06-07-2021 11:10 AM
Good morning all,
I have a quick question about the blackhole. Currently my forwarder told me that his BGP community for a blackhole prefix (/32) was 65535:666.
I have configured the options in my router and indeed, if I blackhole a prefix, it is no longer reachable by anyone.
But how did my forwarder make sure to say that "if there is a /32 advertised, then stop advertising this IP"?
How was the BGP community chosen?
I dug the internet and it's not very self-explanatory, so if anyone could clarify this for me ...
My wish would therefore be to create a BGP community so that my customers can blackhole prefixes, and which summarizes all the BGP communities that I use for the blackhole at the level of my transits.
My configuration works for MY IPs:
---------------
ip route 185.171.202.114/32 Null0
-------
route-map blackhole permit 10
  set community 65535:666
-------
router bgp 212815
  address-family ipv4 unicast
    network 185.171.202.114/32 route-map blackhole
-------
PAR-N9K-1# sh bgp ip unicast 185.171.202.114
BGP routing table information for VRF default, address family IPv4 Unicast
BGP routing table entry for 185.171.202.114/32, version 27759173
Paths: (1 available, best #1)
Flags: (0x080002) (high32 00000000) on xmit-list, is not in urib
  Advertised path-id 1
  Path type: local, path is valid, is best path, no labeled nexthop
  AS-Path: NONE, path locally originated
    0.0.0.0 (metric 0) from 0.0.0.0 (193.38.250.1)
      Origin IGP, MED not set, localpref 100, weight 32768
      Community: 65535:666
  Path-id 1 advertised to peers:
    37.49.236.63 37.49.236.174 37.49.236.175 37.49.236.250 37.49.236.251 100.64.70.5 185.171.202.92 185.171.202.204 185.171.202.246
PAR-N9K-1#
Thanks
Axel
06-07-2021 01:56 PM
Axel
You ask several questions. I will start with the one that is relatively easy to answer: "How was the BGP community chosen?" Your forwarder chose this value. There are a few well-known community values, but not a well-known value for blackhole. So your forwarder chose a value, and this was probably a relatively arbitrary choice. This article discusses BGP communities and the well-known communities. I hope it gives you some helpful insight.
I am not clear what you are asking here: "But how did my forwarder make sure to say that 'if there is a /32 advertised, then stop advertising this IP'?" Your forwarder has a route map configured in the BGP configuration for your neighbor establishment. In that route map is a statement that checks the community value for every prefix that you advertise to them. If they detect a prefix for which this community is assigned in your advertisement, then they have logic that does not accept that particular prefix advertisement.
06-08-2021 06:26 AM
Hello @axelhauguel ,
>> My wish would therefore be to create a BGP community so that my customers can blackhole prefixes, and which summarizes all the BGP communities that I use for the blackhole at the level of my transits.
First of all, a BGP NLRI can have multiple BGP communities associated with it, and when checking with match community in a route-map you look for a specific value regardless of its position in the sequence of strings that are the BGP communities associated to the prefix (unless you add the exact keyword).
So, exactly as your upstream ISP provider did for you, you can select a BGP community value that your customers can use when sending a prefix to you that will signal their intention to blackhole it.
The action that you need to perform is simply:
use a route-map that will match that community value using a standard community-list:
ip community-list 12 permit 65000:987
You configure a route-map for the neighbor that:
route-map From-Customer-X permit 10
  match community 12
  set community 65535:666 additive
route-map From-Customer-X permit 20
  ! other criteria here if needed
In this way you can easily extend the blackholing service to your customers' prefixes. The additive keyword allows adding the blackholing community to the set of BGP communities already attached to the prefix.
The well-known BGP community NO_EXPORT can be used in a similar way; it allows the prefix to be advertised within your AS but not to another AS.
Hope to help
Giuseppe
06-08-2021 11:41 AM
Hi,
Thanks to you two for the answers.
I have read and reread, and there is something that I did not understand.
Should I configure the blackhole community for each route-map received from my peers?
Let's admit I have this, what should I add:
neighbor 185.171.202.204
  inherit peer NBRGRP-AS212053-CUST-V4
  description Cust: AS212053
  no shutdown
template peer NBRGRP-AS212053-CUST-V4
  remote-as 212053
  remove-private-as
  address-family ipv4 unicast
    send-community
    route-map RPL-AS212053-CUST-IN-V4 in
    route-map RPL-AS212053-CUST-OUT-V4 out
    maximum-prefix 50
    soft-reconfiguration inbound always
route-map RPL-AS212053-CUST-IN-V4 permit 100
  match ip address prefix-list PFX-AS212053-IRR-V4
route-map RPL-AS212053-CUST-OUT-V4 permit 100
This accepts inbound only the prefixes that I defined in a prefix-list, and filters nothing in what I send to it.
Thanks a lot,
Axel
06-09-2021 09:47 PM - edited 06-09-2021 09:48 PM
Hello @axelhauguel ,
>> Should I configure the blackhole community for each route-map received from my peers?
Yes, you should check in the receiving (in) direction of the route-map: if any of the received prefixes match your own BGP community for blackholing, then you accept the prefix but you add the other BGP community that has been given to you by your upstream provider.
route-map RPL-AS212053-CUST-IN-V4 permit 50
  match ip address prefix-list PFX-AS212053-IRR-V4
  match community 12
  set community 65535:666 additive
route-map RPL-AS212053-CUST-IN-V4 permit 100
  match ip address prefix-list PFX-AS212053-IRR-V4
Yes, I realize it may be a lot of work, but I don't see any other way to do it if you want to extend the blackholing service to your customers' prefixes.
Hope to help
Giuseppe
06-11-2021 06:09 AM
Hi,
Thanks for your help. I have searched and tested but it is not working. When I put
  match community 12
  set community 65535:666 additive
in the route-map IN, it blocks all prefixes in IN.
Axel
06-11-2021 06:09 AM
Also, can you tell me what "ip community-list" need to be created?
Thanks
06-11-2021 07:55 AM
Hello Axel,
I apologize
You need to create a community list to match the specific value agreed with the customer:
ip community-list 12 permit 65000:987
If you don't create the ip community-list, then the route-map treats a non-existing community list as a match any and you get all routes blackholed.
Hope to help
Giuseppe
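A small Python model, added here and not part of the thread, of how the inbound route-map Giuseppe describes evaluates customer advertisements. The prefix-list contents and the customer prefixes are constructed; the customer community 65000:987, the upstream community 65535:666 and the route-map/prefix-list names are the ones used in the thread. It exercises both the additive tagging and the failure case where community-list 12 was never created.

```python
import ipaddress

CUSTOMER_BLACKHOLE = "65000:987"  # value agreed with the customer (as in the thread)
UPSTREAM_BLACKHOLE = "65535:666"  # value assigned by the upstream (as in the thread)
# Constructed stand-in for prefix-list PFX-AS212053-IRR-V4: the customer's
# registered /24, with more-specifics down to /32 allowed so a host can be blackholed.
PFX_AS212053_IRR_V4 = [(ipaddress.ip_network("203.0.113.0/24"), 24, 32)]  # (prefix, ge, le)

def prefix_list_permits(plist, prefix):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(p) and ge <= net.prefixlen <= le for p, ge, le in plist)

def match_community(community_lists, name, communities):
    # Models the pitfall from the last answer: a community-list that was never
    # configured is treated as matching every prefix.
    if name not in community_lists:
        return True
    return any(c in communities for c in community_lists[name])

def apply_route_map(entries, community_lists, prefix, communities):
    """Evaluate sequences in order; return (accepted, resulting communities)."""
    for entry in entries:
        if not prefix_list_permits(entry["prefix_list"], prefix):
            continue
        if "community" in entry and not match_community(community_lists, entry["community"], communities):
            continue
        result = set(communities)
        if "set_additive" in entry:
            result.add(entry["set_additive"])  # 'additive' keeps the communities already present
        return True, sorted(result)
    return False, []  # implicit deny at the end of the route-map

# Inbound route-map RPL-AS212053-CUST-IN-V4 as in the accepted answer:
# seq 50 tags blackhole requests, seq 100 accepts the rest of the IRR prefixes.
RPL_AS212053_CUST_IN_V4 = [
    {"prefix_list": PFX_AS212053_IRR_V4, "community": "12", "set_additive": UPSTREAM_BLACKHOLE},
    {"prefix_list": PFX_AS212053_IRR_V4},
]

# Constructed customer advertisements: a blackhole request for one host, the
# normal aggregate, and a prefix that is not in the customer's IRR prefix-list.
SAMPLE = [("203.0.113.7/32", [CUSTOMER_BLACKHOLE]),
          ("203.0.113.0/24", ["65000:100"]),
          ("198.51.100.0/24", [CUSTOMER_BLACKHOLE])]

def evaluate(community_lists):
    return {p: apply_route_map(RPL_AS212053_CUST_IN_V4, community_lists, p, c) for p, c in SAMPLE}

WITH_LIST = {"12": [CUSTOMER_BLACKHOLE]}  # ip community-list 12 permit 65000:987
WITHOUT_LIST = {}                          # the list Axel had not yet created
```

Run `evaluate(WITH_LIST)` and `evaluate(WITHOUT_LIST)` side by side: with the list missing, even the plain /24 with no blackhole request comes out tagged 65535:666.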
06-11-2021 08:11 AM
Hi!
Thanks, all works!