Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Cisco>
  3. NSP
Redistribute interface address as a /32 or /128 into BGP
jo+cisco-nsp at swagspace
Mar 10, 2021, 2:51 AM
Post #1 of 6 (610 views)
Permalink
Hello.

I have a network, e.g. 10.0.0.0/24 with several routers that have
interfaces (lets say they are 10.0.0.2 and .3) that are connected in the
same L2 (because they are running VRRP). The routers are connected to a
backbone network. There is also a customer in this network. Of course I
want to put an ACL for anti spoofing (and some other things) on the
customer facing interfaces of the routers.

Now some of my monitoring and management traffic, which is addressed to
the customer facing interface addresses takes the shortest path into
10.0.0.0/24 and through this network and might then hit the interface of
the router. But there is a ACL that blocks that, because it looks like
the customer spoofed the source address of the monitoring system.

I basically see 2 "solutions":
1. open up the ACL to allow monitoring/management traffic from inside
the network. Not nice, because that allows the customer to spoof some of
our addresses...
2. announce the interface addresses (10.0.0.2 and 10.0.0.3 in this case)
as a /32 into the backbone so that they are more specifics and take the
right way through the backbone and not through the 10.0.0.0/24 network.

My problem is that I can not convince my router to announce the
interface addresses. I tried to simply add a

network 10.0.0.2

to the BGP config, but apparently the local routes that the router
creates for it's interfaces are not announced.
Also there is no "redistribute local" to tell the router to do that.
Adding a null-route with 10.0.0.2/32 does not work because the local
route exists in the routing table and the null route is therefor not
considered for redistribution.

Does anyone know of any hacks I could do to achieve this?

Of course the same problem exists for IPv6 with the appropriate subnet
masks.

Greetings
Jo
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Redistribute interface address as a /32 or /128 into BGP [ In reply to ]
saku at ytti
Mar 10, 2021, 4:21 AM
Post #2 of 6 (610 views)
Permalink
You can create a static route pointing to the interface and
redistribute that static route.

But you're doing it wrong. I'm not sure what is right without
understanding more accurately what you are doing, but some flavor of

a) have different logical interface for edge and !edge, with different ACL
b) have VRF

On Wed, 10 Mar 2021 at 13:02, Johannes Erwerle
<jo+cisco-nsp@swagspace.org> wrote:
>
> Hello.
>
> I have a network, e.g. 10.0.0.0/24 with several routers that have
> interfaces (lets say they are 10.0.0.2 and .3) that are connected in the
> same L2 (because they are running VRRP). The routers are connected to a
> backbone network. There is also a customer in this network. Of course I
> want to put an ACL for anti spoofing (and some other things) on the
> customer facing interfaces of the routers.
>
> Now some of my monitoring and management traffic, which is addressed to
> the customer facing interface addresses takes the shortest path into
> 10.0.0.0/24 and through this network and might then hit the interface of
> the router. But there is a ACL that blocks that, because it looks like
> the customer spoofed the source address of the monitoring system.
>
> I basically see 2 "solutions":
> 1. open up the ACL to allow monitoring/management traffic from inside
> the network. Not nice, because that allows the customer to spoof some of
> our addresses...
> 2. announce the interface addresses (10.0.0.2 and 10.0.0.3 in this case)
> as a /32 into the backbone so that they are more specifics and take the
> right way through the backbone and not through the 10.0.0.0/24 network.
>
> My problem is that I can not convince my router to announce the
> interface addresses. I tried to simply add a
>
> network 10.0.0.2
>
> to the BGP config, but apparently the local routes that the router
> creates for it's interfaces are not announced.
> Also there is no "redistribute local" to tell the router to do that.
> Adding a null-route with 10.0.0.2/32 does not work because the local
> route exists in the routing table and the null route is therefor not
> considered for redistribution.
>
> Does anyone know of any hacks I could do to achieve this?
>
> Of course the same problem exists for IPv6 with the appropriate subnet
> masks.
>
> Greetings
> Jo
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



