[c-nsp] BGP Black hole
Anton Turygin
pa3op at tsua.net
Wed Mar 2 16:27:36 EST 2011
On Wed, 2 Mar 2011, Jay Nakamura wrote:
> That made it work. Why does that make it work? I thought
> ebgp-multihop was used when the peer was not directly connected. I
> will go look up the command....
IOS "thinks" that your 192.168.255.1 is 2 hops away because it is a static
route. That is why multihop must be configured.
It is a hint ;-)
>
> On Wed, Mar 2, 2011 at 3:56 PM, Anton Turygin <pa3op at tsua.net> wrote:
>> Hello,
>>
>> neighbor 3.0.0.1 ebgp-multihop 2
>>
>> on the receiving router will help.
>>
>> On Wed, 2 Mar 2011, Jay Nakamura wrote:
>>
>>> I am testing BGP black hole setup in my GNS3. One AS announcing to
>>> the other AS to black hole a prefix. I am hitting a wall where the
>>> receiving AS shows the prefix I am trying to black hole as
>>> inaccessible and packets get through. I thought the basic principle
>>> was to match routes based on community and set the next hop to an IP
>>> that is pointed to null.
>>>
>>> ISP2#sh ip bgp 1.0.0.1
>>> BGP routing table entry for 1.0.0.1/32, version 9
>>> Paths: (1 available, no best path)
>>> Not advertised to any peer
>>> 1
>>> 192.168.255.1 (inaccessible) from 3.0.0.1 (1.0.0.1)
>>> Origin IGP, metric 0, localpref 100, valid, external
>>> Community: 1:666
>>>
>>> Here is my config.
>>> The side sending the prefix
>>>
>>> hostname ISP1
>>> interface Loopback0
>>> ip address 1.0.0.1 255.255.255.255
>>> !
>>> interface FastEthernet1/0
>>> ip address 3.0.0.1 255.255.255.0
>>> duplex auto
>>> speed auto
>>> router bgp 1
>>> no synchronization
>>> bgp log-neighbor-changes
>>> network 1.0.0.0
>>> network 1.0.0.1 mask 255.255.255.255
>>> neighbor 3.0.0.2 remote-as 2
>>> neighbor 3.0.0.2 send-community both
>>> neighbor 3.0.0.2 route-map ISP2Out out
>>> no auto-summary
>>> !
>>> ip route 1.0.0.0 255.0.0.0 Null0 200
>>> !
>>> ip bgp-community new-format
>>> !
>>> ip prefix-list BlackHole seq 5 permit 1.0.0.1/32
>>> !
>>> route-map ISP2Out permit 10
>>> match ip address prefix-list BlackHole
>>> set community 1:666
>>> !
>>> route-map ISP2Out permit 20
>>>
>>> The receiving side router
>>>
>>> hostname ISP2
>>> interface Loopback0
>>> ip address 2.0.0.1 255.255.255.255
>>> !
>>> interface FastEthernet1/0
>>> ip address 3.0.0.2 255.255.255.0
>>> duplex auto
>>> speed auto
>>> !
>>> interface FastEthernet1/1
>>> ip address 192.168.52.3 255.255.255.0
>>> duplex auto
>>> speed auto
>>> !
>>> router bgp 2
>>> no synchronization
>>> bgp log-neighbor-changes
>>> network 2.0.0.0
>>> network 192.168.52.0
>>> neighbor 3.0.0.1 remote-as 1
>>> neighbor 3.0.0.1 route-map ISP1In in
>>> no auto-summary
>>> ip route 192.168.255.1 255.255.255.255 Null0
>>> !
>>> ip bgp-community new-format
>>> ip community-list 1 permit 1:666
>>> !
>>> route-map ISP1In permit 10
>>> match community 1
>>> set ip next-hop 192.168.255.1
>>> !
>>> route-map ISP1In permit 20
>>>
>>>
>>> What am I missing?
>>>
>>
>> --
>> RAZ-RIPE
>> Technological Systems CJSC
>> Senior Network Engineer
>>
>>
>
--
RAZ-RIPE
Technological Systems CJSC
Senior Network Engineer
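The mechanism under discussion, as an added example that is not part of the thread: a small Python model of the receiving router ISP2 that replays the thread's configuration (inbound route-map matching community 1:666, next hop rewritten to 192.168.255.1, which is statically routed to Null0) and applies the eBGP next-hop check with and without ebgp-multihop. It is a simplification of IOS behaviour written for this post, not IOS code; the route entries, community and addresses are constructed from the two configs quoted above, and the assumption it encodes is the one in the reply: without multihop an eBGP next hop must lie on a directly connected subnet, with multihop it is resolved recursively through the RIB.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    next_hop: Optional[str]            # None: connected or Null0, nothing to resolve
    kind: str                          # "connected", "static-null" or "bgp"
    community: Set[str] = field(default_factory=set)


def longest_match(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix lookup of addr in a list of routes."""
    a = ipaddress.IPv4Address(addr)
    hits = [r for r in routes if a in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def apply_isp1in(route: Route, community_list: Set[str], blackhole_nh: str) -> Route:
    """Model of route-map ISP1In: seq 10 matches the community list and sets the
    next hop to the black-hole address; seq 20 permits everything else unchanged."""
    if route.community & community_list:
        return Route(route.prefix, blackhole_nh, "bgp", set(route.community))
    return route


def next_hop_state(nh: str, rib: List[Route], connected: List[Net], ebgp_multihop: bool) -> str:
    """Assumed IOS rule: eBGP without multihop requires the next hop on a connected
    subnet; with multihop the next hop is resolved recursively in the RIB."""
    a = ipaddress.IPv4Address(nh)
    if not ebgp_multihop:
        return "accessible" if any(a in n for n in connected) else "inaccessible"
    return "accessible" if longest_match(rib, nh) else "inaccessible"


def build_isp2(ebgp_multihop: bool):
    """Build ISP2's RIB from the quoted config, run the two prefixes ISP1 announces
    (1.0.0.0/8 and the black-holed 1.0.0.1/32) through the inbound route-map and
    the next-hop check, and install only those whose next hop is accessible."""
    connected = [Net("3.0.0.0/24"), Net("192.168.52.0/24")]
    rib = [
        Route(Net("3.0.0.0/24"), None, "connected"),
        Route(Net("192.168.52.0/24"), None, "connected"),
        Route(Net("192.168.255.1/32"), None, "static-null"),   # ip route ... Null0
    ]
    # Constructed sample of what ISP1 sends (community 1:666 on the /32 only).
    received = [
        Route(Net("1.0.0.0/8"), "3.0.0.1", "bgp"),
        Route(Net("1.0.0.1/32"), "3.0.0.1", "bgp", {"1:666"}),
    ]
    states = {}
    for r in received:
        r2 = apply_isp1in(r, {"1:666"}, "192.168.255.1")
        state = next_hop_state(r2.next_hop, rib, connected, ebgp_multihop)
        states[str(r2.prefix)] = state
        if state == "accessible":
            rib.append(r2)
    return rib, states


def forward(rib: List[Route], dst: str) -> str:
    """Forwarding decision for dst: 'Null0' (dropped), the resolved next-hop
    address, 'connected', or 'no route'."""
    r = longest_match(rib, dst)
    if r is None:
        return "no route"
    if r.kind == "bgp":
        # one level of recursive resolution through non-BGP routes
        via = longest_match([x for x in rib if x.kind != "bgp"], r.next_hop)
        if via is None:
            return "no route"
        return "Null0" if via.kind == "static-null" else r.next_hop
    return "Null0" if r.kind == "static-null" else "connected"


if __name__ == "__main__":
    for multihop in (False, True):
        rib, states = build_isp2(multihop)
        print(f"ebgp-multihop={multihop}: {states}; 1.0.0.1 -> {forward(rib, '1.0.0.1')}")
```

Without multihop the /32 fails the connected check and is not installed, so 1.0.0.1 falls back to the covering 1.0.0.0/8 via 3.0.0.1 and traffic still gets through, which is the symptom in the original post; with multihop the /32 installs, recurses onto the static Null0 route and the traffic is dropped. The same check can also be relaxed on IOS with `neighbor 3.0.0.1 disable-connected-check`, which is worth knowing when the peer really is one hop away and raising the TTL is not wanted.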