Routes from BGP with next-hop to blackhole

Create Date: Mar 30 2012 4:26AM

Hi,

I'm trying to set up remotely triggered blackhole functionality.

From my blackhole triggering router, I send routes with next-hop of 192.0.2.1.

On all routers I have configured a static route for 192.0.2.1:

configure iproute add blackhole ipv4 192.0.2.1/32

However, it seems that whenever a route has a next-hop pointing at a blackhole route, it is unfeasible.

# show bgp neighbor 2.13.1.6 received-routes all 
Routes:
Destination Peer Next-Hop LPref Weight MED AS-Path
----------------------------------------------------------------------------------------
u i 2.13.8.8/32 2.13.1.6 192.0.2.1 100 1 0
u i 2.13.9.2/32 2.13.1.6 192.0.2.1 100 1 0

I can't see that I'm doing anything wrong; perhaps I need some settings to allow this scenario. Similar configurations work on implementations other than Extreme??

(from Kenneth_Oestrup)
Create Date: Apr 16 2012 2:30PM

Hi,

You could have a look at the following.

create vlan "blackhole-vlan"
configure vlan blackhole-vlan tag 666
enable loopback-mode vlan blackhole-vlan
configure vlan blackhole-vlan ipaddress 192.168.123.1 255.255.255.0
enable ipforwarding vlan blackhole-vlan
disable igmp snooping vlan "blackhole-vlan"
disable igmp vlan "blackhole-vlan"
create fdbentry 00:11:22:33:44:55 vlan "blackhole-vlan" blackhole

configure iparp add 192.168.123.123 vr VR-Default 00:11:22:33:44:55
configure access-list blackhole_filter vlan "blackhole-vlan" ingress

The following policy file is used to discard any traffic that goes into the blackhole VLAN.

edit policy blackhole_filter
entry filter-blackhole {
if {
}
then {
deny ; count blackhv1 ;
}
}

Apply the following policy as the inbound policy on your BGP neighbors using the configure bgp neighbor route-policy
command. This policy blackholes any /32 route that matches community 65123:0:

# match all: both conditions must hold (community AND /32); with "match any"
# every /32 received from the neighbor would be blackholed
entry BLKHOLE-Filter-1 {
if match all {
community "65123:0" ;
nlri any/32 ;
}
then {
next-hop 192.168.123.123 ;
permit ;
}
}

Let me know if this fixed the issue for you.

It fixed the issue for us, although it took a while before we were able to get our heads around how to get / keep a 'feasible' route while putting everything to a blackhole. :-)

Regards,
Erik Bais

(from Erik_Bais)
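The following is an added example, not code from this thread or from Extreme: a small Python model of what the question and the answer above describe. It parses a received-routes table shaped like the one in the question (constructed here, with two extra rows added for illustration), resolves each next-hop against a constructed RIB that holds both the original static blackhole route and the workaround's connected blackhole VLAN, applies the blackhole in-policy with either `match all` or `match any` semantics, and audits the announcements. The operator aggregate 2.13.0.0/16 and the per-prefix community mapping are assumptions, since the table output does not show communities.

```python
"""Model of the RTBH problem and workaround discussed in the thread (added example)."""
import ipaddress
from dataclasses import dataclass

BLACKHOLE_COMMUNITY = "65123:0"        # community used in the in-policy above
BLACKHOLE_NEXTHOP = "192.168.123.123"  # static ARP entry -> blackholed FDB entry
# Assumption (not in the thread): the only space this network may blackhole.
OWN_AGGREGATES = [ipaddress.ip_network("2.13.0.0/16")]

# Constructed RIB of a receiving router: the original static blackhole route for
# 192.0.2.1 next to the workaround's connected blackhole VLAN and the peering LAN.
RIB = {
    ipaddress.ip_network("192.0.2.1/32"): "blackhole",
    ipaddress.ip_network("192.168.123.0/24"): "connected",
    ipaddress.ip_network("2.13.1.0/24"): "connected",
}

# Constructed to match the layout of the 'show bgp neighbor ... received-routes'
# output in the question; the last two rows are added: a foreign non-host prefix
# carrying the blackhole community, and a legitimate /32 without it.
SAMPLE_OUTPUT = """\
Routes:
Destination Peer Next-Hop LPref Weight MED AS-Path
----------------------------------------------------------------------------------------
u i 2.13.8.8/32 2.13.1.6 192.0.2.1 100 1 0
u i 2.13.9.2/32 2.13.1.6 192.0.2.1 100 1 0
* i 10.0.0.0/8 2.13.1.6 2.13.1.6 100 1 0
* i 2.13.10.5/32 2.13.1.6 2.13.1.6 100 1 0
"""

# Constructed: communities carried by each announcement (the table omits them).
SAMPLE_COMMUNITIES = {
    "2.13.8.8/32": ("65123:0",),
    "2.13.9.2/32": ("65123:0",),
    "10.0.0.0/8": ("65123:0",),
    "2.13.10.5/32": (),
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    communities: tuple = ()


def parse_received_routes(text, communities):
    """Extract prefix and next-hop from each table row; skip header/separator lines."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if "/" in t), None)
        if idx is None or idx + 2 >= len(tokens):
            continue
        prefix = ipaddress.ip_network(tokens[idx], strict=False)
        routes.append(Route(prefix, tokens[idx + 2], tuple(communities.get(tokens[idx], ()))))
    return routes


def next_hop_feasible(next_hop):
    """Longest-prefix match in the RIB; a next-hop whose best route is a blackhole
    is treated as unfeasible, which is the behaviour the question reports."""
    addr = ipaddress.ip_address(next_hop)
    matches = [n for n in RIB if addr in n]
    return bool(matches) and RIB[max(matches, key=lambda n: n.prefixlen)] != "blackhole"


def policy_matches(route, mode="all"):
    """Model the 'if match all|any { community ...; nlri any/32; }' block."""
    conds = (BLACKHOLE_COMMUNITY in route.communities, route.prefix.prefixlen == 32)
    return all(conds) if mode == "all" else any(conds)


def apply_in_policy(routes, mode="all"):
    """Rewrite the next-hop of matching routes to the blackhole next-hop."""
    return [Route(r.prefix, BLACKHOLE_NEXTHOP, r.communities) if policy_matches(r, mode) else r
            for r in routes]


def blackholed_prefixes(routes):
    return [str(r.prefix) for r in routes if r.next_hop == BLACKHOLE_NEXTHOP]


def audit(routes):
    """Flag unfeasible next-hops and blackhole announcements that are not host
    routes inside the operator's own space."""
    findings = []
    for r in routes:
        if not next_hop_feasible(r.next_hop):
            findings.append((str(r.prefix), "unfeasible next-hop " + r.next_hop))
        if BLACKHOLE_COMMUNITY in r.communities:
            if r.prefix.prefixlen != 32:
                findings.append((str(r.prefix), "blackhole community on a non-host route"))
            if not any(r.prefix.subnet_of(a) for a in OWN_AGGREGATES):
                findings.append((str(r.prefix), "blackhole community on a prefix outside own space"))
    return findings


if __name__ == "__main__":
    received = parse_received_routes(SAMPLE_OUTPUT, SAMPLE_COMMUNITIES)
    print("as received:", audit(received))
    for mode in ("all", "any"):
        rewritten = apply_in_policy(received, mode)
        print(f"match {mode}: blackholed {blackholed_prefixes(rewritten)}; audit {audit(rewritten)}")
```

Run as received, the two original announcements are flagged as unfeasible because 192.0.2.1 resolves to the static blackhole route; after the in-policy rewrites their next-hop to 192.168.123.123, which resolves via the connected blackhole VLAN, they become feasible. The `match any` run shows why the policy must use `match all`: the legitimate /32 without the community and the foreign /8 with it would both be blackholed.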
Create Date: May 11 2012 3:09AM

Hi Erik,

I forgot to thank you. This is one helluva workaround :-D Thank you for sharing the example. It is working perfectly for me as well.

(from Kenneth_Oestrup)
Create Date: May 11 2012 3:12AM

You're welcome.

Glad I could help.

Regards,
Erik Bais
A2B Internet

(from Erik_Bais)
Create Date: May 11 2012 3:17AM

BTW.. something you might also be interested in ...

We also tag these routes to our upstream providers..

Just put this in your upstream provider's outgoing routing policy:

entry blackhole {
if {
community "65123:0" ;
}
then {
community add "Upstream blackhole community" ;
permit ;
}
}

Kind regards,
Erik Bais

(from Erik_Bais)