Ethernet Switches & Routers

Posts: 1
Registered: ‎01-02-2012

Connected routes in a VRF

I have an MLX set up (currently running V5.1.0cT163).  The scenario is that there is a DDoS mitigation appliance directly connected to the MLX.  If a downstream host is under attack, the appliance injects a /32 route via BGP to divert the traffic to itself, cleans it, and then reinjects the clean traffic to continue to the end host.

In a typical deployment, the clean traffic is reinjected somewhere downstream to prevent the BGP diversion route from causing a routing loop.  But in this case we only have the single MLX so we are sending the clean traffic back into the MLX and using a VRF to prevent a routing loop.

The VRF config is pretty simple, and looks like this:

vrf CleanReinject
 rd 1:1
 ip router-id x.x.x.x
 address-family ipv4
  ip route 1.0.0.0/8 ve 10
  ip route 2.0.0.0/8 ve 20
  etc...
 exit-address-family
exit-vrf
!
interface ethernet 1/1
 port-name "DDoS mitigation appliance"
 enable
 vrf forwarding CleanReinject
 ip address 10.10.10.10/24

I have used this configuration many times on Cisco devices, and it works fine.  If there is a connected route in the VRF, the router continues to maintain an ARP entry in the default ARP table, even if the default routing table has a non-connected route for that host.  On the MLX however, once the diversion route is injected, the MLX stops generating ARP requests for the end host.  The ARP entry expires shortly thereafter, and the MLX can no longer forward clean traffic from the VRF to the end host.  The only way we can get it to work is to add a static ARP entry -- but that's not a feasible solution because there are thousands of potential downstream DDoS targets hanging off the VE interfaces.
FWIW, we've also tried using an import map to import the connected routes from the default table into the VRF, rather than using statically configured VRF routes.  The result is the same though.
I'm hoping someone can help me understand if this is a known/expected limitation of VRFs on Brocade gear, or if there's some Brocade-specific piece of config we're missing, or possibly a bug at play.
Thanks.
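To make the routing-loop argument in the post concrete, here is a small two-table forwarding model written for this page; it is an added illustration, not Brocade, Cisco or appliance code, and it does not model how the MLX actually ages ARP entries. Interface names ve 10, ve 20, eth 1/1 and the VRF name CleanReinject come from the post; the dirty-side link eth 1/2 with subnet 10.20.20.0/24, the appliance address 10.20.20.2, the attacked host 1.2.3.4, and the use of ve 20 as the ingress for dirty traffic are assumptions made for the example. The model shows three things: with the VRF, a diverted packet is scrubbed once and leaves on ve 10; without the VRF, the reinjected packet re-matches the /32 and loops; and, once the /32 is in the default table, the only table whose forwarding state still requires an ARP entry for the host on ve 10 is the CleanReinject VRF.

```python
"""Per-VRF longest-prefix-match model of the BGP diversion / VRF clean-reinject design.

Added example for illustration only.  Assumed for the example: eth 1/2 as the
dirty-side link in the default VRF (10.20.20.0/24, appliance at 10.20.20.2),
1.2.3.4 as the attacked host, ve 20 as where dirty traffic enters.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str                 # outgoing interface
    next_hop: Optional[str]     # None: directly attached, next hop is the destination itself
    source: str                 # "connected", "static" or "bgp"


class Router:
    """A router with one routing table per VRF; every interface belongs to exactly one VRF."""

    def __init__(self) -> None:
        self.tables = {}      # vrf name -> list[Route]
        self.iface_vrf = {}   # interface -> vrf name

    def bind(self, iface: str, vrf: str) -> None:
        self.iface_vrf[iface] = vrf
        self.tables.setdefault(vrf, [])

    def add_route(self, vrf: str, prefix: str, egress: str,
                  next_hop: Optional[str] = None, source: str = "static") -> None:
        self.tables.setdefault(vrf, []).append(
            Route(ipaddress.ip_network(prefix), egress, next_hop, source))

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        """Longest-prefix match within a single VRF table."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.tables[vrf] if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def trace(self, ingress: str, dst: str, appliance_clean_port: str,
              max_hops: int = 8) -> list[tuple[str, str]]:
        """Follow one packet through the box.  The appliance is modelled as scrubbing
        whatever it receives via the BGP diversion route and reinjecting it on its
        clean-side port, where the packet re-enters the router's lookup."""
        path = []
        iface = ingress
        for _ in range(max_hops):
            vrf = self.iface_vrf[iface]
            route = self.lookup(vrf, dst)
            if route is None:
                path.append((vrf, "drop"))
                return path
            path.append((vrf, route.egress))
            if route.source != "bgp":
                return path            # delivered toward the host on a connected/static interface
            iface = appliance_clean_port
        path.append(("*", "loop"))     # still bouncing through the appliance after max_hops
        return path

    def arp_requirements(self, dst: str) -> set[tuple[str, str]]:
        """(interface, address) ARP entries that the current forwarding state needs
        in order to deliver dst, taken across every VRF table."""
        needs = set()
        for vrf in self.tables:
            r = self.lookup(vrf, dst)
            if r is not None:
                needs.add((r.egress, r.next_hop or dst))
        return needs


def build(use_vrf: bool) -> Router:
    """The posted topology.  use_vrf=False puts the appliance's clean port in the default VRF."""
    r = Router()
    clean_vrf = "CleanReinject" if use_vrf else "default"
    for iface, vrf in [("ve 10", "default"), ("ve 20", "default"),
                       ("eth 1/2", "default"), ("eth 1/1", clean_vrf)]:
        r.bind(iface, vrf)
    r.add_route("default", "1.0.0.0/8", "ve 10", source="connected")
    r.add_route("default", "2.0.0.0/8", "ve 20", source="connected")
    r.add_route("default", "10.20.20.0/24", "eth 1/2", source="connected")  # assumed dirty side
    r.add_route(clean_vrf, "10.10.10.0/24", "eth 1/1", source="connected")
    if use_vrf:
        # Mirrors the posted "ip route 1.0.0.0/8 ve 10" / "ip route 2.0.0.0/8 ve 20" statics
        r.add_route(clean_vrf, "1.0.0.0/8", "ve 10")
        r.add_route(clean_vrf, "2.0.0.0/8", "ve 20")
    return r


def inject_diversion(r: Router, target: str, appliance_dirty_ip: str = "10.20.20.2") -> None:
    """The /32 the appliance announces over BGP into the default table when target is attacked."""
    r.add_route("default", f"{target}/32", "eth 1/2", next_hop=appliance_dirty_ip, source="bgp")


if __name__ == "__main__":
    r = build(use_vrf=True)
    print("before attack:", r.trace("ve 20", "1.2.3.4", "eth 1/1"))
    inject_diversion(r, "1.2.3.4")
    print("with VRF:     ", r.trace("ve 20", "1.2.3.4", "eth 1/1"))
    print("ARP needed:   ", sorted(r.arp_requirements("1.2.3.4")))
    flat = build(use_vrf=False)
    inject_diversion(flat, "1.2.3.4")
    print("without VRF:  ", flat.trace("ve 20", "1.2.3.4", "eth 1/1"))
```

Running it prints the single-hop delivery before the attack, the two-stage path default -> eth 1/2 -> CleanReinject -> ve 10 once the /32 is present, and a path ending in "loop" when the clean port sits in the default table. The arp_requirements output is the point of the post in miniature: after the diversion, the default table needs only the appliance's ARP entry on eth 1/2, while the host's own entry on ve 10 is still needed, but only by the VRF's lookup.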
Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Connected routes in a VRF

Hi jmeehan,

I would suggest you contact the Brocade TAC on this one.  Sorry I have no ideas on this one.

Thanks

Michael.
