01-24-2025 06:58 AM
Hello everyone,
we use the Cisco ASR9902.
I am trying to set up RTBH functionality for our configuration at an IXP (internet exchange point) with a route-policy:
#show running-config router bgp
---
neighbor 2001:7f8:14::11
remote-as 47200
use session-group sg_nix
password encrypted ***************************************
description nix_routeserver
address-family ipv6 unicast
use af-group afg6_nix200k
!
---
#########################################################################
#show bgp af-group afg6_nix200k configuration
af-group afg6_nix200k address-family IPv6 Unicast
maximum-prefix 200000 75 60 []
next-hop-self [a:afg6_nix a:afg6_all]
policy rp6_nix_in in [a:afg6_nix]
policy rp6_nix_out out [a:afg6_nix]
#########################################################################
#show running-config route-policy rp6_nix_in
route-policy rp6_nix_in
  if (destination in pl6_default_ge128) and (community matches-any CM-NIX-RTBH) then
    set local-preference 666
    set next-hop 2001:7f8:14::250
    set community (no-export)
  elseif destination in pl6_own_le128 then
    drop
  elseif destination in pl6_default then
    drop
  elseif as-path in asps_lv_grupa then
    drop
  else
    set community cl_r1_nixcz
  endif
end-policy
!
#########################################################################
#show running-config community-set CM-NIX-RTBH
community-set CM-NIX-RTBH
#CM to drop prefix from Nix peers for RTBH
65535:666
end-set
!
#########################################################################
#show running-config prefix-set pl6_default_ge128
prefix-set pl6_default_ge128
::/0 ge 128
end-set
!
#########################################################################
Now a request to block the IP 2a02:38:bbbb::10/128 is sent from the RTBH network, but it seems that our route-policy does not accept it, and I don't know why.
Some /128 routes are received:
#show bgp ipv6 unicast neighbor 2001:7f8:14::11 routes | utility egrep expr '/128'
* 2a00:1238::1/128 2001:7f8:14::250
* 2a01:a040:ffff:ffff:ffff:ffff:ffff:6/128
* 2a02:38:bbbb::10/128
* 2a02:c98:ffff:fe05::666/128
#########################################################################
#show bgp ipv6 unicast 2a02:38:bbbb::10/128 longer-prefixes
BGP router identifier 1.1.1.1, local AS number 000000
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0800000 RD version: 402410595
BGP main routing table version 402410595
BGP NSR Initial initsync version 189301 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 2a02:38:bbbb::10/128
2001:7f8:14::250
666 0 6881 i
* 2001:7f8:14::250
666 0 6881 i
Processed 1 prefixes, 2 paths
#########################################################################
#sh route ipv6 2a02:38:bbbb::10/128
% Network not in table
#########################################################################
#sh route ipv6 2a02:38:bbbb::10
Routing entry for 2a02:38::/32
Known via "bgp 000000", distance 20, metric 0
Tag 6881, type external
Installed Dec 19 10:15:25.377 for 5w1d
Routing Descriptor Blocks
fe80::a2b4:39ff:fe55:8eec, from 2001:7f8:14::11, via TwentyFiveGigE0/0/0/7.10, BGP external
Route metric is 0
No advertising protos.
I am attaching the NIX.cz presentation on how RTBH works in the IX.
I would be very grateful for any contributions and answers. What can I check?
Many thanks.
01-27-2025 11:35 AM - edited 01-27-2025 04:59 PM
Hi @franko-f1 ,
I am not sure why you change the NH on your side, as it should have been changed by the RS already.
Can you attach the output from the "show bgp ipv6 unicast 2a02:38:bbbb::10/128" for us to see what is causing the prefix not to be selected as the BGP best path and therefore not being installed in the RIB.
Can you also provide a "show cef ipv6 2001:7f8:14::250" output.
Regards,
01-28-2025 04:26 AM
Hi Harold,
Sure, here are the outputs for the requested commands:
#show bgp ipv6 unicast 2a02:38:bbbb::10/128
Tue Jan 28 13:22:42.748 CET
BGP routing table entry for 2a02:38:bbbb::10/128
Versions:
Process bRIB/RIB SendTblVer
Speaker 377528327 377528327
Last Modified: Nov 13 04:40:15.195 for 10w6d
Paths: (2 available, no best path)
Not advertised to any peer
Path #1: Received by speaker 0
Not advertised to any peer
6881
2001:7f8:14::250 from 2001:7f8:14::11 (91.210.16.1)
Origin IGP, localpref 666, valid, external
Received Path ID 0, Local Path ID 0, version 0
Community: no-export
Origin-AS validity: invalid
Path #2: Received by speaker 0
Not advertised to any peer
6881
2001:7f8:14::250 from 2001:7f8:14::12 (91.210.16.2)
Origin IGP, localpref 666, valid, external
Received Path ID 0, Local Path ID 0, version 0
Community: no-export
Origin-AS validity: invalid
#show cef ipv6 2001:7f8:14::250
Tue Jan 28 13:24:27.705 CET
2001:7f8:14::/64, version 277143721, attached, connected, internal 0x1000061 0x0 (ptr 0x7cc5c344) [1], 0x400 (0x9b3fe888), 0x0 (0x0)
Updated Apr 2 19:41:13.182
remote adjacency to TwentyFiveGigE0/0/0/7.10
Prefix Len 64, traffic index 0, precedence n/a, priority 0
gateway array (0x78b61890) reference count 1, flags 0x0, source rib (7), 0 backups
[2 type 3 flags 0x8401 (0x78c14e20) ext 0x0 (0x0)]
LW-LDI[type=3, refc=1, ptr=0x9b3fe888, sh-ldi=0x78c14e20]
gateway array update type-time 1 Apr 2 19:41:13.182
LDI Update time Apr 2 19:41:13.182
LW-LDI-TS Apr 2 19:41:13.182
via TwentyFiveGigE0/0/0/7.10, 312 dependencies, weight 0, class 0 [flags 0x8]
path-idx 0 NHID 0x0 [0x788db890 0x0]
remote adjacency
Load distribution: 0 (refcount 2)
Hash OK Interface Address
0 Y TwentyFiveGigE0/0/0/7.10 remote
01-28-2025 06:10 AM
Hi @franko-f1 ,
By default, IOS-XR validates that the AS path first hop (6881) is equal to the neighbor ASN (47200). This check fails if the prefix is received through a route server, as the route server does not insert its ASN in the AS path. The following command is therefore required in such a scenario.
neighbor 2001:7f8:14::11
enforce-first-as disable
neighbor 2001:7f8:14::12
enforce-first-as disable
Regards,
01-29-2025 11:20 AM
Hi @Harold Ritter,
many thanks for your help.
So I set enforce-first-as disable for both neighbors, but nothing changed.
It still isn't working :(.
01-29-2025 11:51 AM
Hi @franko-f1 ,
Can you please provide the "show bgp ipv6 unicast 2a02:38:bbbb::10/128 bestpath-compare" output.
Regards,
01-29-2025 12:06 PM
Hi @Harold Ritter ,
Sure, here is the output:
#show bgp ipv6 unicast 2a02:38:bbbb::10/128 bestpath-compare
Wed Jan 29 21:04:54.342 CET
BGP routing table entry for 2a02:38:bbbb::10/128
Versions:
Process bRIB/RIB SendTblVer
Speaker 377528327 377528327
Flags: 0x00000001+0x20000000;
Last Modified: Nov 13 04:40:15.195 for 11w0d
Paths: (2 available, no best path)
Not advertised to any peer
Path #1: Received by speaker 0
Flags: 0x1000000000020001+0x00, import: 0x020
Not advertised to any peer
6881
2001:7f8:14::250 from 2001:7f8:14::11 (91.210.16.1), if-handle 0x00000000
Origin IGP, localpref 666, valid, external
Received Path ID 0, Local Path ID 0, version 0
Community: no-export
Origin-AS validity: invalid
Path #2: Received by speaker 0
Flags: 0x1000000000020001+0x00, import: 0x020
Not advertised to any peer
6881
2001:7f8:14::250 from 2001:7f8:14::12 (91.210.16.2), if-handle 0x00000000
Origin IGP, localpref 666, valid, external
Received Path ID 0, Local Path ID 0, version 0
Community: no-export
Origin-AS validity: invalid
01-29-2025 12:47 PM - edited 01-29-2025 01:05 PM
Hi @franko-f1 ,
The issue is that you have RPKI configured on that router and the /128 prefix injection goes against the RPKI policy. This can be seen in the output:
Origin-AS validity: invalid
Can you provide the output for the following command:
show bgp rpki table ipv6 | in "2001:7f8:14"
Regards,
01-29-2025 01:34 PM
Hi @Harold Ritter ,
Yes, aaah, I configured RPKI before this RTBH project.....
#show bgp rpki table | in "2001:7f8:14"
Wed Jan 29 22:10:38.474 CET
No network in rpki table found.
01-29-2025 01:43 PM - edited 01-29-2025 06:34 PM
Hi @franko-f1 ,
Sorry, I meant "2a02:38:", not "2001:7f8:14".
I just ran a RPKI query for 2a02:38::/32 and confirmed that the prefix 2a02:38:bbbb::10/128 will be declared invalid as the ROA does not include the /128.
You can see the same information from the router by doing a show bgp rpki table ipv6 | in "2a02:38:"
or you can check through Cloudflare:
https://rpki.cloudflare.com/?view=validator&validateRoute=6881_2a02%3A38%3Abbbb%3A%3A10%2F128
Regards,
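The "Origin-AS validity: invalid" verdict in the outputs above is RFC 6811 route origin validation: a route is invalid when at least one ROA covers its prefix but none of the covering ROAs matches both the origin AS and the maximum length. The following is an added example, not code from the thread or from the router, that reproduces that check in Python over a constructed ROA table. The ROA for 2a02:38::/32 is assumed to have been issued to AS6881 with maxLength 32, since the thread only states that it does not include the /128. The second function mirrors the behaviour seen in the thread: an invalid path never becomes best path unless the router is explicitly told to allow it, which is why the entry shows "no best path" and nothing is installed in the RIB.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, maxLength, origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


# Constructed ROA table (an assumption, not fetched from any RPKI cache).
# The thread only says the ROA for 2a02:38::/32 does not cover the /128;
# we assume it was issued to AS6881 with maxLength 32.
ROAS = (
    Roa(ip_network("2a02:38::/32"), 32, 6881),
)


def validate(prefix: str, origin_as: int, roas: Iterable[Roa] = ROAS) -> str:
    """RFC 6811 route origin validation.

    Returns "not-found" when no ROA covers the prefix, "valid" when a
    covering ROA matches the origin AS and the announced length is within
    its maxLength, and "invalid" otherwise (covered, but no ROA matches).
    """
    net = ip_network(prefix)
    covering = [
        r for r in roas
        if r.prefix.version == net.version and net.subnet_of(r.prefix)
    ]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def bestpath_eligible(state: str, allow_invalid: bool = False) -> bool:
    """Whether a path with this validation state may become BGP best path.

    An RPKI-invalid path is not a best-path candidate unless invalid
    paths are explicitly allowed; "valid" and "not-found" always are.
    """
    if state == "invalid":
        return allow_invalid
    return True


if __name__ == "__main__":
    # The /32 the RIB actually holds, the /128 the RTBH request carries,
    # and a /128 from a block with no ROA in our constructed table.
    for pfx in ("2a02:38::/32", "2a02:38:bbbb::10/128", "2a00:1238::1/128"):
        state = validate(pfx, 6881)
        print(f"{pfx:24} AS6881 -> {state:9} bestpath eligible: {bestpath_eligible(state)}")
```

With the assumed ROA the /32 is valid and the /128 is invalid purely because of the length check; re-issuing the ROA with maxLength 128 would make the same /128 valid, which is the trade-off operators weigh when they want RTBH /128s to pass origin validation unchanged.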
01-29-2025 11:11 PM
Hi @Harold Ritter ,
you are the best :). Many many thanks for your help.
If I shut down RPKI, then the routes are accepted.
#sh route ipv6 2a02:38:bbbb::10/128
Thu Jan 30 08:02:18.409 CET
Routing entry for 2a02:38:bbbb::10/128
Known via "bgp *******", distance 20, metric 0
Tag 6881, type external
Installed Jan 30 07:59:47.701 for 00:02:31
Routing Descriptor Blocks
2001:7f8:14::250, from 2001:7f8:14::11, BGP external
Route metric is 0
No advertising protos.
01-30-2025 05:07 AM
You are very welcome @franko-f1 and thanks for the feedback
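The thread ends with origin validation switched off, which makes the RTBH /128 reachable but also re-admits every other RPKI-invalid announcement from the route servers. The following is an added example, not configuration from the thread or from NIX.cz, of keeping validation on while accepting only the blackhole routes. It assumes the router runs the IOS-XR default in which invalid paths are ineligible for best path (which matches the "no best path" output above), that the RPKI cache session stays configured, and it reuses the policy, prefix-set and community-set names from the original post; "000000" is the redacted AS number as it appears on the page. Invalid is tolerated only for /128s that carry 65535:666, matched in the first branch; everything else that is RPKI-invalid is dropped before the remaining checks run.

```text
! Added example, not from the thread. Keeps RPKI origin validation active.
!
! 1. Let invalid paths compete for best path at all. Without this the
!    route-policy never gets a chance to decide per route, because an
!    invalid path is discarded from best-path selection first.
router bgp 000000
 bgp bestpath origin-as allow invalid
!
! 2. Decide per route in the inbound policy from the route servers.
route-policy rp6_nix_in
  if (destination in pl6_default_ge128) and (community matches-any CM-NIX-RTBH) then
    ! RTBH /128 from the IXP: accepted even though it is RPKI-invalid
    set local-preference 666
    set next-hop 2001:7f8:14::250
    set community (no-export)
  elseif validation-state is invalid then
    ! any other RPKI-invalid route (hijack, misconfiguration) is dropped
    drop
  elseif destination in pl6_own_le128 then
    drop
  elseif destination in pl6_default then
    drop
  elseif as-path in asps_lv_grupa then
    drop
  else
    set community cl_r1_nixcz
  endif
end-policy
```

Note the trust this places in the route servers: any /128 tagged 65535:666 that they pass on is blackholed on this router regardless of RPKI state, so whether only the holder of the covering prefix may originate such a blackhole is enforced by the IXP's route-server filters, not here. Check the IXP's published RTBH policy (the original post attaches the NIX.cz presentation on it) before enabling this, and verify the result with "show bgp ipv6 unicast 2a02:38:bbbb::10/128" as in the thread: the path should now show a best-path marker while the validity line still reads invalid.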