RTBH Configuration for Clients

Andrew WEISS
Level 1

Hi all, we've been using RTBH internally for years now and we'd like to begin offering our clients the possibility of blackballing their own routes using a specific community. We've already done this on our Juniper PE and it works like a charm, however this has proven less effective on our Cisco PE running IOS.

The following client-facing route-map is quite effective; however, the downside is that DDoS traffic transits our backbone and is finally dropped on one of the PEs as opposed to earlier up the chain, which is the desired behavior.


route-map V4-CLIENT1 permit 10
 match ip address prefix-list V4-CLIENT1
 ! RTBH-CLIENT-TRIGGER is the community-list matching 123:666
 match community RTBH-CLIENT-TRIGGER
 continue 50
 set local-preference 6665
 set origin igp
 set community 123:666 no-export
 set ip next-hop 172.16.66.6

....

The reason is that when the received route that is tagged with the RTBH trigger (123:666) is sent from the PE to the route-reflectors, the next-hop is sent with the next-hop of the eBGP address, and I have not been able to identify an easy fix other than removing the next-hop self statement from the RR peer-groups, which is an undesirable option. I've tried an outbound route-map, but once again, the next-hop self statement overrides this.

Can anyone think of a workaround or might be willing to share with us how they've implemented this for their clients?

Kind regards,

Andrew

1 Reply

Andrew WEISS
Level 1


Fixed. An outbound route-map from the PE to the RR was required in order to reset (again) the next-hop. Makes sense since the inbound client route-map is the intermediate stage of getting the route into the PE's routing table and the next-hop self overrides what is known locally.


route-map V4-IBGP-ALL-PE-ROUTES-AND-RTBH permit 10
 match community RTBH-CLIENT-TRIGGER
 set ip next-hop 172.16.66.6
route-map V4-IBGP-ALL-PE-ROUTES-AND-RTBH permit 20
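
Added example, not part of the original thread: a small Python audit that reads an IOS-style configuration and lists every next-hop-self neighbor whose outbound route-map does not reset the next-hop for the RTBH trigger community, which is the gap the reply above closes. The neighbor addresses and AS number in the sample are constructed, and the check assumes, as the reply reports, that the outbound `set ip next-hop` is what reaches the route-reflector.

```python
import re

# Constructed sample PE configuration (not from the thread): the neighbor
# addresses and AS number are assumptions; the route-map is the one posted above.
SAMPLE_CONFIG = """\
router bgp 123
 neighbor 10.0.0.1 remote-as 123
 neighbor 10.0.0.1 next-hop-self
 neighbor 10.0.0.1 route-map V4-IBGP-ALL-PE-ROUTES-AND-RTBH out
 neighbor 10.0.0.2 remote-as 123
 neighbor 10.0.0.2 next-hop-self
!
route-map V4-IBGP-ALL-PE-ROUTES-AND-RTBH permit 10
 match community RTBH-CLIENT-TRIGGER
 set ip next-hop 172.16.66.6
route-map V4-IBGP-ALL-PE-ROUTES-AND-RTBH permit 20
"""

def parse_route_maps(config):
    """Return {name: [clause]}; each clause keeps its action and match/set lines."""
    maps, clause = {}, None
    for line in config.splitlines():
        head = re.match(r"route-map (\S+) (permit|deny) (\d+)", line)
        if head:
            clause = {"action": head.group(2), "lines": []}
            maps.setdefault(head.group(1), []).append(clause)
        elif clause is not None and line.strip().startswith(("match ", "set ")):
            clause["lines"].append(line.strip())
        else:
            clause = None  # any other line ends the current route-map clause
    return maps

def resets_next_hop(clauses, community_list, blackhole):
    """True if a permit clause matches the trigger and sets the blackhole next-hop."""
    return any(
        c["action"] == "permit"
        and f"match community {community_list}" in c["lines"]
        and f"set ip next-hop {blackhole}" in c["lines"]
        for c in clauses
    )

def audit(config, community_list="RTBH-CLIENT-TRIGGER", blackhole="172.16.66.6"):
    """List next-hop-self neighbors whose outbound policy leaves the RTBH next-hop unset."""
    maps = parse_route_maps(config)
    nhs = re.findall(r"^\s*neighbor (\S+) next-hop-self", config, re.M)
    out = dict(re.findall(r"^\s*neighbor (\S+) route-map (\S+) out", config, re.M))
    return [n for n in nhs
            if not resets_next_hop(maps.get(out.get(n), []), community_list, blackhole)]
```

Statements applied to a peer-group are checked under the peer-group name; inheritance by individual member neighbors is not resolved.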