[c-nsp] question on s/rtbh 6500 with sup720-3cxl
Phil Mayers
p.mayers at imperial.ac.uk
Mon Feb 9 06:19:12 EST 2015
On 09/02/15 04:39, John Brown wrote:
> Quick dumb question on S/RTBH.
> I get all the foo around the dynamic nature of using BGP to inject the
> bad prefix (source or dest) we want to drop.
>
> At present we do this with destination dropping / blackholing. I
> want to drop RFC 1918 sourced packets coming to me at my edge towards
> providers / peers. I've got one provider sending me nearly 80Mb/s
> worth traffic with the source IP being in Net-10. Their answer is for
> me to ACL it. ICK
Well... ick that they're sending it. But I might be inclined to ACL it
rather than enable uRPF just for this use-case, given the specifics of
the scenario.
Unless you want it for a future, more general use of course.
>
> My thought was to enable loose uRPF on the interface and create a
> static route for net-10 pointing to null0
It's probably not your problem, but just in case - bear in mind that
sup720 can only support a single uRPF mode globally. You can't have some
interfaces in loose and others in strict.
>
> interface te4/1
> ip verify unicast source reachable-via any
>
> ip route 10.0.0.0 255.0.0.0 null0
>
> shouldn't that cause net-10 into the FIB with a ptr to null0 and thus
> uRPF will discard ??
Yes.
> Netflow still shows traffic on that interface with source's in Net-10.
As others have pointed out, the netflow might continue to appear. This
is a "feature". See if "sh ip int" shows the uRPF counter incrementing
at an appropriate rate.
More information about the cisco-nsp
mailing list