BGP Prefix problem

joemarr_brodart
Level 1

I have what I think is a simple problem:

I have BGP set up between a couple of providers. The providers support blackhole announcements (they block traffic to one of my IPs when I announce it to them via BGP using a specific community).

I currently have a /18 that I have the following configuration for:

router bgp XXX1
 network XXX.XXX.XXX.XXX mask 255.255.192.0
 neighbor yyy.yyy.yyy.yyy route-map PROVIDER-TRANSIT-INBOUND out

ip route XXX.XXX.XXX.XXX 255.255.192.0 null0

ip prefix-list ISP-BlackedHole seq 1 permit ZZZ.ZZZ.ZZZ.ZZZ/32
ip prefix-list ISP-BlackedHole seq 100 deny 0.0.0.0/0 le 32
ip prefix-list Transit-00 seq 20 permit XXX.XXX.XXX.XXX/18

route-map PROVIDER-TRANSIT-INBOUND permit 10
 match ip address prefix-list ISP-BlackedHole
 set community XXXX:YYYY
!
route-map PROVIDER-TRANSIT-INBOUND permit 20
 match ip address prefix-list Transit-00
!

The intent is to send the IP that is under attack (in this case ZZZ.ZZZ.ZZZ.ZZZ) to the provider via BGP tagged with their community.

After resetting the peering, I noticed that only the /18 was being sent out. When I do a "show ip bgp prefix ISP-BlackHole", nothing is returned. For some reason ZZZ.ZZZ.ZZZ.ZZZ is not being advertised out, only the aggregate is.

What am I doing wrong?

7 Replies

Harold Ritter
Cisco Employee

Joe,

How do you originate the /32 prefix? You need to make sure it is in the RIB and that you use a network statement or that you redistribute it into BGP.

Also make sure that you have a "neighbor send-community" if you want the ISP to receive the community that you set in the route-map. The community will not be sent by default.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

I've tried 2 methods:

* The IP is part of a /XX that is assigned to a port in our network, which is redistributed (and seen by the BGP routers) into our network via OSPF. This is preferred over the next option.

* null routing the IP on the routers doing BGP.

Joe,

If the /32 is not present in BGP then it cannot be advertised to your ISP.

Do you see the /32 in your BGP table (show ip bgp)?

Regards

Harold Ritter

duh,

no I only see the /18 :(

So, between the network command and the null route, I'm redistributing the /18 into BGP.

So I would need to somehow redistribute the IP into BGP. I assume I don't want to redistribute my entire OSPF table for various reasons, but I could redistribute the /32 using a route-map, yes?

say

router bgp XXXX
 redistribute static route-map static-routes
!
route-map static-routes permit 10
 match ip address prefix-list ISP-Blackhole

Joe,

That is correct. You could redistribute the /32 selectively using a route-map but it would be safer to use a network statement for that specific /32 though.

Regards

Harold Ritter

I'll give it some thought regarding network statement vs. route-map.

Thanks for the help.
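Putting the thread's advice together (originate the /32 with its own network statement backed by a Null0 static route, and enable send-community so the tag actually reaches the provider), here is an added example configuration; it is not from the original posts, and the AS numbers, the 10.64.0.0/18 aggregate, the 10.64.1.10 victim address, the 198.51.100.1 neighbor and the 64500:666 community are placeholders to be replaced with the provider's real values.

```cisco
! Added example, not from the thread. All addresses, AS numbers and the
! community value are placeholders; the provider supplies the real community.
router bgp 64496
 ! The aggregate is originated exactly as before.
 network 10.64.0.0 mask 255.255.192.0
 ! The victim host route gets its own network statement. A network
 ! statement only installs a BGP route when an exact match exists in the RIB.
 network 10.64.1.10 mask 255.255.255.255
 neighbor 198.51.100.1 remote-as 64500
 ! Without this line the community set in the route-map is stripped on egress.
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map PROVIDER-TRANSIT-OUT out
!
! Static routes to Null0 put both prefixes in the RIB; the /32 also discards
! attack traffic locally. Removing the /32 lines withdraws the blackhole.
ip route 10.64.0.0 255.255.192.0 Null0
ip route 10.64.1.10 255.255.255.255 Null0
!
! Only host routes inside our own aggregate belong in the blackhole list.
ip prefix-list ISP-BLACKHOLE seq 5 permit 10.64.1.10/32
ip prefix-list TRANSIT-OUT seq 5 permit 10.64.0.0/18
!
! Sequence 10 tags the blackhole /32; sequence 20 passes the aggregate
! untagged. The implicit deny at the end keeps everything else inside.
route-map PROVIDER-TRANSIT-OUT permit 10
 match ip address prefix-list ISP-BLACKHOLE
 set community 64500:666
!
route-map PROVIDER-TRANSIT-OUT permit 20
 match ip address prefix-list TRANSIT-OUT
!
! Verification from exec mode:
!   show ip bgp 10.64.1.10/32
!   show ip bgp prefix-list ISP-BLACKHOLE
!   show ip bgp neighbors 198.51.100.1 advertised-routes
```

The first two show commands confirm the /32 made it into the local BGP table, which is the step the original configuration was missing; the third confirms both prefixes are being sent to the provider.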

Mohamed Sobair
Level 7

Hi,

1- First of all, you have to advertise the ZZZ network to your BGP neighbor, as it does not seem to be in the IP routing table nor advertised. Verify...

2- Your XXX network is not advertised but rather dropped due to the Null0 static route, which is preferred over the BGP AD.

3- You have to send the community to the neighbor.

HTH

Mohamed
