An E8000E-X16 firewall was attached to an NE5000E at the MAN egress. The firewall was used to perform NAT for services on the BRAS connected to the NE5000E.
A user ran the <RT01-NE5KE>dis cpu command and found that the CPU usage of the NE5000E reached 99%.
TaskName  CPU  Runtime(CPU Tick High/Tick Low)  Task Explanation
ROUT      99%  0/ 6667f5d                       ROUTRoute task
For an upstream service, a BRAS transmitted the service to a city-level NE5000E along the default route, the NE5000E transmitted the service to the E8000E-X16 firewall according to the routing policy, and the E8000E-X16 firewall transmitted the service back to the NE5000E along the default route after performing NAT. Then, the city-level NE5000E transmitted the service to a province-level NE5000E, and the province-level NE5000E transmitted it out of the MAN.
For a downstream service, a province-level NE5000E transmitted the service to a city-level NE5000E, the city-level NE5000E transmitted the service to the E8000E-X16 firewall along a static route, the E8000E-X16 firewall found the corresponding SESSION entry and transmitted the service back to the city-level NE5000E along the static route, and the city-level NE5000E transmitted the service to the BRAS.
The error occurred when the service was transmitted from the E8000E-X16 firewall back to the city-level NE5000E. When the city-level private network encountered an attack of unknown traffic from an external network, the traffic was transmitted from the province-level NE5000E to the city-level NE5000E. The city-level NE5000E transmitted the traffic to the E8000E-X16 firewall along the static route. However, the E8000E-X16 firewall could not find the corresponding SESSION entry, so it transmitted the traffic back to the NE5000E along the default route. The NE5000E then sent the traffic to the firewall again along the same static route, and a loop was formed.
A black hole route was added on the E8000E-X16 firewall attached to the city-level NE5000E. That is, at least the following three static routes must be configured on the firewall:
ip route-static 0.0.0.0 0 x.x.x.x (Configures a default route.)
ip route-static x.x.x.x x.x.x.x x.x.x.x (Configures a static route to the private network.)
ip route-static x.x.x.x x.x.x.x NULL0 (Configures a black hole route for the NAT address pool.)
After traffic destined for the private network segment was transmitted to the E8000E-X16 firewall, the firewall matched the black hole route if it did not find the corresponding SESSION entry. In this manner, no loop would be formed.
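The loop and the effect of the black hole route can be reproduced with a small longest-prefix-match model. This is an added example, not part of the original case: the addresses (documentation ranges), the node labels, and the assumption that the firewall translates on a session hit before its route lookup are all constructed for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop of the most specific route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed addressing, not taken from the case.
NAT_POOL = "203.0.113.0/24"   # public NAT address pool on the firewall
PRIVATE = "10.0.0.0/8"        # private network behind the BRAS

# City-level NE: default upstream, static route for the pool to the firewall.
NE_ROUTES = {"0.0.0.0/0": "PROVINCE", NAT_POOL: "FW", PRIVATE: "BRAS"}

def fw_routes(blackhole):
    """Firewall routes: default and private-network static, optional NULL0."""
    routes = {"0.0.0.0/0": "NE", PRIVATE: "NE"}
    if blackhole:
        routes[NAT_POOL] = "NULL0"
    return routes

def forward(dst, sessions, blackhole, ttl=64):
    """Trace a downstream packet arriving at the city-level NE.
    Returns (outcome, hops between NE and firewall)."""
    fw = fw_routes(blackhole)
    node, hops = "NE", 0
    while ttl > 0:
        if node == "NE":
            nxt = lookup(NE_ROUTES, dst)
        else:
            # Firewall: a session hit rewrites the destination to the
            # private address; a miss leaves the pool address unchanged.
            dst = sessions.get(dst, dst)
            nxt = lookup(fw, dst)
        if nxt == "NULL0":
            return "dropped", hops
        if nxt in ("BRAS", "PROVINCE"):
            return "delivered to " + nxt, hops
        node, ttl, hops = nxt, ttl - 1, hops + 1
    return "ttl expired (loop)", hops
```

With no session and no black hole route, a packet to a pool address bounces between the two devices until its TTL runs out; with the black hole route it is discarded at the firewall after one hop, while traffic that matches a session is still delivered.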