[j-nsp] BGP Blackhole communities

Nick Ryce Nick.Ryce at lumison.net
Wed Oct 20 11:18:59 EDT 2010


Thanks for all the replies and help :)

Nick

-----Original Message-----
From: Jonas Frey (Probe Networks) [mailto:jf at probe-networks.de]
Sent: 20 October 2010 16:03
To: Nick Ryce
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] BGP Blackhole communities

Hi,

it's easy:

- you need "multihop" on internal bgp sessions
- configure dsc:
unit 0 {
    family inet {
        address 10.10.20.1/32 {
            destination 10.10.20.2;
        }
    }
}

Add policy for blackhole filter:

# show policy-options policy-statement blackholefilter
term black {
    from {
        protocol bgp;
        community blackhole;
    }
    then {
        next-hop 10.10.20.2;
    }
}



- use this policy as import on internal bgp sessions (to propagate in
your network and block traffic directly on each node)

- add policy to your bgp customer as import policy:

term 2 {
    from {
        protocol bgp;
        community blackhole;
    }
    then {
        community add no-export;
        next-hop 10.10.20.2;
        accept;
    }
}


- define community blackhole:

# show policy-options community blackhole
members <yourAS>:9999;


You may need/want to tweak this to suit your needs. The above example
will allow everything up to /32 in size (usually what your customer will
want).

Regards,
Jonas



On Wednesday, 20.10.2010, at 12:46 +0100, Nick Ryce wrote:
> Hi Guys,
>
> I am starting to play with BGP and have set up some communities to separate customer, peer and transit routes.  I am trying to figure out how to allow customers to send me a blackhole community number and then blackhole this.  Does anyone have any examples?  I have set up most of my communities following http://puck.nether.net/bgp/juniper-config.html but still cannot find any working examples of a blackhole community and how, when a customer adds this to a prefix, I can discard/nullroute this.
>
> Any help much appreciated
>
>
> Nick
>
>
> ________________________________
> --
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender. Any
> offers or quotation of service are subject to formal specification.
> Errors and omissions excepted. Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Lumison.
> Finally, the recipient should check this email and any attachments for the
> presence of viruses. Lumison accept no liability for any
> damage caused by any virus transmitted by this email.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

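Jonas's fragments assembled into one Junos configuration, as an added example that is not from the thread (the dsc interface is configured exactly as shown above and is left out here). AS 64496, the customer prefix 192.0.2.0/24, and the prefix-list, policy and group names are assumptions; peer-as and neighbor statements are omitted. It adds the tweak Jonas hints at: the customer import honours the blackhole community only for prefixes inside that customer's own allocation, so one customer cannot blackhole somebody else's /32 across your network.

```junos
policy-options {
    /* assumed: the customer's allocation, the only space it may blackhole */
    prefix-list CUSTOMER-A-PREFIXES {
        192.0.2.0/24;
    }
    /* assumed AS 64496; this is Jonas's <yourAS>:9999 */
    community blackhole members 64496:9999;
    policy-statement CUSTOMER-A-IN {
        term blackhole {
            from {
                protocol bgp;
                community blackhole;
                prefix-list-filter CUSTOMER-A-PREFIXES orlonger;
            }
            then {
                community add no-export;
                next-hop 10.10.20.2;
                accept;
            }
        }
        /* a tagged prefix outside the allocation is rejected, not blackholed */
        term reject-stray-blackhole {
            from community blackhole;
            then reject;
        }
    }
    /* iBGP import: each router points the route at its own dsc interface */
    policy-statement blackholefilter {
        term black {
            from {
                protocol bgp;
                community blackhole;
            }
            then next-hop 10.10.20.2;
        }
    }
}
protocols {
    bgp {
        group ibgp {
            type internal;
            multihop;
            import blackholefilter;
        }
        group customer-a {
            import CUSTOMER-A-IN;
        }
    }
}
```

Because term black carries no accept, a blackholed route still falls through to the remaining iBGP import terms, as in Jonas's version; check "show route 10.10.20.2" resolves to dsc.0 on every router before relying on it.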


