cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8008
Views
0
Helpful
13
Replies

BGP: Cogent blackhole service

tdale1987
Level 1
Level 1

Hello all,

Is anyone out there using cogent blackhole service. If so can you share how you have it set up on an iOS cisco device. They don't tell you how to set it up they just turn it on. It's a separate bgp session that I need to announce ip blocks that I want nulled at the edge.

Thanks!

-Tom

1 Accepted Solution

Accepted Solutions

Hello,

I just labbed this in GNS3. With your current configuration, you are not filtering anything. The below config results in just the to-be-blackholed network being sent to 66.28.8.2:

router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
neighbor 66.28.8.2 route-map BLACKHOLE out
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.xx mask 255.255.255.255
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip prefix-list BH seq 5 permit 38.10.10.8/32
!
route-map BLACKHOLE permit 10
match ip address prefix-list BH

ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist

The result:

R1#sh ip bgp neighbors 66.28.8.2 advertised-routes
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 38.10.10.8/32 0.0.0.0 0 32768 i

Total number of prefixes 1

You are obviously still sending the balckholed route to the other neighbor, 38.xx.xx.xx, so you need to apply a route map to that neighbor as well:

route-map BLACKHOLE deny 10
match ip address prefix-list BH

route-map BLACKHOLE permit 20

neighbor 38.xx.xx.xx route-map BLACKHOLE out

View solution in original post

13 Replies 13

Hello,

you peer with Cogent's AS 174. The peering IP address differs per region:

North American/Asia Pacific Customers
neighbor 66.28.8.2 remote-as 174

European Customers
neighbor 130.117.20.2 remote-as 174

You can then use route maps, distribute or prefix lists to send routes to that peer. Everything you send will be blackholed. I think Cogent has a limit of 50 prefixes.

Check the link below:

http://www.cogentco.com/files/docs/customer_service/guide/global_cogent_customer_user_guide.pdf

I got that part. I don't understand how to do the "route maps, distribute or prefix lists" correctly i suppose.

Anytime i try i either announce nothing to the blackhole server or everything. I havent even attempted the IPv6 part yet i figured i'd get the v4 part working first :)

Here is my config (as you can see i edited my ips and ASN number out of the config):

router bgp xxxxx
 bgp router-id 00.00.00.1
 bgp log-neighbor-changes
 neighbor 2001:550::::1:1 remote-as 174
 neighbor 2001:550::::1:1 description Cogent-v6
 neighbor 38.xx.xx.xx remote-as 174
 neighbor 38.xx.xx.xx description Cogent-v4
 neighbor 66.28.8.2 remote-as 174
 neighbor 66.28.8.2 ebgp-multihop 255
 neighbor 66.28.8.2 password xxxxxxxxx
 !
 address-family ipv4
  no neighbor 2001:550::::1:1 activate
  neighbor 38.xx.xx.xx activate
  neighbor 38.xx.xx.xx send-community
  neighbor 38.xx.xx.xx next-hop-self
  neighbor 66.28.8.2 activate
  neighbor 66.28.8.2 route-map blackhole in
  neighbor 66.28.8.2 route-map blackhole out
  no auto-summary
  no synchronization
  network 38.xx.xx.0 mask 255.255.255.0
  network 38.xx.xx.blacklist mask 255.255.255.255 route-map blackhole
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:550::::1:1 activate
  neighbor 2001:550::::1:1 send-community
  neighbor 2001:550::::1:1 next-hop-self
  network 2001:550:::/48
 exit-address-family
!
ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist

!
route-map blackhole permit 10
!

Hello,

try and set the community 174:3000 or 174:991  your route map (that is supposed to be the 'do not send route to peers' community':

route-map blackhole permit 10

set community 174:3000 or 174:991

Make sure you have 'ip bgp-community new-format' configured globally on your router...

Unfortunately its not a community its an entirely separate BGP session that i have to announce the /32s at.

Hello,

the Cogent BGP questionnaire mentions a required password...

https://www.cogentco.com/files/docs/customer_service/faq/bgpq.txt

I wonder if that means:

neighbor 66.28.8.2 password xxxx

Did Cogent provide you with a password ?

