vrf route-limiting options

A VRF table is a virtual routing and forwarding instance that separates sites with the same connectivity requirements. To configure a VRF you define the VRF name, the route distinguisher (RD) and the import and export route targets (RTs).

SPs offering MPLS VPN services are exposed to a DoS attack similar to the one faced by an ISP that offers BGP connectivity to a customer: the customer can generate any number of routes and consume all the resources of the PE router, so the resources available to a customer have to be limited. Cisco IOS Software offers two solutions:
A.- You can limit the number of routes received from a BGP neighbor
B.- You can limit the total number of routes in a VRF

For the first option (A):

R1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 17
R1(config-router)#neigh 192.168.12.2 maximum-prefix ?
<1-2147483647>  maximum no. of prefix limit

R1(config-router)#neigh 192.168.12.2 maximum-prefix 3 ?
<1-100>       Threshold value (%) at which to generate a warning msg
restart       Restart bgp connection after limit is exceeded
warning-only  Only give warning message when limit is exceeded

The optional threshold parameter specifies the percentage of the maximum at which a warning message is logged (the default value is 75%).

R1(config-router)#neigh 192.168.12.2 maximum-prefix 3 75 ?
restart       Restart bgp connection after limit is exceeded
warning-only  Only give warning message when limit is exceeded

The warning-only keyword allows the router to generate a log message when the maximum is exceeded instead of terminating the peering; the default action is to drop the peering when the maximum number of prefixes is exceeded.

You can also limit the total number of routes in a VRF with the maximum routes command inside the VRF configuration. Routes coming from CE routers and routes coming from other PE routers that are imported into this VRF are both counted against the limit.

In contrast to the BGP maximum-prefix limit, this command limits the overall number of routes in a VRF regardless of their origin. Similar to the BGP feature, the command generates a syslog message when the number of routes exceeds a certain threshold.

The second option (B):

R1(config)#ip vrf CC
R1(config-vrf)#maximum ?
routes  Maximum number of routes allowed in this routing table
R1(config-vrf)#maximum routes ?
<1-4294967295>  Maximum number of routes allowed

R1(config-vrf)#maximum routes 22 ?
<1-100>       Threshold value (%) at which to generate a warning msg
warning-only  Only give a warning message if limit is exceeded

When the PE router configured this way already holds the maximum number of routes for that VRF, each newly arriving route for the VRF is ignored.
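As an added example (not code from the blog, and not a Cisco tool), the script below audits a PE router configuration for both controls described above: option A, the per-neighbor maximum-prefix inside the VRF address family, and option B, the per-VRF maximum routes. The configuration text is constructed for the example; the parser is deliberately simple (it handles only the ip vrf and router bgp blocks in the shape shown), the 75% default threshold comes from the text above, and the rounding used to compute the warning point is this script's own assumption.

```python
"""Audit a Cisco IOS config for VRF route-limiting controls (added example)."""
import math
import re
from typing import Dict, List, Optional

# Constructed sample running-config for a hypothetical PE router.
# VRF CC has both limits; VRF DD has neither.
SAMPLE_CONFIG = """\
ip vrf CC
 rd 17:1
 route-target export 17:1
 route-target import 17:1
 maximum routes 22 75
!
ip vrf DD
 rd 17:2
 route-target export 17:2
 route-target import 17:2
!
router bgp 17
 address-family ipv4 vrf CC
  neighbor 192.168.12.2 remote-as 65001
  neighbor 192.168.12.2 activate
  neighbor 192.168.12.2 maximum-prefix 3 75 warning-only
 exit-address-family
 address-family ipv4 vrf DD
  neighbor 192.168.13.2 remote-as 65002
  neighbor 192.168.13.2 activate
 exit-address-family
!
"""


def parse_vrf_limits(config: str) -> Dict[str, Optional[dict]]:
    """Option B: map each 'ip vrf' name to its 'maximum routes' setting, or None."""
    vrfs: Dict[str, Optional[dict]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^ip vrf (\S+)\s*$", line)
        if m:
            current = m.group(1)
            vrfs[current] = None
            continue
        if not line.startswith(" "):      # any top-level line ends the vrf block
            current = None
            continue
        if current is None:
            continue
        # Syntax on the page: maximum routes <limit> {<1-100> | warning-only}
        m = re.match(r"^\s+maximum routes (\d+) (?:(\d+)|(warning-only))\s*$", line)
        if m:
            vrfs[current] = {
                "limit": int(m.group(1)),
                "threshold": int(m.group(2)) if m.group(2) else None,
                "warning_only": m.group(3) is not None,
            }
    return vrfs


def parse_vrf_neighbors(config: str) -> Dict[str, Dict[str, Optional[dict]]]:
    """Option A: map vrf -> neighbor -> its 'maximum-prefix' setting, or None."""
    result: Dict[str, Dict[str, Optional[dict]]] = {}
    in_bgp, vrf = False, None
    for line in config.splitlines():
        if re.match(r"^router bgp \d+", line):
            in_bgp, vrf = True, None
            continue
        if in_bgp and not line.startswith(" "):   # left the router bgp block
            in_bgp, vrf = False, None
            continue
        if not in_bgp:
            continue
        m = re.match(r"^\s+address-family ipv4 vrf (\S+)", line)
        if m:
            vrf = m.group(1)
            result.setdefault(vrf, {})
            continue
        if re.match(r"^\s+exit-address-family", line):
            vrf = None
            continue
        if vrf is None:
            continue
        m = re.match(r"^\s+neighbor (\S+) remote-as \d+", line)
        if m:
            result[vrf].setdefault(m.group(1), None)
            continue
        # neighbor <ip> maximum-prefix <max> [<threshold>] [restart <min>] [warning-only]
        m = re.match(r"^\s+neighbor (\S+) maximum-prefix (\d+)(?: (\d+))?"
                     r"(?: restart (\d+))?( warning-only)?", line)
        if m:
            if m.group(5):
                action = "warning-only"
            elif m.group(4):
                action = "restart"
            else:
                action = "drop-peering"        # default action named in the text
            result[vrf][m.group(1)] = {
                "limit": int(m.group(2)),
                "threshold": int(m.group(3)) if m.group(3) else 75,  # IOS default
                "action": action,
            }
    return result


def warning_point(limit: int, threshold_pct: int) -> int:
    """Route count at which the threshold warning would be logged (rounding assumed)."""
    return math.ceil(limit * threshold_pct / 100)


def audit(config: str) -> List[str]:
    """Return one finding per missing control, so an empty list means both are set."""
    findings = []
    for name, lim in parse_vrf_limits(config).items():
        if lim is None:
            findings.append(f"vrf {name}: no 'maximum routes' limit (option B missing)")
    for vrf, neighbors in parse_vrf_neighbors(config).items():
        for ip, mp in neighbors.items():
            if mp is None:
                findings.append(f"vrf {vrf} neighbor {ip}: no 'maximum-prefix' (option A missing)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config` dump, the script reports every customer VRF and every VRF neighbor that is still unprotected; the warning_point helper is there to sanity-check that the threshold actually gives operators time to react before the limit is hit (with a limit of 3 and the 75% default the warning and the limit are effectively the same route).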

