06-29-2017 08:22 AM - edited 03-05-2019 08:46 AM
Hello all,
Is anyone out there using Cogent's blackhole service? If so, can you share how you have it set up on an IOS Cisco device? They don't tell you how to set it up, they just turn it on. It's a separate BGP session on which I need to announce the IP blocks that I want nulled at the edge.
Thanks!
-Tom
Solved!
07-01-2017 07:34 AM
Hello,
I just labbed this in GNS3. With your current configuration, you are not filtering anything. The below config results in just the to-be-blackholed network being sent to 66.28.8.2:
router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
neighbor 66.28.8.2 route-map BLACKHOLE out
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.xx mask 255.255.255.255
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip prefix-list BH seq 5 permit 38.10.10.8/32
!
route-map BLACKHOLE permit 10
match ip address prefix-list BH
ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist
The result:
R1#sh ip bgp neighbors 66.28.8.2 advertised-routes
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 38.10.10.8/32 0.0.0.0 0 32768 i
Total number of prefixes 1
You are obviously still sending the blackholed route to the other neighbor, 38.xx.xx.xx, so you need to apply a route map to that neighbor as well:
! Use a different route-map name here: re-entering "route-map BLACKHOLE deny 10"
! would rewrite the map already applied outbound to 66.28.8.2.
route-map BLACKHOLE-TRANSIT deny 10
match ip address prefix-list BH
route-map BLACKHOLE-TRANSIT permit 20
!
neighbor 38.xx.xx.xx route-map BLACKHOLE-TRANSIT out
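To make the accepted answer's filtering logic checkable offline, the following added example (not code from the thread or from Cisco) models the IOS prefix-list and route-map outbound semantics in Python and runs them against a constructed BGP table. It generalizes the prefix-list from a single /32 to "38.10.10.0/24 ge 32", which matches every /32 inside the customer block but never the /24 itself, and it shows what the blackhole server would receive under three setups: the original unfiltered route-map, the corrected per-neighbor route-maps, and the pitfall of reusing the name BLACKHOLE for the transit neighbor's filter. All addresses, the peer 38.1.1.1 and the route-map names are placeholders chosen for the example.

```python
"""Model of the IOS outbound policy from the thread above, run against a
constructed BGP table. It answers "what will 'show ip bgp neighbors X
advertised-routes' contain?" for each neighbor under three route-map setups.
Example code added to this page; not from the thread or from Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed BGP table: the customer's /24 plus two /32s that have static
# routes to Null0 and are originated with "network ... mask 255.255.255.255".
# Addresses are placeholders standing in for the redacted ones in the thread.
BGP_TABLE = [
    ipaddress.ip_network("38.10.10.0/24"),
    ipaddress.ip_network("38.10.10.8/32"),
    ipaddress.ip_network("38.10.10.9/32"),
]
BLACKHOLE_PEER = "66.28.8.2"   # Cogent's North America/APAC blackhole server
TRANSIT_PEER = "38.1.1.1"      # placeholder for the redacted 38.xx.xx.xx peer


@dataclass
class PrefixListEntry:
    """One 'ip prefix-list NAME seq N permit|deny A/L [ge G] [le H]' line."""
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # IOS semantics: the route must lie inside A/L and its length must be
        # within [G, H]; with neither ge nor le only an exact length L matches.
        if not route.subnet_of(self.prefix):
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = route.max_prefixlen
        else:
            high = self.prefix.prefixlen
        return low <= route.prefixlen <= high


def prefix_list_permits(entries: List[PrefixListEntry], route) -> bool:
    """First matching entry wins; no match is an implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapClause:
    """One 'route-map NAME permit|deny SEQ' block. prefix_list None means no
    match statement, which in IOS matches every route."""
    action: str
    prefix_list: Optional[str] = None


def route_map_permits(clauses, prefix_lists, route) -> bool:
    for clause in clauses:
        if clause.prefix_list is None or prefix_list_permits(prefix_lists[clause.prefix_list], route):
            return clause.action == "permit"
    return False  # implicit deny at the end of every route-map


def advertised_routes(neighbors: Dict[str, Optional[str]], prefix_lists, route_maps,
                      table=BGP_TABLE) -> Dict[str, List[str]]:
    """neighbors maps peer IP -> outbound route-map name (None = no filter)."""
    result = {}
    for peer, rm_name in neighbors.items():
        if rm_name is None:
            result[peer] = [str(r) for r in table]
        else:
            result[peer] = [str(r) for r in table
                            if route_map_permits(route_maps[rm_name], prefix_lists, r)]
    return result


# 'ip prefix-list BH seq 5 permit 38.10.10.0/24 ge 32': every /32 inside the
# customer block and never the /24 itself, so a new victim address needs only a
# Null0 static plus a network statement, not a prefix-list edit.
PREFIX_LISTS = {"BH": [PrefixListEntry("permit", ipaddress.ip_network("38.10.10.0/24"), ge=32)]}


def unfiltered_policy():
    """First attempt in the thread: 'route-map blackhole permit 10' with no
    match statement permits everything, so the /24 reaches the blackhole server."""
    route_maps = {"blackhole": [RouteMapClause("permit")]}
    return advertised_routes({BLACKHOLE_PEER: "blackhole", TRANSIT_PEER: None},
                             PREFIX_LISTS, route_maps)


def correct_policy():
    """Accepted answer, with a distinct route-map name per neighbor."""
    route_maps = {
        "BLACKHOLE": [RouteMapClause("permit", "BH")],
        "BLACKHOLE-TRANSIT": [RouteMapClause("deny", "BH"), RouteMapClause("permit")],
    }
    return advertised_routes({BLACKHOLE_PEER: "BLACKHOLE", TRANSIT_PEER: "BLACKHOLE-TRANSIT"},
                             PREFIX_LISTS, route_maps)


def name_collision_policy():
    """Pitfall: typing 'route-map BLACKHOLE deny 10' / 'permit 20' to build the
    transit filter edits the map the blackhole neighbor already uses (seq 10
    keeps its match but flips to deny), so the blackhole server now gets the /24."""
    route_maps = {"BLACKHOLE": [RouteMapClause("deny", "BH"), RouteMapClause("permit")]}
    return advertised_routes({BLACKHOLE_PEER: "BLACKHOLE", TRANSIT_PEER: "BLACKHOLE"},
                             PREFIX_LISTS, route_maps)


if __name__ == "__main__":
    for name, fn in (("unfiltered", unfiltered_policy), ("correct", correct_policy),
                     ("name collision", name_collision_policy)):
        print(name)
        for peer, routes in fn().items():
            print(f"  {peer}: {routes}")
```

Running the script prints the per-neighbor advertised sets for each setup; the correct policy sends only the two /32s to 66.28.8.2 and only the /24 to the transit peer, while the name-collision case sends the /24 to the blackhole server, which is the failure mode described later in the thread where connectivity is lost as soon as the session comes up.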
06-29-2017 11:07 AM
Hello,
you peer with Cogent's AS 174. The peering IP address differs per region:
North American/Asia Pacific Customers
neighbor 66.28.8.2 remote-as 174
European Customers
neighbor 130.117.20.2 remote-as 174
You can then use route maps, distribute or prefix lists to send routes to that peer. Everything you send will be blackholed. I think Cogent has a limit of 50 prefixes.
Check the link below:
http://www.cogentco.com/files/docs/customer_service/guide/global_cogent_customer_user_guide.pdf
06-29-2017 11:52 AM
I got that part. I don't understand how to do the "route maps, distribute or prefix lists" correctly, I suppose.
Any time I try, I either announce nothing to the blackhole server or everything. I haven't even attempted the IPv6 part yet; I figured I'd get the v4 part working first :)
Here is my config (as you can see, I edited my IPs and ASN out of the config):
router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
neighbor 66.28.8.2 route-map blackhole in
neighbor 66.28.8.2 route-map blackhole out
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.blacklist mask 255.255.255.255 route-map blackhole
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist
!
route-map blackhole permit 10
!
06-29-2017 01:06 PM
Hello,
try and set the community 174:3000 or 174:991 in your route map (that is supposed to be the 'do not send route to peers' community):
route-map blackhole permit 10
set community 174:3000 or 174:991
Make sure you have 'ip bgp-community new-format' configured globally on your router...
06-29-2017 01:12 PM
Unfortunately it's not a community, it's an entirely separate BGP session that I have to announce the /32s to.
06-29-2017 01:41 PM
Hello,
the Cogent BGP questionnaire mentions a required password...
https://www.cogentco.com/files/docs/customer_service/faq/bgpq.txt
I wonder if that means:
neighbor 66.28.8.2 password xxxx
Did Cogent provide you with a password ?
06-29-2017 01:56 PM
You pick your own password. I'm not going to display my password and my IP blocks for the internet to cache :)
06-29-2017 02:24 PM
Hello,
I am not following. I am not asking for your password or your IP blocks, I am merely trying to help you figure out why the peering doesn't seem to work...
When you do a 'show ip bgp neighbor 66.28.8.2 advertised-routes' what is the output ?
06-30-2017 10:00 AM
OK, establishing the BGP session is not the problem. I can do that. The issue is it's announcing all my blocks to it and not just the route with the label. Currently it comes up blank because the BGP session is admin down on Cogent's side, because if I turn it on I lose connectivity. Something is wrong with how I'm telling neighbor 66.28.8.2 what it can announce. This is what I need help with.
06-30-2017 12:32 PM
Hello,
understood.
I cannot find any information on route maps in conjunction with the blackhole service. Try to remove the route maps and everything route map related. Then just announce the network you want to blackhole as a /32.
So it should look like this:
router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.blacklist mask 255.255.255.255
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist
06-30-2017 01:35 PM
66.28.8.2 is also taking the /24 with it. It accepts subnets larger than a /32. That is the problem.
06-30-2020 05:45 AM
hi,
Does anyone have the Cisco IOS XR version of this BGP configuration?
Could you please share it with us?
Thanks in advance
@Georg Pauwen wrote:
Hello,
understood.
I cannot find any information on route maps in conjunction with the blackhole service. Try to remove the route maps and everything route map related. Then just announce the network you want to blackhole as a /32.
So it should look like this:
router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.blacklist mask 255.255.255.255
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist
!
Eric
07-02-2017 07:38 AM
Hello
May I ask why you are using this service instead of performing your own filtering? Is there a requirement for you to be a transit path for those ISPs?
res
paul