Null0 Usage for Bogons and Ensuring BGP Advert

mhcraig
Level 1

I'm a bit confused about the best usage of a Null0 interface in my scenario and was wondering if someone could clear things up for me. I will be running bgp with 2 ISPs.

I was under the impression that routing our network to the Null0 interface will ensure that it is always advertised (and prevent loops?):

Example:

!ensures our locally sourced route will always be announced?

ip route 3.3.3.0 255.255.254.0 null0

While that seems strange to me, I'll accept it unless someone can tell me otherwise. I've read the following URL, but I don't know if it applies to me specifically --> Use a Static Route to the Null0 Interface for Loop Prevention:

http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801c9a6e.shtml

Additionally, I have reviewed the following template (among others) for a secure border router:

http://www.cymru.com/Documents/secure-ios-template.html

Notice that in this template they are routing bogons to the Null0 interface. That makes sense to me - trap them as they arrive - avoid unnecessary processing.

ip route 1.0.0.0 255.0.0.0 null0

ip route 2.0.0.0 255.0.0.0 null0

....etc....

Is this going to be a problem for me or can I use the Null0 interface for both purposes?:

1. Ensuring our network is always announced / prevent routing loops

2. Black hole bogons

Thanks in advance for advice,

Hutch

Accepted Solution

mheusinger
Level 10

Hello,

BGP will only announce a network through a "network" command in case the entry has a match in the IP routing table. This is why you use the Null0 route, to organize this entry and additionally have stability in it.

I would recommend in this case to use a floating static route to Null0, like:

ip route 3.3.3.0 255.255.255.0 Null0 190

This will ensure that any IGP announcing it will take precedence over Null0. In case there is no IGP announcing it, you still have it statically in the IP routing table.

Black holing bogons is another valid use of Null0 routes.

So you can for sure use them for both purposes.

Hope this helps! Please rate all posts.

Regards, Martin

Martin, perfect - thanks for the response - that answered my question.

I have another related question now....

We won't be getting full routing tables from either ISP. If I route our netblock to null0 with a high AD, should I also route our exits of last resort (assuming I filter any default route sent to me by either ISP)? So something like this:

ip route 3.3.3.0 255.255.254.0 null0 248

ip route 0.0.0.0 0.0.0.0 1.1.1.1 249

ip route 0.0.0.0 0.0.0.0 2.2.2.2 250

...I was told yes a while back, but then recently someone else said (a Juniper admin of all people) that it would be a bad idea because if the line was up but the protocol was down it would still route out that dead interface. That doesn't seem right to me.

As I mentioned in a post a couple months ago - my hope was that:

The second "ip route" line will send any traffic through ISP #1 if a route has not been learned/found in BGP. The third line says if ISP #1 is down then send that traffic that doesn't have a matching route from BGP out ISP #2.

Can you confirm my theory?

Thanks,

Hutch

For Reference, my older post was:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd9ddc1

Hi Hutch,

Your idea is right, but there is a chance you could run into problems.

Let's walk through this:

- if you no longer receive a default via BGP, your second line will kick in (as long as the link to ISP1 is up)

- if the link to ISP1 is down, there will be no route to 1.1.1.1 so the second static will not be installed

- if the link to ISP1 is up at this point, the third static will be installed.

- as soon as that is done, there will now be a route to 1.1.1.1 (since IOS will try to recursively find the next-hop) so the second static route will now come up, displacing the third

- when the third static is removed from the routing table, the route to 1.1.1.1 goes down so the second static is again removed from the routing table

- this process will continue indefinitely...

The solution is to use something like this:

ip route 0.0.0.0 0.0.0.0 Serial0 1.1.1.1 249

ip route 0.0.0.0 0.0.0.0 Serial1 2.2.2.2 250

When you do the above, the route will only be up if the specified next-hop is reachable through the specified interface and your setup will work as expected.

The following link may also help:

http://www.cisco.com/warp/public/105/ip_static_routes.html

Hope that helps - pls rate posts that help.

Regards,

Paresh
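To make Martin's floating-static point and Paresh's walk-through concrete, here is a small added Python model of how IOS decides which static routes to install; it is not Cisco code, and the Serial0/Serial1 names come from Paresh's post while the 2.2.2.0/30 connected subnet and the "Ethernet0" IGP route with AD 110 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Toy model of IOS static-route installation: per prefix the lowest
# administrative distance (AD) wins, a next-hop-only static is installed only
# while its next hop resolves through some other installed route, and an
# interface-bound static is installed only while that interface is up.

@dataclass(frozen=True)
class Route:
    prefix: str                      # "0.0.0.0/0", "3.3.3.0/23", ...
    ad: int                          # administrative distance
    interface: Optional[str] = None  # "Serial0", "Null0", ... or None
    next_hop: Optional[str] = None   # "1.1.1.1" or None

def covers(route: Route, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(route.prefix)

def installable(r: Route, rib: dict, links_up: set) -> bool:
    if r.interface is not None:      # Null0 never goes down
        return r.interface == "Null0" or r.interface in links_up
    # next-hop-only static: recursive lookup, never through the route itself
    return any(covers(o, r.next_hop) for o in rib.values() if o is not r)

def converge(candidates: list, links_up: set, max_rounds: int = 10):
    """Re-evaluate the RIB until it stops changing. Returns (rib, stable)."""
    rib, seen = {}, []
    for _ in range(max_rounds):
        new = {}
        for r in sorted(candidates, key=lambda c: c.ad):
            if r.prefix not in new and installable(r, rib, links_up):
                new[r.prefix] = r
        if new == rib:
            return rib, True
        if new in seen:              # a state repeats: the RIB is flapping
            return new, False
        seen.append(rib)
        rib = new
    return rib, False

# Constructed scenario: link to ISP1 (Serial0) is down, ISP2 (Serial1) is up,
# no default learned via BGP. Serial1's connected subnet is assumed.
ISP2_CONNECTED = Route("2.2.2.0/30", 0, "Serial1")
NEXT_HOP_ONLY = [ISP2_CONNECTED,          # ip route 0.0.0.0 0.0.0.0 1.1.1.1 249
                 Route("0.0.0.0/0", 249, next_hop="1.1.1.1"),
                 Route("0.0.0.0/0", 250, next_hop="2.2.2.2")]
INTERFACE_BOUND = [ISP2_CONNECTED,        # ip route 0.0.0.0 0.0.0.0 Serial0 1.1.1.1 249
                   Route("0.0.0.0/0", 249, "Serial0", "1.1.1.1"),
                   Route("0.0.0.0/0", 250, "Serial1", "2.2.2.2")]
```

Calling `converge(NEXT_HOP_ONLY, {"Serial1"})` reports the oscillation Paresh describes, while `converge(INTERFACE_BOUND, {"Serial1"})` settles on the Serial1 default; the same function shows a Null0 route with AD 248 yielding to an IGP route with AD 110 and taking over when the IGP route disappears.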

I read through the link you provided and it all makes sense that it will only install the route if the *specific* interface is available.

This will be perfect for the time being. Now I'm going to dig a bit further and try to better balance traffic outbound continuously using bgp link bandwidth or other methods.

Thanks for your help Paresh,

Hutch

d1701
Level 1

What did you guys think about the bogon's routing to null0? I had the same question about this. Would this cause issues with BGP? Would an ACL be sufficient?

Thanks,

Matthew

I only route my prefix to null plus the RFC1918.

I have bogons in BGP and also in ACL. If you will be routing them to null, just make sure you remember that you did that. In prefix-list and access-list I always put the version and the date of implementation (or update) to remind me, but when statically routing them to null you have to put something there to remind you.

Do you have an example of how you used it in BGP?

Thanks,

Matthew

From http://www.cymru.com/Documents/secure-bgp-template.html

and

http://www.cymru.com/Documents/secure-ios-template.html

Use only what you feel is appropriate for you and whose operation and impact you understand.
