[j-nsp] RTBH
Niall Donaghy
Niall.Donaghy at geant.org
Fri Jan 15 03:28:01 EST 2016
Hi Johan,
Exactly as Chip has put it.
In our setup we inject the routes into iBGP with this policy:
@foo.re0> show configuration policy-options policy-statement ps-RTBH-routes-export
term RTBH-injection {
    from {
        protocol static;
        tag 666;
        route-filter 0.0.0.0/0 prefix-length-range /32-/32;
    }
    then {
        community add RTBH;
        community add no-export;
        next-hop 192.0.2.101;
        accept;
    }
}
@foo.re0> show configuration policy-options policy-statement ps-RTBH-routes-export-v6
term RTBH-injection {
    from {
        protocol static;
        tag 666;
        route-filter ::/0 prefix-length-range /128-/128;
    }
    then {
        community add RTBH;
        community add no-export;
        next-hop 100::;
        accept;
    }
}
Then on *every* router, next-hops 192.0.2.101 and 100:: have a static discard route:
set routing-options static route 192.0.2.101/32 discard
set routing-options static route 192.0.2.101/32 no-readvertise
set routing-options rib inet6.0 static route 0100::/64 discard
set routing-options rib inet6.0 static route 0100::/64 no-readvertise
The trick is that the next-hop in the RTBH route points to the discard route; the RTBH route itself does not have next-hop discard.
Does that help you?
Kind regards,
Niall
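As an added illustration (not part of the list post or any Junos tooling), the following Python models the two policy terms above and then checks a constructed fleet of routers for the failure mode in the original question: a router that lacks the static discard route for the RTBH next-hop will forward the blackholed traffic to a neighbour instead of dropping it on ingress. Router names, the victim prefix and the fleet contents are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

RTBH_TAG = 666
# Discard next-hops from the policy; every router needs a static discard route covering them.
RTBH_NEXT_HOP = {4: "192.0.2.101", 6: "100::"}

@dataclass
class Route:
    prefix: str
    protocol: str = "static"
    tag: Optional[int] = None
    next_hop: Optional[str] = None
    communities: frozenset = frozenset()

def export_rtbh(route: Route) -> Optional[Route]:
    """Model of term RTBH-injection: static + tag 666 + exact host route (/32 or /128)."""
    net = ipaddress.ip_network(route.prefix, strict=False)
    host_len = 32 if net.version == 4 else 128
    if (route.protocol, route.tag, net.prefixlen) != ("static", RTBH_TAG, host_len):
        return None  # term does not match; the route is not rewritten by this term
    return Route(route.prefix, "bgp", route.tag, RTBH_NEXT_HOP[net.version],
                 route.communities | {"RTBH", "no-export"})

def drops_locally(advertised: Route, statics: Dict[str, str]) -> bool:
    """Does this router's own static table resolve the RTBH next-hop to discard?"""
    nh = ipaddress.ip_address(advertised.next_hop)
    return any(act == "discard" and nh in ipaddress.ip_network(p) for p, act in statics.items())

def routers_missing_discard(advertised: Route, fleet: Dict[str, Dict[str, str]]) -> List[str]:
    """Routers that would hand the traffic to a neighbour instead of discarding it."""
    return sorted(name for name, statics in fleet.items() if not drops_locally(advertised, statics))

# Constructed sample fleet: r3 is missing the IPv4 discard route.
FLEET = {
    "r1": {"192.0.2.101/32": "discard", "100::/64": "discard"},
    "r2": {"192.0.2.101/32": "discard", "100::/64": "discard"},
    "r3": {"100::/64": "discard"},
}

if __name__ == "__main__":
    victim = Route("203.0.113.7/32", tag=RTBH_TAG)  # constructed blackhole target
    adv = export_rtbh(victim)
    print(adv)
    print("routers missing a discard route:", routers_missing_discard(adv, FLEET))
```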
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> chip
> Sent: 15 January 2016 01:07
> To: Johan Borch
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] RTBH
>
> A strategy that I've seen used is to pick some ip address and add a static route
> for it pointing to discard on every router. Then when you receive the route to
> black-hole, set the next-hop to the discard route. This way all routers will drop
> traffic for the prefix as soon as it enters the router instead of running through
> your network first.
>
>
>
> On Thu, Jan 14, 2016 at 4:10 PM, Johan Borch <johan.borch at gmail.com>
> wrote:
>
> > Hi!
> >
> > I have implemented RTBH in my small network of 8 routers. DFZ is
> > running in a L3VPN and each router has a multihop ibgp-session with
> > my RTBH-router and it works, but I have one thing that annoys me.
> >
> > If I announce an offending IP to be black holed, only one of the
> > routers will point to the discard route. The other 7 will see the
> > announced route via BGP from the one that got it first I guess and
> > send the traffic to that one where it is discarded. If I do show
> > extensive on the route it is preferred because of IGP. I can't figure out
> > how to get each router to prefer the discard locally. If I do local
> > pref on one router the other 7 will send the traffic there instead.
> >
> > Every router has
> >
> > route a.b.c.d/32 {
> >     discard;
> >     install;
> > }
> >
> > And from sending RTBH router, they are announced with next-hop a.b.c.d.
> >
> > Ideas? :)
> >
> > Regards
> > Johan
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
>
> --
> Just my $.02, your mileage may vary, batteries not included, etc....