
MLX and uRPF for RTBH
Hi All,

Wondering if anyone has used the uRPF feature on MLX to have the source
address of traffic matched to null0 routes?

My reading so far has led me to a config like this:

reverse-path-check
urpf-exclude-default
!
interface eth1/1
 rpf-mode loose log
!


Example routes look like this:

device#sh ip route 2.144.0.0/24
        Destination     Gateway   Port   Cost   Type   Uptime   src-vrf
1       2.144.0.0/24    DIRECT    drop   20/0   Be     3d1h     -

My next step is the lab.

Cheers
--
Michael Gehrmann
Re: MLX and uRPF for RTBH
My own research on MLX support for uRPF made me very disappointed:



Note this from the release notes:

- If a default route is present on the router, loose mode will permit all traffic

- RPF can only be configured at the physical port level. It should not be configured on virtual interfaces on the Brocade MLX series and Brocade NetIron XMR.

o Brocade MLX series and Brocade NetIron XMR devices do not support uRPF for VE interfaces.

Also, RPF is not compatible with this CAM profile: “ipv4-ipv6”. I think we’re using that one.

https://tnotez.files.wordpress.com/2013/05/netironunified_05400a_configguide.pdf



Frank



From: foundry-nsp [mailto:foundry-nsp-bounces@puck.nether.net] On Behalf Of Michael Gehrmann
Sent: Wednesday, July 13, 2016 12:11 AM
To: foundry-nsp@puck.nether.net
Subject: [f-nsp] MLX and uRPF for RTBH



Re: MLX and uRPF for RTBH
Hi,

ipv4-ipv6-2 and multi-service-4 are supported profiles.

For my network I always lock down the individual physical ports facing
customers to strict modes, while keeping IX-ports loose and core-ports
without any.

Regards
Jörg Kost


On 15 Jul 2016, at 4:32, frnkblk@iname.com wrote:

_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
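The three points raised in the thread so far (loose-mode uRPF dropping packets whose source matches a null0/drop route, Frank's release-note caveat that a default route makes loose mode permit everything unless the default is excluded, and Jörg's strict/loose/none split by port type) can be checked against a small model of the lookup. The following is an added example written for this thread; it is not Brocade code and not from any poster. The FIB contents (apart from the page's 2.144.0.0/24 drop route), the port names and the PORT_POLICY map are constructed, and the modelling of urpf-exclude-default (a source that matches only 0.0.0.0/0 is treated as having no route) is an assumption about that knob's semantics, not a statement from the configuration guide.

```python
"""Toy model of unicast RPF (uRPF) decisions against a longest-prefix-match table.

Added example for the foundry-nsp thread; not Brocade code. The FIB, port
names and per-port policy below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_if: Optional[str]  # None models a "DIRECT drop" (null0) route


class Fib:
    """Longest-prefix-match table; drop routes live beside ordinary ones."""

    def __init__(self, routes: List[Route]) -> None:
        # Most specific first, so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        for route in self.routes:
            if ip in route.prefix:
                return route
        return None


def urpf_check(fib: Fib, src: str, in_if: str, mode: str,
               exclude_default: bool = True) -> bool:
    """True when a packet from src arriving on in_if passes the uRPF check.

    mode is "loose" (any usable return route suffices) or "strict" (the
    return route must leave via the ingress port). exclude_default is our
    assumed model of urpf-exclude-default: a source matching only 0.0.0.0/0
    is treated as unrouted and fails. Without it, the default route satisfies
    loose mode for every source, which is the release-note caveat.
    """
    route = fib.lookup(src)
    if route is None:
        return False                      # no route back to the source
    if route.prefix.prefixlen == 0 and exclude_default:
        return False                      # only the default route matched
    if route.out_if is None:
        return False                      # source is black-holed: RTBH hit
    if mode == "strict":
        return route.out_if == in_if      # must come in where we would send it
    if mode == "loose":
        return True
    raise ValueError(f"unknown rpf mode {mode!r}")


# Constructed per-port policy in the spirit of the split described above:
# strict on customer ports, loose on IX ports, no check on core ports.
PORT_POLICY: Dict[str, Optional[str]] = {
    "eth1/1": "strict",   # customer-facing
    "eth2/1": "loose",    # IX-facing
    "eth3/1": None,       # core, no rpf-mode configured
}


def check_on_port(fib: Fib, src: str, in_if: str) -> bool:
    """Apply the port's configured mode; ports without one forward everything."""
    mode = PORT_POLICY.get(in_if)
    if mode is None:
        return True
    return urpf_check(fib, src, in_if, mode)


def build_sample_fib() -> Fib:
    """Constructed FIB: the page's 2.144.0.0/24 drop route plus documentation prefixes."""
    return Fib([
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth3/1"),       # default via core
        Route(ipaddress.ip_network("2.144.0.0/24"), None),         # RTBH drop route
        Route(ipaddress.ip_network("203.0.113.0/24"), "eth1/1"),   # customer prefix
        Route(ipaddress.ip_network("198.51.100.0/24"), "eth2/1"),  # learned over the IX
    ])


if __name__ == "__main__":
    fib = build_sample_fib()
    for src, in_if in [("2.144.0.5", "eth2/1"), ("203.0.113.7", "eth1/1"),
                       ("203.0.113.7", "eth2/1"), ("192.0.2.9", "eth2/1")]:
        print(f"{src:>14} on {in_if}: {'pass' if check_on_port(fib, src, in_if) else 'drop'}")
```

Running the model shows the behaviour the thread is after: a source inside the 2.144.0.0/24 drop route fails on any port that checks, a legitimate source passes loose mode from any port but strict mode only from the port it is routed out of, and a source covered only by the default route is dropped with exclude_default set yet passes loose mode without it, which is exactly why a router carrying a default route needs that exclusion for source-based RTBH to do anything.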
Re: MLX and uRPF for RTBH
My gotcha is that I have a default route and I want to use it against VEs.

Frank

-----Original Message-----
From: Jörg Kost [mailto:jk@ip-clear.de]
Sent: Saturday, July 16, 2016 2:48 AM
To: frnkblk@iname.com
Cc: Michael Gehrmann <mgehrmann@atlassian.com>; foundry-nsp@puck.nether.net
Subject: Re: [f-nsp] MLX and uRPF for RTBH

Re: MLX and uRPF for RTBH
Let's see how we go. Working great at the moment.

Thanks all for your feedback.

Mike

On 13 July 2016 at 17:04, Takahiro Masuda <tmasuda@vpls.com> wrote:

> I use this, but sometimes during DoS attacks it takes a toll on the LP CPU
> and I have to remove it.


--
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658