[e-nsp] Getting ExtremeWare to accept Null Routes via BGP

Jo Rhett jrhett at svcolo.com
Wed Feb 13 16:32:38 EST 2008


On Feb 13, 2008, at 12:19 PM, Drew Weaver wrote:
> Actually, 192.0.2.0 is part of IANA's "documentation network".
>
> Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
>                                   192.0.0.0 - 192.0.127.255
> Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
>                                   192.0.2.0 - 192.0.2.255

Yes, and that has been used to scan the internet for tests of various  
sorts.

> And the reason I used it was because it was the example in Cisco's  
> Real Time Black Hole documentation, so I think I'm alright.

No, Cisco got blasted for having done that.  They were supposed to  
fix all references to that.

> But I ended up with this in the end.
> ERROR: 192.0.2.1 is an interface address.

Sorry, I made a mistype when I changed my configuration to use your  
IPs.  Use this instead:

create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
enable loopback-mode vlan "dropPackets"

create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.2 00:11:22:33:44:55

(or reverse it and use 2.1 for blackhole and 2.2 for local interface,  
doesn't matter)

> -----Original Message-----
> From: Jo Rhett [mailto:jrhett at svcolo.com]
> Sent: Wednesday, February 13, 2008 3:02 PM
> To: Drew Weaver
> Cc: 'extreme-nsp at puck.nether.net'
> Subject: Re: [e-nsp] Getting ExtremeWare to accept Null Routes via BGP
>
> So first you should know that any packet you blackhole is handled in
> software at the CPU, not by ASIC.  Yeah, ignore the docs.  And yeah,
> extreme support will claim otherwise until you show them the cpu
> counters and they escalate and engineering will confirm.  You can't
> do an IP blackhole without all that traffic going to CPU.  You must
> use a mac-level blackhole.
>
> Do this:
>
> create vlan dropPackets
> configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
> enable loopback-mode vlan "dropPackets"
>
> create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
> configure iparp add 192.168.2.1 00:11:22:33:44:55
>
> You'll notice that I changed the IP address from 192.0.2.1 to
> 192.168.2.1.  Yes, and you should too.  192.0 is a valid, routable IP
> block in use on the Internet.  192.168.x.x is non-routable, and
> that's what you should be using.
>
> On Feb 8, 2008, at 7:05 PM, Drew Weaver wrote:
>>         Hi there, I am trying to add our one remaining black
>> diamond to our RTBH configuration and I am finding it difficult to
>> get ExtremeWare to accept routes into BGP which the "NextHop" is
>> unreachable.
>>
>> Of course, I made the NextHop unreachable, because that is the
>> point...
>>
>> i.e.
>>
>> 02/09/2008 02:00:34.94 <Summ:BGP.UpdateIn.RtRejNhUnreach> NLRI 10.1.2.184 /255.255.255.248 Type unicast Reject: NextHop 192.0.2.1 is unreachable
>>
>> configure iproute add blackhole 192.0.2.1 255.255.255.255
>>
>> we have that static route so that when we add a route to our route-
>> server with the destination of 192.0.2.1 it will automatically
>> Blackhole it on every switch on our network.
>>
>> Does anyone have any clues?
>>
>> Thanks,
>> -Drew
>
> --
> Jo Rhett
> senior geek
>
> Silicon Valley Colocation
> Support Phone: 408-400-0550
>
>
>
>

-- 
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550
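
An added example, not part of the original message: a small Python check for a dropPackets-style address plan, meant to be run before the commands are pasted into a switch. It flags the mistake behind "ERROR: ... is an interface address" (the static ARP entry pointing at the VLAN's own address on a /32) and reports which reserved range the next hop falls in; the function names and the RANGES table are made up for this illustration.

```python
import ipaddress

# Reserved ranges relevant to the thread (constructed lookup table).
RANGES = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 5737 documentation": ["192.0.2.0/24", "198.51.100.0/24",
                               "203.0.113.0/24"],
}

def classify(addr):
    """Name the reserved range an address belongs to, if any."""
    ip = ipaddress.ip_address(addr)
    for label, nets in RANGES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "not in a reserved range listed here"

def check_plan(iface_ip, netmask, sink_ip):
    """Return the problems found in a plan; an empty list means none.

    iface_ip/netmask: the 'configure vlan ... ipaddress' arguments.
    sink_ip: the 'configure iparp add' address, i.e. the BGP next hop
    that is bound to the blackholed MAC.
    """
    iface = ipaddress.ip_interface(f"{iface_ip}/{netmask}")
    sink = ipaddress.ip_address(sink_ip)
    net = iface.network
    problems = []
    if sink == iface.ip:
        problems.append("sink is the interface address")
    if sink not in net:
        problems.append("sink is outside the VLAN subnet")
    elif net.prefixlen < 31 and sink in (net.network_address,
                                         net.broadcast_address):
        problems.append("sink is the network or broadcast address")
    if net.prefixlen == 32:
        problems.append("a /32 leaves no second address for the ARP entry")
    return problems

if __name__ == "__main__":
    plans = [
        ("192.168.2.1", "255.255.255.255", "192.168.2.1"),  # quoted config
        ("192.168.2.1", "255.255.255.252", "192.168.2.2"),  # corrected config
    ]
    for iface_ip, mask, sink in plans:
        print(sink, classify(sink), check_plan(iface_ip, mask, sink) or "OK")
```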





