BGP IBGP Blackhole Routing

Written by Rene Molenaar. Posted in BGP

Scenario:

You are applying for a new job at a Dutch networking company specialised in routing & switching solutions. One of the senior networking engineers decides to put you to the test and see what your skills are like. He shows you an IBGP problem where traffic is being blackholed... time for you to show him a trick or two.

Goal:

  • IP addresses have been preconfigured as specified in the topology picture.
  • Configure IBGP AS 123 on routers King and Queen, using the physical interfaces.
  • The senior network engineer has prohibited you from making any changes to router Prince.
  • Advertise the loopback0 interfaces of routers King and Queen into BGP.
  • You are not allowed to use static routes to reach the loopback interfaces; use IBGP to achieve this.
  • Ensure you can ping each other's loopback addresses from router King or Queen.

IOS:

c3640-jk9s-mz.124-16.bin

Topology:


Comments (33)

  • luismg

    Hi, this almost took me one hour to solve using a GRE tunnel. It is very tricky; the GRE tunnel is not enough. Thanks for this LAB.

  • ReneMolenaar

    Glad you like it :) Once you solve this one you'll never forget about this problem anymore :P

  • hector255

    Hi Dear,

    Could anyone inform me where the right solution is? I think that I did the lab right, but I need to confirm it.

    Thank you in advance.

    Hector

  • hector255

    Rene,

    Thanks a lot. Do you have the right solution?

  • ReneMolenaar

    The solution has something to do with a GRE tunnel...8)

  • Dialerstring

    Great lab, I used GRE with 2 protocols (including BGP) and one static route (but not to the loopbacks). Is that about right, Rene?

    King#ping 3.3.3.3

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    !!!!!

  • luismg

    ping 3.3.3.3 source tunnel 0

    Let's see if it's working right; I think you are pinging outside the tunnel. Also, you MUSTN'T touch the Prince router.

    It is not a straightforward lab.

  • Dialerstring

    Yep, I can ping when sourcing from tun0. Did a debug ip packet

    King#ping 3.3.3.3 sour t0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    Packet sent with a source address of 172.12.23.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 96/212/368 ms
    King#


    *Mar 1 00:07:49.879: IP: s=172.12.23.3 (Tunnel0), d=224.0.0.10, len 60, rcvd 0, proto=88
    *Mar 1 00:07:50.295: IP: s=1.1.1.1 (local), d=224.0.0.10 (Loopback0), len 60, sending broad/multicast, proto=88
    *Mar 1 00:07:50.303: IP: s=1.1.1.1 (Loopback0), d=224.0.0.10, len 60, rcvd 2, proto=88!
    *Mar 1 00:07:50.911: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB
    *Mar 1 00:07:50.915: IP: s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), len 100, sending
    *Mar 1 00:07:50.919: ICMP type=8, code=0
    *Mar 1 00:07:50.923: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 124, sending, proto=47
    *Mar 1 00:07:51.371: IP: tableid=0, s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), routed via RIB
    *Mar 1 00:07:51.375: IP: s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), len 100, rcvd 3
    *Mar 1 00:07:51.379: ICMP type=0, code=0
    *Mar 1 00:07:51.387: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB!
    *Mar 1 00:07:51.391: IP: s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), len 100, sending
    *Mar 1 00:07:51.395: ICMP type=8, code=0
    *Mar 1 00:07:51.395: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 124, sending, proto=47
    *Mar 1 00:07:51.499: IP: s=172.12.23.1 (local), d=224.0.0.10 (Tunnel0), len 60, sending broad/multicast, proto=88
    *Mar 1 00:07:51.503: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 84, sending, proto=47
    *Mar 1 00:07:52.111: IP: tableid=0, s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), routed via RIB
    *Mar 1 00:07:52.115: IP: s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), len 100, rcvd 3!
    *Mar 1 00:07:52.119: ICMP type=0, code=0
    *Mar 1 00:07:52.123: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB
    *Mar 1 00:07:52.127: IP: s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), len 100, sending
    *Mar 1 00:07:52.131: ICMP type=8, code=0
    *Mar 1 00:07:52.131: IP: s=192.168.12.1 (Tunnel0), d=192.168.23.3 (FastEthernet0/0), len 124, sending, proto=47
    *Mar 1 00:07:53.167: IP: tableid=0, s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), routed via RIB
    *Mar 1 00:07:53.171: IP: s=3.3.3.3 (Tunnel0), d=172.12.23.1 (Tunnel0), len 100, rcvd 3
    *Mar 1 00:07:53.175: ICMP type=0, code=0
    *Mar 1 00:07:53.179: IP: tableid=0, s=172.12.23.1 (local), d=3.3.3.3 (Tunnel0), routed via FIB

  • luismg

    show ip route please.

  • luismg

    also remember, you don't have to touch the middle router

  • jeffdeham

    The GRE and static route hints enabled me to solve it (Thanks!). Initially I used a routing protocol on the Prince router but after reading you didn't need to touch it I removed the protocol and tried using static routes to it instead. Much to my pleasant surprise they did the trick! Was able to ping the loopbacks and verified they went via the tunnel. Great lab!

  • natejw7

    If you feel like you have everything right and still do not see your routes, don't forget to check the subnet mask for each loopback.

  • acaptain

    Thanks for the hint on gre and static. Actually got the BGP peering and tunnel up for a couple of minutes without the static and then got a recursive routing error which shut down the tunnel and ultimately removed the BGP peering. I found a good explanation about what was happening at http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml. I believe I've got it now. No flapping of the tunnel, full reachability, no statics to the loopbacks, and no config change to Prince. Fun lab. And it looked so simple at first ;D

  • ReneMolenaar

    Glad you guys like it..I love this lab, it looks so simple but it's tough...

  • stevenpturner@gmail.com

    This is a tough one. I'm currently studying CCNP Route and not sure where to start with this one other than the GRE tunnel / static route hints. Are there any reading materials I can look at, since I think this is outside the scope of my exam but I'm looking to learn as much as possible!

  • jonqin

    Cannot get it to work, unless the bgp neighboring is on the Tu interface instead of physical. What did I miss?

    on Queen


    Queen#sh run | s bgp
    router bgp 123
    no synchronization
    bgp log-neighbor-changes
    network 3.3.3.0 mask 255.255.255.0
    neighbor 172.16.1.2 remote-as 123
    no auto-summary

    S 192.168.12.0/24 [1/0] via 192.168.23.2
    1.0.0.0/24 is subnetted, 1 subnets
    B 1.1.1.0 [200/0] via 172.16.1.2, 00:00:04
    3.0.0.0/24 is subnetted, 1 subnets
    C 3.3.3.0 is directly connected, Loopback0
    172.16.0.0/24 is subnetted, 1 subnets
    C 172.16.1.0 is directly connected, Tunnel0
    C 192.168.23.0/24 is directly connected, FastEthernet0/0

  • ninsyspr

    Thanks for the hints, got it working! Tricky one

  • Kaage

    Can I change IBGP peering to Tunnel interfaces? Is this allowed?

  • hameidi

    Dear,

    Kindly make a video solution for this lab.

  • zingonet

    Thanks, this lab was really good practice for me as I am taking the CCNP Route next week. To provide an answer to the person above: you will need to add the neighbor 172.16.1.2 update-source tunnel0 to your bgp configuration. Without this command the bgp packets will have a source address of the closest interface it is egressing from, which is going to be fa0/0. If the King router receives a bgp packet from Queen's fa0/0 it will not know how to get back to that interface as its IP isn't in the Routing Table. Rene, let me know if I overlooked something :)

    This is the example of my configuration on King which should help those that are stuck.
    King#show run int tun 0
    Building configuration...

    Current configuration : 128 bytes
    !
    interface Tunnel0
    ip address 172.16.1.1 255.255.255.252
    tunnel source FastEthernet0/0
    tunnel destination 192.168.23.3
    end
    King#show run | s bgp
    router bgp 123
    no synchronization
    bgp log-neighbor-changes
    network 1.1.1.0 mask 255.255.255.0
    neighbor 172.16.1.2 remote-as 123
    neighbor 172.16.1.2 update-source Tunnel0
    no auto-summary
    King#show ip bgp summary
    BGP router identifier 192.168.12.1, local AS number 123
    BGP table version is 3, main routing table version 3
    2 network entries using 234 bytes of memory
    2 path entries using 104 bytes of memory
    3/2 BGP path/bestpath attribute entries using 372 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 710 total bytes of memory
    BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    172.16.1.2      4   123      26      26        3    0    0 00:22:03        1
    King#show ip bgp
    BGP table version is 3, local router ID is 192.168.12.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop            Metric LocPrf Weight Path
    *> 1.1.1.0/24    0.0.0.0                  0         32768 i
    *>i3.3.3.0/24    172.16.1.2               0    100      0 i

  • talaltk

    Gr8, works brilliantly. Might I add to the previous comment: you have to use the "ip route" command as well, apart from the tunnel interface.

  • mardout

    Why "blackhole routing"? :)

  • ReneMolenaar

    Hi Yury,

    We call it blackhole because the router in the middle doesn't know about the destination in the IP packet and will drop the packet.

    Rene

    PS - still have to do the solution for this one...;D

  • Kagaroth

    Barry's solution posted July 28, 2011, works, but he is using Tun0 ip addresses as BGP neighbors, and one of the conditions was that we have to use the physical interfaces for BGP. I tried more than once to do this lab, great lab by the way, using King and Queen Fa0/0 ip addresses but to no avail. If there is another solution to this lab I would like to see it, just because it bugs me not being able to solve the lab without using the tunnel interface IP as BGP neighbor.

  • tomaifauchai


    Like Eric, I got it to work with GRE tunnel and 2 routing protocols too (Including BGP as well).

    Is it the correct solution Rene?

  • ccielab

    Where are the video solutions?? I would appreciate it if you upload the video solutions.

  • ReneMolenaar

    It's not here yet but I'll upload it soon :)

  • Diesel_

    Awesome lab, needed the GRE hint to do this though. I have nearly got through all the BGP labs :)

  • alkgrig

    A tunnel must be used.
    And I think that a good idea is to use a route-map when announcing the loopbacks into bgp, that sets the next hop for the route to the tunnel interface. I did not try this yet but it should work.

  • alkgrig

    Router King:

    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     tunnel source 192.168.12.1
     tunnel destination 192.168.23.3
    !
    router bgp 123
     no synchronization
     bgp log-neighbor-changes
     network 1.1.1.0 mask 255.255.255.0
     neighbor 192.168.23.3 remote-as 123
     neighbor 192.168.23.3 route-map nexthop in
     no auto-summary
    !
    route-map nexthop permit 10
     set ip next-hop 172.16.0.2


    Router Queen:

    interface Tunnel0
     ip address 172.16.0.2 255.255.255.0
     tunnel source 192.168.23.3
     tunnel destination 192.168.12.1
    !
    router bgp 123
     no synchronization
     bgp log-neighbor-changes
     network 3.3.3.0 mask 255.255.255.0
     neighbor 192.168.12.1 remote-as 123
     neighbor 192.168.12.1 route-map nexthop in
     no auto-summary
    !
    route-map nexthop permit 10
     set ip next-hop 172.16.0.1


    Now I have tested the proposed solution and it works:
    Queen#ping 1.1.1.1 source loopback 0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 3.3.3.3
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 36/44/68 ms

    King#ping 1.1.1.1 source loopback 0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    This way BGP uses physical interfaces.

  • Dardoufa

    Great lab!
    Don't know if I would have solved it without the hints ;D
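
The blackhole Rene describes, the GRE workaround, and the recursive-routing failure acaptain mentions can be traced with a small forwarding model. This is an added example, not code from the lab or its author; the table layout, the `gre:` action string and King's static route to 192.168.23.0/24 via Prince are assumptions made for illustration.

```python
import ipaddress

def lookup(rib, dst):
    """Longest-prefix match over a {prefix: action} table; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), a) for p, a in rib.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(ribs, router, dst, max_steps=8):
    """Walk one packet hop by hop and return (path, outcome)."""
    path, headers = [router], [dst]        # headers[-1] is the outermost IP header
    for _ in range(max_steps):
        action = lookup(ribs[router], headers[-1])
        if action is None:
            return path, f"dropped at {router}: no route to {headers[-1]}"
        if action == "local":
            headers.pop()                  # final delivery, or GRE decapsulation
            if not headers:
                return path, f"delivered at {router}"
        elif action.startswith("gre:"):
            headers.append(action[4:])     # encapsulate toward the tunnel destination
        else:
            router = action                # hand the packet to the next-hop router
            path.append(router)
    return path, "recursive routing"

def lab(king_routes):
    """Constructed tables for the three routers (assumed); Prince is never changed."""
    return {
        "King": {"1.1.1.0/24": "local", "192.168.12.1/32": "local",
                 "192.168.23.0/24": "Prince", **king_routes},
        # Prince only knows its two connected subnets, as in the lab.
        "Prince": {"192.168.12.0/24": "King", "192.168.23.0/24": "Queen"},
        "Queen": {"3.3.3.0/24": "local", "192.168.23.3/32": "local",
                  "192.168.12.0/24": "Prince"},
    }

# IBGP route whose next hop 192.168.23.3 resolves to Prince: blackholed.
PLAIN = forward(lab({"3.3.3.0/24": "Prince"}), "King", "3.3.3.3")
# Same prefix steered into a GRE tunnel whose destination Prince can reach.
TUNNEL = forward(lab({"3.3.3.0/24": "gre:192.168.23.3"}), "King", "3.3.3.3")
# Tunnel destination itself learned through the tunnel: never leaves King.
RECURSIVE = forward(lab({"3.3.3.0/24": "gre:192.168.23.3",
                         "192.168.23.3/32": "gre:192.168.23.3"}), "King", "3.3.3.3")

if __name__ == "__main__":
    for name, (path, outcome) in [("plain IBGP", PLAIN), ("GRE", TUNNEL),
                                  ("recursive", RECURSIVE)]:
        print(f"{name:11} {' -> '.join(path):24} {outcome}")
```

In the tunnel case Prince only ever looks up the outer destination 192.168.23.3, which sits on a connected subnet, so it forwards the packet without knowing 3.3.3.0/24.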