Hi,
Try adding the following on your PE(s) to make the nexthop accessible within
the vrf:
ip route 172.31.254.254 255.255.255.255 Null0
The next-hop within the vrf for routes learned via VPNv4 needs to be
resolvable in the global table for the route to be installed... The route
within the VRF is needed, too, because we can use that to have URPF drop the
packet on ingress - either rx (obvious) or any (because it'll drop anything
that is pointing to Null0) will work so it's good for even a redundant
design.
Didn't feel like sleeping yet so a working example follows:
We want to blackhole CE sending traffic src 7.7.7.7 dst 4.4.4.4:
CE, nothing special in config:
==============================
!
interface Loopback7
ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet1/0
description PE1
ip address 9.9.9.1 255.255.255.254
speed auto
duplex auto
no cdp enable
!
router bgp 2
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 9.9.9.0 remote-as 1
neighbor 9.9.9.0 send-community
neighbor 9.9.9.0 soft-reconfiguration inbound
no auto-summary
!
PE1 is connected to CE and PE2:
===============================
ip vrf foo
rd 1:1
route-target export 1:1
route-target import 1:1
interface Null0
no ip unreachables
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no ip proxy-arp
ip ospf 1 area 0
!
interface FastEthernet0/0
description CE
ip vrf forwarding foo
ip address 9.9.9.0 255.255.255.254
ip verify unicast source reachable-via any
duplex full
no cdp enable
!
interface GigabitEthernet1/0
description PE2
ip address 10.1.1.1 255.255.255.0
no ip proxy-arp
ip ospf 1 area 0
negotiation auto
mpls ip
!
router ospf 1
log-adjacency-changes
passive-interface default
no passive-interface GigabitEthernet1/0
!
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
exit-address-family
!
address-family ipv4 vrf foo
redistribute connected
redistribute static
neighbor 9.9.9.1 remote-as 2
neighbor 9.9.9.1 activate
neighbor 9.9.9.1 as-override
no auto-summary
no synchronization
exit-address-family
!
ip route 6.6.6.6 255.255.255.255 Null0
ip route vrf foo 6.6.6.6 255.255.255.255 Null0
PE2 (the one that triggers):
============================
interface Null0
no ip unreachables
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no ip proxy-arp
ip ospf 1 area 0
!
interface Loopback2
ip vrf forwarding foo
ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet1/0
description PE1
ip address 10.1.1.2 255.255.255.0
no ip proxy-arp
ip ospf 1 area 0
negotiation auto
mpls ip
!
router ospf 1
log-adjacency-changes
passive-interface default
no passive-interface GigabitEthernet1/0
!
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 1.1.1.1 route-map vpn-hole out
exit-address-family
!
address-family ipv4 vrf foo
redistribute connected
redistribute static route-map hole
no auto-summary
no synchronization
exit-address-family
!
ip bgp-community new-format
ip community-list standard com-hole permit 1:666
!
route-map hole permit 10
match tag 666
set ip next-hop 6.6.6.6
set local-preference 777
set origin igp
set community 1:666 no-export
!
route-map hole deny 20
!
route-map vpn-hole permit 10
match community com-hole
set ip next-hop 6.6.6.6
!
route-map vpn-hole permit 20
!
By default things work fine:
CE#ping 4.4.4.4 so 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/23/44 ms
CE#
PE1#sh bgp vpnv4 uni vrf foo 7.7.7.7
BGP routing table entry for 1:1:7.7.7.7/32, version 106
Paths: (1 available, best #1, table foo)
Advertised to update-groups:
1
2
9.9.9.1 from 9.9.9.1 (9.9.9.1)
Origin incomplete, metric 0, localpref 100, valid, external, best
Extended Community: RT:1:1
mpls labels in/out 24/nolabel
PE1#
PE1#sh ip cef vrf foo 4.4.4.4 int
4.4.4.4/32, epoch 0, RIB[B], refcount 5, per-destination sharing
sources: RIB
feature space:
LFD: 4.4.4.4/32 0 local labels
contains path extension list
label switch chain 0x64EB3F80
IPRM: 0x00018000
ifnums: (none)
path_list contains at least one resolved destination(s). HW not notified
path 643F028C, path list 643E3F50, share 1/1, type recursive nexthop, for
IPv4, flags resolved, must-be-labelled
MPLS short path extensions: MOI flags = 0x4
recursive via 2.2.2.2[IPv4:Default] label 18, fib 64435328, 1 terminal fib
path 643F085C, path list 643E4610, share 0/1, type attached nexthop, for
IPv4
MPLS short path extensions: MOI flags = 0x0
nexthop 10.1.1.2 GigabitEthernet1/0 label explicit-null, adjacency IP
adj out of GigabitEthernet1/0, addr 10.1.1.2 64640DA0
output chain: label 18 label explicit-null TAG adj out of
GigabitEthernet1/0, addr 10.1.1.2 64640C20
PE1#sh ip cef vrf foo 7.7.7.7 int
7.7.7.7/32, epoch 0, RIB[B], refcount 5, per-destination sharing
sources: RIB
feature space:
LFD: 7.7.7.7/32 1 local label
local label info: other/24
contains path extension list
disposition chain 0x64EB3FE8
IPRM: 0x00018000
ifnums:
FastEthernet0/0(3): 9.9.9.1
path_list contains at least one resolved destination(s). HW not notified
path 643F0308, path list 643E3FE0, share 1/1, type recursive nexthop, for
IPv4, flags resolved
MPLS short path extensions: MOI flags = 0x5
recursive via 9.9.9.1[IPv4:foo], fib 64434DA8, 1 terminal fib
path 643F0574, path list 643E42B0, share 1/1, type adjacency prefix, for
IPv4
attached to FastEthernet0/0, adjacency IP adj out of FastEthernet0/0,
addr 9.9.9.1 64640AA0
output chain: IP adj out of FastEthernet0/0, addr 9.9.9.1 64640AA0
PE1#
Trigger blackholing for 7.7.7.7 on PE2 within VRF foo:
PE2(config)#ip route vrf foo 7.7.7.7 255.255.255.255 Null0 tag 666
Make sure we got it on PE1:
PE1#sh bgp vpnv4 uni all 7.7.7.7
BGP routing table entry for 1:1:7.7.7.7/32, version 116
Paths: (2 available, best #2, table foo)
Flag: 0x420
Advertised to update-groups:
1
Local
6.6.6.6 (inaccessible) from 2.2.2.2 (2.2.2.2)
Origin IGP, metric 0, localpref 777, valid, internal
Community: 1:666 no-export
Extended Community: RT:1:1
mpls labels in/out 20/17
2
9.9.9.1 from 9.9.9.1 (9.9.9.1)
Origin incomplete, metric 0, localpref 100, valid, external, best
Extended Community: RT:1:1
mpls labels in/out 20/nolabel
PE1#
Yup, we got it but it's inaccessible. No change in FIB either:
PE1#
PE1#sh ip cef vr foo 7.7.7.7 de
7.7.7.7/32, epoch 0
local label info: other/24
recursive via 9.9.9.1
attached to FastEthernet0/0
PE1#
Add 6.6.6.6/32 in global on PE1:
PE1(config)#ip route 6.6.6.6 255.255.255.255 Null0
Check again:
PE1#sh bgp vpnv4 unicast all 7.7.7.7
BGP routing table entry for 1:1:7.7.7.7/32, version 118
Paths: (2 available, best #1, table foo, not advertised to EBGP peer)
Flag: 0x420
Not advertised to any peer
Local
6.6.6.6 from 2.2.2.2 (2.2.2.2)
Origin IGP, metric 0, localpref 777, valid, internal, best
Community: 1:666 no-export
Extended Community: RT:1:1
mpls labels in/out nolabel/17
2
9.9.9.1 from 9.9.9.1 (9.9.9.1)
Origin incomplete, metric 0, localpref 100, valid, external
Extended Community: RT:1:1
PE1#
Check that it got installed, too. (Note the "recursive via 6.6.6.6[IPv4:Default]"
there in the middle):
PE1#sh ip cef vrf foo 7.7.7.7 int
7.7.7.7/32, epoch 0, RIB[B], refcount 5, per-destination sharing
sources: RIB
feature space:
LFD: 7.7.7.7/32 0 local labels
contains path extension list
label switch chain 0x64EB3FE8
IPRM: 0x00018000
ifnums: (none)
path_list contains no resolved destination(s). HW not notified
path 643F066C, path list 643E43D0, share 1/1, type recursive nexthop, for
IPv4, flags resolved, must-be-labelled
MPLS short path extensions: MOI flags = 0x4
recursive via 6.6.6.6[IPv4:Default] label 21, fib 64434EA8, 1 terminal fib
path 643F047C, path list 643E4190, share 1/1, type attached host, for
IPv4
attached to Null0, adjacency Null0
output chain: label 21 drop
PE1#
No drops so far:
PE1#sh ip int fa0/0 | i drops
0 verification drops
0 suppressed verification drops
PE1#
Ping again:
CE#ping 4.4.4.4 so 7.7.7.7 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
.....
Success rate is 0 percent (0/5)
CE#
5 packets, 5 drops:
PE1#sh ip int fa0/0 | i drops
5 verification drops
0 suppressed verification drops
PE1#
HTH :)
Kaj
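The three prerequisites Kaj's example relies on (a global Null0 host route for the blackhole next-hop so the VPNv4 path is not "inaccessible", the same host route inside the VRF, and uRPF on the CE-facing VRF interface so the source gets dropped on ingress) are easy to forget on one PE out of many. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style running-config and reports which of those prerequisites are missing. The two embedded configs are constructed samples, one trimmed from the PE1 config above and one modelled on the original question (only the VRF route present); the interface name GigabitEthernet0/1 and the 192.0.2.1 address in the second sample are invented placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample: the PE1 running-config from the thread, trimmed to the
# stanzas that matter for the source-based blackhole (SBBH) prerequisites.
PE1_CONFIG = """\
ip vrf foo
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
interface FastEthernet0/0
 description CE
 ip vrf forwarding foo
 ip address 9.9.9.0 255.255.255.254
 ip verify unicast source reachable-via any
!
interface GigabitEthernet1/0
 description PE2
 ip address 10.1.1.1 255.255.255.0
 mpls ip
!
ip route 6.6.6.6 255.255.255.255 Null0
ip route vrf foo 6.6.6.6 255.255.255.255 Null0
"""

# Constructed sample modelled on the original question: the VRF null route is
# there, but the global one (and uRPF) is not. Interface name/address are placeholders.
LAB_CONFIG = """\
interface GigabitEthernet0/1
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.252
!
ip route vrf INTERNET 172.31.254.254 255.255.255.255 Null0
"""

# Top-level static route: "ip route [vrf NAME] PREFIX MASK NEXTHOP-OR-INTERFACE ..."
ROUTE_RE = re.compile(
    r"^ip route (?:vrf (?P<vrf>\S+) )?(?P<prefix>\S+) (?P<mask>\S+) (?P<via>\S+)"
)
# Either uRPF syntax: the current "source reachable-via rx|any" or the legacy "reverse-path".
URPF_RE = re.compile(r"^ip verify unicast (?:source reachable-via (?:rx|any)|reverse-path)")


@dataclass
class Finding:
    ok: bool
    message: str


def parse_config(config):
    """Split an IOS running-config into static routes and per-interface sub-commands.

    Works whether or not the one-space IOS indentation survived (it is stripped in
    the thread): a stanza ends at a '!' line or at the next top-level command we care about.
    """
    routes = []        # (vrf or None, prefix, mask, via)
    interfaces = {}    # interface name -> list of stripped sub-command lines
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["vrf"], m["prefix"], m["mask"], m["via"]))
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line)
    return routes, interfaces


def audit_sbbh(config, vrf, nexthop):
    """Check one PE config for the SBBH prerequisites for a given VRF and blackhole next-hop."""
    routes, interfaces = parse_config(config)
    findings = []
    host_routes = [r for r in routes if r[1] == nexthop and r[2] == "255.255.255.255"]
    null_global = any(r[0] is None and r[3].lower().startswith("null") for r in host_routes)
    findings.append(Finding(null_global, (
        f"global Null0 host route for {nexthop} present" if null_global else
        f"missing global Null0 route for {nexthop}: VPNv4 path will show '(inaccessible)'")))
    null_vrf = any(r[0] == vrf and r[3].lower().startswith("null") for r in host_routes)
    findings.append(Finding(null_vrf, (
        f"vrf {vrf} Null0 host route for {nexthop} present" if null_vrf else
        f"missing 'ip route vrf {vrf} {nexthop} 255.255.255.255 Null0': uRPF has nothing to drop on")))
    vrf_ifs = [n for n, subs in interfaces.items() if f"ip vrf forwarding {vrf}" in subs]
    if not vrf_ifs:
        findings.append(Finding(False, f"no interface is bound to vrf {vrf}"))
    for name in vrf_ifs:
        urpf = any(URPF_RE.match(s) for s in interfaces[name])
        findings.append(Finding(urpf, (
            f"{name}: uRPF enabled" if urpf else
            f"{name}: no 'ip verify unicast source reachable-via rx|any'; source will not be dropped")))
    return findings


def is_ready(findings):
    return all(f.ok for f in findings)


if __name__ == "__main__":
    for name, cfg, vrf, nh in (("PE1", PE1_CONFIG, "foo", "6.6.6.6"),
                               ("lab", LAB_CONFIG, "INTERNET", "172.31.254.254")):
        print(f"== {name} (vrf {vrf}, blackhole next-hop {nh})")
        for f in audit_sbbh(cfg, vrf, nh):
            print(("  OK   " if f.ok else "  FAIL ") + f.message)
```

Run it against a `show running-config` capture from each PE that imports the trigger's VPNv4 routes; the FAIL lines are exactly the things to add before expecting the BGP path to become best and the uRPF "verification drops" counter to move.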
> From: Bryan Bartik <[email protected]>
> Date: Thu, 27 Aug 2009 11:36:40 -0700
> To: <[email protected]>, <[email protected]>
> Subject: [OSL | CCIE_SP] SBBH in an MPLS VPN
>
> Hello,
>
> I am trying to set up a source-based black hole in an MPLS VPN but I cannot get
> the discard route to properly be accepted as a next hop; output says
> "inaccessible".
>
> Trigger----->PE
>
> Trigger is sending x.x.x.98/32 to the PE.
> On the PE, I have a route-map that sets all next hops (VRF) from trigger to
> 172.31.254.254.
> On the PE, I have a null route in the VRF for 172.31.254.254.
>
> lab#sho run | inc ip route
> ip route vrf INTERNET 172.31.254.254 255.255.255.255 Null0
>
> lab#sho route-map SBBH
> route-map SBBH, permit, sequence 10
> Match clauses:
> Set clauses:
> local-preference 252
> ip vrf INTERNET next-hop 172.31.254.254
> Policy routing matches: 0 packets, 0 bytes
>
> BGP routing table entry for xxx:xxx:x.x.x.98/32, version 3747716
> Paths: (2 available, best #2, table INTERNET)
> Not advertised to any peer
> 65187
> 172.31.254.254 (inaccessible) from x.x.x.x (TRIGGER IP)
> Origin incomplete, metric 0, localpref 252, valid, external
> Extended Community: RT:xxx:xxx
>
> Am I missing something?
>
> Thanks,
>
> --
> Bryan Bartik
> CCIE #23707 (R&S), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com