To configure a black hole MAC address on a VPLS site

Purpose

Use this procedure to configure a conditional static black hole MAC address FDB entry on a VPLS service site to mitigate potential DoS, DDoS, and worm attacks and to quarantine hostile traffic. This feature is similar to a black hole static route for VPRNs but is not associated with any particular SAP or SDP binding. If there is a hit on the black hole FDB entry, all matching frames are immediately discarded in the data path, as if sent to a null route.

You can also use this procedure to configure a black hole MAC address for duplicate IP detection and anti-MAC address spoofing by enabling the VPLS services with a proxy ARP or proxy ND. The anti-spoofing MAC (AS-MAC) address provides a method to push traffic to a given IP address when a duplicate IP address is detected. However, the NFM-P drops the traffic addressed to the AS-MAC address.

The feature is supported on 7450 ESS, 7750 SR, and 7950 XRS devices.
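The two behaviours described above, sketched as a simplified Python model of a VPLS site FDB and proxy ARP table. This is an added example, not SR OS or NFM-P code; the duplicate-detection threshold, the class and function names, and all MAC and IP values are assumptions constructed for illustration.

```python
# Simplified model of the behaviour described above; not SR OS or NFM-P code.
# Assumptions (not from the page): the move threshold, all names, MACs and IPs.
from dataclasses import dataclass, field

BLACKHOLE = "blackhole"          # FDB locale that discards instead of forwarding
AS_MAC = "00:00:5e:00:53:ff"     # constructed anti-spoofing MAC
DUP_MOVES = 3                    # assumed: IP-to-MAC changes before an IP is a duplicate

@dataclass
class VplsSite:
    fdb: dict = field(default_factory=dict)        # MAC -> SAP/SDP name or BLACKHOLE
    proxy_arp: dict = field(default_factory=dict)  # IP -> MAC answered by proxy ARP
    moves: dict = field(default_factory=dict)      # IP -> number of MAC changes seen
    static_black_hole: bool = True                 # models the Static Black-Hole parameter

    def add_blackhole_mac(self, mac):
        """Conditional static MAC with Locale = Blackhole (not tied to a SAP/SDP)."""
        self.fdb[mac.lower()] = BLACKHOLE

    def learn(self, ip, mac, port):
        """Record an IP-to-MAC binding; quarantine the IP once it flaps too often."""
        mac = mac.lower()
        if self.proxy_arp.get(ip) == AS_MAC:
            return                                  # already quarantined
        if self.fdb.get(mac) != BLACKHOLE:          # a static black hole entry is kept
            self.fdb[mac] = port
        old = self.proxy_arp.get(ip)
        if old is not None and old != mac:
            self.moves[ip] = self.moves.get(ip, 0) + 1
        self.proxy_arp[ip] = mac
        if self.moves.get(ip, 0) >= DUP_MOVES:
            self.proxy_arp[ip] = AS_MAC             # replies now hand out the AS-MAC
            if self.static_black_hole:
                self.add_blackhole_mac(AS_MAC)

    def forward(self, dst_mac):
        """Return the egress port, 'flood' for unknown unicast, or 'drop'."""
        out = self.fdb.get(dst_mac.lower(), "flood")
        return "drop" if out == BLACKHOLE else out

def demo():
    site = VplsSite()
    site.add_blackhole_mac("00:00:5E:00:53:66")     # constructed hostile MAC
    for mac, port in [("00:00:5e:00:53:01", "sap-1"), ("00:00:5e:00:53:02", "sap-2")] * 2:
        site.learn("192.0.2.10", mac, port)         # two hosts claim the same IP
    site.learn("192.0.2.20", "00:00:5e:00:53:03", "sap-3")
    dup, ok = site.proxy_arp["192.0.2.10"], site.proxy_arp["192.0.2.20"]
    return site.forward("00:00:5e:00:53:66"), dup, site.forward(dup), site.forward(ok)
```

In the model, clearing `static_black_hole` leaves the AS-MAC without an FDB entry, so frames addressed to it are flooded as unknown unicast instead of being discarded.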

Steps
Create a VPLS and enable BGP-EVPN

1. Create a VPLS for a supported device type if required; see To create a VPLS.

2. Create a VPLS site for the VPLS; see To configure a VPLS site.

3. Choose Manage→Service→Services from the NFM-P main menu. The Manage Services form opens.

4. Choose the required VPLS and click Properties. The VPLS Service (Edit) form opens.

5. On the VPLS Service tree, expand the Sites icon, click on the site on which you want to configure a black hole MAC address, and click Properties. The VPLS Site form opens.

6. Click on the BGP tab, and then on the EVPN sub-tab.

7. Click the Create button in the BGP EVPN panel and configure the parameters on the form that appears.


Configure the static MAC address and black hole option

8. Click on the EVPN Static MAC sub-tab and click Create. The Conditional Static Mac form opens.

9. Configure a MAC address for the static MAC.

10. For the Locale parameter, select the Blackhole option and click OK to close the form.

11. Save and close the form.


Enable a static black hole for a Proxy ARP or Proxy ND

12. Configure a proxy ARP (Address Resolution Protocol) for a VPLS site; see To configure proxy ARP for a VPLS site.

13. Configure a proxy ND (node discovery) for a VPLS site; see To configure proxy node discovery for a VPLS site.

14. On the VPLS Service tree, expand the Sites icon, click on the site on which you want to configure a black hole MAC address, and click Properties. The VPLS Site form opens.

15. Perform one of the following:

  1. For a Proxy ARP, click on the Proxy ARP tab and configure the Anti-Spoofing MAC Address parameter and Static Black-Hole parameter on the Proxy ARP sub-tab.

  2. For a Proxy ND, click on the Proxy ND tab and configure the Anti-Spoofing MAC Address parameter and Static Black-Hole parameter on the Proxy ND sub-tab.

16. Save and close the form.

End of steps