Null0 statistics or hit counts
02-01-2023 09:36 AM
Cisco ASR 1001x Cisco IOS XE Software, Version 17.03.05
I have implemented BGP peering with Team-Cymru for IPv4 and IPv6 bogons. The routes from this peering are community-matched for "next hop" to either 192.0.2.1 or 100::/64, both of which have a static route to Null0. This all seems to be working perfectly, and is a big improvement over massive ACLs that need to be updated frequently to perform the same type of filtering.
However, the ACLs would allow me to see hits/matches. With the new peering I can't see any details: when I show int Null0, it shows the interface up, but all stats are zeros.
Is there some special method to show hit counts, stats or traffic numbers for packets being routed to Null0?
Labels: ASR 1000 Series
02-01-2023 09:53 AM - edited 02-01-2023 10:46 AM
I configured a static route toward Null0 on R2 and advertised that static route to R1,
then pinged from R1 to R2 (the static route IP),
then checked Null0 and saw that the packet output count increased.
What you see, I think, is that you use the Null0 static route as an aggregate route; when a packet hits the router, the router does a longest match,
and since there is a route with a longer subnet mask than the Null0 static route's subnet mask, the router will use the longest match and the Null0 interface counter does not increment.
02-01-2023 10:41 AM
Thank you for trying to help me understand. "since there is route with subnet mask better than static route subnet mask the router will use the longest match" - I'm not sure I'm understanding this in my case. (I'm still learning - I've only been working with edge routing in the past couple of months.) And I do understand that IPv4 bogons/martians are fairly limited these days, but I'm also doing this on the IPv6 side, so the knowledge and practice is good.
----
----
BGP routing table entry for 100.64.0.0/10, version 22997010
Paths: (2 available, best #2, table default, not advertised to EBGP peer)
Multipath: eBGP
02-01-2023 10:55 AM
https://www.senki.org/operators-security-toolkit/remote-triggered-black-hole-rtbh-filtering/
Using a next hop toward Null0 is RTBH BGP security; check the link above for more detail about this BGP security.
02-01-2023 02:04 PM - edited 02-01-2023 02:28 PM
Thank you for this link - this is very informative.
It's my understanding that any time you invoke BGP, a Null0 interface is created on a Cisco ASR, even though it is not explicitly defined.
That brings up my next question on this:
#show run int null0
Building configuration...
Current configuration : 5 bytes
end
I never defined Null0, it already existed.
Since it already exists, if I add routes as in the example given (using my route) will that break things? In my case, these are production routers - I don't want to send things into oblivion.
(in testing, I cannot add "routes" directly to the interface as shown in the article)
02-01-2023 02:18 PM
https://community.cisco.com/t5/routing/bgp-flowspec-and-rtbh/m-p/4676084
I explain RTBH in this post; please take a look.
02-01-2023 02:26 PM
I have read articles about RTBH, but generally it's coordination with your ISP to give you a way to redirect your outbound advertisement of an IP range/address (space you advertise) to a black hole at the ISP, to prevent/mitigate DDoS on the inbound side of your router. I can wrap my head around that.
In my case, I'm using this same technique to route traffic to/from a list of potential bad actors (IP addresses or IP ranges, inbound or outbound) to a null route. This technique seems to be working correctly, with much less trouble than building unmanageable ACLs for the edge routers. It's just a matter of not being able to see stats or dropped traffic in order to monitor the efficacy.
02-01-2023 02:50 PM
"it's just a matter of not being able to see stats or dropped traffic in order to monitor the efficacy." <<-
I will do a deep dive and find a way you can see the packet drops by Null0 in real time.
I will update you soon.
Thanks
02-01-2023 04:47 PM
Thank you so much for your help. There is so much to learn, and so much documentation, some of which may or may not apply depending on the platform and release etc.
I did find this:
show platform hardware qfp active statistics drop
but I'm not sure how I can pull it from the ASR with SolarWinds in order to graph it, record it, or even display it without actually logging into the ASR (both of them, since they are both active) to display the numbers.
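As an added example (not code from this thread, from Cisco or from SolarWinds), the script below shows one way to turn the output of the "show platform hardware qfp active statistics drop" command named above into numbers a collector can graph: it parses two snapshots of the table, computes the per-reason packet delta (treating a cleared or wrapped counter as zero rather than negative), sums the reasons you choose to attribute to null-routed traffic, and renders the result as InfluxDB line protocol. The two snapshots embedded in the script are constructed for the example; the reason names and counts are illustrative only, and which drop reason actually accounts for Null0-routed traffic on a given platform and release is an assumption that has to be confirmed on the router itself.

```python
"""
Parse two snapshots of `show platform hardware qfp active statistics drop`
from an ASR 1000 and report per-reason packet deltas, so the drop counters
can be pushed to a monitoring system instead of read by hand on each router.

The sample output below is CONSTRUCTED for this example: the layout follows
the command's "reason / Packets / Octets" columns, but the reason names and
counts are illustrative and were not captured from a real router.
"""
import re
import time
from typing import Dict, Iterable, Tuple

SNAPSHOT_T0 = """\
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
Ipv4NoRoute                                  1200                  96000
Ipv6NoRoute                                   300                  42000
Disabled                                       10                    640
"""

SNAPSHOT_T1 = """\
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
Ipv4NoRoute                                  1750                 140000
Ipv6NoRoute                                   360                  50400
Disabled                                       10                    640
"""

# A counter row is "<reason> <packets> <octets>"; header and rule lines
# do not match because their second column is not numeric.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")

Stats = Dict[str, Tuple[int, int]]


def parse_drop_stats(text: str) -> Stats:
    """Return {reason: (packets, octets)} for every counter row in the output."""
    stats: Stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def drop_delta(before: Stats, after: Stats) -> Dict[str, int]:
    """Packets dropped per reason between two snapshots.

    A reason absent from the earlier snapshot counts from zero; a counter
    that went backwards (cleared with `clear` or wrapped) is reported as 0
    rather than as a negative rate.
    """
    delta: Dict[str, int] = {}
    for reason, (pkts_after, _octets) in after.items():
        pkts_before = before.get(reason, (0, 0))[0]
        delta[reason] = max(pkts_after - pkts_before, 0)
    return delta


def sum_reasons(before: Stats, after: Stats, reasons: Iterable[str]) -> int:
    """Total delta for the reasons the operator attributes to null-routed
    traffic. Which reasons those are is an ASSUMPTION to verify per platform
    and release; the names used in the sample are illustrative."""
    delta = drop_delta(before, after)
    return sum(delta.get(r, 0) for r in reasons)


def to_influx_lines(delta: Dict[str, int], host: str, ts_ns: int) -> str:
    """Render deltas as InfluxDB line protocol, one line per drop reason."""
    return "\n".join(
        f"qfp_drops,host={host},reason={reason} packets={count}i {ts_ns}"
        for reason, count in sorted(delta.items())
    )


if __name__ == "__main__":
    # In practice the two snapshots would come from the router (for example
    # via a scheduled CLI pull); here they are the constructed samples above.
    t0 = parse_drop_stats(SNAPSHOT_T0)
    t1 = parse_drop_stats(SNAPSHOT_T1)
    print(to_influx_lines(drop_delta(t0, t1), "asr-edge-1", time.time_ns()))
    print("null-route drops this interval:",
          sum_reasons(t0, t1, ("Ipv4NoRoute", "Ipv6NoRoute")))
```

A collector would run this on a schedule against each of the two active routers (the host tag keeps them apart), and the per-interval delta, not the raw cumulative counter, is what makes a useful graph. The `clear` case matters: after a counter reset the first interval should read as zero rather than as a large negative spike.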
