The VRF table is a virtual routing and forwarding instance that separates sites with the same connectivity requirements. To configure a VRF table you must define the VRF name, the RD, and the import and export RTs.
SPs offering MPLS VPN services are at risk of a DoS attack similar to the one faced by ISPs that offer BGP connectivity to customers: a customer can generate any number of routes and use up all the resources on the PE router. Resources therefore have to be limited per customer, and the Cisco IOS Software offers 2 solutions.
A.- You can limit the number of routes received from a BGP neighbor
B.- You can limit the total number of routes in a VRF
For the first option (A):
R1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 17
R1(config-router)#neigh 192.168.12.2 maximum-prefix ?
  <1-2147483647>  maximum no. of prefix limit
R1(config-router)#neigh 192.168.12.2 maximum-prefix 3 ?
  <1-100>       Threshold value (%) at which to generate a warning msg
  restart       Restart bgp connection after limit is exceeded
  warning-only  Only give warning message when limit is exceeded
The optional threshold parameter specifies the percentage of the limit at which a warning message is logged (75% is the default value).
R1(config-router)#neigh 192.168.12.2 maximum-prefix 3 75 ?
  restart       Restart bgp connection after limit is exceeded
  warning-only  Only give warning message when limit is exceeded
The warning-only keyword makes the router generate a log message when the maximum is exceeded instead of terminating the peering. The default action is to drop the peering when the maximum number is exceeded.
You can also limit the total number of VRF routes with the maximum routes limit command inside the VRF configuration.
Routes coming from CE routers, as well as routes coming from other PE routers that are imported into this VRF, are checked against the limit.
In contrast to the BGP maximum-prefix limit, this command limits the overall number of routes in a VRF regardless of their origin. As with the BGP feature, the command generates a syslog message when the number of routes exceeds a certain threshold.
The second option (B):
R1(config)#ip vrf CC
R1(config-vrf)#maximum ?
  routes  Maximum number of routes allowed in this routing table
R1(config-vrf)#maximum routes ?
  <1-4294967295>  Maximum number of routes allowed
R1(config-vrf)#maximum routes 22 ?
  <1-100>       Threshold value (%) at which to generate a warning msg
  warning-only  Only give a warning message if is limit exceeded
When the maximum number of routes is exceeded on a PE router that has this configured, any newly arriving route for that VRF is ignored.
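To check that both limits are actually in place on a PE, the following added example (not part of the original post) audits a configuration for VRFs without maximum routes and BGP neighbors without maximum-prefix. The sample configuration is constructed: VRF DD, neighbor 192.168.13.2, the RD/RT values and the remote AS numbers are assumptions.

```python
import re

# Constructed sample configuration (not from the original page): VRF CC and
# neighbor 192.168.12.2 carry the limits shown above; VRF DD and neighbor
# 192.168.13.2 are hypothetical and deliberately left without limits.
SAMPLE_CONFIG = """\
ip vrf CC
 rd 17:1
 route-target both 17:1
 maximum routes 22 75
!
ip vrf DD
 rd 17:2
 route-target both 17:2
!
router bgp 17
 neighbor 192.168.12.2 remote-as 65001
 neighbor 192.168.12.2 maximum-prefix 3 75
 neighbor 192.168.13.2 remote-as 65002
!
"""

def audit_route_limits(config):
    """Return (vrfs_without_maximum_routes, bgp_neighbors_without_maximum_prefix)."""
    vrfs, neighbors = {}, {}   # name -> True once a limit line is seen
    vrf, in_bgp = None, False
    for line in config.splitlines():
        if not line.startswith(" "):             # new top-level section
            m = re.match(r"ip vrf (\S+)", line)
            vrf = m.group(1) if m else None
            in_bgp = line.startswith("router bgp ")
            if vrf:
                vrfs[vrf] = False
            continue
        words = line.split()
        if vrf and words[:2] == ["maximum", "routes"]:
            vrfs[vrf] = True
        elif in_bgp and len(words) >= 3 and words[0] == "neighbor":
            # Limits inherited through peer-groups are not resolved here.
            neighbors.setdefault(words[1], False)
            if words[2] == "maximum-prefix":
                neighbors[words[1]] = True
    return (sorted(v for v, ok in vrfs.items() if not ok),
            sorted(n for n, ok in neighbors.items() if not ok))

if __name__ == "__main__":
    no_vrf_limit, no_peer_limit = audit_route_limits(SAMPLE_CONFIG)
    print("VRFs without 'maximum routes':", no_vrf_limit)
    print("BGP neighbors without 'maximum-prefix':", no_peer_limit)
```

Neighbors defined under an address-family ipv4 vrf block are covered as well, since every indented neighbor line below router bgp is inspected.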