Thanks folks, as usual, very helpful I went back to the way I tested this a while back simply redis bgp learned bh routes into ospf, and then ospf is already redisd at a multihomed ce-pe location . Thats it, now the 1,000+ routes show up in all the pes customer facing pes and internet facing pes I watched the cpu on the me3600s and one of the asr901s and spiked on asr901 during route learning but settled back down to about 10/20%.... so I feel ok about this.
Thanks again Aaron From: Mattias Gyllenvarg [mailto:[email protected]] Sent: Thursday, August 15, 2013 3:28 PM To: Aaron Cc: Aaron; cisco-nsp; LavoJM Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k) Yeah, then its the next hop of the 0/0 thats relevant. How many routes do you have in ibgp then? Sounds like very few... On Thu, Aug 15, 2013 at 10:25 PM, Aaron <[email protected]> wrote: Internet routes? I have only one . Yours truly 0/0 .I learn one route via ebgp from my upstream provider 0/0 I learn 1,000+ other routes via ebgp (multiphop serveral hops away) from another neighbor .this is the blackhole appliance injecting bgp routes into my same internet border asr9k .all those bh routes have a next hop of a private ip subnet that this same asr9k is directly connected to so those routes have next hop of the bh interface of the appliance . Aaron From: Mattias Gyllenvarg [mailto:[email protected]] Sent: Thursday, August 15, 2013 3:02 PM To: Aaron Cc: Aaron; cisco-nsp; LavoJM Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k) The internet routes are the relevant ones. Do they point too lo0 or remote end? Im sure one of the knights of the round table (Gert, Oliver, Adam etc) could answer about L3 processing at the end point. On Thu, Aug 15, 2013 at 9:35 PM, Aaron <[email protected]> wrote: The next hop of those bh routes is an ip address on the distant end of a layer 2 segment which is connected to that border asr9k Aaron From: Mattias Gyllenvarg [mailto:[email protected]] Sent: Thursday, August 15, 2013 2:27 PM To: Aaron Cc: Aaron; cisco-nsp; LavoJM Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k) I'm 100% on this but. Are they destined for the remote end of the link they might not get processed. But if they are destined for the loopback of LER2 then they should. On Thu, Aug 15, 2013 at 8:24 PM, Aaron <[email protected]> wrote: If ler1 flows everything via 0/0 lsp towards ler2, doesn't ler2 pop all mpls tags prior to routing out towards internet via def rt ?..... if so couldn't a more specific routing decision be made at that point towards blackhole /32 routes ? Aaron p.s. Why was vanilla ip forwarding more straightforward and easier than this ? J From: Aaron [mailto:[email protected]] Sent: Thursday, August 15, 2013 1:16 PM To: Aaron Cc: LavoJM; cisco-nsp Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k) No label to the blackhole? If LER1 isn't getting the routes how is it going to build the LSP to the blackhole? On Thu, Aug 15, 2013 at 2:05 PM, Aaron <[email protected]> wrote: Yes mpls core. Traceroute on pc----- LER1---- mpls core-----LER2----- internet | Blackhole Yes LER1 doesn't not have those /32 blackhole routes.... it does have the def rt towards internet via LER2. Aaron -----Original Message----- From: LavoJM [mailto:[email protected]] Sent: Thursday, August 15, 2013 12:41 PM To: 'Aaron' Subject: RE: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k) Are you running MPLS in the core, and the first LER does not have a FEC for the /32, but it does have one for default/other-internet routes? 3 -----Original Message----- From: cisco-nsp [mailto:[email protected]] On Behalf Of Aaron Sent: Thursday, August 15, 2013 11:57 AM To: [email protected] Subject: Re: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k) (x.x.x.x is one of the /32 blackhole routes) Oh and when I do this on that boundary 9k "traceroute x.x.x.x vrf xyz source y.y.y.y" it appears to NOT follow the default route out to the internet and it seems that it does follow the more specific blackhole route. why would mpls l3vpn located computers deeper into my internal network NOT follow this more specific route as the packets flow across the forwarding plane of this boundary 9k ?? Aaron -----Original Message----- From: cisco-nsp [mailto:[email protected]] On Behalf Of Aaron Sent: Thursday, August 15, 2013 11:49 AM To: [email protected] Subject: [c-nsp] why are packets not following the more specific route - xr 4.1.2 (asr9k) I have a blackhole security device injecting routes into my internet boundary asr9k.. I see that the bgp prefixes are rcv'd on my 9k and the are installed in the per-vrf rib. The next hop for those routes are via a directly connected interface towards the blackhole.. But for some reason I continue to see on traceroutes from a computer that's deeper into my internal network via mpls l3vpn, that this computer's traceroutes flow right passed that 9k's more specific routes and follows the default route out to the internet. Any idea why ? Aaron _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Med Vänliga Hälsningar Mattias Gyllenvarg -- Med Vänliga Hälsningar Mattias Gyllenvarg -- Med Vänliga Hälsningar Mattias Gyllenvarg _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
