Howto for BGP black holing/null routing

Randy McAnally rsm at fast-serv.com
Wed Feb 23 10:54:44 CST 2011


On Tue, 22 Feb 2011 16:42:28 -0500, David Hubbard wrote
> I was wondering if anyone has a howto floating around on the
> step by step setup of having an internal bgp peer for sending
> quick updates to border routers to null route sources of
> undesirable traffic?  I've seen it discussed on nanog from
> time to time, typically suggesting using Zebra, but could
> not search up a link on a step by step.

Ultimately it depends on the transit provider.  

For example, some have you set up a separate BGP session with a black hole
router.  Any prefix sent will be blackholed network wide.

Some, such as the case of Level3, they are looking for specific community tags
on your primary BGP session.

So in a nutshell...lets blackhole a host:

ip route x.x.x.x 255.255.255.255 null0 tag 255

Then set up a static-to-bgp with route-map to add community strings (for
example 3356:9999 for level3) to your routes with tag 255.

route-map STATIC-TO-BGP permit  10
 match tag  255
 set community 3356:9999
 set origin igp

And in your BGP config:

 redistribute static route-map STATIC-TO-BGP

Now, for the case of level3, you're already set (just be sure to apply 
send-community on the neighbor).  

Now for a provider having a unique blackhole BGP session, you want a special
route-map to filter prefixes going out that session:

ip community-list BLACKHOLE seq 10 permit 3356:9999

route-map BLACKHOLE permit  10
 match community  BLACKHOLE

Now for the blackhole session:

 neighbor <blackhole_peer> route-map out BLACKHOLE

It can get more complicated than this (for example, you've got more than one
EBGP router) but this is just a simple case.

I hope it helps...

~Randy





More information about the NANOG mailing list