You pick your own password. I'm not going to display my password and my ip blocks for the internet to cache :)

Hello,

I am not following. I am not asking for your password or your IP blocks, I am merely trying to help you figure out why the peering doesn't seem to work...

When you do a 'show ip bgp neighbor 66.28.8.2 advertised-routes' what is the output ?

Ok establishing the bgp session is not the problem. I can do that. The issue is its announcing all my blocks to it and not just the route with the label. Currently it comes up blank because the bgp session is admin down on cogent side because if i turn it on i lose connectivity. Something is wrong with how im telling  neighbor 66.28.8.2 what it can announce. This is what i need help with.

Hello,

understood.

I cannot find any information on route maps in conjunction with the blackhole service. Try to remove the route maps and everything route map related. Then just announce the network you want to blackhole as a /32.

So it should look like this:

router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.blacklist mask 255.255.255.255
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist

66.28.8.2 is also taking the /24 with it. it accepts subnets larger than a /32. That is the problem.

Hello,

I just labbed this in GNS3. With your current configuration, you are not filtering anything. The below config results in just the to-be-blackholed network being sent to 66.28.8.2:

router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
neighbor 66.28.8.2 route-map BLACKHOLE out
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.xx mask 255.255.255.255
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip prefix-list BH seq 5 permit 38.10.10.8/32
!
route-map BLACKHOLE permit 10
match ip address prefix-list BH

ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist

The result:

R1#sh ip bgp neighbors 66.28.8.2 advertised-routes
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 38.10.10.8/32 0.0.0.0 0 32768 i

Total number of prefixes 1

You are obviously still sending the balckholed route to the other neighbor, 38.xx.xx.xx, so you need to apply a route map to that neighbor as well:

route-map BLACKHOLE deny 10
match ip address prefix-list BH

route-map BLACKHOLE permit 20

neighbor 38.xx.xx.xx route-map BLACKHOLE out

hi,

 

is anyone has the Cisco IOS XR  version this BGP configuration?

 

could you please share it with us?

 

thanks in advance


@Georg Pauwen wrote:

Hello,

understood.

I cannot find any information on route maps in conjunction with the blackhole service. Try to remove the route maps and everything route map related. Then just announce the network you want to blackhole as a /32.

So it should look like this:

router bgp xxxxx
bgp router-id 00.00.00.1
bgp log-neighbor-changes
neighbor 2001:550::::1:1 remote-as 174
neighbor 2001:550::::1:1 description Cogent-v6
neighbor 38.xx.xx.xx remote-as 174
neighbor 38.xx.xx.xx description Cogent-v4
neighbor 66.28.8.2 remote-as 174
neighbor 66.28.8.2 ebgp-multihop 255
neighbor 66.28.8.2 password xxxxxxxxx
!
address-family ipv4
no neighbor 2001:550::::1:1 activate
neighbor 38.xx.xx.xx activate
neighbor 38.xx.xx.xx send-community
neighbor 38.xx.xx.xx next-hop-self
neighbor 66.28.8.2 activate
no auto-summary
no synchronization
network 38.xx.xx.0 mask 255.255.255.0
network 38.xx.xx.blacklist mask 255.255.255.255
exit-address-family
!
address-family ipv6
neighbor 2001:550::::1:1 activate
neighbor 2001:550::::1:1 send-community
neighbor 2001:550::::1:1 next-hop-self
network 2001:550:::/48
exit-address-family
!
ip route 38.0.0.0 255.0.0.0 38.xx.xx.xx
ip route 38.xx.xx.0 255.255.255.0 Null0 200 < Cogent provided ip block
ip route 38.xx.xx.blacklist 255.255.255.255 Null0 < IP trying to blacklist



!

 

Eric

 

 

 

 

Hello

May I asked why you are using this service instead of performing you own filtering - is there a requirement for you to be a transit path for those isps?

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Review Cisco Networking for a $25 gift card