
Howto for BGP black holing/null routing

On Tue, 22 Feb 2011 16:42:28 -0500, David Hubbard wrote
> I was wondering if anyone has a howto floating around on the
> step by step setup of having an internal bgp peer for sending
> quick updates to border routers to null route sources of
> undesirable traffic?  I've seen it discussed on nanog from
> time to time, typically suggesting using Zebra, but could
> not search up a link on a step by step.

Ultimately it depends on the transit provider.  

For example, some have you set up a separate BGP session with a black hole
router.  Any prefix sent will be blackholed network wide.

Some, such as Level3, look for specific community tags on your primary BGP
session.

So in a nutshell... let's blackhole a host:

ip route x.x.x.x 255.255.255.255 null0 tag 255

Then set up a static-to-bgp with route-map to add community strings (for
example 3356:9999 for level3) to your routes with tag 255.

route-map STATIC-TO-BGP permit 10
 match tag 255
 set community 3356:9999
 set origin igp

And in your BGP config:

 redistribute static route-map STATIC-TO-BGP

Now, for the case of level3, you're already set (just be sure to apply 
send-community on the neighbor).  

Now for a provider having a unique blackhole BGP session, you want a special
route-map to filter prefixes going out that session:

ip community-list standard BLACKHOLE permit 3356:9999

route-map BLACKHOLE permit 10
 match community BLACKHOLE

Now for the blackhole session:

 neighbor <blackhole_peer> route-map BLACKHOLE out

It can get more complicated than this (for example, you've got more than one
EBGP router) but this is just a simple case.

I hope it helps...
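The one thing the recipe above has no safety net for is a typo in the static route: a wrong mask or the wrong address null-routes far more than the intended host. As an added example (not part of the mailing-list post), the Python below is a guard that builds the `ip route ... null0 tag 255` line only after checking the target is a single IPv4 host, inside prefixes you originate (assumes destination-based RTBH, where the provider only honours /32s from your own space), and not one of your own infrastructure addresses. The prefixes, protected addresses and function names are constructed assumptions.

```python
"""Guard rail for generating RTBH host routes before they reach a router.

Added example, not from the original post. Checks a target before emitting
'ip route <host> 255.255.255.255 null0 tag 255' (the tag matched by the
STATIC-TO-BGP route-map). All prefixes and addresses are constructed samples.
"""
import ipaddress

# Constructed sample data: prefixes this network originates, and addresses
# that must never be null-routed (router loopback, authoritative DNS, etc.).
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]
PROTECTED = {ipaddress.ip_address("198.51.100.1"),
             ipaddress.ip_address("203.0.113.53")}
BLACKHOLE_TAG = 255  # the tag the STATIC-TO-BGP route-map matches on


def validate_blackhole_target(target: str):
    """Return (ok, reason); ok is True only when target is safe to null-route."""
    try:
        # strict=True rejects "203.0.113.7/24" (host bits set), which is the
        # classic mask typo that would blackhole a whole /24.
        net = ipaddress.ip_network(target, strict=True)
    except ValueError as exc:
        return False, f"not a valid address or prefix: {exc}"
    if net.version != 4 or net.prefixlen != 32:
        return False, "only single IPv4 hosts (/32) may be null-routed here"
    host = net.network_address
    if host in PROTECTED:
        return False, f"{host} is protected infrastructure"
    if not any(net.subnet_of(p) for p in OUR_PREFIXES):
        return False, f"{host} is outside the prefixes we originate"
    return True, "ok"


def blackhole_route(target: str) -> str:
    """Build the IOS static route from the post, or raise if the guard fails."""
    ok, reason = validate_blackhole_target(target)
    if not ok:
        raise ValueError(reason)
    host = ipaddress.ip_network(target).network_address
    return f"ip route {host} 255.255.255.255 null0 tag {BLACKHOLE_TAG}"


if __name__ == "__main__":
    print(blackhole_route("203.0.113.7"))
```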