[e-nsp] Getting ExtremeWare to accept Null Routes via BGP

infothec infothec at web.de
Sat Feb 23 04:12:51 EST 2008


You might be right or not. What hardware are we talking about?
i-series HW, later Summit HW 400, 450, BD10K, 12K?

Jo Rhett wrote:
> On Feb 13, 2008, at 12:19 PM, Drew Weaver wrote:
>   
>> Actually, 192.0.2.0 is part of IANAs "documentation network".
>>
>> Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
>>                                   192.0.0.0 - 192.0.127.255
>> Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
>>                                   192.0.2.0 - 192.0.2.255
>>     
>
> Yes, and that has been used to scan the internet for tests of various  
> sorts.
>
>   
>> And the reason I used it was because it was the example in Cisco's  
>> Real Time Black Hole documentation, so I think I'm alright.
>>     
>
> No, Cisco got blasted for having done that.  They were supposed to  
> fix all references to that.
>
>   
>> But I ended up with this in the end.
>> ERROR: 192.0.2.1 is an interface address.
>>     
>
> Sorry, I made a mistype when I changed my configuration to use your  
> IPs.  Use this instead:
>
> create vlan dropPackets
> configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
> enable loopback-mode vlan "dropPackets"
>
> create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
> configure iparp add 192.168.2.2 00:11:22:33:44:55
>
> (or reverse it and use 2.1 for blackhole and 2.2 for local interface,  
> doesn't matter)
>
>   
>> -----Original Message-----
>> From: Jo Rhett [mailto:jrhett at svcolo.com]
>> Sent: Wednesday, February 13, 2008 3:02 PM
>> To: Drew Weaver
>> Cc: 'extreme-nsp at puck.nether.net'
>> Subject: Re: [e-nsp] Getting ExtremeWare to accept Null Routes via BGP
>>
>> So first you should know that any packet you blackhole is handled in
>> software at the CPU, not by ASIC.  Yeah, ignore the docs.  And yeah,
>> extreme support will claim otherwise until you show them the cpu
>> counters and they escalate and engineering will confirm.  You can't
>> do an IP blackhole without all that traffic going to CPU.  You must
>> use a mac-level blackhole.
>>
>> Do this:
>>
>> create vlan dropPackets
>> configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
>> enable loopback-mode vlan "dropPackets"
>>
>> create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
>> configure iparp add 192.168.2.1 00:11:22:33:44:55
>>
>> You'll notice that I changed the IP address from 192.0.2.1 to
>> 192.168.2.1.  Yes, and you should too.  192.0 is a valid, routable IP
>> block in use on the Internet.  192.168.x.x is non-routable, and
>> that's what you should be using.
>>
>> On Feb 8, 2008, at 7:05 PM, Drew Weaver wrote:
>>     
>>>         Hi there, I am trying to add our one remaining black
>>> diamond to our RTBH configuration and I am finding it difficult to
>>> get ExtremeWare to accept routes into BGP which the "NextHop" is
>>> unreachable.
>>>
>>> Of course, I made the NextHop unreachable, because that is the
>>> point...
>>>
>>> i.e.
>>>
>>> 02/09/2008 02:00:34.94 <Summ:BGP.UpdateIn.RtRejNhUnreach> NLRI 10.1.2.184 /255.255.255.248 Type unicast Reject: NextHop 192.0.2.1 is unreachable
>>>
>>> configure iproute add blackhole 192.0.2.1 255.255.255.255
>>>
>>> we have that static route so that when we add a route to our route-
>>> server with the destination of 192.0.2.1 it will automatically
>>> Blackhole it on every switch on our network.
>>>
>>> Does anyone have any clues?
>>>
>>> Thanks,
>>> -Drew
>>> _______________________________________________
>>> extreme-nsp mailing list
>>> extreme-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/extreme-nsp
>>>       
>> --
>> Jo Rhett
>> senior geek
>>
>> Silicon Valley Colocation
>> Support Phone: 408-400-0550
>>
>>
>>
>>
>>     
>
>   
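
The two command sets quoted in this thread differ only in the VLAN mask and the static ARP target. As an added example (not part of the original messages, and not Extreme's own logic), the sketch below parses those commands and checks that each static ARP entry points at a blackholed MAC, sits inside the loopback VLAN's subnet, and is not the VLAN's own interface address. The function name `check_blackhole` and the regular expressions are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed inputs: the two command sets as quoted in the thread.
FIRST_ATTEMPT = '''
create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
enable loopback-mode vlan "dropPackets"
create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.1 00:11:22:33:44:55
'''
CORRECTED = '''
create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
enable loopback-mode vlan "dropPackets"
create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.2 00:11:22:33:44:55
'''

# Patterns cover only the command forms that appear in the thread.
VLAN_IP = re.compile(r'configure vlan "?(\w+)"? ipaddress (\S+) (\S+)')
FDB = re.compile(r'create fdbentry (\S+) vlan "?(\w+)"? blackhole dest-mac')
ARP = re.compile(r'configure iparp add (\S+) (\S+)')

def check_blackhole(config):
    """Return a list of problems found in a MAC-level blackhole config (hypothetical checker)."""
    ifaces = {v: ipaddress.ip_interface(f"{ip}/{mask}") for v, ip, mask in VLAN_IP.findall(config)}
    blackhole_macs = {mac.lower(): vlan for mac, vlan in FDB.findall(config)}
    problems = []
    for ip_text, mac in ARP.findall(config):
        ip = ipaddress.ip_address(ip_text)
        vlan = blackhole_macs.get(mac.lower())
        if vlan is None:
            problems.append(f"{ip}: MAC {mac} has no blackhole fdbentry")
            continue
        iface = ifaces.get(vlan)
        if iface is None:
            problems.append(f"{ip}: vlan {vlan} has no ipaddress")
        elif ip == iface.ip:
            problems.append(f"{ip}: is the interface address of vlan {vlan}")
        elif ip not in iface.network:
            problems.append(f"{ip}: outside {iface.network} on vlan {vlan}")
    return problems

if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(name, check_blackhole(cfg) or "ok")
```

Run against the first command set, the checker flags the static ARP entry as the VLAN's own interface address; the corrected set passes.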


