[c-nsp] loop guard still useful?

Saku Ytti saku at ytti.fi
Tue Jan 19 08:07:55 EST 2016


On 19 January 2016 at 01:15, Lukas Tribus <luky-37 at hotmail.com> wrote:

>> On A-B link, where A=>B works but A<=B does not, A will go down and A
>> will assert RFI or remote fault indicator on the line. B will receive
>> this, and go down as well.
>
> This assumption breaks when you have some kind of RX or TX stall, which
> I saw first-hand on a 7600 linecard that suddenly became faulty (and
> caused a major layer 2 loop because the links had neither UDLD nor loop
> guard, just plain old rapid-pvst and autonegotiation).

Of course no solution is perfect, you just have to pick the solution which
is least bad.

I view autonego as least bad, compared to UDLD. UDLD is an L2 BPDU and as
such a huge attack vector on the 7600. If you want to protect yourself from
this attack vector, you configure the L2 MLS rate-limiter for BPDUs, but if
you configure the rate-limiter and run UDLD, then an attacker can congest the
rate-limiter easily and cause UDLD to detect a fault and go down.

There is no amount of software features that fixes software defects.
It's just a recursive problem, trying to fix a software defect by having
another software feature running.

-- 
  ++ytti
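The failure mode Saku describes above (UDLD hellos sharing one BPDU rate-limiter with whatever else hits the control plane) can be shown with a small simulation. This is an added example for the archive page, not code from the thread or from Cisco; it assumes a token-bucket policer ticking once per second, a UDLD hello every 15 s with a 45 s hold time, and a constructed flood of 1000 BPDUs per second that arrives ahead of the hello within each tick (the worst case for the hello). The `shared` flag contrasts the situation in the thread with a dedicated policer for UDLD frames.

```python
"""Model of UDLD hellos competing with a BPDU flood for one control-plane policer.

Constructed example for this thread, not Cisco code.  Assumptions: 1-second
ticks, a token-bucket policer measured in frames per second, UDLD hello every
15 s with a 45 s hold time, and attacker frames processed before the hello
within a tick.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenBucket:
    """Frames-per-second policer; tokens are refilled each tick, capped at burst."""
    rate: float
    burst: int

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def refill(self, dt: float = 1.0) -> None:
        self.tokens = min(float(self.burst), self.tokens + self.rate * dt)

    def admit(self) -> bool:
        """Admit one frame if a token is available, otherwise drop it."""
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Result:
    hellos_sent: int
    hellos_admitted: int
    attacker_admitted: int
    errdisabled_at: Optional[int]  # tick at which UDLD would take the link down


def simulate(seconds: int, attacker_pps: int, limiter_pps: int = 100,
             burst: int = 100, shared: bool = True,
             hello: int = 15, hold: int = 45) -> Result:
    """Run the model for `seconds` ticks and report whether UDLD times out."""
    bpdu_limiter = TokenBucket(limiter_pps, burst)
    # shared=True: UDLD frames go through the same bucket as every other BPDU
    # (the situation in the thread).  shared=False: a dedicated policer for
    # UDLD, so a flood of other BPDUs cannot starve it.
    udld_limiter = bpdu_limiter if shared else TokenBucket(limiter_pps, burst)

    last_hello_seen = 0  # link came up with UDLD in sync at t=0
    hellos_sent = hellos_admitted = attacker_admitted = 0
    errdisabled_at: Optional[int] = None

    for t in range(seconds):
        bpdu_limiter.refill()
        if udld_limiter is not bpdu_limiter:
            udld_limiter.refill()
        # Flood traffic first: it drains the shared bucket before the hello.
        for _ in range(attacker_pps):
            if bpdu_limiter.admit():
                attacker_admitted += 1
        if t > 0 and t % hello == 0:
            hellos_sent += 1
            if udld_limiter.admit():
                hellos_admitted += 1
                last_hello_seen = t
        # UDLD gives up once no hello has been seen for longer than the hold time.
        if errdisabled_at is None and t - last_hello_seen > hold:
            errdisabled_at = t
    return Result(hellos_sent, hellos_admitted, attacker_admitted, errdisabled_at)


if __name__ == "__main__":
    scenarios = [
        ("no flood, shared limiter", dict(attacker_pps=0)),
        ("1000 pps BPDU flood, shared limiter", dict(attacker_pps=1000)),
        ("1000 pps BPDU flood, separate UDLD policer",
         dict(attacker_pps=1000, shared=False)),
    ]
    for label, kw in scenarios:
        print(f"{label}: {simulate(120, **kw)}")
```

With the shared policer the hello never gets a token once the flood exceeds the limiter rate, so UDLD declares the link down 46 s in even though the fibre is fine; with a separate policer every hello is admitted and the link stays up. The model is deliberately crude (real policers work on bytes and sub-second intervals), but it makes the point that a rate-limiter meant to protect the control plane becomes the thing that lets UDLD be knocked over.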

