Black hole routing experiment

Overview of black hole routing

Every route, whether static or dynamic, must be associated with an outgoing interface: the interface through which the device reaches the destination network. The outgoing interface can be a physical interface of the device (a Gigabit port or 100M port) or a logical interface (a VLAN interface, a Tunnel interface, etc.).

When a network device forwards a packet using a route whose outbound interface is Null0, the packet is discarded immediately, as if it had been lost in a black hole. A route whose outbound interface is Null0 is therefore called a black hole route.

NULL0 interface

The Null0 interface (invalid interface) is a special logical interface reserved by the system. It has only one interface number, which is 0.

Black hole routing experiment topology


Black hole routing configuration

Router R1 configuration

So that the PC can access the server on the right side of R2, R1 is configured with the default route ip route-static 0.0.0.0 0 20.1.1.2. When the PC accesses resources outside its local network segment 10.1.1.0, the traffic is sent to R1, and R1 forwards it to R2.

<Huawei>system-view 
[Huawei]interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0]ip address 10.1.1.1 24
[Huawei-Ethernet0/0/0]quit
[Huawei]interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1]ip address 20.1.1.1 24
[Huawei-Ethernet0/0/1]quit
[Huawei]ip route-static 0.0.0.0 0 20.1.1.2

Router R2 configuration

For traffic to pass through, R2 also needs a default route, with the next hop set to the IP address of the right interface of R1.

<Huawei>system-view 
[Huawei]interface ethernet 0/0/0
[Huawei-Ethernet0/0/0]ip address 20.1.1.2 24
[Huawei-Ethernet0/0/0]quit
[Huawei]ip route-static 0.0.0.0 0 20.1.1.1
[Huawei]interface ethernet 0/0/1
[Huawei-Ethernet0/0/1]ip address 30.1.1.1 24

The route configuration is complete. Next, test route reachability.

Route reachability test

Ping PC2 from PC1 (ping 30.1.1.2). If it fails, use display ip routing-table to check whether the routing table contains a route for the 30.1.1.0/24 network.

Then ping PC1 from PC2.

The test passes: PC1 and PC2 can communicate with each other. Now suppose there is a requirement that PC2, acting as a server, must not be accessible from the 10.1.1.0/24 network. Can this be achieved through routing configuration alone? This is where black hole routing is used. Add the following configuration on R1:

[Huawei]ip route-static 30.1.1.0 24 NULL 0

After adding the configuration, use the display ip routing-table command to view the routing table of R1.

The routing table now shows R1's black hole route. When PC1 accesses 30.1.1.0/24, the packet is sent to R1. R1 looks up its routing table, finds that the packet's destination IP matches 30.1.1.0/24, and sees that the outgoing interface of this route is Null0, so it discards the packet directly. PC1 can no longer access PC2.

Test access from PC1 to PC2: the request times out because the packet is discarded.

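In this way, PC1 can no longer access the 30.1.1.0/24 network segment, which makes black hole routing a simple and effective method of traffic filtering. Because a routing lookup matches only on the destination address, the route discards every packet that R1 would otherwise forward to 30.1.1.0/24, whatever its source.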
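The lookup R1 performs in this experiment can be modelled as a longest-prefix match, shown here as an added example that is not part of the original post. The route entries mirror the configuration above; the destinations 40.1.1.1 and 10.1.1.10 are constructed test addresses, and the function names are hypothetical.

```python
import ipaddress

# R1's routes as configured on this page: (prefix, next hop or None, out interface).
R1_BASE = [
    ("10.1.1.0/24", None, "Ethernet0/0/0"),       # directly connected
    ("20.1.1.0/24", None, "Ethernet0/0/1"),       # directly connected
    ("0.0.0.0/0", "20.1.1.2", "Ethernet0/0/1"),   # ip route-static 0.0.0.0 0 20.1.1.2
]
BLACKHOLE = ("30.1.1.0/24", None, "NULL0")        # ip route-static 30.1.1.0 24 NULL 0


def lookup(table, dst):
    """Return the longest-prefix-match route for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def forward(table, dst):
    """Describe what the router does with a packet addressed to dst.

    Only the destination is consulted; the source address plays no part.
    """
    route = lookup(table, dst)
    if route is None:
        return "drop (no route)"
    net, nexthop, iface = route
    if iface == "NULL0":
        return f"drop (black hole {net})"
    return f"forward via {iface}" + (f" to {nexthop}" if nexthop else " (direct)")


if __name__ == "__main__":
    # Constructed destinations: PC2, an address covered only by the default
    # route, and a host on R1's own LAN.
    for name, table in (("before", R1_BASE), ("after", R1_BASE + [BLACKHOLE])):
        for dst in ("30.1.1.2", "40.1.1.1", "10.1.1.10"):
            print(f"{name:6} dst={dst:10} -> {forward(table, dst)}")
```

The /24 black hole entry wins over the /0 default route only for destinations inside 30.1.1.0/24; everything else still follows the default route to R2.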

Other usage scenarios for black hole routing

In addition to the above scenarios, black hole routing can also be used to:

  1. Prevent data forwarding loops when route summarization is deployed.
  2. Prevent data forwarding loops when NAT (Network Address Translation) is deployed.
  3. Advertise routes of a specific network segment in a BGP network.

Origin blog.csdn.net/qq_39689711/article/details/103744600