Hi all, we've been using RTBH internally for years now and we'd like to begin offering our clients the possibility of blackholing their own routes using a specific community. We've already done this on our Juniper PE and it works like a charm; however, this has proven less effective on our Cisco PE running IOS.
The following client-facing route-map is quite effective; however, the downside is that DDoS traffic transits our backbone and is finally dropped on one of the PEs as opposed to earlier up the chain, which is the desired behaviour.
route-map V4-CLIENT1 permit 10
 match ip address prefix-list V4-CLIENT1
 ! community-list RTBH-CLIENT-TRIGGER matches 123:666
 match community RTBH-CLIENT-TRIGGER
 continue 50
 set local-preference 6665
 set origin igp
 set community 123:666 no-export
 set ip next-hop 172.16.66.6
The reason is that when the received route tagged with the RTBH trigger (123:666) is sent from the PE to the route-reflectors, the next-hop is sent as the eBGP address, and I have not been able to identify an easy fix other than removing the next-hop-self statement from the RR peer-groups, which is an undesirable option. I've tried an outbound route-map, but once again the next-hop-self statement overrides this.
Can anyone think of a workaround or might be willing to share with us how they've implemented for their clients?
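As an added illustration (constructed for this page, not the poster's own configuration) of why the advertised next-hop decides where the drop happens: every router in the AS carries a static discard route for the RTBH next-hop, so a blackholed prefix that arrives with next-hop 172.16.66.6 is discarded on the first router that receives it, whereas one whose next-hop has been rewritten to the PE's loopback is forwarded across the backbone to that PE first. The local AS 123, the customer session 203.0.113.2 in AS 64496, the RR address 10.0.0.1 and the prefix 192.0.2.0/24 are assumed values.

```cisco
! Assumed: present on every P and PE router in the backbone
ip route 172.16.66.6 255.255.255.255 Null0
!
! PE: the client-facing route-map from the post, applied inbound on the customer session
router bgp 123
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 route-map V4-CLIENT1 in
 ! RR session: as the post describes, next-hop-self rewrites the next-hop of the
 ! advertised route to this PE's update source, so the 172.16.66.6 next-hop set by
 ! the route-map never reaches the rest of the AS and only this PE hits the Null0 route
 neighbor 10.0.0.1 remote-as 123
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 next-hop-self
!
! Check on a P router or another RR client which next-hop the blackholed prefix carries:
! a next-hop of the PE loopback instead of 172.16.66.6 means the traffic transits to the PE
! show ip bgp 192.0.2.0/24
```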