Howto for BGP black holing/null routing
Randy McAnally
rsm at fast-serv.com
Wed Feb 23 16:54:44 UTC 2011
On Tue, 22 Feb 2011 16:42:28 -0500, David Hubbard wrote
> I was wondering if anyone has a howto floating around on the
> step by step setup of having an internal bgp peer for sending
> quick updates to border routers to null route sources of
> undesirable traffic? I've seen it discussed on nanog from
> time to time, typically suggesting using Zebra, but could
> not search up a link on a step by step.
Ultimately it depends on the transit provider.
For example, some have you set up a separate BGP session with a black hole
router. Any prefix sent will be blackholed network wide.
Some, such as Level3, look for specific community tags on your primary BGP
session.
So in a nutshell...let's blackhole a host:
! host route to Null0; tag 255 is what the STATIC-TO-BGP route-map matches on
ip route x.x.x.x 255.255.255.255 Null0 tag 255
Then set up a static-to-bgp with route-map to add community strings (for
example 3356:9999 for level3) to your routes with tag 255.
route-map STATIC-TO-BGP permit 10
match tag 255
set community 3356:9999
set origin igp
And in your BGP config:
redistribute static route-map STATIC-TO-BGP
Now, for the case of level3, you're already set (just be sure to apply
send-community on the neighbor).
Now for a provider having a unique blackhole BGP session, you want a special
route-map to filter prefixes going out that session:
ip community-list standard BLACKHOLE permit 3356:9999
route-map BLACKHOLE permit 10
match community BLACKHOLE
Now for the blackhole session:
neighbor <blackhole_peer> route-map BLACKHOLE out
It can get more complicated than this (for example, you've got more than one
EBGP router) but this is just a simple case.
I hope it helps...
~Randy
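The static-route step above is the one that gets typed in a hurry, and a typo there (a /24 instead of a /32, or an address outside your own space) is what turns a black hole for one host into an outage. The following is an added example, not code from the original post or from any vendor: a small Python pre-check that only emits the `ip route ... Null0 tag 255` lines the post's STATIC-TO-BGP route-map picks up, and refuses anything that is not a /32 inside the prefixes you originate or that sits on a protected list. The prefixes, protected hosts and batch cap are constructed sample values; the tag 255 is the one used in the post.

```python
import ipaddress

# Constructed sample values (documentation ranges), not from the original post:
# the prefixes this network originates. A black-hole route is accepted only for
# a host inside one of them, since a transit provider only acts on black-hole
# announcements for space you are authorised to originate anyway.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Addresses that must never be null-routed, e.g. router loopbacks and the host
# that runs the BGP trigger itself (constructed sample).
PROTECTED = {
    ipaddress.ip_address("192.0.2.1"),
    ipaddress.ip_address("198.51.100.1"),
}
RTBH_TAG = 255            # the tag the post's STATIC-TO-BGP route-map matches
MAX_HOSTS_PER_BATCH = 50  # cap on how many routes one trigger run may install


def validate_target(target):
    """Return the IPv4Address to black-hole, or raise ValueError explaining why
    the request is refused: only /32 host routes inside OUR_PREFIXES that are
    not on the PROTECTED list pass."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        raise ValueError(f"not an IP address or prefix: {target!r}")
    if net.version != 4:
        raise ValueError(f"only IPv4 targets are handled here: {net}")
    if net.prefixlen != 32:
        # A /24 here would black-hole a whole subnet network-wide.
        raise ValueError(f"only /32 host routes are black-holed, got {net}")
    addr = net.network_address
    if not any(addr in p for p in OUR_PREFIXES):
        raise ValueError(f"{addr} is outside the prefixes we originate")
    if addr in PROTECTED:
        raise ValueError(f"{addr} is on the protected list")
    return addr


def static_route(addr, tag=RTBH_TAG, remove=False):
    """IOS static route in the form the post's route-map picks up via 'match tag'."""
    line = f"ip route {addr} 255.255.255.255 Null0 tag {tag}"
    return f"no {line}" if remove else line


def build_batch(targets, remove=False):
    """Turn requested targets into (config_lines, rejected). 'rejected' maps each
    refused target to the reason; duplicate targets collapse to one route."""
    accepted = {}
    rejected = {}
    for t in targets:
        try:
            accepted[validate_target(t)] = True
        except ValueError as exc:
            rejected[t] = str(exc)
    if len(accepted) > MAX_HOSTS_PER_BATCH:
        raise ValueError(f"{len(accepted)} hosts exceeds the per-batch cap "
                         f"of {MAX_HOSTS_PER_BATCH}")
    lines = [static_route(a, remove=remove) for a in sorted(accepted)]
    return lines, rejected


if __name__ == "__main__":
    # Constructed sample request: one good host, a whole subnet, a foreign
    # address, a protected host, a duplicate of the good host, and garbage.
    sample = ["192.0.2.77", "192.0.2.0/24", "203.0.113.9",
              "192.0.2.1", "192.0.2.77/32", "bogus"]
    lines, rejected = build_batch(sample)
    print("\n".join(lines))
    for target, why in rejected.items():
        print(f"! rejected {target}: {why}")
```

Run it with `remove=True` to produce the matching `no ip route` lines when the attack subsides; the same checks apply, so you cannot withdraw a route you could not have installed. The output is plain IOS configuration text, so it can be pasted into the router or pushed by whatever automation you already use; the script deliberately does not talk to the router itself.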
More information about the NANOG mailing list