[c-nsp] Redistribute interface address as a /32 or /128 into BGP

Johannes Erwerle jo+cisco-nsp at swagspace.org
Wed Mar 10 05:51:35 EST 2021


Hello.

I have a network, e.g. 10.0.0.0/24 with several routers that have
interfaces (let's say they are 10.0.0.2 and .3) that are connected in the
same L2 (because they are running VRRP). The routers are connected to a
backbone network. There is also a customer in this network. Of course I
want to put an ACL for anti spoofing (and some other things) on the
customer facing interfaces of the routers.

Now some of my monitoring and management traffic, which is addressed to
the customer facing interface addresses takes the shortest path into
10.0.0.0/24 and through this network and might then hit the interface of
the router. But there is an ACL that blocks that, because it looks like
the customer spoofed the source address of the monitoring system.

I basically see 2 "solutions":
1. open up the ACL to allow monitoring/management traffic from inside
the network. Not nice, because that allows the customer to spoof some of
our addresses...
2. announce the interface addresses (10.0.0.2 and 10.0.0.3 in this case)
as a /32 into the backbone so that they are more specifics and take the
right way through the backbone and not through the 10.0.0.0/24 network.

My problem is that I can not convince my router to announce the
interface addresses. I tried to simply add a

network 10.0.0.2

to the BGP config, but apparently the local routes that the router
creates for its interfaces are not announced.
Also there is no "redistribute local" to tell the router to do that.
Adding a null-route with 10.0.0.2/32 does not work because the local
route exists in the routing table and the null route is therefore not
considered for redistribution.

Does anyone know of any hacks I could do to achieve this?

Of course the same problem exists for IPv6 with the appropriate subnet
masks.

Greetings
Jo
