Hello.
I'm having problems implementing blackhole routes on the MX platform for bad networks that we get as a feed from an EBGP peer. All traffic with a destination in a prefix that is in the BGP feed should have next-hop discard interface dsc.0.
I have been looking around for different implementations, and with filter logs on dsc.0 I get zero hits. The BGP feed provider has given me a Cisco template of the setup, and I think this is the correct configuration for JUNOS, but something is not working.
BGP routes from the peer end up in the routing table with state "hidden":
show route hidden extensive
x.x.x.x/21 (1 entry, 0 announced)
    BGP Preference: 170/-101
    Next hop type: Unusable, Next hop index: 0
    Address: 0x3750298
    Next-hop reference count: 1464
    State: <Hidden Ext>
    Local AS: Peer AS: xxxx
    Age: 3d 21:18:03 Metric: 0
    Validation State: unverified
    Task: BGP_
    AS path: I
    Communities: no-export
    Accepted
    Localpref: 100
    Router ID: xx.xx.xx.xx
    Indirect next hops: 1
    Protocol next hop: 192.0.2.1
    Indirect next hop: 0x0 - INH Session ID: 0x0
The network is not using the dsc.0 interface as next hop:
show route x.x.x.x/21
x.x.x.x/21 *[BGP/170] 1d 05:35:07, localpref 100
        AS path: xx I, validation-state: unverified
        > via ge-1/1/0.0
    [BGP/170] 1d 05:35:17, localpref 100, from 10.40.0.1
        AS path: xx I, validation-state: unverified
        > to via ae0.0
Configuration:
BGP group
type external;
import dsc-feed;
export deny-all;
peer-as xxxx;
neighbor x.x.x.x {
    multihop {
        ttl 255;
    }
    local-address xx.xx.xx.xx;
    family inet {
        unicast;
    }
}
Policy-statement
from {
    family inet;
    community blackhole-routes;
}
then {
    community set blackhole-routes;
    next-hop 192.0.2.2;
    accept;
}
community blackhole-routes members [ xxxx:1000 xxxx:2000 xxxx:3000 ];
dsc interface
unit 0 {
    family inet {
        filter {
            input log-discard;
            output log-discard;
        }
        address 192.0.2.102/32 {
            destination 192.0.2.2;
        }
    }
}
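
An added example, not part of the original post: a Python check that parses `show route hidden extensive` output in the layout shown above and reports, for each hidden prefix, whether it carries one of the communities the import policy matches on and whether its protocol next hop equals the dsc.0 destination address. The function names and the sample prefixes are assumptions made for illustration; the next-hop and community values are the ones from the post.

```python
import re

# Values taken from the post: the dsc.0 destination address and the members
# of the community the import policy matches on (AS part is redacted as xxxx).
DISCARD_NEXT_HOP = "192.0.2.2"
FEED_COMMUNITIES = {"xxxx:1000", "xxxx:2000", "xxxx:3000"}

# Constructed sample in the layout of the output above (the prefixes are
# documentation ranges, not values from the post).
SAMPLE = """\
198.51.100.0/24 (1 entry, 0 announced)
Next hop type: Unusable, Next hop index: 0
State: <Hidden Ext>
Communities: no-export
Protocol next hop: 192.0.2.1
203.0.113.0/24 (1 entry, 0 announced)
State: <Hidden Ext>
Communities: xxxx:1000 no-export
Protocol next hop: 192.0.2.2
"""

PREFIX_RE = re.compile(r"^(\S+/\d+) \(\d+ entr(?:y|ies), \d+ announced\)$")

def parse_hidden_routes(text):
    """Return one dict per prefix with its communities and protocol next hop."""
    routes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indented or flattened output
        m = PREFIX_RE.match(line)
        if m:
            current = {"prefix": m.group(1), "communities": set(),
                       "protocol_next_hop": None}
            routes.append(current)
        elif current and line.startswith("Communities:"):
            current["communities"] = set(line.split(":", 1)[1].split())
        elif current and line.startswith("Protocol next hop:"):
            current["protocol_next_hop"] = line.split(":", 1)[1].strip()
    return routes

def check(route):
    """List mismatches between one route and the blackhole design."""
    findings = []
    if not route["communities"] & FEED_COMMUNITIES:
        findings.append("no feed community, import policy term would not match")
    if route["protocol_next_hop"] != DISCARD_NEXT_HOP:
        findings.append("protocol next hop is not the dsc.0 destination")
    return findings
```

Running `check()` over `parse_hidden_routes()` of saved CLI output gives a per-prefix list of mismatches; an empty list means the route's attributes agree with the policy and the dsc.0 address.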