The bh routes *are* on the border machine.  The border machine is the 9k I’m
talking about… it’s an mpls l3vpn pe and internet exit point.  I understand
that mpls pdu’s aren’t l3 processed at typical lsr swap locations… but it’s
I guess sort of bothersome to me that at this border node location
whereas I pop (not swap) towards internet interface that I can’t make l3
decision towards bh.

 

Aaron

 

From: Mattias Gyllenvarg [mailto:[email protected]] 
Sent: Thursday, August 15, 2013 2:02 PM
To: Aaron
Subject: Re: [c-nsp] why are packets not following the more specific route -
xr 4.1.2 (asr9k)

 

Oh, I read too fast. 3600x and 901s too...  that may be a problem.

 

So just get the bh-routes on the border machine.

 

On Thu, Aug 15, 2013 at 8:58 PM, Aaron <[email protected]> wrote:

My ascii art may have gotten skewed… the blackhole is connected to LER2…

 

I really would prefer not to send all 1,000+ blackhole routes to all of my
customer-facing pe’s….(me3600’s and asr901’s) .  is there another way
whereas I make that blackhole decision on that boundary 9k?

 

Aaron

 

 

 

From: Mattias Gyllenvarg [mailto:[email protected]] 
Sent: Thursday, August 15, 2013 1:41 PM
To: Aaron


Subject: Re: [c-nsp] why are packets not following the more specific route -
xr 4.1.2 (asr9k)

 

Now you just have to choose your solution. :-) 

Announce the blackhole routes or have the core route everything or don't
fix at all. 

On 15 Aug 2013 20:20, "Aaron" <[email protected]> wrote:

Yes mpls core.

Traceroute on pc----- LER1---- mpls core-----LER2----- internet
                                                |
                                                Blackhole

Yes LER1 doesn't have those /32 blackhole routes.... it does have the
def rt towards internet via LER2.

Aaron


-----Original Message-----
From: LavoJM [mailto:[email protected]]
Sent: Thursday, August 15, 2013 12:41 PM
To: 'Aaron'
Subject: RE: [c-nsp] why are packets not following the more specific route -
xr 4.1.2 (asr9k)

Are you running MPLS in the core, and the first LER does not have a FEC for
the /32, but it does have one for default/other-internet routes?

3


-----Original Message-----
From: cisco-nsp [mailto:[email protected]] On Behalf Of
Aaron
Sent: Thursday, August 15, 2013 11:57 AM
To: [email protected]
Subject: Re: [c-nsp] why are packets not following the more specific route -
xr 4.1.2 (asr9k)

(x.x.x.x is one of the /32 blackhole routes)

Oh and when I do this on that boundary 9k "traceroute x.x.x.x vrf xyz source
y.y.y.y" it appears to NOT follow the default route out to the internet and
it seems that it does follow the more specific blackhole route.  why would
mpls l3vpn located computers deeper into my internal network NOT follow this
more specific route as the packets flow across the forwarding plane of this
boundary 9k ??

Aaron

-----Original Message-----
From: cisco-nsp [mailto:[email protected]] On Behalf Of
Aaron
Sent: Thursday, August 15, 2013 11:49 AM
To: [email protected]
Subject: [c-nsp] why are packets not following the more specific route - xr
4.1.2 (asr9k)

I have a blackhole security device injecting routes into my internet
boundary asr9k.. I see that the bgp prefixes are rcv'd on my 9k and they are
installed in the per-vrf rib.  The next hop for those routes is via a
directly connected interface towards the blackhole.. But for some reason I
continue to see on traceroutes from a computer that's deeper into my
internal network via mpls l3vpn, that this computer's traceroutes flow right
past that 9k's more specific routes and follow the default route out to
the internet.  Any idea why ?



Aaron

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Kind regards
Mattias Gyllenvarg
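
A small model of the behaviour discussed in this thread, added here as an illustration and not posted by anyone on the list. It assumes LER2 advertises one VPN label per prefix and forwards labelled packets on the label alone, which is the hypothesis raised above; the prefixes, label values and interface names are constructed.

```python
import ipaddress

# Constructed sample data following the thread's ASCII art (not real config).
BLACKHOLE = "192.0.2.66/32"
DEFAULT = "0.0.0.0/0"

# LER2 (the border 9k) per-VRF RIB: prefix -> outgoing interface.
LER2_RIB = {DEFAULT: "to-internet", BLACKHOLE: "to-blackhole"}
# Assumption: one VPN label per prefix, advertised by LER2 to the other PEs.
LER2_LABELS = {DEFAULT: 24001, BLACKHOLE: 24002}
# LER2 label table: the label alone selects the outgoing interface.
LER2_LFIB = {label: LER2_RIB[prefix] for prefix, label in LER2_LABELS.items()}


def longest_match(prefixes, dst):
    """Return the most specific prefix in `prefixes` that covers `dst`."""
    addr = ipaddress.ip_address(dst)
    covering = [p for p in prefixes if addr in ipaddress.ip_network(p)]
    if not covering:
        raise LookupError(f"no route to {dst}")
    return max(covering, key=lambda p: ipaddress.ip_network(p).prefixlen)


def from_ler1(dst, ler1_prefixes):
    """Customer packet entering at LER1 and crossing the MPLS core.

    The only IP lookup happens at LER1; LER2 pops the VPN label and
    forwards on it without consulting its own VRF RIB.
    """
    prefix = longest_match(ler1_prefixes, dst)
    label = LER2_LABELS[prefix]   # label LER1 imposes for that prefix
    return LER2_LFIB[label]       # label lookup at LER2, no IP lookup


def from_ler2(dst):
    """Traceroute sourced on LER2 itself: plain IP lookup in the VRF RIB."""
    return LER2_RIB[longest_match(LER2_RIB, dst)]


if __name__ == "__main__":
    target = "192.0.2.66"
    print("sourced on LER2:          ", from_ler2(target))
    print("via LER1, default only:   ", from_ler1(target, [DEFAULT]))
    print("via LER1, bh /32 present: ", from_ler1(target, [DEFAULT, BLACKHOLE]))
```

In this model the /32 only takes effect for transit traffic once the ingress PE carries it, which corresponds to the "announce the blackhole routes" option in the thread.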
