01-26-2006 08:14 AM - edited 03-03-2019 11:34 AM
I'm a bit confused about the best usage of a Null0 interface in my scenario and was wondering if someone could clear things up for me. I will be running bgp with 2 ISPs.
I was under the impression that routing our network to the Null0 interface will ensure that it is always advertised (and prevent loops?):
Example:
!ensures our locally sourced route will always be announced?
ip route 3.3.3.0 255.255.254.0 null0
While that seems strange to me, I'll accept it unless someone can tell me otherwise. I've read the following URL, but I don't know if it applies to me specifically --> Use a Static Route to the Null0 Interface for Loop Prevention:
http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801c9a6e.shtml
Additionally, I have reviewed the following template (among others) for a secure border router:
http://www.cymru.com/Documents/secure-ios-template.html
Notice that in this template they are routing bogons to the Null0 interface. That makes sense to me - trap them as they arrive - avoid unnecessary processing.
ip route 1.0.0.0 255.0.0.0 null0
ip route 2.0.0.0 255.0.0.0 null0
....etc....
Is this going to be a problem for me or can I use the Null0 interface for both purposes?:
1. Ensuring our network is always announced / prevent routing loops
2. Black hole bogons
Thanks in advance for advice,
Hutch
01-26-2006 09:32 AM
Hello,
BGP will only announce a network through a "network" command in case the entry has a match in the IP routing table. This is why you use the Null0 route, to organize this entry and additionally have stability in it.
I would recommend in this case to use a floating static route to Null0, like:
ip route 3.3.3.0 255.255.255.0 Null0 190
This will ensure that any IGP announcing it will take precedence over Null0. In case there is no IGP announcing it, you still have it statically in the IP routing table.
Black holing bogons is another valid use of Null0 routes.
So you can for sure use them for both purposes.
Hope this helps! Please rate all posts.
Regards, Martin
01-27-2006 01:06 PM
Martin, perfect - thanks for the response - that answered my question.
I have another related question now....
We won't be getting full routing tables from either ISP. If I route our netblock to null0 with a high AD, should I also route our exits of last resort (assuming I filter any default route sent to me by either ISP)? So something like this:
ip route 3.3.3.0 255.255.254.0 null0 248
ip route 0.0.0.0 0.0.0.0 1.1.1.1 249
ip route 0.0.0.0 0.0.0.0 2.2.2.2 250
...I was told yes a while back, but then recently someone else said (a Juniper admin of all people) that it would be a bad idea because if the line was up but the protocol was down it would still route out that dead interface. That doesn't seem right to me.
As I mentioned in a post a couple months ago - my hope was that:
"The second "ip route" line will send any traffic through ISP #1 if a route has not been learned/found in BGP. The third line says if ISP #1 is down then send that traffic that doesn't have a matching route from BGP out ISP #2."
Can you confirm my theory?
Thanks,
Hutch
For Reference, my older post was:
01-27-2006 01:34 PM
Hi Hutch,
Your idea is right, but there is a chance you could run into problems.
Let's walk through this:
- if you no longer receive a default via BGP, your second line will kick in (as long as the link to ISP1 is up)
- if the link to ISP1 is down, there will be no route to 1.1.1.1 so the second static will not be installed
- if the link to ISP1 is up at this point, the third static will be installed.
- as soon as that is done, there will now be a route to 1.1.1.1 (since IOS will try to recursively find the next-hop) so the second static route will now come up, displacing the third
- when the third static is removed from the routing table, the route to 1.1.1.1 goes down so the second static is again removed from the routing table
- this process will continue indefinitely...
The solution is to use something like this:
ip route 0.0.0.0 0.0.0.0 Serial0 1.1.1.1 249
ip route 0.0.0.0 0.0.0.0 Serial1 2.2.2.2 250
When you do the above, the route will only be up if the specified next-hop is reachable through the specified interface and your setup will work as expected.
The following link may also help:
http://www.cisco.com/warp/public/105/ip_static_routes.html
Hope that helps - pls rate posts that help.
Regards,
Paresh
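The static-route forms discussed in the replies above can be told apart mechanically. The following is an added example, not code from any poster or from Cisco: a small Python audit that classifies each `ip route` line as a fixed or floating Null0 route, a next-hop-only (recursive) route, or an interface-plus-next-hop route, and flags prefixes with host bits set under the given mask. The function name, finding labels and sample config are hypothetical, and the parser handles only the statement forms quoted in this thread (no `name`, `tag` or `track` keywords).

```python
import ipaddress
import re

# Constructed sample: static routes in the forms quoted in this thread.
SAMPLE_CONFIG = """\
ip route 3.3.3.0 255.255.254.0 null0
ip route 3.3.3.0 255.255.255.0 Null0 190
ip route 1.0.0.0 255.0.0.0 null0
ip route 0.0.0.0 0.0.0.0 1.1.1.1 249
ip route 0.0.0.0 0.0.0.0 Serial0 1.1.1.1 249
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (.+)$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def audit_static_routes(config):
    """Return [(line, [findings])] for every 'ip route' statement (hypothetical helper)."""
    results = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix, mask, rest = m.groups()
        tokens = rest.split()
        findings = []
        # strict=True rejects host bits set under the mask (3.3.3.0 with a /23 mask).
        try:
            ipaddress.ip_network(f"{prefix}/{mask}", strict=True)
        except ValueError:
            findings.append("prefix-mask-mismatch")
        # In these forms a trailing integer is the administrative distance.
        ad = int(tokens.pop()) if tokens and tokens[-1].isdigit() else None
        iface = next((t for t in tokens if not IPV4_RE.match(t)), None)
        next_hop = next((t for t in tokens if IPV4_RE.match(t)), None)
        if iface and iface.lower() == "null0":
            # AD above the static default of 1 makes the route "floating".
            findings.append("null0-floating" if ad and ad > 1 else "null0-fixed")
        elif next_hop and not iface:
            findings.append("recursive-next-hop-only")
        elif next_hop and iface:
            findings.append("interface-and-next-hop")
        results.append((line, findings))
    return results


if __name__ == "__main__":
    for line, findings in audit_static_routes(SAMPLE_CONFIG):
        print(f"{line:46} {', '.join(findings)}")
```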
01-31-2006 07:41 AM
I read through the link you provided and it all makes sense that it will only install the route if the *specific* interface is available.
This will be perfect for the time being. Now I'm going to dig a bit further and try to better balance traffic outbound continuously using bgp link bandwidth or other methods.
Thanks for your help Paresh,
Hutch
02-14-2007 08:16 AM
What did you guys think about routing the bogons to null0? I had the same question about this. Would this cause issues with BGP? Would an ACL be sufficient?
Thanks,
Matthew
02-15-2007 08:22 PM
I only route my prefix to null plus the RFC1918.
I have bogons in BGP and also in ACL. If you will be routing them to null, just make sure you remember that you did that. In prefix-list and access-list I always put the version and the date of implementation (or update) to remind me, but when statically routing them to null you have to put something to remind you.
02-16-2007 05:04 AM
Do you have an example of how you used it in BGP?
Thanks,
Matthew
02-16-2007 05:47 AM
From http://www.cymru.com/Documents/secure-bgp-template.html
and
http://www.cymru.com/Documents/secure-ios-template.html
Use only what you feel is appropriate to you and you understand its operation and impact.