Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1149
Views
0
Helpful
7
Replies

BGP Prefix problem

Go to solution
joemarr_brodart
Level 1
Level 1

‎02-09-2009 11:00 AM - edited ‎03-04-2019 03:29 AM

I have what I think is a simple problem:

I have BGP setup between a couple of providers. The provider support blackhole announcements (block traffic to one of my IPs when I announce it to them via BGP using a specific community).

I currently have a /18 that I have the following configuration for:

router bgp XXX1

network XXX.XXX.XXX.XXX mask 255.255.192.0

neighbor yyy.yyy.yyy.yyy route-map PROVIDER-TRANSIT-INBOUND out

ip route XXX.XXX.XXX.XXX 255.255.192.0 null0

ip prefix-list ISP-BlackedHole seq 1 permit ZZZ.ZZZ.ZZZ.ZZZ/32

ip prefix-list ISP-BlackedHole seq 100 deny 0.0.0.0/0 le 32

ip prefix-list Transit-00 seq 20 permit XXX.XXX.XXX.XXX/18

route-map PROVIDER-TRANSIT-INBOUND permit 10

match ip address prefix-list ISP-BlackedHole

set community XXXX:YYYY

!

route-map PROVIDER-TRANSIT-INBOUND permit 20

match ip address prefix-list Transit-00

!

The intent is to send the IP that is under attack (in this case ZZZ.ZZZ.ZZZ.ZZZ) to the provider via BGP tagged with their community.

After reseting the peering, I noticed that only the /18 was being sent out. When I do a "show ip bgp prefix ISP-BlackHole", nothing was returned. For some reason ZZZ.ZZZ.ZZZ.ZZZ is not being advertised out, only the aggregate is.

What am I doing wrong?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Harold Ritter
Level 12
Level 12
In response to joemarr_brodart

‎02-09-2009 11:40 AM

Joe,

That is correct. You could redistribute the /32 selectively using a route-map but it would be safer to use a network statement for that specific /32 though.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Harold Ritter
Level 12
Level 12

‎02-09-2009 11:09 AM

Joe,

How do you originate the /32 prefix. You need to make sure it is in the RIB and that you use a network statement or that you redistribute it in BGP.

Also make sure that you have a "neighbor send-community" if you want the ISP to receive the community that you set in the route-map. The community will not be sent by default.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
joemarr_brodart
Level 1
Level 1
In response to Harold Ritter

‎02-09-2009 11:16 AM

I've tried 2 methods:

* The IP is part of a /XX that is assigned to a port in our network, which is redistributed (and seen by the BGP routers) into our network via OSPF. This is prefered over the next option.

* null routing the IP on the routers doing BGP.

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to joemarr_brodart

‎02-09-2009 11:23 AM

Joe,

If the /32 is not present in BGP then it cannot be advertised to your ISP.

Do you see the /32 in your BGP table (show ip bgp)?

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
joemarr_brodart
Level 1
Level 1
In response to Harold Ritter

‎02-09-2009 11:37 AM

duh,

no I only see the /18 :(

So, between the network command and the null route, I'm redistributing the /18 into BGP.

So I would need to some how redistribute the IP into BGP. I assume I dont want to redistribute my entire OSPF table for various reasons, but I could redistribute the /32 using a route-map, yes?

say

router bgp XXXX

redistribute static route-map static-routes

route-map static-routes permit 10

match ip address prefix-list ISP-Blackhole

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to joemarr_brodart

‎02-09-2009 11:40 AM

Joe,

That is correct. You could redistribute the /32 selectively using a route-map but it would be safer to use a network statement for that specific /32 though.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
joemarr_brodart
Level 1
Level 1
In response to Harold Ritter

‎02-09-2009 11:41 AM

I'll give it some thought regarding network statement vs. route-map.

Thanks for the help.

0 Helpful

Go to solution
Mohamed Sobair
Level 7
Level 7

‎02-09-2009 11:34 AM

Hi,

1- First of all You have to advertise ZZZ Network to ur BGP neighbor, as its not seem to be in the IP routing neither advertised . verify...

2- Ur XXX Network is not advertised but rather dropped due to the Nullo static route which preffered over the BGP AD.

3- U have to send community 2 the neighbor.

HTH

Mohamed

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card