[c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k)

Blake Dunlap ikiris at gmail.com
Thu Aug 15 16:14:03 EDT 2013


There are a good many ways to deal with this. What you need to do is read
up and make sure you understand what the labels are actually pointing to
and what that means for the forwarding process, especially on a hardware
platform like your endpoint in question.

This isn't one of those tell me how to do it problems, but one of those you
need to understand the architecture so you can know what you want to do on
your network to fix it. I would love to help more, but you haven't given
enough information to offer suggestions on solutions, and honestly, you're
probably better off deciding them yourself since you know your network
better than anyone here would anyway.


-Blake


On Thu, Aug 15, 2013 at 2:35 PM, Aaron <aaron1 at gvtc.com> wrote:

> The next hop of those bh routes is an ip address on the distant end of a
> layer 2 segment which is connected to that border asr9k
>
>
>
> Aaron
>
>
>
> From: Mattias Gyllenvarg [mailto:mattias at gyllenvarg.se]
> Sent: Thursday, August 15, 2013 2:27 PM
> To: Aaron
> Cc: Aaron; cisco-nsp; LavoJM
> Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k)
>
>
>
> I'm 100% on this but.
>
>
>
> Are they destined for the remote end of the link they might not get
> processed.
>
> But if they are destined for the loopback of LER2 then they should.
>
>
>
> On Thu, Aug 15, 2013 at 8:24 PM, Aaron <aaron1 at gvtc.com> wrote:
>
> If ler1 flows everything via 0/0 lsp towards ler2, doesn't ler2 pop all mpls
> tags prior to routing out towards internet via def rt ?..... if so couldn't
> a more specific routing decision be made at that point towards blackhole /32
> routes ?
>
>
>
> Aaron
>
>
>
> p.s. Why was vanilla ip forwarding more straightforward and easier than
> this? :)
>
>
>
>
>
> From: Aaron [mailto:dudepron at gmail.com]
> Sent: Thursday, August 15, 2013 1:16 PM
> To: Aaron
> Cc: LavoJM; cisco-nsp
>
> Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k)
>
>
>
> No label to the blackhole?
>
> If LER1 isn't getting the routes how is it going to build the LSP to the
> blackhole?
>
>
>
> On Thu, Aug 15, 2013 at 2:05 PM, Aaron <aaron1 at gvtc.com> wrote:
>
> Yes mpls core.
>
> Traceroute on pc----- LER1---- mpls core-----LER2----- internet
>                                                 |
>                                                 Blackhole
>
> Yes LER1 does not have those /32 blackhole routes.... it does have the
> def rt towards internet via LER2.
>
> Aaron
>
>
>
> -----Original Message-----
> From: LavoJM [mailto:lavojm at secureobscure.com]
> Sent: Thursday, August 15, 2013 12:41 PM
> To: 'Aaron'
> Subject: RE: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k)
>
> Are you running MPLS in the core, and the first LER does not have a FEC for
> the /32, but it does have one for default/other-internet routes?
>
>
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Aaron
>
> Sent: Thursday, August 15, 2013 11:57 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k)
>
> (x.x.x.x is one of the /32 blackhole routes)
>
> Oh and when I do this on that boundary 9k "traceroute x.x.x.x vrf xyz source
> y.y.y.y" it appears to NOT follow the default route out to the internet and
> it seems that it does follow the more specific blackhole route.  Why would
> mpls l3vpn located computers deeper into my internal network NOT follow this
> more specific route as the packets flow across the forwarding plane of this
> boundary 9k ??
>
> Aaron
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Aaron
> Sent: Thursday, August 15, 2013 11:49 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k)
>
> I have a blackhole security device injecting routes into my internet
> boundary asr9k. I see that the bgp prefixes are rcv'd on my 9k and they are
> installed in the per-vrf rib.  The next hop for those routes is via a
> directly connected interface towards the blackhole. But for some reason I
> continue to see on traceroutes from a computer that's deeper into my
> internal network via mpls l3vpn, that this computer's traceroutes flow right
> past that 9k's more specific routes and follow the default route out to
> the internet.  Any idea why?
>
>
>
> Aaron
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> Kind regards
> Mattias Gyllenvarg
>
>
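
Added illustration, not part of any poster's message: a toy model of the egress PE (LER2 in the thread's diagram) showing how the label LER1 imposes can decide the exit before any IP lookup happens. It assumes LER1 imports only the default route, as stated in the thread, and compares per-prefix with per-VRF VPN label allocation on LER2; the prefixes, next-hop names and label values are constructed.

```python
import ipaddress

# Constructed VRF table on LER2 (egress PE); prefixes and next hops are sample values.
VRF_RIB = {
    "0.0.0.0/0": "internet-peer",
    "192.0.2.66/32": "blackhole-device",
}

def lpm(rib, dst):
    """Longest-prefix match: the lookup plain IP forwarding would perform."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in rib]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return str(best), rib[str(best)]

def allocate_labels(rib, mode):
    """Return (labels advertised per prefix, LER2 label table) for the VRF.
    per-prefix: one label per route, bound directly to that route's next hop.
    per-vrf: one label for the whole VRF, meaning 'pop, then IP lookup'."""
    if mode == "per-vrf":
        return {p: 16000 for p in rib}, {16000: ("ip-lookup", None)}
    adv, lfib = {}, {}
    for i, (prefix, nh) in enumerate(sorted(rib.items())):
        adv[prefix] = 24000 + i
        lfib[24000 + i] = ("forward", nh)
    return adv, lfib

def forward(dst, mode, ler1_imports=("0.0.0.0/0",)):
    """Egress chosen by LER2 for a packet that entered the VPN at LER1."""
    adv, lfib = allocate_labels(VRF_RIB, mode)
    # LER1 only has labels for the routes it imported (assumption: default only).
    ler1_rib = {p: adv[p] for p in ler1_imports}
    _, label = lpm(ler1_rib, dst)      # LER1 picks the VPN label by its own LPM
    action, nh = lfib[label]           # LER2 acts on the label it receives
    if action == "forward":
        return nh                      # no IP lookup: the /32 is never consulted
    return lpm(VRF_RIB, dst)[1]        # label popped, then lookup in the VRF

if __name__ == "__main__":
    for mode in ("per-prefix", "per-vrf"):
        print(mode, "->", forward("192.0.2.66", mode))
```

In this model a traceroute sourced on LER2 itself always uses `lpm(VRF_RIB, ...)`, which matches the observation in the thread that the local traceroute follows the /32 while transit traffic from LER1 does not.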

