BGP route black holing - something odd here?

From: Chuck Larrieu (chuck@xxxxxxxxxxxxx)
Date: Sat Feb 17 2001 - 20:41:32 GMT-3


   
Hey, guys, tired of this yet ;->

Practicing the black-holing of BGP routes.

Situation:

AS 51002 ( R6) connects to AS 51002 ( R5) and to AS 51000 ( R1 )

AS 51002 ( R5) connects to AS 51002 ( R6) and to AS 51003 ( R4, which in
turn connects to AS 51000 )

AS 51001 ( R3 ) dual homes to the AS 51002 routers.

On R5 I black-hole a particular route.

Access-list 1 deny route
Access-list 1 permit any
Route-map BLACKHOLE permit 10
        Match IP addr 1

Router bgp 51002
Neighbor R3 route-map BLACKHOLE out

At this point R3 sees the world the way I think it should, with the only
path to the black-holed route being through R6.

Next, I add a second route-map, and black-hole this route to R6 ( same AS )

Router BGP 51002
Neighbor R6 route-map BLACKHOLE out

I predict that everyone should still see the route in question via R4 the
long way.

But that is not what happens. R4 sees the route. Everyone in AS5100 sees the
route. This is according to the prediction.

But now R6 cannot see the route in BGP. It sees the route in the IGP through
its connection to R5.

I shut down the interface to R5, killing the IGP connection to that router,
and now all the routes that originate on that router disappear.

At this point, I believe what I have is AS 51002 split in half because of
the interface shut down. R6, seeing routes to its own AS being advertised
through a different AS, is saying that these routes cannot be trusted, and
so is dropping them. The debugs I am running appear to indicate that is the
case. I see routes that originate on R5 being denied in the output from
debug ip bgp updates.

Make sense?

Lesson to be learned - never black-hole routes to your iBGP neighbors?

Chuck

A long shot at passing is better than no shot.
Right now that's all I got to get me through,
So I gotta believe!

( paraphrased from Kathy Baille / Baille and the Boys
a song from several years ago )
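
The following Python model is an added example, not part of the original message. It assumes AS 51000 is the single router R1, that the filtered prefix (a constructed placeholder) originates on R5, and that best path is simply the shortest AS_PATH; it applies the outbound route-map filters and eBGP AS_PATH loop detection to the topology in the post to show which routers keep the route.

```python
# Added example: a toy BGP propagation model of the lab in the post (not IOS).
# Assumptions: AS 51000 is the single router R1, the prefix originates on R5,
# and best path = shortest AS_PATH only.
ASN = {"R1": 51000, "R3": 51001, "R4": 51003, "R5": 51002, "R6": 51002}
LINKS = [("R5", "R6"), ("R6", "R1"), ("R5", "R4"), ("R4", "R1"),
         ("R3", "R5"), ("R3", "R6")]
PREFIX = "192.0.2.0/24"  # constructed placeholder for the black-holed route


def simulate(out_deny, origin="R5"):
    """out_deny: set of (speaker, neighbor) sessions whose outbound route-map
    denies PREFIX. Returns (table, drops): table maps router -> (as_path,
    learned_from); drops lists (router, as_path) rejected by loop detection."""
    nbrs = {r: set() for r in ASN}
    for a, b in LINKS:
        nbrs[a].add(b)
        nbrs[b].add(a)
    table, drops, changed = {origin: ((), None)}, [], True
    while changed:
        changed = False
        for spk in sorted(table):
            path, src = table[spk]
            for n in sorted(nbrs[spk]):
                if (spk, n) in out_deny:
                    continue  # outbound route-map filters the prefix
                ibgp = ASN[spk] == ASN[n]
                if ibgp and src is not None and ASN[src] == ASN[spk]:
                    continue  # iBGP-learned routes are not passed to iBGP peers
                adv = path if ibgp else (ASN[spk],) + path
                if ASN[n] in adv:  # receiver finds its own AS in AS_PATH
                    if (n, adv) not in drops:
                        drops.append((n, adv))
                    continue
                if n != origin and (n not in table or len(adv) < len(table[n][0])):
                    table[n] = (adv, spk)
                    changed = True
    return table, drops


if __name__ == "__main__":
    for deny in (set(), {("R5", "R3")}, {("R5", "R3"), ("R5", "R6")}):
        table, drops = simulate(deny)
        print(sorted(deny), {r: table[r] for r in sorted(table)})
        print("  loop drops at R6:", [p for r, p in drops if r == "R6"])
```

With both filters applied, the only copy of the route that reaches R6 arrives from R1 with 51002 already in its AS_PATH, so R6 discards it.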


