[c-nsp] Redistribute interface address as a /32 or /128 into BGP

Saku Ytti saku at ytti.fi
Wed Mar 10 07:21:55 EST 2021


You can create a static route pointing to the interface and
redistribute that static route.

But you're doing it wrong. I'm not sure what is right without
understanding more accurately what you are doing, but some flavor of

a) have different logical interfaces for edge and !edge, with different ACLs
b) have VRF

On Wed, 10 Mar 2021 at 13:02, Johannes Erwerle
<jo+cisco-nsp at swagspace.org> wrote:
>
> Hello.
>
> I have a network, e.g. 10.0.0.0/24 with several routers that have
> interfaces (let's say they are 10.0.0.2 and .3) that are connected in the
> same L2 (because they are running VRRP). The routers are connected to a
> backbone network. There is also a customer in this network. Of course I
> want to put an ACL for anti spoofing (and some other things) on the
> customer facing interfaces of the routers.
>
> Now some of my monitoring and management traffic, which is addressed to
> the customer facing interface addresses takes the shortest path into
> 10.0.0.0/24 and through this network and might then hit the interface of
> the router. But there is an ACL that blocks that, because it looks like
> the customer spoofed the source address of the monitoring system.
>
> I basically see 2 "solutions":
> 1. open up the ACL to allow monitoring/management traffic from inside
> the network. Not nice, because that allows the customer to spoof some of
> our addresses...
> 2. announce the interface addresses (10.0.0.2 and 10.0.0.3 in this case)
> as a /32 into the backbone so that they are more specifics and take the
> right way through the backbone and not through the 10.0.0.0/24 network.
>
> My problem is that I can not convince my router to announce the
> interface addresses. I tried to simply add a
>
> network 10.0.0.2
>
> to the BGP config, but apparently the local routes that the router
> creates for its interfaces are not announced.
> Also there is no "redistribute local" to tell the router to do that.
> Adding a null-route with 10.0.0.2/32 does not work because the local
> route exists in the routing table and the null route is therefore not
> considered for redistribution.
>
> Does anyone know of any hacks I could do to achieve this?
>
> Of course the same problem exists for IPv6 with the appropriate subnet
> masks.
>
> Greetings
> Jo
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



-- 
  ++ytti
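An added illustration of the static-route-then-redistribute approach Saku mentions, in IOS-style syntax; this is not his configuration, and the interface name, AS number, route-map and prefix-list names, and the IPv6 documentation addresses are assumed. As Jo already observed with the null route, a /32 static competes with the router's own local route for the interface address, so confirm with `show ip route 10.0.0.2` that the static actually installs on your platform before relying on the redistribution.

```cisco
! Host route for this router's own customer-facing address, pointing at the
! interface itself (interface name assumed). Whether this wins over the
! router's local /32 is platform dependent: verify with "show ip route".
ip route 10.0.0.2 255.255.255.255 GigabitEthernet0/1
ipv6 route 2001:db8:0:1::2/128 GigabitEthernet0/1
!
! Only the interface host routes may leak from static into BGP; everything
! else that is static stays out of the backbone.
ip prefix-list INTF-HOSTS seq 10 permit 10.0.0.2/32
ipv6 prefix-list INTF-HOSTS6 seq 10 permit 2001:db8:0:1::2/128
!
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list INTF-HOSTS
route-map STATIC-TO-BGP deny 20
!
route-map STATIC6-TO-BGP permit 10
 match ipv6 address prefix-list INTF-HOSTS6
route-map STATIC6-TO-BGP deny 20
!
router bgp 64512
 address-family ipv4 unicast
  redistribute static route-map STATIC-TO-BGP
 address-family ipv6 unicast
  redistribute static route-map STATIC6-TO-BGP
```

The /32 and /128 then become more specific than the connected 10.0.0.0/24 in the backbone, so management traffic reaches the router via the backbone path instead of entering the customer-facing segment and tripping the anti-spoofing ACL.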

