[c-nsp] Assistance configuring a router to trigger remote blackhole

Denis Savage dsavage at castleaccess.com
Fri Sep 18 17:47:50 EDT 2009


Did your transit provider give you a community-string to match - usually
their 'AS:arbitrary-number'? Traditionally, what happens is they look for a
BGP community string to match and then accept the null route.

So you have a send-community as a neighbor statement with a route-map and
prefix-list that is sending your normal traffic:

router bgp (ID)
 neighbor (IP) send-community
 neighbor (IP) route-map null-routes out
 neighbor (IP) prefix-list advertisements out
!
route-map null-routes permit 10
 match interface Null0
 set community (AS):(community-string-to-match)
route-map null-routes permit 20
!
! seq 5 carries the normal aggregate; seq 10 lets the /32 host routes through
ip prefix-list advertisements seq 5 permit (block)
ip prefix-list advertisements seq 10 permit (block) ge 32
!

Now, when you add a null route using the following, it will automatically
match Null0 and get the BGP-community tag set. It will also allow all other
traffic to pass.

ip route (IP) (Subnet Mask) null0


> Naveen Nathan wrote:
>> Hi,
>> 
>> I am new to the list, so please go easy on me.
>> 
>> I'm in need of assistance configuring remote trigger blackhole in
>> IOS. This feature is supported by our transit provider. I'm unsure
>> if it's working or not, but since the nulled routes don't appear to
>> be advertised to the transit peer, I'm assuming not.
>> 
>> I've attached a portion of the cisco-config (substituting sensitive info,
>> but it should be easy enough to follow).
>> 
>> Would someone mind suggesting if I'm missing anything of particular
>> importance. It would be much appreciated.
> 
> If I understand you correctly, wouldn't one need an extra entry in the
> OUTBOUND prefix-list that allows host routes to be advertised to the
> transit?:
> 
> ip bgp-community new-format
> !
> ip prefix-list NULL seq 5 deny 0.0.0.0/0 le 32
> !
> ip prefix-list OUTBOUND seq 5 permit [BLOCK_B]/22
> ip prefix-list OUTBOUND seq 10 permit [BLOCK_C]/22
> ip prefix-list OUTBOUND seq 15 permit [BLOCK_A]/21
> 
> ! just an example for illustration... it looks kind of dangerous
> ip prefix-list OUTBOUND seq 20 permit 0.0.0.0/0 le 32
> 
> Steve
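The point both replies make, that a host route pointed at Null0 only reaches the transit peer if the outbound prefix-list has an entry with "ge 32" and the route-map tags it with the provider's community, can be checked offline. The following is an added example, not code from either poster or from Cisco: it simulates IOS's outbound policy order (prefix-list out, then route-map out) with IOS prefix-list semantics and runs both prefix-lists from the thread over a small constructed routing table. The block 192.0.2.0/24 (TEST-NET-1), the ASN 64496 and the community 64496:666 are constructed stand-ins for the real customer block and the provider's blackhole community.

```python
# Simulate the IOS outbound BGP policy used for remote-triggered blackholing:
# "prefix-list ... out" is evaluated before "route-map ... out".  Added example,
# not from the thread; 192.0.2.0/24, AS 64496 and 64496:666 are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PrefixListEntry:
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        # IOS semantics: the route must lie inside the entry's prefix and its
        # mask length must fall within [ge, le].  With neither keyword the
        # length must equal the entry's own, so "permit X/22" never matches a
        # /32 inside X/22; "ge 32" is what lets host routes through.
        if not net.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= net.prefixlen <= hi


def prefix_list_permits(entries, net) -> bool:
    # First matching entry wins; an implicit deny sits at the end of the list.
    for e in entries:
        if e.matches(net):
            return e.action == "permit"
    return False


@dataclass
class Route:
    network: ipaddress.IPv4Network
    interface: str                           # next-hop interface in the RIB
    communities: list = field(default_factory=list)


@dataclass
class RouteMapEntry:
    action: str
    match_interface: Optional[str] = None    # "match interface Null0"
    set_community: Optional[str] = None      # "set community AS:NN"


def route_map_apply(entries, route: Route) -> Optional[Route]:
    # First entry whose match clauses all pass decides; an entry without a
    # match clause (permit 20 above) matches everything.  No match = deny.
    for e in entries:
        if e.match_interface is not None and e.match_interface != route.interface:
            continue
        if e.action != "permit":
            return None
        if e.set_community:
            route.communities = route.communities + [e.set_community]
        return route
    return None


def advertise(routes, prefix_list, route_map) -> dict:
    # Return {prefix: communities} as the transit neighbor would receive it.
    out = {}
    for r in routes:
        if not prefix_list_permits(prefix_list, r.network):
            continue
        sent = route_map_apply(route_map, Route(r.network, r.interface, list(r.communities)))
        if sent is not None:
            out[str(sent.network)] = sent.communities
    return out


BLOCK = ipaddress.IPv4Network("192.0.2.0/24")      # constructed customer block
BLACKHOLE = "64496:666"                            # constructed provider community

# Denis's route-map: tag routes pointing at Null0, pass everything else as-is.
NULL_ROUTES = [RouteMapEntry("permit", match_interface="Null0", set_community=BLACKHOLE),
               RouteMapEntry("permit")]
# Aggregate plus the "ge 32" host-route entry.
ADVERTISEMENTS = [PrefixListEntry("permit", BLOCK), PrefixListEntry("permit", BLOCK, ge=32)]
# Steve's original OUTBOUND list: aggregates only, no host-route entry.
OUTBOUND_NO_HOSTS = [PrefixListEntry("permit", BLOCK)]

RIB = [Route(BLOCK, "GigabitEthernet0/0"),                        # normal aggregate
       Route(ipaddress.IPv4Network("192.0.2.77/32"), "Null0"),    # ip route ... null0
       Route(ipaddress.IPv4Network("198.51.100.9/32"), "Null0")]  # null route outside the block


def with_host_entry() -> dict:
    return advertise(RIB, ADVERTISEMENTS, NULL_ROUTES)


def without_host_entry() -> dict:
    return advertise(RIB, OUTBOUND_NO_HOSTS, NULL_ROUTES)
```

with_host_entry() returns the aggregate untagged and 192.0.2.77/32 carrying 64496:666; without_host_entry() returns only the aggregate, because "permit BLOCK/24" alone never matches a /32. The null route outside the block is dropped by both lists, which is the property that keeps a mistyped "ip route ... null0" from leaking someone else's host route to the transit, and it is also why Steve's "permit 0.0.0.0/0 le 32" catch-all is the dangerous way to solve the problem.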



