06-27-2006 07:39 AM
Hello,
I've tried to set up blackhole routing in our network using the guide at http://www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf
We have two Cat 6506 (BGP route reflectors), some Cat 3750/3550 (RR clients) and Cisco 7505 as the trigger router. We use Multi VRF CE, OSPF is the main routing protocol in every VRF, BGP is used only for distributing blackhole information.
Using the following configuration I've successfully distributed the blackhole route 10.0.0.1/32 from the 7505 to the 6506 in the core network, but not in the VRF. I must be missing something, can you help me?
Thanks. Jan Klicka
===== Trigger router configuration - Loopback0 (CORE) 192.168.0.54 =====
ip vrf XXX
rd 65000:4
router bgp 65000
no synchronization
bgp log-neighbor-changes
redistribute static route-map static-to-BGP
neighbor 192.168.0.50 remote-as 65000
neighbor 192.168.0.50 update-source Loopback0
no auto-summary
!
address-family ipv4 vrf XXX
redistribute static route-map static-to-BGP-vrf-XXX
no auto-summary
no synchronization
exit-address-family
!
route-map static-to-BGP-vrf-XXX permit 10
match tag 666
set ip next-hop 192.168.255.254
set local-preference 50
set origin igp
set extcommunity rt 65000:66604
set community no-export
!
route-map static-to-BGP-vrf-JKPS deny 20
!
route-map static-to-BGP permit 10
match tag 666
set ip next-hop 192.168.255.254
set local-preference 50
set origin igp
set community no-export
!
route-map static-to-BGP deny 20
!
ip route 10.0.0.1 255.255.255.255 Null0 tag 666
ip route vrf JKPS 10.0.0.1 255.255.255.255 Null0 tag 666
===== Core Cat 6506 - Loopback0 (CORE) 192.168.0.50 =====
ip vrf XXX
rd 65000:4
route-target export 65000:66604
route-target import 65000:66604
router bgp 65000
bgp router-id 192.168.0.50
bgp cluster-id 300
bgp log-neighbor-changes
neighbor 192.168.0.54 remote-as 65000
neighbor 192.168.0.54 update-source Loopback0
!
address-family ipv4
neighbor 192.168.0.54 activate
neighbor 192.168.0.54 route-reflector-client
no auto-summary
no synchronization
exit-address-family
!
ip route 192.168.255.254 255.255.255.255 Null0
ip route vrf XXX 192.168.255.254 255.255.255.255 Null0
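An added check, not part of Jan's post or the Cisco guide: a small Python lint of the trigger-router statements an RTBH setup depends on (VRF definitions, tagged Null0 statics, the redistribute route-map per address family, and the route-map entries themselves). The configuration text is the posted one, abridged to the lines the lint reads, with the JKPS/XXX inconsistency kept exactly as posted so the lint reports it; everything else (the checks, the "fixed" variant) is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the trigger-router configuration as posted in the thread,
# abridged to the statements the lint reads. The JKPS/XXX mismatch is kept
# deliberately, exactly as in the original post.
TRIGGER_CONFIG = """\
ip vrf XXX
router bgp 65000
 redistribute static route-map static-to-BGP
 !
 address-family ipv4 vrf XXX
  redistribute static route-map static-to-BGP-vrf-XXX
 exit-address-family
!
route-map static-to-BGP-vrf-XXX permit 10
 match tag 666
 set ip next-hop 192.168.255.254
 set community no-export
!
route-map static-to-BGP-vrf-JKPS deny 20
!
route-map static-to-BGP permit 10
 match tag 666
 set ip next-hop 192.168.255.254
 set community no-export
!
route-map static-to-BGP deny 20
!
ip route 10.0.0.1 255.255.255.255 Null0 tag 666
ip route vrf JKPS 10.0.0.1 255.255.255.255 Null0 tag 666
"""
# Same text with the VRF name made consistent (constructed "after" case).
FIXED_CONFIG = TRIGGER_CONFIG.replace("JKPS", "XXX")


def parse_config(text):
    """Line-based parse of the few IOS statements an RTBH trigger relies on."""
    cfg = {"vrfs": set(), "static_routes": [], "redistribute": {},
           "route_maps": defaultdict(list)}
    scope = None   # "global" under router bgp, the VRF name under its address-family
    entry = None   # route-map entry currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            entry = None
        elif m := re.match(r"ip vrf (\S+)$", line):
            cfg["vrfs"].add(m.group(1)); scope = None
        elif line.startswith("router bgp "):
            scope = "global"
        elif m := re.match(r"address-family ipv4 vrf (\S+)", line):
            scope = m.group(1)
        elif line == "exit-address-family":
            scope = "global"
        elif (m := re.match(r"redistribute static route-map (\S+)", line)) and scope:
            cfg["redistribute"][scope] = m.group(1)
        elif m := re.match(r"route-map (\S+) (permit|deny) (\d+)", line):
            scope = None
            entry = {"action": m.group(2), "seq": int(m.group(3)),
                     "tag": None, "next_hop": None, "community": None}
            cfg["route_maps"][m.group(1)].append(entry)
        elif entry and (m := re.match(r"match tag (\d+)", line)):
            entry["tag"] = int(m.group(1))
        elif entry and (m := re.match(r"set ip next-hop (\S+)", line)):
            entry["next_hop"] = m.group(1)
        elif entry and (m := re.match(r"set community (\S+)", line)):
            entry["community"] = m.group(1)
        elif m := re.match(r"ip route(?: vrf (\S+))? (\S+) \S+ Null0 tag (\d+)", line):
            cfg["static_routes"].append((m.group(1) or "global", m.group(2), int(m.group(3))))
    return cfg


def lint_trigger(cfg):
    """Return findings as strings; an empty list means the trigger is consistent."""
    findings = []
    for vrf, prefix, tag in cfg["static_routes"]:
        if vrf != "global" and vrf not in cfg["vrfs"]:
            findings.append(f"static route {prefix} tag {tag} references undefined VRF {vrf}")
    for scope, rm in cfg["redistribute"].items():
        entries = cfg["route_maps"].get(rm)
        if not entries:
            findings.append(f"{scope}: redistribute references undefined route-map {rm}")
            continue
        tags_here = {t for v, _, t in cfg["static_routes"] if v == scope}
        for e in (e for e in entries if e["action"] == "permit"):
            if e["tag"] not in tags_here:
                findings.append(f"{scope}: {rm} seq {e['seq']} matches tag {e['tag']} "
                                "but no Null0 static route in this scope carries it")
            if e["next_hop"] is None:
                findings.append(f"{scope}: {rm} seq {e['seq']} sets no next-hop")
            if e["community"] != "no-export":
                findings.append(f"{scope}: {rm} seq {e['seq']} lacks community no-export")
    for name in sorted(set(cfg["route_maps"]) - set(cfg["redistribute"].values())):
        findings.append(f"route-map {name} is defined but never referenced (typo in VRF name?)")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", TRIGGER_CONFIG), ("VRF name fixed", FIXED_CONFIG)):
        print(label, lint_trigger(parse_config(text)) or ["no findings"])
```

Run against the posted text it reports three things: the VRF static route points at an undefined VRF, the VRF XXX address family redistributes a route-map whose tag no static in that VRF carries, and route-map static-to-BGP-vrf-JKPS is never referenced. With the VRF name made consistent the lint is clean, which is the state the rest of the thread starts from.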
06-27-2006 08:28 AM
Hi, looks like you are missing a static route in the trigger router:
ip route vrf XXX 10.0.0.1 255.255.255.255 Null0 tag 666
Or you configure everything for VRF JKPS in the trigger router.
Hope this helps! Please rate all posts.
Regards, Martin
06-27-2006 08:47 AM
Sorry, cut&paste operation was "off-by-one-line". The route is in the configuration of trigger router:
ip route vrf XXX 10.0.0.1 255.255.255.255 Null0 tag 666
06-27-2006 09:06 AM
Hello Jan,
hopefully your editor did not cut the following :)
Trigger router:
router bgp 65000
address-family vpnv4
neighbor 192.168.0.50 activate
neighbor 192.168.0.50 send-community both
exit-address-family
In the 6506:
router bgp 65000
address-family vpnv4
neighbor 192.168.0.54 activate
neighbor 192.168.0.54 send-community both
exit-address-family
This will ensure the VPNv4 routes are sent as well.
You can check the state of your VPNv4 BGP session by:
show ip bgp vpnv4 all summary
or
show bgp vpnv4 unicast all summary
Make sure there is no (NoNeg), as this refers to a session to the neighbor, which did not negotiate VPNv4 capabilities.
Hope this helps! Please rate all posts.
Regards, Martin
06-27-2006 10:07 AM
Hello, Martin,
Bingo! Now I see the correct prefix in VRF XXX, but the next-hop is rewritten to the Loopback address of the trigger router. It is probably the last reason why I cannot see the route in the routing table.
Thanks a lot for your patience. Jan Klicka
d4-cat6506-sw#sh ip bgp ipv4 unicast
BGP table version is 15, local router ID is 192.168.0.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i10.0.0.1/32 192.168.255.254 0 50 0 i
d4-cat6506-sw#sh ip bgp vpnv4 all
BGP table version is 36, local router ID is 192.168.0.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:4 (default for vrf XXX)
*>i10.0.0.1/32 192.168.0.54 0 50 0 i
06-27-2006 10:28 AM
Jan,
The reason is that the BGP NH is changed to the PE loopback address before the update is sent, therefore overwriting the NH that you set in your static-to-bgp route-map.
You can set an outbound route-map on the VPNv4 session to alter the NH to 192.168.255.254.
Hope this helps,
06-27-2006 10:16 PM
Jan,
As Harold pointed out, BGP next-hop processing needs an adjustment. As he stated, a route-map could do the trick. Alternatively one could configure:
ip vrf XXX
rd 65000:4
bgp next-hop 192.168.255.254
and there should be no "next-hop-self" command under address-family vpnv4 on the trigger router.
Hope this helps! Please rate all posts.
Regards, Martin
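An added example, not code from the thread: Python that parses the two outputs the replies rely on, "show ip bgp vpnv4 all summary" for the (NoNeg) check in Martin's earlier post and "show ip bgp vpnv4 all" for the rewritten next hop that Harold and Martin explain. The VPNv4 table is the one Jan pasted; the summary output is constructed, with a hypothetical second client 192.168.0.55 that did not negotiate VPNv4. The discard next-hop and the trigger loopback are the addresses from the thread.

```python
import re

# Output quoted from the thread: "show ip bgp vpnv4 all" on the 6506 after the
# VPNv4 session came up. The next hop is the trigger router's loopback
# (192.168.0.54), not the discard next-hop 192.168.255.254.
VPNV4_TABLE = """\
BGP table version is 36, local router ID is 192.168.0.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:4 (default for vrf XXX)
*>i10.0.0.1/32 192.168.0.54 0 50 0 i
"""

# Output quoted from the thread: the global table, where the next hop survived.
IPV4_TABLE = """\
Network Next Hop Metric LocPrf Weight Path
*>i10.0.0.1/32 192.168.255.254 0 50 0 i
"""

# Constructed sample of "show ip bgp vpnv4 all summary" (not from the thread):
# 192.168.0.54 negotiated VPNv4, a hypothetical second client 192.168.0.55 did not.
VPNV4_SUMMARY = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.0.54    4 65000     140     138       36    0    0 01:10:23        1
192.168.0.55    4 65000      90      91        0    0    0 00:40:02 (NoNeg)
"""

DISCARD_NEXT_HOP = "192.168.255.254"   # routed to Null0 on every RR and PE (thread)
TRIGGER_LOOPBACK = "192.168.0.54"      # trigger router Loopback0 (thread)

# A route row: optional status flags glued to the prefix, then the next hop.
ROW_RE = re.compile(r"^[*>sdhirS ]*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+\.\d+\.\d+\.\d+)\s")
RD_RE = re.compile(r"^Route Distinguisher: (\S+)(?: \(default for vrf (\S+)\))?")


def parse_bgp_table(text):
    """Return (vrf, prefix, next_hop) per route row; vrf is None outside any RD."""
    vrf, rows = None, []
    for line in text.splitlines():
        if m := RD_RE.match(line):
            vrf = m.group(2) or m.group(1)
        elif m := ROW_RE.match(line):
            rows.append((vrf, m.group(1), m.group(2)))
    return rows


def check_blackhole_next_hop(text, prefix, expected=DISCARD_NEXT_HOP,
                             pe_loopbacks=(TRIGGER_LOOPBACK,)):
    """Flag copies of the blackhole prefix whose next hop is not the discard address."""
    findings = []
    for vrf, pfx, nh in parse_bgp_table(text):
        if pfx != prefix or nh == expected:
            continue
        where = f"vrf {vrf}" if vrf else "global table"
        reason = ("next hop rewritten to a PE loopback, so the route resolves toward "
                  "the trigger router instead of Null0" if nh in pe_loopbacks
                  else "unexpected next hop")
        findings.append(f"{where}: {pfx} via {nh} ({reason}; expected {expected})")
    return findings


def noneg_neighbors(summary_text):
    """Neighbors shown as (NoNeg): session up, VPNv4 capability not negotiated."""
    return [line.split()[0] for line in summary_text.splitlines() if "(NoNeg)" in line]


if __name__ == "__main__":
    print("no VPNv4 negotiated:", noneg_neighbors(VPNV4_SUMMARY))
    for f in check_blackhole_next_hop(VPNV4_TABLE, "10.0.0.1/32"):
        print(f)
```

On Jan's output the VPNv4 copy is flagged while the global copy passes, which is exactly the symptom he describes. Once the outbound route-map on the VPNv4 session or "bgp next-hop 192.168.255.254" under "ip vrf XXX" is in place, the same check should return nothing, because the VPNv4 next hop then equals the address every RR and PE routes to Null0.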