Scenario:
You are applying for a new job at a Dutch networking company specialised in routing & switching solutions. One of the senior networking engineers decides to put you to the test and see what your skills are like. He shows you an IBGP problem where traffic is being blackholed…time for you to show him a trick or two.
Goal:
- IP addresses have been preconfigured as specified in the topology picture.
- Configure IBGP AS 123 on router King and Queen, use the physical interfaces.
- The senior network engineer has prohibited you from making any changes to router Prince.
- Advertise the loopback0 interfaces from router King and Queen into BGP.
- You are not allowed to use static routes to reach the loopback interfaces, use IBGP to achieve this.
- Ensure you can ping each other's loopback addresses from router King or Queen.
IOS:
c3640-jk9s-mz.124-16.bin
Topology:
Written by René Molenaar - CCIE #41726
Hi, this took me almost one hour to solve using a GRE tunnel. It is very tricky; the GRE tunnel is not enough. Thanks for this lab.
Glad you like it. Once you solve this one you’ll never forget about this problem anymore.
Hi Dear,
Could anyone tell me where the right solution is? I think I did the lab right, but I need to confirm it.
Thank you in advance.
Hector
Rene,
Thanks a lot, do you have the right solution?
The solution has something to do with a GRE tunnel…8)
Great lab, I used GRE with 2 protocols (including BGP) and one static route (but not to the loopbacks). Is that about right, Rene?
King#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
ping 3.3.3.3 source tunnel 0
Let’s see if it’s working right; I think you are pinging outside the tunnel. Also, you MUSTN’T touch the Prince router.
It is not a straightforward lab.
Yep, I can ping when sourcing from tun0. Did a debu ip packet
King#ping 3.3.3.3 sour t0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 172.12.23.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/212/368 ms
King#
*Mar 1 00:07:49.879: IP: s=172.12.23.3 (Tunnel0), d=224.0.0.10, len 60, rcvd 0, proto=88
*Mar 1 00:07:50.295: IP: s=1.1.1.1 (local), d=224.0.0.10 (Loopback0), len 60, sending broad/multicast, proto=88
*Mar 1 00:07:50.303: IP: s=1.1.1.1 (Loopback0), d=224.0.0.10, len 60, rcvd 2, proto=88!
*Mar 1 00:07:50.911: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB
*Mar 1 00:07:50.915: IP: s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), len 100, sending
*Mar 1 00:07:50.919: ICMP type=8, code=0
*Mar 1 00:07:50.923: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 124, sending, proto=47
*Mar 1 00:07:51.371: IP: tableid=0, s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), routed via RIB
*Mar 1 00:07:51.375: IP: s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), len 100, rcvd 3
*Mar 1 00:07:51.379: ICMP type=0, code=0
*Mar 1 00:07:51.387: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB!
*Mar 1 00:07:51.391: IP: s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), len 100, sending
*Mar 1 00:07:51.395: ICMP type=8, code=0
*Mar 1 00:07:51.395: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 124, sending, proto=47
*Mar 1 00:07:51.499: IP: s=172.12.23.1 (local), d=224.0.0.10 (Tunnel0), len 60, sending broad/multicast, proto=88
*Mar 1 00:07:51.503: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 84, sending, proto=47
*Mar 1 00:07:52.111: IP: tableid=0, s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), routed via RIB
*Mar 1 00:07:52.115: IP: s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), len 100, rcvd 3!
*Mar 1 00:07:52.119: ICMP type=0, code=0
*Mar 1 00:07:52.123: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB
*Mar 1 00:07:52.127: IP: s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), len 100, sending
*Mar 1 00:07:52.131: ICMP type=8, code=0
*Mar 1 00:07:52.131: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 124, sending, proto=47
*Mar 1 00:07:53.167: IP: tableid=0, s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), routed via RIB
*Mar 1 00:07:53.171: IP: s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), len 100, rcvd 3
*Mar 1 00:07:53.175: ICMP type=0, code=0
*Mar 1 00:07:53.179: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB
Show ip route, please.
Also remember, you don’t have to touch the middle router.
The GRE and static route hints enabled me to solve it (Thanks!). Initially I used a routing protocol on the Prince router but after reading you didn’t need to touch it I removed the protocol and tried using static routes to it instead. Much to my pleasant surprise they did the trick! Was able to ping the loopbacks and verified they went via the tunnel. Great lab!
If you feel like you have everything right and still do not see your routes, don’t forget to check the subnet mask for each loopback.
Thanks for the hint on gre and static. Actually got the BGP peering and tunnel up for a couple of minutes without the static and then got a recursive routing error which shut down the tunnel and ultimately removed the BGP peering. I found a good explanation about what was happening at http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml. I believe I’ve got it now. No flapping of the tunnel, full reachability, no statics to the loopbacks, and no config change to Prince. Fun lab. And it looked so simple at first ;D
Glad you guys like it..I love this lab, it looks so simple but it’s tough…
This is a tough one. I’m currently studying CCNP Route and not sure where to start with this one other than the GRE tunnel / static route hints. Are there any reading materials I can look at since I think this is outside the scope of my exam but I’m looking to learn as much as possible!
Managed to solve it with those hints after all. Very good lab.
Cannot get it to work, unless the BGP neighboring is on the Tu interface instead of physical. What did I miss?
On Queen:
Queen#sh run | s bgp
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 network 3.3.3.0 mask 255.255.255.0
 neighbor 172.16.1.2 remote-as 123
 no auto-summary
S 192.168.12.0/24 [1/0] via 192.168.23.2
1.0.0.0/24 is subnetted, 1 subnets
B 1.1.1.0 [200/0] via 172.16.1.2, 00:00:04
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 192.168.23.0/24 is directly connected, FastEthernet0/0
Thanks for the hints, got it working! Tricky one.
Can I change IBGP peering to Tunnel interfaces? Is this allowed?
Dear,
kindly make a video solution for this lab.
Thanks, this lab was really good practice for me as I am taking the CCNP Route next week. To provide an answer to the person above you will need to add the neighbor 172.16.1.2 update-source tunnel0 to your bgp configuration. Without this command the bgp packets will have a source address of the closest interface it is egressing from which is going to be fa0/0. If the King router receives a bgp packet from Queen’s fa0/0 it will not know how to get back to that interface as its IP isn’t in the Routing Table. Rene let me know if I overlooked something.
This is the example of my configuration on King which should help those that are stuck.
King#show run int tun 0
Building configuration…
Current configuration : 128 bytes
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
end
King#show run | s bgp
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 172.16.1.2 remote-as 123
 neighbor 172.16.1.2 update-source Tunnel0
 no auto-summary
King#show ip bgp summary
BGP router identifier 192.168.12.1, local AS number 123
BGP table version is 3, main routing table version 3
2 network entries using 234 bytes of memory
2 path entries using 104 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 710 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.1.2 4 123 26 26 3 0 0 00:22:03 1
King#show ip bgp
BGP table version is 3, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.0/24 0.0.0.0 0 32768 i
*>i3.3.3.0/24 172.16.1.2 0 100 0 i
Gr8, works brilliantly. Might I add to the previous comment, you have to use “ip route” command as well apart from the tunnel interface.
Why “blackhole routing”?
Hi Yury,
We call it blackhole because the router in the middle doesn’t know about the destination in the IP packet and will drop the packet.
Rene
PS – still have to do the solution for this one…;D
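The blackhole described in the reply above, and the recursive routing error mentioned in an earlier comment, traced hop by hop. This is an added example, not part of the original page or its comments; the routing tables are a constructed model of the lab, Prince's 192.168.12.2 address is an assumption, and the tunnel addresses follow the 172.16.1.0/30 configuration posted in the comments.

```python
import ipaddress

# Constructed model of the lab; Prince's 192.168.12.2 address is an assumption.
OWNER = {"192.168.12.1": "King", "1.1.1.1": "King", "172.16.1.1": "King",
         "192.168.12.2": "Prince", "192.168.23.2": "Prince",
         "192.168.23.3": "Queen", "3.3.3.3": "Queen", "172.16.1.2": "Queen"}
TUNNEL_DST = {"King": "192.168.23.3", "Queen": "192.168.12.1"}

def base_tables():  # IBGP between the physical addresses, no tunnel yet
    return {
        "King": {"192.168.12.0/24": "connected",
                 "192.168.23.0/24": "192.168.12.2",   # static toward Prince
                 "3.3.3.0/24": "192.168.23.3"},       # IBGP, next hop Queen Fa0/0
        "Prince": {"192.168.12.0/24": "connected", "192.168.23.0/24": "connected"},
        "Queen": {"192.168.23.0/24": "connected", "192.168.12.0/24": "192.168.23.2",
                  "1.1.1.0/24": "192.168.12.1"},      # IBGP, next hop King Fa0/0
    }

def with_tunnel(tables):  # add Tunnel0, point the loopback routes at the tunnel
    tables["King"].update({"172.16.1.0/30": "tunnel", "3.3.3.0/24": "172.16.1.2"})
    tables["Queen"].update({"172.16.1.0/30": "tunnel", "1.1.1.0/24": "172.16.1.1"})
    return tables

def lookup(table, dst):
    """Longest-prefix match: 'connected', 'tunnel', a next-hop IP, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in table if addr in ipaddress.ip_network(p)]
    return table[max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)] if hits else None

def trace(tables, router, dst, depth=0):
    """Forward hop by hop; return (result, list of routers visited)."""
    path = [router]
    while OWNER.get(dst) != router:
        hop, target = lookup(tables[router], dst), dst
        while hop not in (None, "connected", "tunnel"):  # recursive next-hop lookup
            target, hop = hop, lookup(tables[router], hop)
        if hop is None:
            return "dropped at " + router, path          # the blackhole
        if hop == "tunnel":                              # GRE: route the outer packet
            if depth > 3:
                return "recursive routing at " + router, path
            result, outer = trace(tables, router, TUNNEL_DST[router], depth + 1)
            if not result.startswith("delivered"):
                return result, path + outer[1:]
            path, router = path + outer[1:], outer[-1]   # decapsulated at far end
        else:
            router = OWNER[target]
            path.append(router)
    return "delivered to " + router, path
```

Without the tunnel, `trace(base_tables(), "King", "3.3.3.3")` stops at Prince; with `with_tunnel(...)` Prince only ever routes the outer GRE packet between the physical addresses. Adding a more specific route for 192.168.23.3 that points into the tunnel on King reproduces the recursive routing condition.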
Great lab!
Barry’s solution posted July 28, 2011, works but he is using Tun0 ip addresses as BGP neighbors but one of the conditions was that we have to use the physical interfaces for BGP. I tried more than once to do this lab, great lab by the way, using King and Queen Fa0/0 ip addresses but to no avail. If there is another solution to this lab I would like to see it just because it bugs me not being able to solve the lab without using tunnel interface IP as BGP neighbor.
Like Eric, I got it to work with GRE tunnel and 2 routing protocols too (Including BGP as well).
Is it the correct solution Rene?
Where is the video solution? I would appreciate it if you upload the video solution.
It’s not here yet but I’ll upload it soon.
Awesome lab, needed the GRE hint to do this though. I have nearly got through all the BGP labs.
A tunnel must be used.
And I think that a good idea is to use a route-map when announcing the loopbacks into BGP, that sets the next hop for the route to the tunnel interface. I did not try this yet but it should work.
Router King:
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source 192.168.12.1
 tunnel destination 192.168.23.3
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 192.168.23.3 remote-as 123
 neighbor 192.168.23.3 route-map nexthop in
 no auto-summary
route-map nexthop permit 10
 set ip next-hop 172.16.0.2
Router Queen:
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 tunnel source 192.168.23.3
 tunnel destination 192.168.12.1
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 network 3.3.3.0 mask 255.255.255.0
 neighbor 192.168.12.1 remote-as 123
 neighbor 192.168.12.1 route-map nexthop in
 no auto-summary
route-map nexthop permit 10
 set ip next-hop 172.16.0.1
Now I have tested the proposed solution and it works:
Queen#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/44/68 ms
King#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
This way BGP uses physical interfaces.
Great lab!
Don’t know if I would have solved it without the hints ;D
This one was very fun. Thanks a lot Rene for the labs.
Glad you liked it!
Great Lab !
You are welcome!
This lab doesn’t make any sense at all? Where are others getting the 172 subnet from?
They are choosing to use 172 subnet for their tunnel interfaces (e.g. Tu0).
Rene used 192.168.13.0/24 on his.
This lab confused me because I had not heard of “blackhole routing” used in this context before.
I thought this lab was for RTBHR (remotely triggered black hole routing).
I come across instances every day where I see an implementation … a solution … and no understanding as to why it was the fix. A quick fix … it seems to me should not be a permanent solution … so explanation as to “Why” your scenarios are practical would serve me well. Obviously, I do not mean the basic labs … but the lab such as this one would have been nice. I do like the GNS3Vault labs indeed.
Thank You
Hi Bobby,
Good question, for most of the labs I really focused on the task making the labs a bit like the CCIE lab exam tasks so it’s not always something that you could see on a real production network.
This lab is a good example of something that you could find in a CCIE lab. A requirement where we need IBGP between two routers that are not directly connected and some restrictions so we really have to know all the different options.
If you would like some more background knowledge you might like my other website too (http://networklessons.com). I write tutorials there that focus more on the “why”.
Rene