[j-nsp] Policy to allow customers to null-route traffic at edge
bbird at epik.net
Thu Aug 28 20:22:42 EDT 2003
All,
Can someone point out the flaw in my configuration/concept (or both) please?
Some specifics have been changed or obfuscated.
I have a policy set up allowing customer-peers to tag a specific BGP community-id (19962:911) to a route, thus causing me to black-hole the traffic at my edge. This is obviously an attempt to keep the DoS traffic off of the customer's link, without need for my involvement.
My edge router isn't accepting the route due to an 'Unusable' next hop. I'm attempting to do this in a recursive manner, as Juniper policy doesn't allow me to change the next-hop to discard. Because the next-hop is 'Unusable', the route remains inactive, and therefore the traffic still transits to the customer, because of the less-specific route the customer is also exporting to me.
Obviously, the policy-statement "<$customer-as>-routes" is applied as an import policy facing the customer. Configuration from my edge-router, connected to the customer-peer:
routing-options {
    static {
        route 192.168.255.254/32 {
            discard;
            install;
        }
    }
}
policy-options {
    policy-statement <$customer-as>-routes {
        term prefix-list-blackhole {
            from {
                protocol bgp;
                community customer-blackhole;
                route-filter <customer-route>/19 upto /32;
            }
            then {
                community add no-export;
                next-hop 192.168.255.254;
                next policy;
                accept;
            }
        }
    }
    community customer-blackhole members "^19962:911$";
}
-------------------
user at router> show route community 19962:911 hidden extensive
inet.0: 123327 destinations, 123343 routes (123318 active, 2 holddown, 8 hidden)
<customer-route/24> (1 entry, 0 announced)
BGP /-501
Next hop type: Unusable
State: <Hidden Ext>
Local AS: 65001 Peer AS: <$customer-as>
Age: 1:42:56 Metric: 0
Task: BGP_<$customer-as>.<$customer-peer-ip>+1255
AS path: <$customer-as> <$customer-as> ?
Communities: 19962:911 19962:1004 19962:65001 no-export
Localpref: 500
Router ID: <$customer-rtr-id>
Merit (last update/now): 787/274
damping-parameters: damp-long
Last update: 00:45:37 First update: 01:46:51
Flaps: 3
History entry. Expires in: 00:13:40
<snip>
Sincerely,
-Ben Bird
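As an added check (example code, not from the original post or from Juniper), a small Python parser over the kind of 'show route ... hidden extensive' output shown above: it flags prefixes carrying the 19962:911 community whose route is hidden or has an 'Unusable' next hop, i.e. blackholes that are not actually taking effect. The sample output is constructed from the post, with placeholders replaced by RFC 5737 documentation addresses and a made-up peer AS.

```python
import re

# Constructed sample modelled on the post's 'show route community 19962:911 hidden
# extensive' output. The second entry is invented to show an active blackhole route.
SAMPLE_OUTPUT = """\
inet.0: 123327 destinations, 123343 routes (123318 active, 2 holddown, 8 hidden)
198.51.100.0/24 (1 entry, 0 announced)
         BGP    /-501
                Next hop type: Unusable
                State: <Hidden Ext>
                Local AS: 65001 Peer AS: 64500
                Age: 1:42:56    Metric: 0
                AS path: 64500 64500 ?
                Communities: 19962:911 19962:1004 19962:65001 no-export
                Localpref: 500
203.0.113.0/24 (1 entry, 1 announced)
         *BGP   Preference: 170/-501
                Next hop type: Indirect
                State: <Active Ext>
                Communities: 19962:911 no-export
"""

# Header line that starts each per-prefix block, e.g. "198.51.100.0/24 (1 entry, 0 announced)"
PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}) \((\d+) entr(?:y|ies), (\d+) announced\)")


def parse_route_entries(text):
    """Split the output into per-prefix dicts: prefix, announced count, next-hop type, state, communities."""
    entries = []
    current = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = {"prefix": m.group(1), "announced": int(m.group(3)),
                       "next_hop_type": None, "state": None, "communities": []}
            entries.append(current)
            continue
        if current is None:
            continue  # table summary line before the first prefix
        stripped = line.strip()
        if stripped.startswith("Next hop type:"):
            current["next_hop_type"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("State:"):
            current["state"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Communities:"):
            current["communities"] = stripped.split(":", 1)[1].split()
    return entries


def ineffective_blackholes(entries, blackhole_community="19962:911"):
    """Prefixes tagged for blackholing whose route is hidden or has an unusable next hop,
    meaning traffic to them is still being forwarded rather than discarded."""
    return [e["prefix"] for e in entries
            if blackhole_community in e["communities"]
            and (e["next_hop_type"] == "Unusable" or "Hidden" in (e["state"] or ""))]
```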