Cisco – BGP community blackhole

Tags: bgp, cisco, routing, Security

We have created a peering with our ISP, and my ISP sent a community to use for blackholing, but how do I configure that and send the community string to blackhole traffic?

The ISP said to use the 64682:0 community for RTBH. I did the following config, but it didn't work:

router bgp 100
 bgp log-neighbor-changes
 redistribute static route-map RTBH
 neighbor 71.xxx.xxx.61 remote-as 200
 neighbor 71.xxx.xxx.61 send-community
 network 70.xx.xx.0 mask 255.255.255.0


route-map RTBH permit 10
 match tag 666
 set community 64682:666

route-map RTBH permit 20

I am not using :0 in the community because my router is not accepting that.

Here I am using a route to Null0:

ip route 71.x.x.100 255.255.255.255 Null0 tag 666

What am I doing wrong?

EDIT:

I was following this doc to set up community RTBH: http://cenic.org/network/bgp-blackhole-community

Update:

I have modified the config with the following info, but still no luck, and no auto-summary is the default in BGP.

route-map RTBH permit 10
 match tag 666
 set community 64682:0
 set ip next-hop 192.0.2.1
!
route-map RTBH permit 20

Debug info:

When I trigger the null route I get the following logs from debug ip routing:

R1#
*Jun 20 15:38:23.212: RT: updating static 70.xx.xx.1/32 (0x0)  :
    via 0.0.0.0 Nu0  0 1048578

*Jun 20 15:38:23.212: RT: rib update return code: 17

Best Answer

The Cisco documents provide a full explanation for the options, and examples of how to configure your router, depending on the ISP requirements. Be sure to read and understand the text. It explains what you need to do, and why you need to do it.

Here is a very good Cisco document, and an example of one way to do this (your ISP may not do it this way):

REMOTELY TRIGGERED BLACK HOLE FILTERING — DESTINATION BASED AND SOURCE BASED

Trigger Router

This section provides a sample configuration listing for the trigger router. In this configuration, peer groups are used because it is the preferred way to configure a large number of BGP peers with similar characteristics. You must set the send-community for all these peers so they receive the noexport community and respect it by not advertising this redistributed route to any of their external peers.

Also, make sure to set no auto-summary so that specific host routes can be black holed. Otherwise BGP will automatically summarize the route based on class boundaries. Static routes are then redistributed into BGP after applying the black hole-trigger route map.

trigger#sh run
Building configuration...
version 12.1
!
hostname trigger
!
ip subnet-zero
!
interface Loopback0
 ip address 192.168.255.245 255.255.255.255
!
interface Null0
 no ip unreachables
!
interface Ethernet0/0
 ip address 192.168.4.3 255.255.255.0
 half-duplex
!
router ospf 100
 log-adjacency-changes
 redistribute connected subnets
 network 192.168.4.0 0.0.0.255 area 0
router bgp 740
 no synchronization
 bgp log-neighbor-changes
 redistribute static route-map black-hole-trigger
 neighbor black-hole peer-group
 neighbor black-hole remote-as 740
 neighbor black-hole update-source Loopback0
 neighbor black-hole send-community
 neighbor 192.168.255.246 remote-as 740
 neighbor 192.168.255.246 update-source Loopback0
 neighbor 192.168.255.253 peer-group black-hole
 no auto-summary
!
ip route 192.0.2.1 255.255.255.255 Null0
route-map black-hole-trigger permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
route-map black-hole-trigger deny 25
!
no scheduler allocate
end

The last part of this configuration creates a route map to match the route tag 66 and sets route characteristics. A higher value of local preference is desired for choosing a route, so it is set to 200, which is greater than the default value of 100. Also, to make sure that other static routes are not affected by this route map, a deny statement is placed at the end.
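As an added example (not from the question, the answer or the Cisco document), a small Python lint for a customer-side RTBH trigger config. It checks the points the answer stresses: that the router bgp section redistributes statics through a route-map, that every permit clause of that route-map matches a tag carried by a Null0 static route and sets the ISP's blackhole community, and that each neighbor has send-community. The sample config and its addresses are constructed.

```python
import re

# Constructed sample, modelled on the question's config (addresses are made up).
SAMPLE = """router bgp 100
 redistribute static route-map RTBH
 neighbor 71.0.0.61 remote-as 200
 neighbor 71.0.0.61 send-community
route-map RTBH permit 10
 match tag 666
 set community 64682:666
route-map RTBH permit 20
ip route 71.0.0.100 255.255.255.255 Null0 tag 666
"""

def parse_route_map(cfg, name):
    """Return the clauses of route-map `name` as (action, seq, [indented lines])."""
    clauses, cur = [], None
    for line in cfg.splitlines():
        m = re.match(rf"route-map {re.escape(name)} (permit|deny) (\d+)", line)
        if m:
            cur = (m.group(1), int(m.group(2)), [])
            clauses.append(cur)
        elif line.startswith(" ") and cur:
            cur[2].append(line.strip())
        else:
            cur = None  # any other top-level line ends the current clause
    return clauses

def lint_rtbh(cfg, community):
    """Findings for a customer-side RTBH trigger config; an empty list means no issue found."""
    findings = []
    m = re.search(r"^ redistribute static route-map (\S+)", cfg, re.M)
    if not m:
        return ["router bgp: no 'redistribute static route-map', Null0 routes never reach BGP"]
    clauses = parse_route_map(cfg, m.group(1))
    null_tags = set(re.findall(r"^ip route \S+ \S+ Null0 tag (\d+)", cfg, re.M))
    for _, seq, lines in (c for c in clauses if c[0] == "permit"):
        tag = next((l.split()[-1] for l in lines if l.startswith("match tag")), None)
        if tag is None:
            findings.append(f"clause {seq}: permit without match redistributes every static route")
            continue
        if tag not in null_tags:
            findings.append(f"clause {seq}: no Null0 static route carries tag {tag}")
        comm = next((l.split()[-1] for l in lines if l.startswith("set community")), None)
        if comm != community:
            findings.append(f"clause {seq}: community {comm} is not the ISP blackhole community {community}")
    for nbr in re.findall(r"^ neighbor (\S+) remote-as", cfg, re.M):
        if not re.search(rf"^ neighbor {re.escape(nbr)} send-community", cfg, re.M):
            findings.append(f"neighbor {nbr}: send-community missing, the community is stripped")
    return findings
```

Run against the sample it reports the wrong community in clause 10 and the catch-all permit 20; changing the community to 64682:0 and the last clause to deny clears both.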