[c-nsp] Assistance configuring a router to trigger remote blackhole
Naveen Nathan
naveen at lastninja.net
Thu Sep 17 20:23:13 EDT 2009
Hi,
I am new to the list, so please go easy on me.
I'm in need of assistance configuring remote trigger blackhole in
IOS. This feature is supported by our transit provider. I'm unsure
if it's working or not, but since the nulled routes don't appear to
be advertised to the transit peer, I'm assuming not.
I've attached a portion of the cisco-config (substituting sensitive info,
but it should be easy enough to follow).
Would someone mind suggesting if I'm missing anything of particular
importance? It would be much appreciated.
Thanks.
--
Naveen Nathan
To understand the human mind, understand self-deception. - Anon
-------------- next part --------------
router bgp [ROUTER_AS]
no synchronization
bgp router-id [ROUTER_IP]
bgp log-neighbor-changes
bgp maxas-limit 75
network [BLOCK_A] mask 255.255.248.0 route-map AS[ROUTER_AS]-internal
network [BLOCK_B] mask 255.255.252.0 route-map AS[ROUTER_AS]-internal
network [BLOCK_C] mask 255.255.252.0 route-map AS[ROUTER_AS]-internal
redistribute static route-map STATIC-TO-BGP
neighbor AS[UPSTREAM_AS] peer-group
neighbor AS[UPSTREAM_AS] remote-as [UPSTREAM_AS]
neighbor AS[UPSTREAM_AS] password 7 !!!
neighbor AS[UPSTREAM_AS] version 4
neighbor AS[UPSTREAM_AS] send-community both
neighbor AS[UPSTREAM_AS] remove-private-as
neighbor AS[UPSTREAM_AS] soft-reconfiguration inbound
neighbor AS[UPSTREAM_AS] prefix-list NULL in
neighbor AS[UPSTREAM_AS] route-map OUTBOUND out
neighbor [UPSTREAM_IP] peer-group AS[UPSTREAM_AS]
maximum-paths 2
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 [UPSTREAM_IP] name "Default Route"
ip route [BLOCK_A] 255.255.248.0 Null0 name "Component Null"
ip route [BLOCK_B] 255.255.252.0 Null0 name "Component Null"
ip route [BLOCK_C] 255.255.252.0 Null0 name "Component Null"
ip route [IP_IN_BLOCK_A] 255.255.255.255 Null0 tag 666
ip route [OUTSIDE_INTERNET_IP] 255.255.255.255 Null0 tag 666
!
ip bgp-community new-format
!
ip prefix-list NULL seq 5 deny 0.0.0.0/0 le 32
!
ip prefix-list OUTBOUND seq 5 permit [BLOCK_B]/22
ip prefix-list OUTBOUND seq 10 permit [BLOCK_C]/22
ip prefix-list OUTBOUND seq 15 permit [BLOCK_A]/21
!
route-map AS[ROUTER_AS]-internal permit 100
set local-preference 150
set weight 0
set ip next-hop [ROUTER_IP]
!
route-map OUTBOUND permit 100
description Deny Null Routes
match community [UPSTREAM_AS]:666
!
route-map OUTBOUND permit 110
description Allow internal routes
match ip address prefix-list OUTBOUND
!
route-map STATIC-TO-BGP permit 50
description Upstream Blackhole
match tag 666
set community [UPSTREAM_AS]:666
!
--- SNIP ---
lax3-core3#show ip bgp neighbors [UPSTREAM_IP] advertised-routes
BGP table version is 8, local router ID is [ROUTER_IP]
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> [BLOCK_A]/21 [ROUTER_IP] 0 150 0 i
*> [BLOCK_B]/22 [ROUTER_IP] 0 150 0 i
*> [BLOCK_C]/22 [ROUTER_IP] 0 150 0 i
Total number of prefixes 3
--- SNIP ---
lax3-core3#show ip route [IP_IN_BLOCK_A]
Routing entry for [IP_IN_BLOCK_A]/32
Known via "static", distance 1, metric 0 (connected)
Tag 666
Redistributing via bgp [ROUTER_AS]
Advertised by bgp [ROUTER_AS] route-map STATIC-TO-BGP
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 666
lax3-core3#show ip route [OUTSIDE_INTERNET_IP]
Routing entry for [OUTSIDE_INTERNET_IP]/32
Known via "static", distance 1, metric 0 (connected)
Tag 666
Redistributing via bgp [ROUTER_AS]
Advertised by bgp [ROUTER_AS] route-map STATIC-TO-BGP
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 666
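As an added illustration, not part of Naveen's post or of any reply in the thread: a small Python model of IOS prefix-list matching. An entry written without ge/le matches only that exact prefix length, so a tagged /32 inside BLOCK_A never matches `permit [BLOCK_A]/21` in the OUTBOUND prefix-list and falls through to the implicit deny, while a /32 outside your own blocks cannot be covered by the prefix-list at all, which is what a community match in the route-map is for. The block addresses and the /32 hosts below are constructed stand-ins for the redacted values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    """One 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line."""
    seq: int
    action: str            # "permit" or "deny"
    prefix: str            # e.g. "10.10.0.0/21"
    ge: Optional[int] = None
    le: Optional[int] = None


def entry_matches(entry: Entry, candidate: str) -> bool:
    """IOS semantics: candidate must sit inside the entry's prefix, and its
    length must be exactly the entry's length unless ge/le widen the range
    (ge alone means 'up to /32')."""
    net = ipaddress.ip_network(entry.prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    if not cand.subnet_of(net):
        return False
    lo = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        hi = entry.le
    else:
        hi = cand.max_prefixlen if entry.ge is not None else net.prefixlen
    return lo <= cand.prefixlen <= hi


def evaluate(entries: List[Entry], candidate: str) -> str:
    """First matching sequence wins; an unmatched prefix hits the implicit deny."""
    for e in sorted(entries, key=lambda x: x.seq):
        if entry_matches(e, candidate):
            return e.action
    return "deny"


# Constructed stand-ins for the redacted [BLOCK_A]/21, [BLOCK_B]/22, [BLOCK_C]/22.
BLOCK_A, BLOCK_B, BLOCK_C = "10.10.0.0/21", "10.20.0.0/22", "10.30.0.0/22"
HOST_IN_BLOCK_A = "10.10.3.7/32"       # stand-in for [IP_IN_BLOCK_A]
OUTSIDE_HOST = "192.0.2.10/32"         # stand-in for [OUTSIDE_INTERNET_IP]

# The OUTBOUND prefix-list exactly as posted: exact-length permits only.
POSTED_OUTBOUND = [Entry(5, "permit", BLOCK_B),
                   Entry(10, "permit", BLOCK_C),
                   Entry(15, "permit", BLOCK_A)]

# Same three entries with 'le 32', so covered more-specifics also pass.
OUTBOUND_LE32 = [Entry(e.seq, e.action, e.prefix, le=32) for e in POSTED_OUTBOUND]
```

Running `evaluate(POSTED_OUTBOUND, HOST_IN_BLOCK_A)` returns "deny" and `evaluate(OUTBOUND_LE32, HOST_IN_BLOCK_A)` returns "permit", while the outside host is denied by both lists, so it needs to be admitted by community in the route-map rather than by prefix.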