To configure a black hole MAC address on a VPLS site
Purpose
Use this procedure to configure a conditional static black hole MAC address FDB entry on a VPLS service site to mitigate potential DoS, DDoS, and worm attacks and to quarantine hostile traffic. This feature is similar to a black hole static route for VPRNs but is not associated with any particular SAP or SDP binding. If there is a hit on the black hole FDB entry, all frames are immediately discarded in the data path to a null route.
You can also use this procedure to configure a black hole MAC address for IP duplicate detection and anti-MAC address spoofing by enabling the VPLS services with a proxy ARP or proxy ND. The AS-MAC address provides a method to push traffic to a given IP address when a duplicate IP address is detected. However, the NFM-P drops the traffic addressed to the AS-MAC address.
The feature is supported on 7450 ESS, 7750 SR, and 7950 XRS devices.
Steps
Create a VPLS and enable BGP-EVPN
1. Create a VPLS for a supported device type if required; see To create a VPLS.
2. Create a VPLS site for the VPLS; see To configure a VPLS site.
3. Choose Manage→Service→Services from the NFM-P main menu. The Manage Services form opens.
4. Choose the required VPLS and click Properties. The VPLS Service (Edit) form opens.
5. On the VPLS Service tree, expand the Sites icon, click on the site on which you want to configure a black hole MAC address, and click Properties. The VPLS Site form opens.
6. Click on the BGP tab, and then on the EVPN sub-tab.
7. Click the Create button in the BGP EVPN panel and configure the parameters on the form that appears.
Configure the static MAC address and black hole option
8. Click on the EVPN Static MAC sub-tab and click Create. The Conditional Static Mac form opens.
9. Configure a MAC address for the static MAC.
10. For the Locale parameter, select the Blackhole option and click OK to close the form.
11. Save and close the form.
Enable a static black hole for a Proxy ARP or Proxy ND
12. Configure a proxy ARP (Address Resolution Protocol) for a VPLS site; see To configure proxy ARP for a VPLS site.
13. Configure a proxy ND (node discovery) for a VPLS site; see To configure proxy node discovery for a VPLS site.
14. On the VPLS Service tree, expand the Sites icon, click on the site on which you want to configure a black hole MAC address, and click Properties. The VPLS Site form opens.
15. Perform one of the following:
16. Save and close the form.
End of steps