[j-nsp] BGP Blackhole communities

David Ball davidtball at gmail.com
Wed Oct 20 10:45:22 EDT 2010


  There used to be a great page up at www.secsup.org that provided examples
of exactly this, but I can't seem to load the page anymore.
  Anyhow, for your customer, they could add a static route on their router
for the block they want to null route, and 'tag' it with, say, 666 (using
the 'tag' attribute when defining the static route).  Their BGP export
policy facing you would then have a route-map which would watch for
statically-originated routes tagged with 666 and if found, set a community
of, say,   yourASNhere:666.
  Then on your side, as a part of your import policies for incoming customer
routes, have a match clause looking for yourASNhere:666 and if you see it,
leave the community set, and set next-hop to 'discard'.  Then, in your
export policies to your upstream(s), again watch for that yourASNhere:666
community and if found, reset the community to upstreamISPasn:666 (or
whatever they've told you to use for their blackhole community).
  If you have non-BGP customers that are interested in this, you could
implement the same kind of thing with static routing on your network,
whereby the customer would call you, ask you to null-route a particular
prefix, and your NOC would add the static route with the appropriate tag,
and your export policies facing your upstreams could pick up on it and set
the appropriate BGP community.

## snippet from import policy applied to incoming customer BGP routes....
[edit policy-options policy-statement your-cust-bgp-import-policy-here]
term null-route {
    from community your-blackhole-community;
    then {
        community set your-blackhole-community;   ## overwrites any other attached communities
        next-hop discard;
        accept;
    }
}

## and of course, define what that community is....
community your-blackhole-community members yourASN:666;

You'd then have a similar looking stanza in your export policy facing your
upstream(s), of course with the appropriate BGP community that they've told
you to use.
  As someone else has mentioned, you'll need to decide how small a block you
want to null route from a given customer, and adjust their prefix-list (i.e.
to allow down to a /32, for example, using   route-filter x.x.x.x/y orlonger;
in their import policy) accordingly.

David
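
The full chain described above (customer import policy that honours the blackhole community, export policy toward the upstream that rewrites it, and the static-route-with-tag variant for non-BGP customers), written out as an added example. This is not configuration from the original post or from any list member; the ASNs (64496 for "you", 64500 for the upstream, 64500:666 as the upstream's advertised blackhole community), the customer allocation 192.0.2.0/24 and the address 198.51.100.7 are documentation values chosen for illustration.

```junos
## Added example, not from the original post. Assumes your ASN is 64496,
## the upstream is AS64500 and asked for 64500:666 as its blackhole
## community, and customer A is assigned 192.0.2.0/24 (all placeholders).
policy-options {
    prefix-list cust-a-prefixes {
        192.0.2.0/24;
    }
    community cust-routes       members 64496:100;
    community cust-blackhole    members 64496:666;
    community upstream-blackhole members 64500:666;

    ## Import policy on customer A's BGP session.
    policy-statement cust-a-import {
        ## Blackhole requests are honoured only for addresses inside the
        ## customer's own allocation, down to a /32. Without the
        ## prefix-list-filter the customer could blackhole anyone's space.
        term blackhole {
            from {
                community cust-blackhole;
                prefix-list-filter cust-a-prefixes orlonger;
            }
            then {
                community set cust-blackhole;   ## drop any other communities
                next-hop discard;
                accept;
            }
        }
        ## Ordinary routes: only the assigned block itself, no more-specifics.
        term allowed {
            from prefix-list-filter cust-a-prefixes exact;
            then {
                community add cust-routes;
                accept;
            }
        }
        term reject-rest {
            then reject;
        }
    }

    ## Export policy toward the upstream. The blackhole terms come first so a
    ## /32 carrying our community is rewritten before the generic accept.
    policy-statement upstream-export {
        term bgp-blackhole {
            from community cust-blackhole;
            then {
                community set upstream-blackhole;
                accept;
            }
        }
        ## Null routes the NOC installed by hand for non-BGP customers.
        term static-blackhole {
            from {
                protocol static;
                tag 666;
            }
            then {
                community set upstream-blackhole;
                accept;
            }
        }
        term customer-routes {
            from community cust-routes;
            then accept;
        }
        term reject-rest {
            then reject;
        }
    }
}

routing-options {
    static {
        ## Manual blackhole for a non-BGP customer; tag 666 is what the
        ## upstream-export policy keys on.
        route 198.51.100.7/32 {
            discard;
            tag 666;
        }
    }
}

protocols {
    bgp {
        group customers {
            neighbor 192.0.2.1 {
                peer-as 64497;
                import cust-a-import;
            }
        }
        group upstream {
            neighbor 203.0.113.1 {
                peer-as 64500;
                export upstream-export;
            }
        }
    }
}
```

Two points matter operationally. The prefix-list-filter in the blackhole term is the security check: it is what stops a customer from announcing someone else's /32 with your blackhole community and having you discard (and propagate) it. And the upstream's community value is whatever that provider documents; 64500:666 is only a stand-in here, so substitute the value they give you (or the well-known BLACKHOLE community 65535:666 from RFC 7999 if they honour it).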



On 20 October 2010 05:46, Nick Ryce <Nick.Ryce at lumison.net> wrote:

> Hi Guys,
>
> I am starting to play with BGP and have set up some communities to separate
> customer, peer and transit routes.  I am trying to figure out how to allow
> customers to send me a blackhole community number and then blackhole this.
>  Does anyone have any examples?  I have set up most of my communities
> following http://puck.nether.net/bgp/juniper-config.html but still cannot
> find any work examples of a blackhole community and how, when a customer
> adds this to a prefix, I can discard/nullroute this.
>
> Any help much appreciated
>
>
> Nick
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
