[c-nsp] BGP Black hole
Chris Evans
chrisccnpspam2 at gmail.com
Wed Mar 2 16:26:24 EST 2011
You also need to configure IP reverse path verify on your incoming
interface. That is what you are missing...
On Mar 2, 2011 3:58 PM, "Jay Nakamura" <zeusdadog at gmail.com> wrote:
> I am testing BGP black hole setup in my GNS3. One AS announcing to
> the other AS to black hole a prefix. I am hitting a wall where the
> receiving AS shows the prefix I am trying to black hole as
> inaccessible and packets get through. I thought the basic principle
> was to match routes based on community and set the next hop to an IP
> that is pointed to null.
>
> ISP2#sh ip bgp 1.0.0.1
> BGP routing table entry for 1.0.0.1/32, version 9
> Paths: (1 available, no best path)
>   Not advertised to any peer
>   1
>     192.168.255.1 (inaccessible) from 3.0.0.1 (1.0.0.1)
>       Origin IGP, metric 0, localpref 100, valid, external
>       Community: 1:666
>
> Here is my config.
> The side sending the prefix
>
> hostname ISP1
> interface Loopback0
>  ip address 1.0.0.1 255.255.255.255
> !
> interface FastEthernet1/0
>  ip address 3.0.0.1 255.255.255.0
>  duplex auto
>  speed auto
> router bgp 1
>  no synchronization
>  bgp log-neighbor-changes
>  network 1.0.0.0
>  network 1.0.0.1 mask 255.255.255.255
>  neighbor 3.0.0.2 remote-as 2
>  neighbor 3.0.0.2 send-community both
>  neighbor 3.0.0.2 route-map ISP2Out out
>  no auto-summary
> !
> ip route 1.0.0.0 255.0.0.0 Null0 200
> !
> ip bgp-community new-format
> !
> ip prefix-list BlackHole seq 5 permit 1.0.0.1/32
> !
> route-map ISP2Out permit 10
>  match ip address prefix-list BlackHole
>  set community 1:666
> !
> route-map ISP2Out permit 20
>
> The receiving side router
>
> hostname ISP2
> interface Loopback0
>  ip address 2.0.0.1 255.255.255.255
> !
> interface FastEthernet1/0
>  ip address 3.0.0.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet1/1
>  ip address 192.168.52.3 255.255.255.0
>  duplex auto
>  speed auto
> !
> router bgp 2
>  no synchronization
>  bgp log-neighbor-changes
>  network 2.0.0.0
>  network 192.168.52.0
>  neighbor 3.0.0.1 remote-as 1
>  neighbor 3.0.0.1 route-map ISP1In in
>  no auto-summary
> ip route 192.168.255.1 255.255.255.255 Null0
> !
> ip bgp-community new-format
> ip community-list 1 permit 1:666
> !
> route-map ISP1In permit 10
>  match community 1
>  set ip next-hop 192.168.255.1
> !
> route-map ISP1In permit 20
>
>
> What am I missing?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
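A reference configuration for the community-triggered, destination-based black hole the thread is about, with the loose-mode uRPF line the reply refers to, as an added example rather than the poster's or the reply's own config. The ASNs, peer addresses and the 1.0.0.1/32 prefix are taken from the quoted configs; the discard next hop 192.0.2.1 (an RFC 5737 TEST-NET-1 address, the one Cisco's RTBH guidance uses), the community-list and prefix-list names, the deny clause and the local-preference value are assumptions made for illustration:

```ios
! ===== Trigger side (AS 1) - added example, not the poster's config =====
! The /32 to be dropped must be in the local BGP table before it can be
! tagged; the receiving AS is the one that rewrites the next hop.
ip bgp-community new-format
!
router bgp 1
 network 1.0.0.1 mask 255.255.255.255
 neighbor 3.0.0.2 remote-as 2
 neighbor 3.0.0.2 send-community
 neighbor 3.0.0.2 route-map ISP2Out out
!
ip prefix-list BlackHole seq 5 permit 1.0.0.1/32
!
route-map ISP2Out permit 10
 match ip address prefix-list BlackHole
 set community 1:666
!
route-map ISP2Out permit 20

! ===== Receiving side (AS 2) =====
! Discard address (assumed: 192.0.2.1). The static host route to Null0 is
! what every black-holed prefix recurses to; it must exist in the RIB or the
! BGP next hop is marked inaccessible and the path is never installed.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Null0 would otherwise answer every dropped packet with an ICMP unreachable.
interface Null0
 no ip unreachables
!
ip bgp-community new-format
ip community-list standard BLACKHOLE permit 1:666
!
! Security control (assumed names): the peer may only black-hole host routes
! inside address space it originates, so the community cannot be used to
! take out third-party destinations. Both match statements must succeed.
ip prefix-list ISP1-BH-ALLOWED seq 5 permit 1.0.0.0/8 ge 32
!
route-map ISP1In permit 10
 match community BLACKHOLE
 match ip address prefix-list ISP1-BH-ALLOWED
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
!
! A blackhole-tagged route that fails the prefix check is rejected outright
! instead of being installed as a normal route (design choice in this example).
route-map ISP1In deny 15
 match community BLACKHOLE
!
route-map ISP1In permit 20
!
router bgp 2
 neighbor 3.0.0.1 remote-as 1
 neighbor 3.0.0.1 route-map ISP1In in
!
! Source-based black holing: loose-mode uRPF (needs CEF) drops packets whose
! source address resolves to Null0 via the same black-hole route. Destination-
! based dropping does not depend on this line.
interface FastEthernet1/0
 ip verify unicast source reachable-via any
```

Before trusting the drop, confirm the recursion end to end: `show ip route 192.0.2.1` has to show the /32 as directly connected via Null0; `show ip bgp 1.0.0.1` should then list the path with next hop 192.0.2.1 as valid and best instead of "(inaccessible)" with "no best path"; and `show ip cef 1.0.0.1 255.255.255.255` should resolve the prefix to Null0. A path whose next hop the RIB cannot resolve at evaluation time is never selected, so traffic keeps following the ordinary route exactly as the quoted output describes. The `no-export` community keeps the black-hole route inside AS 2, and the raised local preference makes it win over any other path to the same prefix.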