An E8000E-X16 firewall was attached to an NE5000E at the MAN egress. The firewall was used to perform NAT for services on the BRAS connected to the NE5000E.
A user ran the <RT01-NE5KE>dis cpu command and found that the CPU usage of the NE5000E reached 99%.
TaskName  CPU   Runtime(CPU Tick High/Tick Low)   Task Explanation
ROUT      99%   0/ 6667f5d                        ROUT Route task
For an upstream service, a BRAS transmitted the service to a city-level NE5000E along the default route, the NE5000E transmitted the service to the E8000E-X16 firewall according to the routing policy, and the E8000E-X16 firewall transmitted the service back to the NE5000E along the default route after performing NAT. Then, the city-level NE5000E transmitted the service to a province-level NE5000E, and the province-level NE5000E transmitted it out of the MAN.
For a downstream service, a province-level NE5000E transmitted the service to a city-level NE5000E, the city-level NE5000E transmitted the service to the E8000E-X16 firewall along a static route, the E8000E-X16 firewall found the corresponding SESSION entry and transmitted the service back to the city-level NE5000E along the static route, and the city-level NE5000E transmitted the service to the BRAS.

The error occurred when the service was transmitted from the E8000E-X16 firewall back to the city-level NE5000E. When the city-level private network was attacked with unknown traffic from an external network, the traffic was transmitted from the province-level NE5000E to the city-level NE5000E, which transmitted it to the E8000E-X16 firewall along the static route. However, the E8000E-X16 firewall could not find a corresponding SESSION entry, so it transmitted the traffic back to the NE5000E along the default route. The NE5000E matched the static route again and returned the traffic to the firewall, so a loop was formed.
A black hole route was added on the E8000E-X16 firewall attached to the city-level NE5000E. That is, at least the following three static routes must be configured on the firewall:
ip route-static 0.0.0.0 0 x.x.x.x (Configures a default route.)
ip route-static x.x.x.x x.x.x.x x.x.x.x (Configures a static route to the private network.)
ip route-static x.x.x.x x.x.x.x NULL0 (Configures a black hole route for the NAT address pool.)

After traffic destined for the private network segment was transmitted to the E8000E-X16 firewall, the firewall matched the black hole route if it did not find the corresponding SESSION entry. In this manner, no loop would be formed.
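As an added illustration that is not part of the original case, the following Python model replays the downstream forwarding decision on both devices with longest-prefix-match routing: without the black hole route, a packet for the NAT address pool with no SESSION entry bounces between the firewall's default route and the NE5000E's static route; with the NULL0 route, the firewall discards it, while a packet that does have a SESSION entry still hairpins through the NE5000E to the BRAS. All addresses, device names and the session mapping are constructed, since the case shows only x.x.x.x placeholders.

```python
import ipaddress

# Constructed addresses: the case itself shows only x.x.x.x placeholders.
PRIVATE_NET = "10.0.0.0/8"      # BRAS-side private network behind the firewall
NAT_POOL = "203.0.113.0/24"     # public addresses the firewall translates into
FW, NE, BRAS, UPSTREAM = "E8000E-X16", "city-NE5000E", "BRAS", "province-NE5000E"

# Routing tables as (prefix, next hop) lists, modelled on the ip route-static lines above.
NE_TABLE = [("0.0.0.0/0", UPSTREAM), (PRIVATE_NET, BRAS), (NAT_POOL, FW)]
FW_TABLE_BEFORE = [("0.0.0.0/0", NE), (PRIVATE_NET, NE)]
FW_TABLE_AFTER = FW_TABLE_BEFORE + [(NAT_POOL, "NULL0")]   # the added black hole route

def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific route containing dst, else None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(fw_table, dst, sessions, max_hops=8):
    """Forward one downstream packet from the province NE5000E and return (verdict, path).

    sessions maps a NAT-pool address to the private address of an existing SESSION entry;
    a packet with no entry is routed on its public destination, exactly as in the fault.
    """
    node, path, seen = NE, [UPSTREAM, NE], set()
    for _ in range(max_hops):
        if (node, dst) in seen:              # same packet back at the same node: a loop
            return "loop", path
        seen.add((node, dst))
        if node == FW:
            dst = sessions.get(dst, dst)     # SESSION hit: translate to the private address
            nh = lookup(fw_table, dst)
        elif node == NE:
            nh = lookup(NE_TABLE, dst)
        else:
            return "deliver", path           # reached the BRAS (or the upstream network)
        if nh is None or nh == "NULL0":      # black hole route or no route: discarded here
            return "drop", path
        path.append(nh)
        node = nh
    return "loop", path

if __name__ == "__main__":
    pool_addr = "203.0.113.10"
    print("no session, before fix:", trace(FW_TABLE_BEFORE, pool_addr, {}))
    print("no session, after fix: ", trace(FW_TABLE_AFTER, pool_addr, {}))
    print("session, after fix:    ", trace(FW_TABLE_AFTER, pool_addr, {pool_addr: "10.1.2.3"}))
```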