Mailing List Archive

Getting ExtremeWare to accept Null Routes via BGP
Hi there, I am trying to add our one remaining black diamond to our RTBH configuration and I am finding it difficult to get ExtremeWare to accept routes into BGP which the "NextHop" is unreachable.

Of course, I made the NextHop unreachable, because that is the point...

i.e.

02/09/2008 02:00:34.94 <Summ:BGP.UpdateIn.RtRejNhUnreach> NLRI 10.1.2.184 /255.255.255.248 Type unicast Reject: NextHop 192.0.2.1 is unreachable

configure iproute add blackhole 192.0.2.1 255.255.255.255

We have that static route so that when we add a route to our route-server with the destination of 192.0.2.1 it will automatically blackhole it on every switch on our network.

Does anyone have any clues?

Thanks,
-Drew
_______________________________________________
extreme-nsp mailing list
extreme-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/extreme-nsp
Re: Getting ExtremeWare to accept Null Routes via BGP [ In reply to ]
So first you should know that any packet you blackhole is handled in
software at the CPU, not by ASIC. Yeah, ignore the docs. And yeah,
extreme support will claim otherwise until you show them the cpu
counters and they escalate and engineering will confirm. You can't
do an IP blackhole without all that traffic going to CPU. You must
use a mac-level blackhole.

Do this:

create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
enable loopback-mode vlan "dropPackets"

create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.1 00:11:22:33:44:55

You'll notice that I changed the IP address from 192.0.2.1 to
192.168.2.1. Yes, and you should too. 192.0 is a valid, routable IP
block in use on the Internet. 192.168.x.x is non-routable, and
that's what you should be using.

On Feb 8, 2008, at 7:05 PM, Drew Weaver wrote:
> Hi there, I am trying to add our one remaining black
> diamond to our RTBH configuration and I am finding it difficult to
> get ExtremeWare to accept routes into BGP which the "NextHop" is
> unreachable.
>
> Of course, I made the NextHop unreachable, because that is the
> point...
>
> i.e.
>
> 02/09/2008 02:00:34.94 <Summ:BGP.UpdateIn.RtRejNhUnreach> NLRI 10.1.2.184 /255.255.255.248 Type unicast Reject: NextHop 192.0.2.1 is unreachable
>
> configure iproute add blackhole 192.0.2.1 255.255.255.255
>
> we have that static route so that when we add a route to our route-
> server with the destination of 192.0.2.1 it will automatically
> Blackhole it on every switch on our network.
>
> Does anyone have any clues?
>
> Thanks,
> -Drew

--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550




Re: Getting ExtremeWare to accept Null Routes via BGP [ In reply to ]
On Feb 13, 2008, at 12:19 PM, Drew Weaver wrote:
> Actually, 192.0.2.0 is part of IANA's "documentation network".
>
> Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
> 192.0.0.0 - 192.0.127.255
> Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
> 192.0.2.0 - 192.0.2.255

Yes, and that has been used to scan the internet for tests of various
sorts.

> And the reason I used it was because it was the example in Cisco's
> Real Time Black Hole documentation, so I think I'm alright.

No, Cisco got blasted for having done that. They were supposed to
fix all references to that.

> But I ended up with this in the end.
> ERROR: 192.0.2.1 is an interface address.

Sorry, I made a mistype when I changed my configuration to use your
IPs. Use this instead:

create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
enable loopback-mode vlan "dropPackets"

create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.2 00:11:22:33:44:55

(or reverse it and use 2.1 for blackhole and 2.2 for local interface,
doesn't matter)

> -----Original Message-----
> From: Jo Rhett [mailto:jrhett@svcolo.com]
> Sent: Wednesday, February 13, 2008 3:02 PM
> To: Drew Weaver
> Cc: 'extreme-nsp@puck.nether.net'
> Subject: Re: [e-nsp] Getting ExtremeWare to accept Null Routes via BGP
>
> So first you should know that any packet you blackhole is handled in
> software at the CPU, not by ASIC. Yeah, ignore the docs. And yeah,
> extreme support will claim otherwise until you show them the cpu
> counters and they escalate and engineering will confirm. You can't
> do an IP blackhole without all that traffic going to CPU. You must
> use a mac-level blackhole.
>
> Do this:
>
> create vlan dropPackets
> configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
> enable loopback-mode vlan "dropPackets"
>
> create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
> configure iparp add 192.168.2.1 00:11:22:33:44:55
>
> You'll notice that I changed the IP address from 192.0.2.1 to
> 192.168.2.1. Yes, and you should too. 192.0 is a valid, routable IP
> block in use on the Internet. 192.168.x.x is non-routable, and
> that's what you should be using.

--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550
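
The difference between the two command sets in this thread, as an added example that is not part of the original messages: a small Python checker that parses the posted ExtremeWare lines and reports why the first attempt fails (static ARP target equal to the VLAN's own address) while the corrected /30 version is consistent. The function name `check_sinkhole` and the consistency rules are assumptions drawn from the error message and the loopback-mode explanation in the thread, not vendor logic.

```python
import ipaddress
import re

# Constructed input: the two command sets posted in the thread.
FIRST_ATTEMPT = '''create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.255
enable loopback-mode vlan "dropPackets"
create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.1 00:11:22:33:44:55
'''
CORRECTED = '''create vlan dropPackets
configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
enable loopback-mode vlan "dropPackets"
create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
configure iparp add 192.168.2.2 00:11:22:33:44:55
'''

def check_sinkhole(config):
    """Return a list of problems with a MAC-level sinkhole config (empty = consistent)."""
    iface = re.search(r'configure vlan "?([^"\s]+)"? ipaddress (\S+) (\S+)', config)
    arp = re.search(r'configure iparp add (\S+) (\S+)', config)
    if not iface or not arp:
        return ["missing VLAN ipaddress or static ARP line"]
    vlan = iface.group(1)
    local = ipaddress.ip_interface(f"{iface.group(2)}/{iface.group(3)}")
    target = ipaddress.ip_address(arp.group(1))  # the address BGP next hops resolve to
    drop_macs = {m.lower() for m in re.findall(
        r'create fdbentry (\S+) vlan "?%s"? blackhole' % re.escape(vlan), config)}
    problems = []
    # Assumed rule: with no ports in the VLAN, loopback-mode is what keeps it up.
    if not re.search(r'enable loopback-mode vlan "?%s"?' % re.escape(vlan), config):
        problems.append(f"vlan {vlan} lacks loopback-mode")
    if target == local.ip:
        problems.append(f"{target} is an interface address")
    elif target not in local.network:
        problems.append(f"{target} is outside connected subnet {local.network}")
    elif local.network.prefixlen < 31 and target in (
            local.network.network_address, local.network.broadcast_address):
        problems.append(f"{target} is the network or broadcast address")
    # The static ARP entry must point at a MAC that has a blackhole FDB entry.
    if arp.group(2).lower() not in drop_macs:
        problems.append(f"{arp.group(2)} has no blackhole fdbentry in vlan {vlan}")
    return problems

if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(name, "->", check_sinkhole(cfg) or "consistent")
```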




Re: Getting ExtremeWare to accept Null Routes via BGP [ In reply to ]
On Feb 13, 2008, at 1:12 PM, Masood Ahmad Shah wrote:
> That's a nice way to answer. What exactly does enable loopback-mode do on
> Extreme switches?

I'm not sure if the first comment is sarcastic or not. I was trying
to be helpful.

Second part, RTFM. It makes the VLAN be up/routable without having
any UP interfaces.

--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550




Re: Getting ExtremeWare to accept Null Routes via BGP [ In reply to ]
I was appreciating your response but you got me wrong....you are so
respectable.

I will pray you get your valentines this time :)

Cheers


Regards,
Masood Ahmad Shah


-----Original Message-----
From: Jo Rhett [mailto:jrhett@svcolo.com]
Sent: Thursday, February 14, 2008 2:34 AM
To: Masood Ahmad Shah
Cc: extreme-nsp@puck.nether.net
Subject: Re: [e-nsp] Getting ExtremeWare to accept Null Routes via BGP

On Feb 13, 2008, at 1:12 PM, Masood Ahmad Shah wrote:
> That's a nice way to answer. What exactly does enable loopback-mode do on
> Extreme switches?

I'm not sure if the first comment is sarcastic or not. I was trying
to be helpful.

Second part, RTFM. It makes the VLAN be up/routable without having
any UP interfaces.

--
Jo Rhett
senior geek

Silicon Valley Colocation
Support Phone: 408-400-0550





Re: Getting ExtremeWare to accept Null Routes via BGP [ In reply to ]
You might be right or not. What hardware are we talking about?
i-series HW, later Summit HW 400, 450, BD10K, 12K????

Jo Rhett wrote:
> On Feb 13, 2008, at 12:19 PM, Drew Weaver wrote:
>
>> Actually, 192.0.2.0 is part of IANA's "documentation network".
>>
>> Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
>> 192.0.0.0 - 192.0.127.255
>> Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
>> 192.0.2.0 - 192.0.2.255
>>
>
> Yes, and that has been used to scan the internet for tests of various
> sorts.
>
>
>> And the reason I used it was because it was the example in Cisco's
>> Real Time Black Hole documentation, so I think I'm alright.
>>
>
> No, Cisco got blasted for having done that. They were supposed to
> fix all references to that.
>
>
>> But I ended up with this in the end.
>> ERROR: 192.0.2.1 is an interface address.
>>
>
> Sorry, I made a mistype when I changed my configuration to use your
> IPs. Use this instead:
>
> create vlan dropPackets
> configure vlan "dropPackets" ipaddress 192.168.2.1 255.255.255.252
> enable loopback-mode vlan "dropPackets"
>
> create fdbentry 00:11:22:33:44:55 vlan "dropPackets" blackhole dest-mac
> configure iparp add 192.168.2.2 00:11:22:33:44:55
>
> (or reverse it and use 2.1 for blackhole and 2.2 for local interface,
> doesn't matter)