There is no reason to limit customer to blackhole only /32, allow them to blackhole anything from them.
Something like this:
policy-statement AS42-IN {
term blackhole {
from {
community BLACKHOLE;
prefix-list-filter AS42 orlonger;
}
then {
community add NO-EXPORT;
next-hop 192.0.2.1;
accept;
}
}
term advertise {
from {
prefix-list AS42;
}
then {
community add ADVERTISE;
next-hop peer-address;
accept;
}
}
term reject {
then reject;
}
}
Remember to set 'accept-remote-nexthop' under BGP settings, so that the next-hop can be changed to something else than link address.
I also strongly support that providers start to support different blackhole communities than just 'full blackhole'. Especially if you operate in more than one country usually attack is from transit and often customer actually mostly wants to access domestic peerings, so it's useful to implement several levels of blackhhole:
- Full
- Outside local country (local IXP, whole own AS + customers seen)
- Outside local area (if applicable, like for me it could be 'Nordics')
- Include/Exclude specific peering router in blackhole
I'm happy to give example how to implement something like this with JNPR DCU/SCU, provided your peering routers are JNPR, but it's possible with just communities, just bit more awkward.
If you absolutely want to limit your customer's options you can add this:
policy-statement /32 {
term /32 {
from {
route-filter 0.0.0.0/0 prefix-length-range /32-/32;
}
then accept;
}
term reject {
then reject;
}
}
policy-statement AS42-IN {
term blackhole {
from {
community BLACKHOLE;
policy /32;
prefix-list-filter AS42 orlonger;
}
..
}
This way it should be logical AND. But I really don't see the value in creating complexity to reduce expressiveness of configuration.
Yes, this data is populated in the Firewall MIB
- .1.3.6.1.4.1.2636.3.5.2.1.5 contains your counters
- .1.3.6.1.4.1.2636.3.5.2.1.6 contains your filter names
- .1.3.6.1.4.1.2636.3.5.2.1.7 contains your counter names
show firewall filter RE-FILTER | match mgmt_ntp
mgmt_ntp 199728 2628
% snmpbulkwalk jnpr .1.3.6.1.4.1.2636.3.5.2.1.7|grep mgmt_ntp
.1.3.6.1.4.1.2636.3.5.2.1.7.9.82.69.45.70.73.76.84.69.82.8.109.103.109.116.95.110.116.112.2 = STRING: "mgmt_ntp"
% snmpbulkwalk jnpr .1.3.6.1.4.1.2636.3.5.2.1.5.9.82.69.45.70.73.76.84.69.82.8.109.103.109.116.95.110.116.112.2
.1.3.6.1.4.1.2636.3.5.2.1.5.9.82.69.45.70.73.76.84.69.82.8.109.103.109.116.95.110.116.112.2 = Counter64: 199728
More information on juniper.net
Best Answer
The best you'll be able to get is
inetCidrRouteTable
fromIP-FORWARD-MIB
- this will give you all routes, regardless of protocol.The OID is
.1.3.6.1.2.1.4.24.7
and if you walk it, you'll see a table of entries.The format of entries is:
If you're specifically after static routes, I would recommend ditching SNMP, and instead use the Junos REST API (available from Junos 15.1 onwards), or NETCONF calls via PyEZ.