Junos OS

Expand all | Collapse all

Peer ISP Blackhole

Jump to Best Answer
  • 1.  Peer ISP Blackhole

     
    Posted 06-20-2018 05:34

    Quick question:

     

    Our upstream ISP offeres us a "Blackhole" service for prefix's we consider disingenious....

     

    I have configured an external-peer in BGP, and now want to test a prefix. Will the following configuration simply drop the packets or will they send to the blackhole please?

     

    set policy-options policy-statement blackhole term 1 from route-filter xxx.xxx.xxx.xxx/32 exact

    set policy-options policy-statement blackhole term 1 then discard

     

    set protocols bgp group blackhole export blackhole

     

    Thanks



  • 2.  RE: Peer ISP Blackhole

    Posted 06-20-2018 05:53
    This policy won’t work.

    You should inform ISP about the prefix from which you don’t want to receive the traffic.

    This can be done by adding a specific community while advertising the route to ISP and then based on the community, ISP will blackhole the traffic form that source or towards that destination.

    You can refer to BGP FlowSpec day one guide for complete understanding.


  • 3.  RE: Peer ISP Blackhole

     
    Posted 06-20-2018 06:18

    Hi Kingsman

     

    Yes. Understood. We inform the ISP via the route to the blackhole peer. Any prefix they recieve from the blackhole they will block.


    What I am trying to work out is how to advertise that prefix to the black hole as it will not be an aggregated prefix.

     

    So, to explain a little better.


    We have a peer to our upstream provider that we receive the complete internet routing table on.

    Our upstream provider offer a "blackhole" service on a different peer.

    I have configured another external bgp group to the blackhole peer and this is established.

    So, now I need to know how to configure the junos to send a prefix to the blackhole peer (remembering that it could be a single host address so cannot use aggregation)..... Obviously we don't know the prefix unless we get hit, then we simpley announce it to the blackhole peer.

     

    What I need to know is how do I configure that announcement to the blackhole peer?



  • 4.  RE: Peer ISP Blackhole

    Posted 06-20-2018 06:34
    Hi,

    Just advertise the route with specific community and let ISP blackhole the prefix which has that community attached.

    i.e.

    set policy-option policy-statement black-hole term 1 from route-filter x.x.x.x/x exact
    set policy-option policy-statement black-hole term 1 then community add blackhole
    set policy-option policy-statement black-hole term 1 then accept

    set protocol bgp group BLAH export black-hole

    set policy-option community black-hole member x:x


    HTH


  • 5.  RE: Peer ISP Blackhole

     
    Posted 06-20-2018 06:43

    Hi Kingsman,

     

    Sorry if I am asking a stupid question but I am not experienced with the community string.....

     

    What do I put int the "black-hole member x:x" section?

     

    Just been informed no community is needed, so I just need a way to advetrtise to the blackhole peer a prefix... that is it.... but cant do it for some reason..



  • 6.  RE: Peer ISP Blackhole

     
    Posted 06-20-2018 07:15

    So, here is the actual problem.

     

    I need to advertise these /32 node addresses or whatever prefix's it may be, to the blackhole upstream ISP. Normally we would do this with aggregation, which is no problem, except for the fact that the aggregation is always a /24 or greater prefix and that is not usable in this case..... it may be that the /32 is all I want to advertise..... not the /24 aggregate.... as that would block the complete ;24 and not just the /32.....



  • 7.  RE: Peer ISP Blackhole
    Best Answer

    Posted 06-20-2018 07:51
    So, here is the actual problem.

    I need to advertise these /32 node addresses or whatever prefix's it may be, to the blackhole upstream ISP. Normally we would do this with aggregation, which is no problem, except for the fact that the aggregation is always a /24 or greater prefix and that is not usable in this case..... it may be that the /32 is all I want to advertise..... not the /24 aggregate.... as that would block the complete ;24 and not just the /32.....



    Ok.. So in that case you can just create a static /32 discard route and advertise it in BGP to upstream ISP (If only advertising /32 will work for them)

    i.e. set routing-option static route x.x.x.x/32 discard

    set policy-option policy-statement blackhole from route-filter x.x.x.x/32 exact
    set policy-option policy-statement blackhole then accept

    set protocol bgp group BLAH export blackhole


  • 8.  RE: Peer ISP Blackhole

     
    Posted 06-20-2018 08:57

    That, Mr. Kingsman, is spot on.... works a treat.

     

    Thank you. Much Much Kudos.... I was just missing the discard statement.... 🙂

     

     



  • 9.  RE: Peer ISP Blackhole

    Posted 06-20-2018 07:48
    You have to check with your ISP.

    How will they identify which prefix to block?

    IMO there should be some sort of signaling/tag/community in the route unless they want you to call them and inform about the prefix you want them to block.