04-10-2015 07:07 AM - edited 03-05-2019 01:13 AM
Hi all, I'm using Cisco 6513, Sup720-3bxl,
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXJ2, RELEASE SOFTWARE (fc4)
I'm trying to implement BGP blackhole mechanism so that our clients could use it via setting community 65000:666 on their prefixes.
In this example: client with AS65001 has BGP peer address 192.168.10.10 and it is multihop bgp session (192.168.10.10 is routed via 192.168.9.2).
router bgp 65000
 ...
 redistribute static route-map blackhole
 neighbor 192.168.10.10 remote-as 65001
 neighbor 192.168.10.10 route-map client_in in
 neighbor 192.168.10.10 ebgp-multihop 10
 neighbor 192.168.10.10 disable-connected-check
 neighbor 192.168.10.10 update-source Loopback0
 !
 address-family ipv4
  redistribute static route-map blackhole
  neighbor 192.168.10.10 activate
  neighbor 192.168.10.10 send-community both
  neighbor 192.168.10.10 soft-reconfiguration inbound
  neighbor 192.168.10.10 route-map client_in in
  ...
  no auto-summary
  no synchronization
...
ip community-list standard clients-blackhole permit 65000:666
...
ip route 192.0.2.1 255.255.255.255 Null0 tag 666
...
route-map client_in permit 10
 match community clients-blackhole
 set ip next-hop 192.0.2.1
!
route-map client_in permit 100
 match ip address prefix-list client
 match as-path 30
 set local-preference 300
 set weight 3000
 set ip next-hop 192.168.9.2
!
route-map blackhole permit 10
 match tag 666
 set origin igp
 set community 65000:666
sh ip bgp nei 192.168.10.10 ro
BGP table version is 246438222, local router ID is 1.2.3.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    192.168.9.2              0    300   3000 65001 i
*  10.10.10.4/32    192.0.2.1                0             0 65001 i

Total number of prefixes 2

#sh ip bgp 10.10.10.4
BGP routing table entry for 10.10.10.4/32, version 246438764
Paths: (2 available, no best path)
  Not advertised to any peer
  65001
    192.0.2.1 (inaccessible) from 192.168.10.10 (192.168.10.10)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 65000:666
  65001, (received-only)
    192.168.10.10 (metric 20) from 192.168.10.10 (192.168.10.10)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 65000:666

#sh ip bgp 192.0.2.1
BGP routing table entry for 192.0.2.1/32, version 246291206
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2          8
  Local
    0.0.0.0 from 0.0.0.0 (1.2.3.4)
      Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, best
      Community: 65000:666

#sh ip route 192.0.2.1
Routing entry for 192.0.2.1/32
  Known via "static", distance 1, metric 0 (connected)
  Tag 666
  Redistributing via ospf 1, bgp 65000
  Advertised by ospf 1 subnets
                bgp 65000 route-map blackhole
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
      Route tag 666
As you can see, the BGP router is receiving 2 prefixes: 10.10.10.0/24 and 10.10.10.4/32. The second one carries the blackhole community 65000:666. So I need packets going to 10.10.10.4 to be sent to Null0. In this example, show ip bgp 10.10.10.4 says that next-hop 192.0.2.1 is inaccessible, so the blackhole mechanism doesn't work and traffic with dst ip 10.10.10.4 is being sent to the client.
Please tell me where my fault is?
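The symptom in the post (a path carrying 65000:666 whose rewritten next-hop shows as "(inaccessible)", leaving the prefix with no best path so traffic follows the covering /24 to the client) is easy to miss in a large table. The following script is an added example, not the poster's code and not a Cisco tool: it parses "show ip bgp <prefix>" output into paths and reports, per prefix, whether the community-triggered blackhole actually took effect. The community value 65000:666 and the discard next-hop 192.0.2.1 are taken from the post; the sample output is constructed to mirror the post's entries (it is not a capture from the poster's router).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

BLACKHOLE_COMMUNITY = "65000:666"  # community the clients set (from the post)
DISCARD_NEXT_HOP = "192.0.2.1"     # next-hop set by route-map client_in, routed to Null0

# Constructed sample modelled on the post: one prefix whose blackhole path has an
# inaccessible next-hop (plus the received-only copy kept by soft-reconfiguration),
# and one healthy prefix with a best path towards the client.
SAMPLE_OUTPUT = """\
BGP routing table entry for 10.10.10.4/32, version 246438764
Paths: (2 available, no best path)
  Not advertised to any peer
  65001
    192.0.2.1 (inaccessible) from 192.168.10.10 (192.168.10.10)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 65000:666
  65001, (received-only)
    192.168.10.10 (metric 20) from 192.168.10.10 (192.168.10.10)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 65000:666
BGP routing table entry for 10.10.10.0/24, version 246438222
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2          8
  65001
    192.168.9.2 from 192.168.10.10 (192.168.10.10)
      Origin IGP, metric 0, localpref 300, weight 3000, valid, external, best
"""


@dataclass
class Path:
    as_path: str
    next_hop: str
    inaccessible: bool
    best: bool = False
    received_only: bool = False
    communities: List[str] = field(default_factory=list)


ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+?),")
# "<next-hop> [(inaccessible)|(metric N)] from <peer> (<router-id>)"
NEXTHOP_RE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)(?:\s+\((inaccessible|metric \d+)\))?\s+from\s+(\S+)"
)


def parse_bgp_entries(text: str) -> Dict[str, List[Path]]:
    """Group the paths of each 'show ip bgp <prefix>' entry under its prefix."""
    entries: Dict[str, List[Path]] = {}
    prefix = None
    prev = ""      # the line before a next-hop line is the AS-path line
    path = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            prefix = m.group(1)
            entries[prefix] = []
            path = None
        elif prefix is not None:
            m = NEXTHOP_RE.match(line)
            if m:
                path = Path(as_path=prev.split(",")[0].strip(),
                            next_hop=m.group(1),
                            inaccessible=(m.group(2) == "inaccessible"),
                            received_only="(received-only)" in prev)
                entries[prefix].append(path)
            elif path is not None:
                s = line.strip()
                if s.startswith("Origin"):
                    path.best = ", best" in s
                elif s.startswith("Community:"):
                    path.communities = s.split(":", 1)[1].split()
        prev = line
    return entries


def audit_blackhole(entries: Dict[str, List[Path]]) -> Dict[str, str]:
    """Return prefix -> verdict for every prefix that carries the blackhole community.

    Received-only copies are the pre-route-map versions kept by soft-reconfiguration,
    so they are ignored; only the post-policy path says what the router will do."""
    verdicts: Dict[str, str] = {}
    for prefix, paths in entries.items():
        tagged = [p for p in paths
                  if BLACKHOLE_COMMUNITY in p.communities and not p.received_only]
        if not tagged:
            continue
        bh = tagged[0]
        if bh.next_hop != DISCARD_NEXT_HOP:
            verdicts[prefix] = "route-map did not rewrite next-hop to the discard address"
        elif bh.inaccessible:
            verdicts[prefix] = ("discard next-hop inaccessible: no best path, "
                                "traffic follows the covering route")
        elif not bh.best:
            verdicts[prefix] = "discard path valid but not best"
        else:
            verdicts[prefix] = "blackholed"
    return verdicts


if __name__ == "__main__":
    for pfx, verdict in audit_blackhole(parse_bgp_entries(SAMPLE_OUTPUT)).items():
        print(f"{pfx}: {verdict}")
```

Run it against the real output of "show ip bgp" for each prefix you expect to be blackholed; a verdict other than "blackholed" means the community was honoured by the route-map but the discard path is not the one the RIB will use.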
07-06-2015 06:28 AM
Hi Evgeny,
Hmm, I'd expect this to sort it out. Can you show us the updated config and new show command outputs with these changes in place?
Thanks