[j-nsp] BGP Blackhole communities
Jonas Frey (Probe Networks)
jf at probe-networks.de
Wed Oct 20 11:03:19 EDT 2010
Hi,
it's easy:
- you need "multihop" on internal bgp sessions
- configure dsc:
    unit 0 {
        family inet {
            address 10.10.20.1/32 {
                /* traffic with next-hop 10.10.20.2 resolves via dsc and is dropped */
                destination 10.10.20.2;
            }
        }
    }
Add policy for blackhole filter:
    # show policy-options policy-statement blackholefilter
    term black {
        from {
            protocol bgp;
            community blackhole;
        }
        then {
            /* point the route at the discard interface */
            next-hop 10.10.20.2;
        }
    }
- use this policy as import on internal bgp sessions (to propagate in
your network and block traffic directly on each node)
- add policy to your bgp customer as import policy:
    term 2 {
        from {
            protocol bgp;
            community blackhole;
        }
        then {
            /* keep the blackhole route inside your own AS */
            community add no-export;
            next-hop 10.10.20.2;
            accept;
        }
    }
- define community blackhole:
    # show policy-options community blackhole
    members <yourAS>:9999;
You may need/want to tweak this to suit your needs. The above example
will allow everything up to /32 in size (usually what your customer will
want).
Regards,
Jonas
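As an added example, not code from the original post: a small Python model of the two import policies above (the customer-facing "term 2" and the iBGP "blackholefilter"), with one extra check that is my assumption and not in the post: a customer may only blackhole prefixes inside the blocks assigned to them. AS 65000 stands in for <yourAS>; the routes and customer blocks are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

LOCAL_AS = 65000                         # assumed stand-in for <yourAS>
BLACKHOLE_COMMUNITY = f"{LOCAL_AS}:9999"  # policy-options community blackhole
DISCARD_NEXT_HOP = "10.10.20.2"          # destination on the dsc interface


@dataclass
class Route:
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)
    accepted: bool = False


def in_customer_blocks(prefix, customer_blocks):
    """Assumed extra check: prefix must sit inside one of the customer's blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    for block in customer_blocks:
        b = ipaddress.ip_network(block)
        if b.version == net.version and net.subnet_of(b):
            return True
    return False


def customer_import(route, customer_blocks):
    """Model of the customer import 'term 2': match the blackhole community,
    tag no-export, rewrite next-hop to the discard address, accept."""
    if BLACKHOLE_COMMUNITY in route.communities:
        if not in_customer_blocks(route.prefix, customer_blocks):
            route.accepted = False   # reject: outside the customer's own space
            return route
        route.communities.add("no-export")
        route.next_hop = DISCARD_NEXT_HOP
        route.accepted = True
        return route
    route.accepted = True            # other routes: unchanged (default accept)
    return route


def ibgp_import(route):
    """Model of 'blackholefilter' term black on internal sessions: every node
    that learns a route carrying the community points it at the dsc interface."""
    if BLACKHOLE_COMMUNITY in route.communities:
        route.next_hop = DISCARD_NEXT_HOP
    route.accepted = True
    return route
```
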
On Wednesday, 20.10.2010, 12:46 +0100, Nick Ryce wrote:
> Hi Guys,
>
> I am starting to play with BGP and have set up some communities to separate customer, peer and transit routes. I am trying to figure out how to allow customers to send me a blackhole community number and then blackhole this. Does anyone have any examples? I have set up most of my communities following http://puck.nether.net/bgp/juniper-config.html but still cannot find any work examples of a blackhole community and how, when a customer adds this to a prefix, I can discard/nullroute this.
>
> Any help much appreciated
>
>
> Nick