Route Advertisement to BGP Peer using null 0

Vivek Singh
Level 1

Hi Everyone,

Can anyone please explain why, while advertising routes to a BGP peer, we create a static route pointing towards null 0 when it won't add any value? I mean, after advertising the network to our BGP peer, our router/L3 switch will consider those packets from our BGP neighbor void if we have a static route pointing towards null 0 for that particular network.

 

There is another thing: in our network environment we got some subnets from our ISP to NAT our internal traffic to a global IP address. We are advertising those subnets towards them over BGP using a static route pointing towards null 0. I am a little bit confused about how this setup is working.

 

WAN Distribution Router+FWSM module(R1)----->>Another Router(R2)----->ISP------------>Vendor

On router R2 we are advertising those prefixes which we got from the ISP back to them over BGP by creating static routes for the subnets pointing towards null 0, something like this. Suppose we got subnet 100.100.100.0/28 from the ISP:

router bgp 100

network 100.100.100.0 mask 255.255.255.240

ip route 100.100.100.0 255.255.255.240 null 0

On the FWSM we have static NAT statements, something like this:

static nat (inside, outside) 100.100.100.2 192.168.10.16 netmask 255.255.255.255

Also, we have an inbound rule for our vendor IP so that they can access 192.168.10.10:

access-list outside-in extended permit tcp host 200.200.200.200 host 100.100.100.2 eq http log

All routing has been configured and it is working.

 

Now here is my doubt.

When the vendor initiates a connection from IP 200.200.200.200 towards 100.100.100.2, how is the connection working if we have an intermediate router R2 which has a static route for 100.100.100.0/28 pointing towards null 0?

 

Please advise.

18 Replies

Hello

The static route to null 0 is for loop prevention.

Let's say your router receives a packet for an address within that range which is not being used, and in BGP you are advertising to others that anything for 100.100.100.0/28 should be sent to this router.

Then without this static NULL 0 route, this packet could loop, because it hasn't a live host and your router will look to forward this packet onwards via its own default next hop, possibly towards the router it originated from, thus resulting in a loop.

With the static NULL 0 route, if your router receives the same packet, instead of being forwarded it will be sent to NULL 0 and dropped, thus preventing a loop.

Res
Paul

 


 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks Paul for your reply. I do understand we configured it for loop prevention. In our case we have a static route for 100.100.100.0/28 pointed towards null 0 and we are advertising it from intermediate router R2 to our BGP peer.

So in my understanding when our vendor initiates a connection towards  100.100.100.2, R2 should immediately drop this packet because we have a static route for 100.100.100.0/28 pointed towards null 0 and those packets from vendor won't be able to make to FWSM(R1).

 

However, that is not the case; all communication is working correctly.

I am not sure how this is working.

Hello

"So in my understanding when our vendor initiates a connection towards 100.100.100.2, R2 should immediately drop this packet" - No, it should be forwarded.

If host 100.100.100.2 is valid, R2 should forward the packet.
However, if that host is not active, R2 will send it to the NULL 0 interface and the packet will be dropped.

 

res

Paul

Hi Paul,

We only have a static route for 100.100.100.0/28 pointed towards null 0 on router R2.

I am wondering how router R2 will forward that packet?

Vivek

Hello

Does R2 have a connected interface for this range or an IGP route to this network?

res

Paul



No. That's why I don't understand how this is working.

What subnet is used for R1 to R2 ?

What does a "sh ip route 10.100.100.2" show on R2 ?

Jon

Hi,

When I show ip route 100.100.100.2, it says that 100.100.100.0/28 is being redistributed into OSPF, advertised by BGP and directly connected through null 0 on router R2.

We do have OSPF running between R2 and R1. 100.100.100.0/28 is the subnet range which we got from the ISP to NAT our traffic. There is no connected interface on 100.100.100.2.

On router R1 we do have a NAT statement configured:

static nat (inside, outside) 100.100.100.2 192.168.10.16 netmask 255.255.255.255

192.168.10.16 is the network behind R1.

 

What IPs are used on the link between R1 and R2 and what subnet mask is being used ?

Jon

Sorry for the late response. I was busy with some other stuff.

We have a layer 2 VLAN on R1 (VLAN no. 10) and we are doing routing on the FWSM for that VLAN, i.e. we have created a layer 3 interface on the FWSM.

The subnet on the FWSM is 172.16.0.21/20 and the bridge interface on R2 has IP address 172.16.0.24/20.

I am not sure how the FWSM works in this regard.

I am getting confused with this one.

 

Hi,

Can anyone provide their valuable thoughts on this?

From the information you have provided so far this should not work.

But it obviously does work so I suspect some information is missing.

For this to work there are two possible setups that I know of -

1) R2 would have a 100.100.100.x IP on its interface connecting to the FWSM, in which case it would ARP for any of those IPs

or

2) R2 needs a route for the subnet pointing to the outside interface IP of the FWSM.

I can't see how else it would work.

Jon
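
Added example, not part of any poster's reply: a small Python model of the route lookup discussed in this thread, covering both Paul's loop-prevention explanation and Jon's point that R2 needs a route toward the FWSM besides the Null0 static. Router names and prefixes are taken from the thread; the ISP's table and the /32 host route are assumptions made for illustration, not the poster's actual configuration.

```python
import ipaddress

def routes(*entries):
    """Build a routing table from (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(p), hop) for p, hop in entries]

def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, dst, ttl=8):
    """Follow a packet router by router and report what happens to it."""
    node = start
    while ttl > 0:
        hop = lookup(tables[node], dst)
        if hop is None or hop == "Null0":
            return "dropped at " + node
        if hop not in tables:          # next hop is an end device, not a router
            return "delivered to " + hop
        node, ttl = hop, ttl - 1
    return "ttl expired (loop)"

# Constructed tables. The ISP forwards the whole /28 to R2.
ISP = routes(("100.100.100.0/28", "R2"))
DEFAULT = ("0.0.0.0/0", "ISP")                # R2's default route
DISCARD = ("100.100.100.0/28", "Null0")       # ip route ... null 0
HOST = ("100.100.100.2/32", "FWSM")           # assumed more specific route

def run(r2_entries, dst):
    """Send a packet for dst from the ISP with the given routes on R2."""
    tables = {"ISP": ISP, "R2": routes(*r2_entries)}
    return trace(tables, "ISP", dst)

if __name__ == "__main__":
    for name, entries in [("default only", [DEFAULT]),
                          ("default + Null0", [DEFAULT, DISCARD]),
                          ("default + Null0 + /32", [DEFAULT, DISCARD, HOST])]:
        for dst in ("100.100.100.2", "100.100.100.5"):
            print(f"{name:24} {dst:15} {run(entries, dst)}")
```

With only the Null0 static on R2, traffic for 100.100.100.2 is dropped, which matches Jon's reading that the setup as described should not work; the packet is delivered only once a more specific route wins the longest-prefix match.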

Hi,

There is no direct connection between the FWSM and R2. This is a logical connection, i.e. the layer 3 connection between them.

The FWSM is sitting on R1.

We have a layer 2 VLAN on R1 (VLAN no. 10) and we are doing routing on the FWSM for that VLAN, i.e. we have created a layer 3 interface on the FWSM.

The subnet on the FWSM is 172.16.0.21/20 and the bridge interface on R2 has IP address 172.16.0.24/20.

We have a BGP Peer with our ISP on router R2 and the outside interface of FWSM is pointing towards that ISP IP.

 

In addition to this the default route from FWSM is also pointing towards that ISP IP.

Please advise.

We are not getting the full picture.

You say the FWSM is pointing to the ISP router as its default gateway but then you also say R2 is advertising subnets to the ISP router.

If R2 is acting as a L3 device then I would have thought the FWSM would be pointing to it as the default gateway.

Perhaps if you provided all the addressing used on the links it would make more sense.

Jon