--
++ytti
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Redistribute interface address as a /32 or /128 into BGP [ In reply to ]
michele.bergonzoni at labs
Mar 10, 2021, 5:37 AM
Post #3 of 6 (610 views)
Permalink
>> Now some of my monitoring and management traffic, which is addressed to
>> the customer facing interface addresses takes the shortest path into
>> 10.0.0.0/24 and through this network and might then hit the interface of
>> the router. But there is a ACL that blocks that, because it looks like
>> the customer spoofed the source address of the monitoring system.

> But you're doing it wrong. I'm not sure what is right without
> understanding more accurately what you are doing, but some flavor of

If I understand correctly, you are monitoring ICMP reachability of, say, 10.0.0.2, because reaching the router itself (e.g. its loopback or its backbone address) and getting via SNMP the state of its interface is not enough for you, you want to make sure to be able to reach addresses in the actual customer prefix, to detect routing problems with that specific prefix.

If this is the case, I have a very similar situation and I did not come up with a solution. Injecting host routes, as you tried to do and Saku explained how to do, should work but is actually cheating: you will detect routing problems with the host route, not with the customer prefix.

Or, maybe, the customer facing interface is in a VRF and the backbone/loopback is not, and you are monitoring from the VRF. Then the host route is OK, you could add a loopback in the VRF to distinguish router down vs. interface down.

Regards,
Bergonz

--
Michele Bergonzoni
Network Management and Security
Network Design Team Leader
Laboratori Guglielmo Marconi
Via Porrettana 123
40037 Pontecchio Marconi (BO) - Italy
Phone +39 051 6781926
Mobile +39 3484135807
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Redistribute interface address as a /32 or /128 into BGP [ In reply to ]
cisco-nsp at puck
Mar 10, 2021, 7:41 AM
Post #4 of 6 (610 views)
Permalink
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Attached Files:

Re: Redistribute interface address as a /32 or /128 into BGP [ In reply to ]
max at rfc2324
Mar 27, 2021, 8:01 AM
Post #5 of 6 (598 views)
Permalink
Anno domini 2021 Johannes Erwerle scripsit:

Hi,

[...]
> 2. announce the interface addresses (10.0.0.2 and 10.0.0.3 in this case)
> as a /32 into the backbone so that they are more specifics and take the
> right way through the backbone and not through the 10.0.0.0/24 network.
>
> My problem is that I can not convince my router to announce the
> interface addresses. I tried to simply add a
>
> network 10.0.0.2
>
> to the BGP config, but apparently the local routes that the router
> creates for it's interfaces are not announced.
[...]

I'm wondering if the default classfulness is biting you here. Have you
tried

network 10.0.0.2 mask 255.255.255.255

by any chance?

Best
Max
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Redistribute interface address as a /32 or /128 into BGP [ In reply to ]
saku at ytti
Mar 27, 2021, 8:34 AM
Post #6 of 6 (598 views)
Permalink
On Sat, 27 Mar 2021 at 17:11, Maximilian Wilhelm <max@rfc2324.org> wrote:

> I'm wondering if the default classfulness is biting you here. Have you
> tried
>
> network 10.0.0.2 mask 255.255.255.255

His problem is that the connected network is less specific and he
wants to (potentially incorrect solution) advertise some addresses of
connected network as more-specific. So the problem is getting that /32
to RIB in the first place, the problem is not how to advertise after
he gets it to the RIB, which is what you're solving.

And solution to the question (probably not right solution) is to
static route /32 to the interface:

int eth42
192.0.2.1/24
ip route 192.0.2.2/32 eth42

Now you can advertise 192.0.2.2/32. This trick is particularly useful
so limit attack surface of your infrastructure, so instead of having
every PE-CE/31 address reachable, you can make it so that only CE/32
address is reachable, limiting DFZ wide surface.

--
++ytti
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal