[j-nsp] BGP route announcements and Blackholes
Tom Beecher
beecher at beecher.cc
Wed Mar 27 11:16:21 EDT 2024
I've read this a couple times. Also confused, but I think this is what you
are saying:
- You have a /19 aggregate that is announced via BGP to upstreams.
- You use an upstream RTBH service that will sink a particular destination
via a BGP announcement to a particular peer.
- When you add a /32 discard (presumably to send to the RTBH peer), your
aggregate is 'impacted' somehow.
There's not enough info to fully grasp what is going on here. (What does
"impacted" mean?) But a couple points.
1. Aggregate routes are intentionally NH discard all the time. The intent
is that traffic for the entire /19 would come to this router, and that you
will have more specific routes for parts of the /19 you're actually using.
Anything not covered by a more specific would just be dropped. You can
change this if you want, but normally don't need to.
2. This may be part of your issue.
x.x.0.0/19 *[OSPF/125] 5d 19:26:19, metric 20, tag 0
> to 10.20.20.3 via ae0.0
[Aggregate/130] 5d 20:18:36
Reject
Aggregates are not installed unless there is a contributing route present
as well. Contributing route must be a route with a longer mask covered by
the aggregate; can't be an exact match. This means that your OSPF /19 is
NOT the contributor to the aggregate, it must be something else. (Also,
OSPF/125?)
If I had to guess, you're doing something here that is impacting the
contributing routes, causing the aggregate to disappear.
On Tue, Mar 19, 2024 at 1:43 PM Lee Starnes via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:
> Hello Juniper gurus. I am seeing an issue where we have a carrier that does
> RTBH via BGP announcement rather than community strings. This is done via
> BGP peer to a blackhole BGP router/server.
>
> My issue here is that our aggregate IP block that is announced to our
> backbone providers gets impacted when creating a /32 static discard route
> to announce to that blackhole peer.
>
> The blackhole peer does receive the /32 announcement, but the aggregate
> route also becomes discarded and thus routes to the other peers stop
> working.
>
> Been trying to determine just how to accomplish this function without
> killing all routes.
>
> So we have several /30 to /23 routes within our /19 block that are
> announced via OSPF from our switches to the routers. The routers aggregate
> these to the /19 to announce the entire larger block to the backbone
> providers.
>
> The blackhole peer takes routes down to a /32 for mitigation of an attack.
> If we add a static route as "route x.x.22.12/32 discard" we get:
>
> show route x.x.22.10
>
> inet.0: 931025 destinations, 2787972 routes (931025 active, 0 holddown, 0
> hidden)
> @ = Routing Use Only, # = Forwarding Use Only
> + = Active Route, - = Last Active, * = Both
>
> x.x.0.0/19 *[OSPF/125] 5d 19:26:19, metric 20, tag 0
> > to 10.20.20.3 via ae0.0
> [Aggregate/130] 5d 20:18:36
> Reject
>
>
> While we see the more specific route as discard:
>
> show route x.x.22.12
>
> inet.0: 931022 destinations, 2787972 routes (931022 active, 0 holddown, 0
> hidden)
> @ = Routing Use Only, # = Forwarding Use Only
> + = Active Route, - = Last Active, * = Both
> x.x.22.12/32 *[Static/5] 5d 20:20:07
> Discard
>
>
>
> Does anyone have a working config for this type of setup that might be able
> to share some tips or the likes on what I need to do or what I'm doing
> wrong?
>
> Best,
>
> -Lee
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
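As an added illustration (not from the thread and not Junos code), here is a small Python model of the two rules Tom describes: an aggregate is installed only when a longer-mask contributor exists (an exact-match /19 never counts), and route selection is longest-prefix-first, then lowest preference. The prefixes are constructed stand-ins for the poster's x.x.0.0/19.

```python
import ipaddress

# Constructed model of the Junos behaviour discussed above. 10.10.0.0/19
# stands in for the poster's x.x.0.0/19; 10.20.20.3 via ae0.0 is the
# next hop shown in the thread.

def contributors(aggregate, routes):
    """Routes covered by `aggregate` with a LONGER mask; exact match excluded."""
    agg = ipaddress.ip_network(aggregate)
    return [r for r in routes
            if ipaddress.ip_network(r[0]).prefixlen > agg.prefixlen
            and ipaddress.ip_network(r[0]).subnet_of(agg)]

def install_aggregate(aggregate, routes):
    """Return the table with the aggregate added only if it has a contributor."""
    table = list(routes)
    if contributors(aggregate, routes):
        table.append((aggregate, "Aggregate", 130, "Reject"))
    return table

def lookup(dest, table):
    """Longest prefix match; ties broken by lowest preference value."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[2]))

# Constructed table mirroring the thread: an OSPF copy of the /19 itself
# (pref 125 as shown), one OSPF more-specific from the switches, and the
# static /32 discard destined for the RTBH peer.
ROUTES = [
    ("10.10.0.0/19", "OSPF", 125, "10.20.20.3 via ae0.0"),
    ("10.10.8.0/23", "OSPF", 10, "10.20.20.3 via ae0.0"),
    ("10.10.22.12/32", "Static", 5, "Discard"),
]

if __name__ == "__main__":
    table = install_aggregate("10.10.0.0/19", ROUTES)
    print(contributors("10.10.0.0/19", ROUTES))        # /23 and /32 only
    print(lookup("10.10.22.10", table))                # OSPF/125 beats Aggregate/130
    print(lookup("10.10.22.12", table))                # Static/5 discard wins
    # The OSPF /19 alone is an exact match, so no aggregate gets installed.
    print(install_aggregate("10.10.0.0/19", [ROUTES[0]]))
```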