network / bgp_route_leak (PASSED)

BGP Route Leak Causing Traffic Blackhole

A misconfigured route-map on the border router leaks internal BGP prefixes to the upstream ISP. The ISP begins routing external traffic into a blackhole. Customer-facing services become unreachable from the internet while internal connectivity remains functional.

Pattern: CISCO_EVENT
Severity: CRITICAL
Confidence: 92%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | CISCO_EVENT | CISCO_EVENT
Severity Assessment | CRITICAL | CRITICAL
Incident Correlation | Yes | 58 linked
Cascade Escalation | Yes | Yes
Remediation | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Cisco ISR 4451 border router running BGP with dual ISP uplinks. Route-map misconfiguration introduced during an after-hours change. 3 public-facing services affected. Internal east-west traffic unaffected. ISP peer receiving leaked /24 prefixes.

Injected Error Messages (4)

Cisco IOS BGP session anomaly on rtr-border-01 — route-map EXPORT-FILTER permitting unintended prefixes, 47 internal /24 routes leaked to ISP peer AS65001, BGP update count spiking, traffic blackhole detected for 203.0.113.0/24
Public website unreachable from external networks — asymmetric routing detected, Cisco IOS route table showing leaked prefixes via wrong path, external users receiving destination unreachable
API gateway unreachable from internet — Cisco router BGP leak causing traffic to be routed to null0, ICMP unreachable from ISP edge, public IP 203.0.113.20 blackholed
VPN concentrator unreachable from remote sites — Cisco IOS BGP prefix 203.0.113.10/32 leaked and blackholed at ISP, remote workers unable to establish VPN tunnels

Neural Engine Root Cause Analysis

The border router rtr-border-01 has a BGP configuration error where the route-map EXPORT-FILTER is incorrectly permitting internal /24 routes to be advertised to external ISP peer AS65001. This route leak has caused 47 internal routes to be exposed externally, resulting in asymmetric routing and a traffic blackhole for the 203.0.113.0/24 prefix. The 18 correlated incidents indicate widespread connectivity issues across the network due to improper routing advertisements.

Remediation Plan

1. Immediately access rtr-border-01 via console/SSH
2. Review and correct the route-map EXPORT-FILTER configuration to deny internal prefixes
3. Apply 'clear ip bgp * soft out' to withdraw incorrect advertisements
4. Verify BGP neighbor relationships with 'show ip bgp summary'
5. Confirm only intended prefixes are advertised with 'show ip bgp neighbor AS65001 advertised-routes'
6. Monitor traffic flow restoration for blackholed prefixes
7. Document configuration changes and implement change control for BGP policies
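To make steps 2, 3 and 5 concrete, here is an added illustration (not part of the scenario page or the Corax product) of one way EXPORT-FILTER can end up permitting unintended prefixes, beside a corrected default-deny version. The exact shape of the faulty route-map, the internal range 10.0.0.0/8, the local AS 65000, the ISP neighbor address 198.51.100.1 and the prefix-list names are assumptions; the public aggregate 203.0.113.0/24 and peer AS65001 come from the scenario.

```cisco
! ---- Before (leaks): the route-map ends in a bare permit entry.
! ---- Any prefix not caught by sequence 10 falls through to sequence 20,
! ---- so internal /24s (assumed 10.0.0.0/8) are advertised to AS65001.
ip prefix-list PUBLIC-AGG seq 10 permit 203.0.113.0/24
!
route-map EXPORT-FILTER permit 10
 match ip address prefix-list PUBLIC-AGG
route-map EXPORT-FILTER permit 20
! (assumed misconfiguration: no match clause, so it matches everything)
!
! ---- After (fixed): deny internal space explicitly, permit only the
! ---- intended aggregate, and rely on the implicit deny for everything else.
ip prefix-list INTERNAL-NETS seq 10 permit 10.0.0.0/8 le 32
! (INTERNAL-NETS is an assumed name and range)
!
no route-map EXPORT-FILTER permit 20
route-map EXPORT-FILTER deny 10
 match ip address prefix-list INTERNAL-NETS
route-map EXPORT-FILTER permit 20
 match ip address prefix-list PUBLIC-AGG
! (no trailing bare permit entry)
!
router bgp 65000
 neighbor 198.51.100.1 remote-as 65001
 neighbor 198.51.100.1 route-map EXPORT-FILTER out
!
! Re-send the outbound policy without tearing down the session, then
! confirm that only the aggregate is still advertised to the peer:
!   clear ip bgp 198.51.100.1 soft out
!   show ip bgp neighbors 198.51.100.1 advertised-routes
```

The point of the corrected version is that an outbound policy should be an allowlist: a trailing unconditional permit turns any gap in earlier sequences into a leak, whereas the implicit deny at the end of a route-map fails closed.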
Tested: 2026-03-30 | Monitors: 4 | Incidents: 4 | Test ID: cmncjoppu03awobqe5cu4g9lv