I have a blackhole security device injecting routes into my internet
boundary asr9k. I see that the bgp prefixes are rcv'd on my 9k and they are
installed in the per-vrf rib. The next hop for those routes is via a
directly connected interface towards the blackhole. But for some reason I
(x.x.x.x is one of the /32 blackhole routes)
Oh and when I do this on that boundary 9k traceroute x.x.x.x vrf xyz source
y.y.y.y it appears to NOT follow the default route out to the internet and
it seems that it does follow the more specific blackhole route. why would
mpls l3vpn located
Yes mpls core.
Traceroute on pc- LER1 mpls core-LER2- internet
                                  |
                              Blackhole
Yes, LER1 doesn't have those /32 blackhole routes; it does have the
def rt towards internet via LER2.
No label to the blackhole?
If LER1 isn't getting the routes how is it going to build the LSP to the
blackhole?
On Thu, Aug 15, 2013 at 2:05 PM, Aaron aar...@gvtc.com wrote:
Yes mpls core.
Traceroute on pc- LER1 mpls core-LER2- internet
If ler1 flows everything via 0/0 lsp towards ler2, doesn't ler2 pop all mpls
tags prior to routing out towards internet via def rt ?. if so couldn't
a more specific routing decision be made at that point towards blackhole /32
routes ?
Aaron
p.s. Why was vanilla ip forwarding more
It can't and it won't.
This is a nice gotcha for MPLS, we were pulling our hair for a while until
we got it in our heads that MPLS packets are not processed at every L3-hop.
On Thu, Aug 15, 2013 at 8:16 PM, Aaron dudep...@gmail.com wrote:
No label to the blackhole?
If LER1 isn't getting the
Hmmm, thanks. I really would prefer not to send all 1,000+ blackhole routes
to all of my customer-facing pe's (me3600's and asr901's). Is there
another way whereas I make that blackhole decision on that boundary 9k?
Aaron
From: LavoJM [mailto:lav...@secureobscure.com]
Sent:
I'm 100% on this but.
Are they destined for the remote end of the link they might not get
processed.
But if they are destined for the loopback of LER2 then they should.
On Thu, Aug 15, 2013 at 8:24 PM, Aaron aar...@gvtc.com wrote:
If ler1 flows everything via 0/0 lsp towards ler2, doesn't
The bh routes *are* on the border machine. The border machine is the 9k I'm
talking about… it's a mpls l3vpn pe and internet exit point. I understand
that mpls pdus aren't l3 processed at typical lsr swap locations… but it's
I guess sort of bothersome to me that at this border node
The next hop of those bh routes is an ip address on the distant end of a
layer 2 segment which is connected to that border asr9k
Aaron
From: Mattias Gyllenvarg [mailto:matt...@gyllenvarg.se]
Sent: Thursday, August 15, 2013 2:27 PM
To: Aaron
Cc: Aaron; cisco-nsp; LavoJM
Subject: Re:
The internet routes are the relevant ones. Do they point to lo0 or remote
end?
I'm sure one of the knights of the round table (Gert, Oliver, Adam etc)
could answer about L3 processing at the end point.
On Thu, Aug 15, 2013 at 9:35 PM, Aaron aar...@gvtc.com wrote:
The next hop of those bh
On (2013-08-15 14:35 -0500), Aaron wrote:
The next hop of those bh routes is an ip address on the distant end of a
layer 2 segment which is connected to that border asr9k
Your popped label has L2 rewrite information, so no IP lookup is required.
In VRF you can force single label for whole
Internet routes? I have only one…. Yours truly 0/0 ….I learn one route via
ebgp from my upstream provider… 0/0
I learn 1,000+ other routes via ebgp (multihop several hops away) from
another neighbor… this is the blackhole appliance injecting bgp routes into
my same internet border asr9k
Yeah, then it's the next hop of the 0/0 that's relevant.
How many routes do you have in ibgp then? Sounds like very few...
On Thu, Aug 15, 2013 at 10:25 PM, Aaron aar...@gvtc.com wrote:
Internet routes? I have only one…. Yours truly 0/0 ….I learn one route
via ebgp from my upstream provider…
Thanks folks, as usual, very helpful… I went back to the way I tested this a
while back… simply redis bgp learned bh routes into ospf, and then ospf is
already redis'd at a multihomed ce-pe location…. That's it, now the 1,000+
routes show up in all the pe's… customer facing pe's and internet
There are a good many ways to deal with this. What you need to do is read
up and make sure you understand what the labels are actually pointing to
and what that means for the forwarding process, especially on a hardware
platform like your endpoint in question.
This isn't one of those tell me how