[c-nsp] Cisco Blackhole ?

Howard Jones howie at thingy.com
Mon May 11 12:18:45 EDT 2015


Usually it is done on the same session, and the customer adds a special 
community for blackhole routes.

The method I saw was:

1) add a null route for a private or test address (e.g. 192.0.2.1/32) on 
each router.
2) enable 'ip verify unicast source reachable-via any' on edge 
interfaces so that traffic in both directions is dropped for a 
null-routed prefix.
3) add a route-map that looks for your special community and changes the 
next hop for those prefixes to 192.0.2.1 (it should also make sure that the 
prefix belongs to that customer, and that the mask length is not too 
small (e.g. >28)).

Here's an example for a different purpose, but basically the same idea:

http://www.team-cymru.org/bogon-reference-bgp.html

This method also allows you to republish the same blackhole prefix to 
your upstream providers if they support it, too (e.g. Level3 use 
community 3356:9999 for blackhole) to stop the traffic before it fills 
your upstream link.
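A worked Cisco IOS configuration for the three steps above, as an added example that is not part of the original post. The 192.0.2.1 discard address and the 3356:9999 upstream community come from the post; the local AS 65000, customer AS 65001, blackhole community 65000:666, interface name, the 198.51.100.x peering addresses and the customer block 203.0.113.0/24 are assumed.

```cisco
! Step 1 (every router): the blackhole next-hop resolves to Null0
ip route 192.0.2.1 255.255.255.255 Null0
!
! Step 2 (customer edge interfaces): loose-mode uRPF also drops packets
! *sourced* from a null-routed prefix, so both directions are blocked
interface GigabitEthernet0/1
 description Customer A (assumed)
 ip verify unicast source reachable-via any
!
! Step 3: only this customer's space, only long masks (>/28), only when
! tagged with the agreed blackhole community (65000:666 is assumed here)
ip bgp-community new-format
ip community-list standard BLACKHOLE permit 65000:666
ip prefix-list CUST-A-ROUTES seq 5 permit 203.0.113.0/24
ip prefix-list CUST-A-BLACKHOLE seq 5 permit 203.0.113.0/24 ge 29
!
route-map CUST-A-IN permit 10
 match community BLACKHOLE
 match ip address prefix-list CUST-A-BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
route-map CUST-A-IN permit 20
 match ip address prefix-list CUST-A-ROUTES
!
! Optional: hand the blackhole to an upstream that honours a community
! (3356:9999 is Level3's, from the post); untagged customer routes pass
route-map UPSTREAM-OUT permit 10
 match community BLACKHOLE
 set community 3356:9999 additive
route-map UPSTREAM-OUT permit 20
 match ip address prefix-list CUST-A-ROUTES
!
router bgp 65000
 neighbor 198.51.100.2 remote-as 65001
 neighbor 198.51.100.2 description Customer A (assumed addresses)
 neighbor 198.51.100.254 remote-as 3356
 neighbor 198.51.100.254 description upstream (assumed address)
 address-family ipv4
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 send-community
  neighbor 198.51.100.2 route-map CUST-A-IN in
  neighbor 198.51.100.254 activate
  neighbor 198.51.100.254 send-community
  neighbor 198.51.100.254 route-map UPSTREAM-OUT out
!
! Verify on a non-edge router: the /32 must show next hop 192.0.2.1
! (a next-hop-self towards iBGP peers can undo the rewrite; check it)
! show ip bgp 203.0.113.77/32
```

Without the outbound policy the blackholed /32s would leak to upstreams as ordinary more-specifics; tagging them instead lets a cooperating upstream drop the traffic before it reaches your link.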

On 11/05/15 17:03, Olivier CALVANO wrote:
> Hi
>
> I have a network with ~10 Cisco routers with the full BGP table.
> I want to add a blackhole possibility for my customers.
>
> Does anyone have a tutorial for this?
>
> I think I'd add a second BGP session with my customer, and when he sends a
> prefix in this session,
> it puts a null route on all of my routers. Is it possible?
>
> regards
> olivier
