blackhole routing and MultiVRF CE

jan.klicka
Level 1

Hello,

I've tried to set up blackhole routing in our network using the guide at http://www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf

We have two Cat 6506 (BGP route reflectors), some Cat 3750/3550 (RR clients) and a Cisco 7505 as the trigger router. We use Multi-VRF CE; OSPF is the main routing protocol in every VRF, and BGP is used only for distributing blackhole information.

Using the following configuration I've successfully distributed the blackhole route 10.0.0.1/32 from the 7505 to the 6506 in the core network, but not in the VRF. I must be missing something, can you help me?

Thanks. Jan Klicka

===== Trigger router configuration - Loopback0 (CORE) 192.168.0.54 =====

ip vrf XXX
 rd 65000:4
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute static route-map static-to-BGP
 neighbor 192.168.0.50 remote-as 65000
 neighbor 192.168.0.50 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf XXX
  redistribute static route-map static-to-BGP-vrf-XXX
  no auto-summary
  no synchronization
 exit-address-family
!
route-map static-to-BGP-vrf-XXX permit 10
 match tag 666
 set ip next-hop 192.168.255.254
 set local-preference 50
 set origin igp
 set extcommunity rt 65000:66604
 set community no-export
!
route-map static-to-BGP-vrf-JKPS deny 20
!
route-map static-to-BGP permit 10
 match tag 666
 set ip next-hop 192.168.255.254
 set local-preference 50
 set origin igp
 set community no-export
!
route-map static-to-BGP deny 20
!
ip route 10.0.0.1 255.255.255.255 Null0 tag 666
ip route vrf JKPS 10.0.0.1 255.255.255.255 Null0 tag 666

===== Core Cat 6506 - Loopback0 (CORE) 192.168.0.50 =====

ip vrf XXX
 rd 65000:4
 route-target export 65000:66604
 route-target import 65000:66604
router bgp 65000
 bgp router-id 192.168.0.50
 bgp cluster-id 300
 bgp log-neighbor-changes
 neighbor 192.168.0.54 remote-as 65000
 neighbor 192.168.0.54 update-source Loopback0
 !
 address-family ipv4
  neighbor 192.168.0.54 activate
  neighbor 192.168.0.54 route-reflector-client
  no auto-summary
  no synchronization
 exit-address-family
!
ip route 192.168.255.254 255.255.255.255 Null0
ip route vrf XXX 192.168.255.254 255.255.255.255 Null0


6 Replies

mheusinger
Level 10

Hi, looks like you are missing a static route in the trigger router:

ip route vrf XXX 10.0.0.1 255.255.255.255 Null0 tag 666

Or you configure everything for VRF JKPS in the trigger router.

Hope this helps! Please rate all posts.

Regards, Martin

Sorry, the cut&paste operation was "off by one line". The route is in the configuration of the trigger router:

ip route vrf XXX 10.0.0.1 255.255.255.255 Null0 tag 666

Hello Jan,

Hopefully your editor did not cut the following :)

Trigger router:

router bgp 65000
 address-family vpnv4
  neighbor 192.168.0.50 activate
  neighbor 192.168.0.50 send-community both
 exit-address-family

In the 6506:

router bgp 65000
 address-family vpnv4
  neighbor 192.168.0.54 activate
  neighbor 192.168.0.54 send-community both
 exit-address-family

This will ensure the VPNv4 routes are sent as well.

You can check the state of your VPNv4 BGP session by:

show ip bgp vpnv4 all summary

or

show bgp vpnv4 unicast all summary

Make sure there is no (NoNeg), as this indicates a session with a neighbor that did not negotiate VPNv4 capabilities.

Hope this helps! Please rate all posts.

Regards, Martin

Hello Martin,

Bingo! Now I see the correct prefix in VRF XXX, but the next hop is rewritten to the Loopback address of the trigger router. It is probably the last reason why I cannot see the route in the routing table.

Thanks a lot for your patience. Jan Klicka

d4-cat6506-sw#sh ip bgp ipv4 unicast
BGP table version is 15, local router ID is 192.168.0.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i10.0.0.1/32      192.168.255.254          0     50      0 i

d4-cat6506-sw#sh ip bgp vpnv4 all
BGP table version is 36, local router ID is 192.168.0.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:4 (default for vrf XXX)
*>i10.0.0.1/32      192.168.0.54             0     50      0 i

Jan,

The reason is that the BGP NH is changed to the PE loopback address before the update is sent, therefore overwriting the NH that you set in your static-to-bgp route-map.

You can set an outbound route-map on the VPNv4 session to alter the NH to 192.168.255.254.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Jan,

As Harold pointed out, BGP next-hop processing needs an adjustment. As he stated, a route-map could do the trick. Alternatively one could configure:

ip vrf XXX
 rd 65000:4
 bgp next-hop 192.168.255.254

and there should be no "next-hop-self" command under address-family vpnv4 on the trigger router.

Hope this helps! Please rate all posts.

Regards, Martin
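An added example, not config from the thread, showing what Harold's outbound route-map on the VPNv4 session and Martin's bgp next-hop alternative look like on the trigger router. The community-list name BLACKHOLE and route-map name vpnv4-blackhole-nh are assumed, and it is assumed (following Harold's statement) that the IOS release in use honours set ip next-hop in an outbound VPNv4 route-map.

```cisco
! Trigger router 192.168.0.54 (constructed example, not the thread's config)
!
! Option A (Harold): an outbound route-map on the VPNv4 session rewrites the
! next hop of blackhole routes back to the sinkhole address after the PE has
! replaced it with its own loopback. Blackhole routes are recognised by the
! no-export community that route-map static-to-BGP-vrf-XXX already attaches.
ip community-list standard BLACKHOLE permit no-export
!
route-map vpnv4-blackhole-nh permit 10
 match community BLACKHOLE
 set ip next-hop 192.168.255.254
!
route-map vpnv4-blackhole-nh permit 20
 ! every other VPNv4 route is sent unchanged
!
router bgp 65000
 address-family vpnv4
  neighbor 192.168.0.50 activate
  neighbor 192.168.0.50 send-community both
  neighbor 192.168.0.50 route-map vpnv4-blackhole-nh out
 exit-address-family
!
! Option B (Martin): originate every route exported from VRF XXX with the
! sinkhole as next hop, and keep next-hop-self off the VPNv4 session.
! Use one option, not both.
! ip vrf XXX
!  rd 65000:4
!  bgp next-hop 192.168.255.254
!
! With either option the 6506 must still resolve 192.168.255.254 to Null0
! inside the VRF (its existing
! "ip route vrf XXX 192.168.255.254 255.255.255.255 Null0"), otherwise the
! received VPNv4 route has an unreachable next hop and never enters the VRF
! routing table.
```

After applying either option, "show ip bgp vpnv4 vrf XXX" on the 6506 should list 10.0.0.1/32 with next hop 192.168.255.254 instead of 192.168.0.54.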
