Solved: How to tell router stop announce /32 (blackhole)

axelhauguel · ‎06-07-2021

Good morning all,

I have a quick question about the blackhole. Currently my forwarder told me that his BGP community for a blackhole prefix (/ 32) was 65535: 666.

I have configured the options in my router and indeed, if I blackhole a prefix, it is no longer reachable by anyone.

But how did my forwarder make sure to say that "if there is a / 32 advertised, then stop advertising this IP" ?

How was the BGP community chosen?

I dug the internet and it's not very self-explanatory, so if anyone could clarify this for me ...

My wish would therefore be to create a BGP community so that my customers can blackhole prefixes, and which summarizes all the BGP communities that I use for the blackhole at the level of my transits.

My configuration work for MY IPs :

---------------
ip route 185.171.202.114/32 Null0
------------
route-map blackhole permit 10
  set community 65535:666 
-------
router bgp 212815
address-family ipv4 unicast
    network 185.171.202.114/32 route-map blackhole
-------
PAR-N9K-1# sh bgp ip unicast 185.171.202.114
BGP routing table information for VRF default, address family IPv4 Unicast
BGP routing table entry for 185.171.202.114/32, version 27759173
Paths: (1 available, best #1)
Flags: (0x080002) (high32 00000000) on xmit-list, is not in urib

  Advertised path-id 1
  Path type: local, path is valid, is best path, no labeled nexthop
  AS-Path: NONE, path locally originated
    0.0.0.0 (metric 0) from 0.0.0.0 (193.38.250.1)
      Origin IGP, MED not set, localpref 100, weight 32768
      Community: 65535:666 

  Path-id 1 advertised to peers:
    37.49.236.63       37.49.236.174      37.49.236.175      37.49.236.250  
    37.49.236.251      100.64.70.5        185.171.202.92     185.171.202.204
    185.171.202.246

PAR-N9K-1#

Thanks

Axel

Giuseppe Larosa · ‎06-09-2021

Hello @axelhauguel ,

>> Should I configure the blackhole community for each route-map received from my peers?

Yes, you should check on receving route-map direction in if any of the received prefixes match your own BGP community for blackholing then you accept the prefix but you add the other BGP community that has been given to you by your upstream provider.

route-map RPL-AS212053-CUST-IN-V4 permit 50
match ip address prefix-list PFX-AS212053-IRR-V4
match community 12
set community 65535:666 additive
route-map RPL-AS212053-CUST-IN-V4 permit 100 
match ip address prefix-list PFX-AS212053-IRR-V4

Yes I realize it may be a lot of work , but I don't see any other way to do it if you want to extend the black holing service to your customer's prefixes.

Hope to help

Giuseppe

View solution in original post

Richard Burts · ‎06-07-2021

Axel

You ask several questions. I will start with the one that is relatively easy to answer: "How was the BGP community chosen?" Your forwarder chose this value. There are a few well known community values but not a well known value for blackhole. So your forwarder chose a value and this was probably a relatively arbitrary choice. This article discusses BGP communities and the well known communities. I hope it gives you some helpful insight.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-sy/irg-15-sy-book/irg-named-community-list.pdf

I am not clear what you are asking here "But how did my forwarder make sure to say that "if there is a / 32 advertised, then stop advertising this IP" ?" Your forwarder has a route map configured in the BGP configuration for your neighbor establishment. In that route map is a statement what checks the community value for every prefix that you advertise to them. If they detect a prefix for which this community is assigned in your advertisement then they have logic that does not accept that particular prefix advertisement.

HTH

Rick

Giuseppe Larosa · ‎06-08-2021

Hello @axelhauguel ,

>> My wish would therefore be to create a BGP community so that my customers can blackhole prefixes, and which summarizes all the BGP communities that I use for the blackhole at the level of my transits.

First of all, a BGP NLRI can have multiple BGP communities associated with it, and when checking with match community in a route-map you look for a specific value regardless of its position in the sequence of strings that are the BGP communities associated to the prefix ( unless you add the exact keyword)

So, exactly as your upstream ISP provider did for you you can select a BGP community value that your customers can use when sending a prefix to you that will signal their intention to blackhole it.

The action that you need to perform is simply:

use a route-map that will match that community value using a standard community-list

ip communitty-list 12 permit 65000:987

You configure a route-map for the neighbor that:

route-map From-Customer-X permit 10

match community 12

set community 65535:666 additive

route-map From-customer-X permit 20

! other criteria here if needed

In this way you can easily extend to your's customer's prefixes the blackholing services . The additive keyword allows to add the black-holing community to the set of BGP communities already attached to the prefix.

The well known BGP community NO_EXPORT can be used in a similar way it allows the prefix to be advertised within your AS but not to another AS.

Hope to help

Giuseppe

axelhauguel · ‎06-08-2021

Hi,

Thanks for your two for answer.

I have read and reread, and there is something that I did not understand.

Should I configure the blackhole community for each route-map received from my peers?

Let's admit I have this, what should I add:

neighbor 185.171.202.204
inherit peer NBRGRP-AS212053-CUST-V4
Cust description: AS212053
no shutdown

template peer NBRGRP-AS212053-CUST-V4
remote-as 212053
remove-private-as
address-family ipv4 unicast
send-community
route-map RPL-AS212053-CUST-IN-V4 in
route-map RPL-AS212053-CUST-OUT-V4 out
maximum-prefix 50
soft-reconfiguration inbound always

route-map RPL-AS212053-CUST-IN-V4 permit 100
match ip address prefix-list PFX-AS212053-IRR-V4
route-map RPL-AS212053-CUST-OUT-V4 permit 100

This allows to accept by entering only the prefixes that I defined in a prefix-list and to filter nothing in what I send to it.

Thanks a lot,

Axel

Giuseppe Larosa · ‎06-09-2021

Hello @axelhauguel ,

>> Should I configure the blackhole community for each route-map received from my peers?

Yes, you should check on receving route-map direction in if any of the received prefixes match your own BGP community for blackholing then you accept the prefix but you add the other BGP community that has been given to you by your upstream provider.

route-map RPL-AS212053-CUST-IN-V4 permit 50
match ip address prefix-list PFX-AS212053-IRR-V4
match community 12
set community 65535:666 additive
route-map RPL-AS212053-CUST-IN-V4 permit 100 
match ip address prefix-list PFX-AS212053-IRR-V4

Yes I realize it may be a lot of work , but I don't see any other way to do it if you want to extend the black holing service to your customer's prefixes.

Hope to help

Giuseppe

axelhauguel · ‎06-11-2021

Hi,

Thanks for your help. I'have searched and tested but no working. When a put "

match community 12
set community 65535:666 additive

in the route-map IN, it block all prefixes in IN.

Axel

axelhauguel · ‎06-11-2021

Also, can you tell me what "ip community-list" need to be created?

Thanks

Giuseppe Larosa · ‎06-11-2021

Hello Axel,

I apologize

you nee to create a community list to match the specific value agree with customer

ip community-list 12 permit 65000:987

if you don't create the ip community-list then the route-map treats a non existing community list as a match any and you get all routes blackholed.

Hope to help

Giuseppe

axelhauguel · ‎06-11-2021

Hi !

Thanks, all works !

Giuseppe Larosa · ‎06-11-2021

Hello @axelhauguel ,

nice to hear it works now

Thanks for your kind remarks

Best Regards

Giuseppe