[j-nsp] RTBH

Hugo Slabbert hugo at slabnet.com
Fri Jan 15 11:40:00 EST 2016


-- 
Hugo
cell: 604-617-3133

hugo at slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on Signal)

On Thu 2016-Jan-14 22:10:46 +0100, Johan Borch <johan.borch at gmail.com> wrote:

>Hi!
>
>I have implemented RTBH in my small network of 8 routers. DFZ is running in
>a L3VPN and each router has a multihop ibgp-session with my RTBH-router
>and it works, but I have one thing that annoys me.
>
>If I announce an offending IP to be black holed, only one of the routers
>will point to the discard route. The other 7 will see the announced route
>via BGP from the one that got it first I guess and send the traffic to that
>one where it is discarded.

Sounds like the router that receives the initial RTBH /32 is re-advertising 
that to your other peers, i.e.:

- RTBH box announces /32 with a.b.c.d/32 next-hop discard via BGP
- RTBH BGP peer #1 receives and installs the route
- that discard route on RTBH BGP peer #2 is picked up in its IGP export 
   policy, so it exports it into your IGP
- other RTBH BGP peers receive both the original BGP route from the RTBH 
   box as well as the route RTBH BGP peer #1 injected into your IGP
- IGP preference beats BGP, therefore remaining RTBH BGP peers prefer the 
   IGP route that peer #1 injected

Check your IGP export policy; you shouldn't be exporting the RTBH route 
into your IGP.

>If I do show extensive on the route it is preferred
>because of IGP. I can't figure out how to get each router to prefer the
>discard locally. If I do local pref on one router the other 7 will send the
>traffic there instead.
>
>Every router has
>
>     route a.b.c.d/32 {
>            discard;
>            install;
>        }
>
>And from sending RTBH router, they are announced with next-hop a.b.c.d.
>
>Ideas? :)
>
>Regards
>Johan
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp
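One way to apply Hugo's advice of keeping the RTBH route out of the IGP, as an added Junos example that is not from either poster. It assumes OSPF is the IGP and that the RTBH box tags its announcements with community 65000:666 (both assumptions); a.b.c.d is the discard next-hop from the original post.

```junos
/* Added example, not from the thread. Assumes the IGP is OSPF and that the
   RTBH box tags its announcements with community 65000:666 (assumption);
   a.b.c.d is the discard next-hop from the original post. In an L3VPN the
   protocols stanza lives under the routing-instance instead. */
policy-options {
    community RTBH members 65000:666;
    policy-statement export-to-igp {
        /* Anything resolving via the blackhole next-hop stays out of the IGP,
           so every peer keeps using its own local discard route */
        term no-rtbh-by-nexthop {
            from next-hop a.b.c.d;
            then reject;
        }
        /* Belt and braces: also drop routes carrying the RTBH community */
        term no-rtbh-by-community {
            from community RTBH;
            then reject;
        }
        /* Whatever you actually want in the IGP goes here */
        term connected {
            from protocol direct;
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    ospf {
        export export-to-igp;
    }
}
```

After the change, `show route <victim-prefix> extensive` on each of the eight peers should show the route as BGP with a discard next hop rather than as learned via OSPF.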