[c-nsp] Best practise/security design for BGP and OSPF

adamv0025 at netconsultings.com
Mon May 29 05:43:22 EDT 2017


> From: Saku Ytti [mailto:saku at ytti.fi]
> Sent: Tuesday, May 23, 2017 11:16 AM
> 
> On 23 May 2017 at 13:06,  <adamv0025 at netconsultings.com> wrote:
> 
> > Router listening for all IS m-cast MAC addresses on all interfaces rather
> > than solely on interfaces actually configured with ISIS seems like a bug.
> 
> Not all HW support per-port punt-masks. So if you have to punt ISIS frames
> on one interface, you may need to punt them on all interfaces.
> I know that 7600 will happily punt ISIS/CLNS on all interfaces. Back in 11.4R5
> Juniper MX did this too, with just 'inet' family configured, but that was fixed.
> 
Seems like a legacy HW/SW problem, but one never knows unless tested; worse things still lurk in modern ASICs and code, so I wouldn't be surprised at all.
And thinking about it, it's a specific case: the packet/frame undergoes a standard lookup in the NPU (which hosts several interfaces) and, once it figures out that it's a for-host packet (all NPUs in the system are programmed with the same forwarding info, unless explicitly disabled), it then tries to figure out what kind of exception it is and what to do with it (punt/drop). But nothing in these stages is going to check whether the packet/frame is allowed to enter the box via a specific interface; that can happen only at the filtering stage in the NPU's pipeline, and unless the system maintains these filters automatically on a per-interface basis one has to do it manually, if that's even possible (e.g. in case of ISO).

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
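An added example, not part of the thread, of the manual bookkeeping the reply above describes: a small Python check that lists the up interfaces in an IOS-style config that have no IS-IS enabled, i.e. the interfaces that would still punt IS-IS/CLNS frames on a platform that punts system-wide and so would need a filter added by hand. The sample config is constructed and the function names are this example's own.

```python
import re

# Constructed IOS-style sample (not from the thread); names/addresses are
# illustrative. parse_interfaces/exposed_interfaces are names chosen here.
SAMPLE_CONFIG = """\
router isis CORE
 net 49.0001.0000.0000.0001.00
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip router isis CORE
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip router isis CORE
!
"""

def parse_interfaces(config):
    """Return {name: {"isis": bool, "shutdown": bool}} from an IOS-style config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level line: new stanza or "!"
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = {"isis": False, "shutdown": False}
            continue
        if current is None:                     # indented line outside an interface
            continue
        cmd = line.strip()
        if re.match(r"(ip|ipv6|clns) router isis\b", cmd):
            interfaces[current]["isis"] = True
        elif cmd == "shutdown":
            interfaces[current]["shutdown"] = True
    return interfaces

def exposed_interfaces(config):
    """Up interfaces with no IS-IS config: where IS-IS/CLNS frames are punted
    system-wide, these still reach the control plane and need a manual filter."""
    return sorted(name for name, i in parse_interfaces(config).items()
                  if not i["isis"] and not i["shutdown"])
```

Feed it the running config of each box and compare the result against the interfaces that actually carry a filter; anything left over is an unfiltered entry point for punted IS-IS frames.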



