
Mailing List Archive: nsp: extreme

Getting ExtremeWare to accept Null Routes via BGP

 

 



drew.weaver at thenap

Feb 8, 2008, 7:05 PM

Post #1 of 6 (3188 views)
Getting ExtremeWare to accept Null Routes via BGP

Hi there, I am trying to add our one remaining BlackDiamond to our RTBH configuration and I am finding it difficult to get ExtremeWare to accept routes into BGP for which the "NextHop" is unreachable.

Of course, I made the NextHop unreachable, because that is the point...

i.e.

02/09/2008 02:00:34.94 <Summ:BGP.UpdateIn.RtRejNhUnreach> NLRI 10.1.2.184 /255.255.255.248 Type unicast Reject: NextHop 192.0.2.1 is unreachable

configure iproute add blackhole 192.0.2.1 255.255.255.255

We have that static route so that when we add a route to our route-server with the destination of 192.0.2.1 it will automatically blackhole it on every switch on our network.

Does anyone have any clues?

Thanks,
-Drew
_______________________________________________
extreme-nsp mailing list
extreme-nsp [at] puck
https://puck.nether.net/mailman/listinfo/extreme-nsp


jrhett at svcolo

Feb 13, 2008, 12:01 PM

Post #2 of 6 (3037 views)
Re: Getting ExtremeWare to accept Null Routes via BGP

So first you should know that any packet you blackhole is handled in
software at the CPU, not by ASIC. Yeah, ignore the docs. And yeah,
Extreme support will claim otherwise until you show them the CPU
counters and they escalate and engineering will confirm. You can't
do an IP blackhole without all that traffic going to CPU. You must
use a mac-level blackhole.

Do this:

create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
enable loopback-mode vlan "dropPackets"

create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.1 00:11:22:33:44:55

You'll notice that I changed the IP address from 192.0.2.1 to
192.168.2.1. Yes, and you should too. 192.0 is a valid, routable IP
block in use on the Internet. 192.168.x.x is non-routable, and
that's what you should be using.


--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550






jrhett at svcolo

Feb 13, 2008, 1:32 PM

Post #3 of 6 (3045 views)
Re: Getting ExtremeWare to accept Null Routes via BGP

On Feb 13, 2008, at 12:19 PM, Drew Weaver wrote:
> Actually, 192.0.2.0 is part of IANA's "documentation network".
>
> Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
> 192.0.0.0 - 192.0.127.255
> Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
> 192.0.2.0 - 192.0.2.255

Yes, and that has been used to scan the internet for tests of various
sorts.

> And the reason I used it was because it was the example in Cisco's
> Real Time Black Hole documentation, so I think I'm alright.

No, Cisco got blasted for having done that. They were supposed to
fix all references to that.

> But I ended up with this in the end.
> ERROR: 192.0.2.1 is an interface address.

Sorry, I made a mistype when I changed my configuration to use your
IPs. Use this instead:

create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
enable loopback-mode vlan "dropPackets"

create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.2 00:11:22:33:44:55

(or reverse it and use 2.1 for blackhole and 2.2 for local interface,
doesn't matter)


--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550
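
An added example, not part of the thread and not Extreme tooling: a Python check of the two dropPackets snippets posted above, modelling the constraint that the BGP next hop must have a static ARP entry pointing at a blackholed MAC, sit inside the VLAN's subnet, and not be the VLAN's own interface address. The function name and the handling of only these command forms are assumptions of the example.

```python
import ipaddress
import re

# Constructed inputs: the first snippet from the thread, and the corrected one.
FIRST_ATTEMPT = '''
create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
enable loopback-mode vlan "dropPackets"
create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.1 00:11:22:33:44:55
'''
CORRECTED = FIRST_ATTEMPT.replace("255.255.255.255", "255.255.255.252").replace(
    "iparp add 192.168.2.1", "iparp add 192.168.2.2")

def check_blackhole_config(text, next_hop):
    """List reasons next_hop would not resolve to a blackholed MAC (empty = OK)."""
    vlans, loopback, bh_macs, arps = {}, set(), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'configure vlan "?([\w-]+)"? ipaddress (\S+) (\S+)$', line):
            vlans[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r'enable loopback-mode vlan "?([\w-]+)"?$', line):
            loopback.add(m[1])
        elif m := re.match(r'create fdbentry (\S+) vlan "?([\w-]+)"? blackhole', line):
            bh_macs[m[1].lower()] = m[2]
        elif m := re.match(r'configure iparp add (\S+) (\S+)$', line):
            arps[ipaddress.ip_address(m[1])] = m[2].lower()
    hop = ipaddress.ip_address(next_hop)
    if hop not in arps:
        return [f"no static ARP entry for next hop {hop}"]
    vlan = bh_macs.get(arps[hop])
    if vlan is None:
        return [f"{arps[hop]} has no blackhole fdbentry"]
    iface = vlans.get(vlan)
    if iface is None:
        return [f'vlan "{vlan}" has no IP address']
    problems = []
    if hop == iface.ip:
        problems.append(f"{hop} is the vlan's own interface address")
    elif hop not in iface.network:
        problems.append(f"{hop} is outside {iface.network}")
    if vlan not in loopback:  # loopback-mode keeps the VLAN up with no UP ports
        problems.append(f'vlan "{vlan}" lacks loopback-mode')
    return problems

if __name__ == "__main__":
    print(check_blackhole_config(FIRST_ATTEMPT, "192.168.2.1"))
    print(check_blackhole_config(CORRECTED, "192.168.2.2"))
```
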






jrhett at svcolo

Feb 13, 2008, 1:34 PM

Post #4 of 6 (3032 views)
Re: Getting ExtremeWare to accept Null Routes via BGP

On Feb 13, 2008, at 1:12 PM, Masood Ahmad Shah wrote:
> That's nice way to answer, What exactly enable loopback-mode do on
> Extreme switches?

I'm not sure if the first comment is sarcastic or not. I was trying
to be helpful.

Second part, RTFM. It makes the VLAN be up/routable without having
any UP interfaces.

--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550






masood at nexlinx

Feb 13, 2008, 3:51 PM

Post #5 of 6 (3034 views)
Re: Getting ExtremeWare to accept Null Routes via BGP

I was appreciating your response but you got me wrong....you are so
respectable.

I will pray you get your valentines this time :)

Cheers


Regards,
Masood Ahmad Shah




infothec at web

Feb 23, 2008, 1:12 AM

Post #6 of 6 (3023 views)
Re: Getting ExtremeWare to accept Null Routes via BGP

You might be right or not. What hardware are we talking about?
i-series HW, later Summit HW 400, 450, BD10K, 12K????

