
infothec at web
Feb 23, 2008, 1:12 AM
Post #6 of 6
Re: Getting ExtremeWare to accept Null Routes via BGP
You might be right or not. What hardware are we talking about? i-series HW, later Summit HW 400, 450, BD10K, 12K????

Jo Rhett wrote:
> On Feb 13, 2008, at 12:19 PM, Drew Weaver wrote:
>
>> Actually, 192.0.2.0 is part of IANA's "documentation network".
>>
>> Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
>> 192.0.0.0 - 192.0.127.255
>> Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
>> 192.0.2.0 - 192.0.2.255
>>
>
> Yes, and that has been used to scan the internet for tests of various
> sorts.
>
>> And the reason I used it was because it was the example in Cisco's
>> Real Time Black Hole documentation, so I think I'm alright.
>>
>
> No, Cisco got blasted for having done that. They were supposed to
> fix all references to that.
>
>> But I ended up with this in the end.
>> ERROR: 192.0.2.1 is an interface address.
>>
>
> Sorry, I made a mistype when I changed my configuration to use your
> IPs. Use this instead:
>
> create vlan dropPackets
> configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
> enable loopback-mode vlan "dropPackets"
>
> create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
> configure iparp add 192.168.2.2 00:11:22:33:44:55
>
> (or reverse it and use 2.1 for blackhole and 2.2 for local interface,
> doesn't matter)
>
>> -----Original Message-----
>> From: Jo Rhett [mailto:jrhett [at] svcolo]
>> Sent: Wednesday, February 13, 2008 3:02 PM
>> To: Drew Weaver
>> Cc: 'extreme-nsp [at] puck'
>> Subject: Re: [e-nsp] Getting ExtremeWare to accept Null Routes via BGP
>>
>> So first you should know that any packet you blackhole is handled in
>> software at the CPU, not by ASIC. Yeah, ignore the docs. And yeah,
>> extreme support will claim otherwise until you show them the cpu
>> counters and they escalate and engineering will confirm. You can't
>> do an IP blackhole without all that traffic going to CPU. You must
>> use a mac-level blackhole.
>>
>> Do this:
>>
>> create vlan dropPackets
>> configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
>> enable loopback-mode vlan "dropPackets"
>>
>> create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
>> configure iparp add 192.168.2.1 00:11:22:33:44:55
>>
>> You'll notice that I changed the IP address from 192.0.2.1 to
>> 192.168.2.1. Yes, and you should too. 192.0 is a valid, routable IP
>> block in use on the Internet. 192.168.x.x is non-routable, and
>> that's what you should be using.
>>
>> On Feb 8, 2008, at 7:05 PM, Drew Weaver wrote:
>>
>>> Hi there, I am trying to add our one remaining black
>>> diamond to our RTBH configuration and I am finding it difficult to
>>> get ExtremeWare to accept routes into BGP which the "NextHop" is
>>> unreachable.
>>>
>>> Of course, I made the NextHop unreachable, because that is the
>>> point...
>>>
>>> i.e.
>>>
>>> 02/09/2008 02:00:34.94 <Summ:BGP.UpdateIn.RtRejNhUnreach> NLRI 10.1.2.184 /255.255.255.248 Type unicast Reject: NextHop 192.0.2.1 is unreachable
>>>
>>> configure iproute add blackhole 192.0.2.1 255.255.255.255
>>>
>>> we have that static route so that when we add a route to our
>>> route-server with the destination of 192.0.2.1 it will automatically
>>> Blackhole it on every switch on our network.
>>>
>>> Does anyone have any clues?
>>>
>>> Thanks,
>>> -Drew
>>> _______________________________________________
>>> extreme-nsp mailing list
>>> extreme-nsp [at] puck
>>> https://puck.nether.net/mailman/listinfo/extreme-nsp
>>>
>> --
>> Jo Rhett
>> senior geek
>>
>> Silicon Valley Colocation
>> Support Phone: 408-400-0550
>>
>

_______________________________________________
extreme-nsp mailing list
extreme-nsp [at] puck
https://puck.nether.net/mailman/listinfo/extreme-nsp
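Added example, not part of the thread and not Extreme's tooling: a Python check that parses the two command sets quoted above and flags a static-ARP target that collides with the VLAN's own interface address or is not on-link, which is the difference between the first attempt and the corrected commands. The helper name and the checks are assumptions; it reads only the command text shown in the thread.

```python
import ipaddress
import re

# Constructed input: the two command sets quoted in the thread above.
FIRST_ATTEMPT = """
create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
enable loopback-mode vlan "dropPackets"
create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.1 00:11:22:33:44:55
"""
CORRECTED = FIRST_ATTEMPT.replace("255.255.255.255", "255.255.255.252").replace(
    "iparp add 192.168.2.1", "iparp add 192.168.2.2")

VLAN_RE = re.compile(r'configure vlan "?(\S+?)"? ipaddress (\S+) (\S+)')
FDB_RE = re.compile(r'create fdbentry (\S+) vlan "?(\S+?)"? blackhole')
ARP_RE = re.compile(r"configure iparp add (\S+) (\S+)")


def check_blackhole_config(text):
    """Hypothetical helper: list the problems in a MAC-blackhole command set."""
    vlan, fdb, arp = (r.search(text) for r in (VLAN_RE, FDB_RE, ARP_RE))
    if not (vlan and fdb and arp):
        return ["missing vlan ipaddress, fdbentry or iparp command"]
    # Interface address plus dotted netmask gives the on-link subnet.
    iface = ipaddress.ip_interface(f"{vlan.group(2)}/{vlan.group(3)}")
    target = ipaddress.ip_address(arp.group(1))
    net = iface.network
    problems = []
    if target == iface.ip:
        problems.append(f"{target} is the interface address")
    elif target not in net:
        problems.append(f"{target} is not on-link in {net}")
    elif net.prefixlen < 31 and target in (net.network_address, net.broadcast_address):
        problems.append(f"{target} is the network or broadcast address of {net}")
    # The ARP entry must resolve to the MAC that the FDB entry blackholes.
    if arp.group(2).lower() != fdb.group(1).lower():
        problems.append("static ARP MAC does not match the blackhole FDB entry")
    if vlan.group(1) != fdb.group(2):
        problems.append("FDB entry is on a different VLAN than the interface")
    return problems


if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(name, "->", check_blackhole_config(cfg) or "ok")
```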