Re: Null0 statistics or hit counts

wherewolf · ‎02-01-2023

Cisco ASR 1001x Cisco IOS XE Software, Version 17.03.05

I have implemented BGP peering with Team-Cymru for ipv4 and ipv6 bogons. The routes from this peering are community-matched for "next hop" to either 192.0.2.1 or 100::/64 - both of which have a static route to Null0 - this all seems to be working perfectly, and is a big improvement over massive ACL's that need to be updated frequently to perform the same type of filtering.

However the ACL's would allow me to see hits / matches - with the new peering, I can't see any details - when I show int Null0, it shows the interface up, but all stats are zero's

Is there some special method to show hit counts, stats or traffic numbers for packets being routed to Null0?

MHM Cisco World · ‎02-01-2023

I config static route toward null0 in R2 and advertise the static route toward null0 to R1
then I ping R1 to R2 (static route IP)
then check the null0 I see the packet output count is increase.

what you see I think that you use static route null0 as aggregate route, and when packet hit router the router do longest match
and since there is route with subnet mask better than null0 static route subnet mask the router will use the longest match and null0 interface count not count.

wherewolf · ‎02-01-2023

Thank you for try to help me understand. "since there is route with subnet mask better than static route subnet mask the router will use the longest match" I'm not sure I'm understanding this in my case. (I'm still learning - I've only been working with edge routing in the past couple of months.) And I do understand that IPv4 bogons/martians are fairly limited these days, but I'm also doing this on the IPV6 side, so the knowledge and practice is good.)

Show run:

----

ip route 192.0.2.1 255.255.255.255 Null0
----

ip community-list 100 permit 65332:888
----

route-map BOGONS-V4-IN permit 10

description IPv4 bogons

match community 100

set ip next-hop 192.0.2.1

----

#show ip route 100.64.0.1

Routing entry for 100.64.0.0/10

Known via "bgp 17218", distance 20, metric 0

Tag 65332, type external

Last update from 192.0.2.1 5d05h ago

Routing Descriptor Blocks:

* 192.0.2.1, from 38.229.50.81, 5d05h ago

opaque_ptr 0x7F3EA4E32A18

Route metric is 0, traffic share count is 1

AS Hops 1

Route tag 65332

MPLS label: none

#show bgp ipv4 unicast 100.64.0.1

BGP routing table entry for 100.64.0.0/10, version 22997010
Paths: (2 available, best #2, table default, not advertised to EBGP peer)
Multipath: eBGP

Not advertised to any peer

Refresh Epoch 1

65332, (received & used)

192.0.2.1 from 38.229.60.81 (38.229.60.81)

Origin IGP, localpref 100, valid, external

Community: 65332:888 no-export

rx pathid: 0, tx pathid: 0

Updated on Jan 27 2023 04:40:10 PST

Refresh Epoch 1

65332, (received & used)

192.0.2.1 from 38.229.50.81 (38.229.50.81)

Origin IGP, localpref 100, valid, external, best

Community: 65332:888 no-export

rx pathid: 0, tx pathid: 0x0

Updated on Jan 27 2023 04:39:59 PST

#ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 23/23/23 ms

#ping 100.64.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 100.64.0.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

#show int null0

Null0 is up, line protocol is up

Hardware is Unknown

MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 0 usec,

reliability 0/255, txload 0/255, rxload 0/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Last input never, output 5d02h, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts (0 IP multicasts)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

Output 0 broadcasts (0 IP multicasts)

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 output buffer failures, 0 output buffers swapped out

MHM Cisco World · ‎02-01-2023

https://www.senki.org/operators-security-toolkit/remote-triggered-black-hole-rtbh-filtering/
you use next-hop toward null0 is RTBH BGP security, check the link above for more detail about this BGP security

wherewolf · ‎02-01-2023

Thank you for this link - this is very informative.

It's my understanding that anytime you invoke BGP, a null0 interface is created on a Cisco ASR, even though it is not explicitly defined.

That brings up my next question on this:

#show run int null0
Building configuration...

Current configuration : 5 bytes
end

I never defined Null0, it already existed.

Since it already exists, if I add routes as in the example given (using my route) will that break things? In my case, these are production routers - I don't want to send things into oblivion.

(in testing, I cannot add "routes" directly to the interface as shown in the article)

MHM Cisco World · ‎02-01-2023

https://community.cisco.com/t5/routing/bgp-flowspec-and-rtbh/m-p/4676084

I explain the RTBH in this post, please take look

wherewolf · ‎02-01-2023

I have read articles about RTBH, but generally it's coordination with your ISP to give you a way to redirect your outbound advertisement of an ip range / address (space you advertise) to a black-hole of the ISP, to prevent/mitigate DDOS on the inbound side of your router. I can wrap my head around that.

In my case, I'm using this same technique to route traffic to / from a list of potential bad actors (ip addresses or ip ranges - inbound or outbound) to a null route. This technique seems to be working correctly - with much less trouble than building unmanageable ALC's for the edge routers - it's just a matter of not being able to see stats or dropped traffic in order to monitor the efficacy.

MHM Cisco World · ‎02-01-2023

it's just a matter of not being able to see stats or dropped traffic in order to monitor the efficacy. <<-
I will do deep dive find a way you can real time see the packet drop by null 0.
I will update you soon
thanks

wherewolf · ‎02-01-2023

Thank you so much for your help. There is so much to learn, and so much documentation - some of which may or may not apply depending on the platform and release etc.....

I did find this:

show platform hardware qfp active statistics drop

but I'm not sure how I can pull it from the ASR with solarwinds in order to graph it, record it, or even display it without actually logging into the asr (both of them - since they are both active) to display the numbers.