have pointed out, the netflow might continue to appear. This 
is a "feature". See if "sh ip int" shows the uRPF counter incrementing 
at an appropriate rate.
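
Since NetFlow keeps reporting the Net-10 flows even when uRPF is discarding them, the uRPF counter in "show ip interface" is the thing to watch. The script below is an added example (not from the post or from Cisco) that parses two captures of that output taken a known interval apart, confirms the interface is in loose mode (reachable-via ANY), and compares the drop rate against the packet rate implied by the 80 Mb/s figure. The "show ip interface" excerpts are constructed; the interface address, counter values, 10-second interval and 500-byte average packet size are assumptions, and the "verification drops" line layout is the one IOS prints for uRPF.

```python
import re

# Constructed "show ip interface te4/1" excerpts (not from the post). The uRPF
# lines follow the IOS layout "IP verify source reachable-via <mode>" followed
# by "<n> verification drops". Addresses and counter values are assumed.
SAMPLE_T0 = """\
TenGigabitEthernet4/1 is up, line protocol is up
  Internet address is 192.0.2.1/30
  IP verify source reachable-via ANY
   1200000 verification drops
   0 suppressed verification drops
"""

# Same interface, assumed to be sampled 10 seconds later.
SAMPLE_T1 = """\
TenGigabitEthernet4/1 is up, line protocol is up
  Internet address is 192.0.2.1/30
  IP verify source reachable-via ANY
   1395000 verification drops
   0 suppressed verification drops
"""

# Constructed strict-mode sample, to show the mode check rejecting it.
SAMPLE_STRICT = """\
TenGigabitEthernet4/2 is up, line protocol is up
  IP verify source reachable-via RX
   10 verification drops
"""

URPF_MODE_RE = re.compile(r"IP verify source reachable-via (\S+)")
# Digits directly before "verification drops", so the
# "suppressed verification drops" line does not match.
URPF_DROPS_RE = re.compile(r"^\s*(\d+) verification drops", re.MULTILINE)


def parse_urpf(show_ip_int):
    """Return {'mode': ..., 'drops': ...} or None if uRPF is not enabled."""
    mode = URPF_MODE_RE.search(show_ip_int)
    drops = URPF_DROPS_RE.search(show_ip_int)
    if mode is None or drops is None:
        return None
    # "ANY, allow default" variants leave a trailing comma on the mode.
    return {"mode": mode.group(1).rstrip(","), "drops": int(drops.group(1))}


def drop_rate(before, after, interval_s):
    """uRPF drops per second between two samples taken interval_s apart."""
    a, b = parse_urpf(before), parse_urpf(after)
    if a is None or b is None:
        raise ValueError("uRPF counters not present in one of the samples")
    delta = b["drops"] - a["drops"]
    if delta < 0:
        raise ValueError("counter went backwards (cleared or interface reset)")
    return delta / interval_s


def expected_pps(bits_per_s, avg_packet_bytes):
    """Packets/s implied by a bit rate at an assumed average packet size."""
    return bits_per_s / (avg_packet_bytes * 8)


def verify_loose_urpf(before, after, interval_s, bits_per_s,
                      avg_packet_bytes, tolerance=0.5):
    """Check that loose uRPF is on and dropping at roughly the expected rate.

    Returns (ok, reason). tolerance is the fraction of the expected packet
    rate below which the observed drop rate is flagged as too low.
    """
    parsed = parse_urpf(after)
    if parsed is None:
        return False, "uRPF not enabled on this interface"
    if parsed["mode"] != "ANY":
        return False, "uRPF mode is %s, expected ANY (loose)" % parsed["mode"]
    observed = drop_rate(before, after, interval_s)
    expected = expected_pps(bits_per_s, avg_packet_bytes)
    if observed < expected * (1 - tolerance):
        return False, "drop rate %.0f pps is below expected %.0f pps" % (
            observed, expected)
    return True, "drop rate %.0f pps vs expected %.0f pps" % (observed, expected)


if __name__ == "__main__":
    # 80 Mb/s of Net-10 traffic, assumed 500-byte average packets, 10 s apart.
    print(verify_loose_urpf(SAMPLE_T0, SAMPLE_T1, 10, 80e6, 500))
    print(verify_loose_urpf(SAMPLE_STRICT, SAMPLE_STRICT, 10, 80e6, 500))
```

The tolerance is deliberately loose because the packet-size assumption is the weak link: if the counter grows but at a small fraction of the expected rate, the likely causes are a wrong average packet size in the estimate or the null route not covering all of the offending sources, rather than uRPF not working at all. Two samples with identical counters mean nothing is being dropped, which is the case to investigate first.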

