BGP Flowspec and RTBH

Siddique (Level 1)

Hello and welcome to all of you.

Please can someone help me to understand BGP RTBH and Flowspec? Actually I have read some documents but am not understanding them. If anyone has a GNS3 or EVE-NG lab including the config files, please help me to understand these 2 topics.

Thanks

ABSeddeeq

[attached topology diagram: kklklklkkkkkkk.png]

The admin who controls R5 can make R2 PE drop traffic by adding only one static route.

R2 PE

interface FastEthernet0/0
 ip address 11.0.0.2 255.255.255.0
!
interface FastEthernet1/1
 ip address 100.0.0.2 255.255.255.0
!
router bgp 200
 bgp log-neighbor-changes
 network 11.0.0.0 mask 255.255.255.0
 neighbor 100.0.0.1 remote-as 100
 neighbor 100.0.0.5 remote-as 500
 neighbor 100.0.0.5 disable-connected-check
 neighbor 100.0.0.5 route-map RTBH-Edge in <<- this is the route-map that changes next-hop, LP and origin for any prefix matching community 1000
!
ip forward-protocol nd
!
ip community-list 10 permit 1000
!
no ip http server
no ip http secure-server
ip route 50.50.50.50 255.255.255.255 Null0 <<- this is the static route for the black hole. What? Let me explain: any prefix learned from the trigger (R5) has its next-hop toward R5, but that means the traffic goes to R5 and is dropped there, which is not right; for example, if there are 100 victim prefixes, all of them would have to be forwarded to R5 and then dropped. Instead we change the next-hop of the specific prefix carrying the specific community (1000) to the IP of this static route on R2 PE, and since this static route points to Null0, the router drops the traffic.
!
route-map RTBH-Edge permit 10 <<- the route-map for the specific prefix with the specific community; it changes next-hop, LP and origin
 match community 10
 set local-preference 200
 set origin igp
 set ip next-hop 50.50.50.50 <<- this sets the next-hop to the black hole so the traffic is dropped on R2 PE.

R5

interface FastEthernet1/1
 ip address 100.0.0.5 255.255.255.0
!
router bgp 500
 bgp log-neighbor-changes
 redistribute static route-map RTBH <<- this is conditional redistribution of static routes into BGP. Why? For example, there are many static routes in R5 and only a few are used for RTBH; redistributing all statics would advertise prefixes that do not need to be advertised, so we configure conditional static redistribution.
 neighbor 100.0.0.2 remote-as 200
 neighbor 100.0.0.2 send-community both
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 10.0.0.0 255.255.255.0 Null0 tag 1000 <<- the last piece: when the admin sees or is informed that there is an attack on a victim prefix, he simply adds a static route to Null0 with tag 1000 (for conditional static redistribution). But why? Simply because BGP does not advertise any prefix unless that prefix is found in the routing table; with this static route we add the prefix into BGP, and hence BGP can advertise it to the other peers.
!
route-map RTBH permit 10 <<- this route-map is used for conditional static redistribution into BGP; the idea is that any static route with tag 1000 is advertised into BGP, and we also use this route-map to set the community to 1000.
 match tag 1000
 set community 1000

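As an added illustration (not the lab's own code and not from the thread), the following Python model walks a prefix through the two route-maps above: R5's conditional redistribution of tag-1000 statics with community 1000, and R2 PE's RTBH-Edge rewrite of the next-hop to 50.50.50.50, which resolves to the Null0 static so the drop happens on R2 itself rather than at R5. The function names and the sample static routes are invented for the illustration; the tag, community and addresses are the lab's own.

```python
# Added example: a small model of the RTBH exchange between the trigger
# router R5 and the edge router R2 PE from the posted lab (not the
# thread's own code). Tag 1000, community 1000 and 50.50.50.50 are the
# lab's values; the function names and sample routes are constructed.

RTBH_TAG = 1000
RTBH_COMMUNITY = "1000"
BLACKHOLE_NEXT_HOP = "50.50.50.50"
R5_PEER_ADDRESS = "100.0.0.5"      # eBGP next-hop as seen by R2


def r5_redistribute_static(static_routes):
    """Model of 'redistribute static route-map RTBH' on R5: only static
    routes carrying tag 1000 enter BGP, and they get community 1000.
    static_routes is a list of (prefix, interface, tag) tuples."""
    updates = []
    for prefix, _interface, tag in static_routes:
        if tag == RTBH_TAG:                       # route-map RTBH: match tag 1000
            updates.append({"prefix": prefix,
                            "next_hop": R5_PEER_ADDRESS,
                            "communities": {RTBH_COMMUNITY}})  # set community 1000
    return updates


def r2_apply_rtbh_edge(update):
    """Model of the inbound route-map RTBH-Edge on R2 PE."""
    route = dict(update)
    if RTBH_COMMUNITY in update["communities"]:   # match community 10 (permit 1000)
        route["local_pref"] = 200                 # set local-preference 200
        route["origin"] = "igp"                   # set origin igp
        route["next_hop"] = BLACKHOLE_NEXT_HOP    # set ip next-hop 50.50.50.50
    return route


# R2's static table: ip route 50.50.50.50 255.255.255.255 Null0
R2_STATIC = {BLACKHOLE_NEXT_HOP + "/32": "Null0"}


def r2_forwarding_action(route):
    """Recursive next-hop resolution on R2: a BGP next-hop that resolves to
    a Null0 static means packets for that prefix are dropped on R2 itself."""
    if R2_STATIC.get(route["next_hop"] + "/32") == "Null0":
        return "drop"
    return "forward via " + route["next_hop"]


def simulate(static_routes):
    """Return {prefix: action} as seen on R2 PE for R5's static table."""
    return {u["prefix"]: r2_forwarding_action(r2_apply_rtbh_edge(u))
            for u in r5_redistribute_static(static_routes)}
```

A static route on R5 without tag 1000 never reaches BGP, and a prefix learned from the upstream peer 100.0.0.1 without the community keeps its real next-hop and is forwarded normally.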

8 Replies

BGP security. I will try to do a GNS3 lab with some detail; I will share it here if I do the lab and it works.

Thanks a lot.  I am waiting.  

I finished the lab with an MPLS core, but it was easy, so I will try to use an IP core instead to explain the idea of set ip next-hop and match tag in a route-map.

Just want to inform you.

Thanks a lot sir.  

May I get the topology and config files, please, for my understanding? seddeeq4@gmail.com

Thanks again sir.


Many many thanks sir.

If you do not mind, can you share a BGP Flowspec lab like this, if you have one?

Thanks a lot sir.

See the comment below.

Hello,

What exactly are you not understanding? Which configuration part(s) are you having trouble with?
