CCIE SPv5.1 Labs
  • Page
  • Intro
    • Setup
  • MVPN
    • Start
    • Topology
    • Profile 0
    • Profile 0 with data MDTs
    • Profile 1
    • Profile 1 w/ Redundant Roots
    • Profile 1 with data MDTs
    • Profile 6
    • Profile 7
    • Profile 3
    • Profile 3 with S-PMSI
    • Profile 11
    • Profile 11 with S-PMSI
    • Profile 11 w/ Receiver-only Sites
    • Profile 9 with S-PMSI
    • Profile 12
    • Profile 13
    • UMH (Upstream Multicast Hop) Challenge
    • Profile 13 w/ Configuration Knobs
    • Profile 13 w/ PE RP
    • Profile 12 w/ PE Anycast RP
    • Profile 14 (Partitioned MDT)
    • Profile 14 with Extranet option #1
    • Profile 14 with Extranet option #2
    • Profile 14 w/ IPv6
    • Profile 17
    • Profile 19
    • Profile 21
  • MVPN SR
    • Start
    • Topology
    • Profile 27
    • Profile 27 w/ Constraints
    • Profile 27 w/ FRR
    • Profile 28
    • Profile 28 w/ Constraints and FRR
    • Profile 28 w/ Data MDTs
    • Profile 29
  • Segment Routing
    • Start
    • Topology
    • Basic SR with ISIS
    • Basic SR with OSPF
    • SRGB Modifcation
    • SR with ExpNull
    • SR Anycast SID
    • SR Adjacency SID
    • SR LAN Adjacency SID (Walkthrough)
    • SR and RSVP-TE interaction
    • SR basic inter-area with ISIS
    • SR basic inter-area with OSPF
    • SR basic inter-IGP (redistribution)
    • SR basic inter-AS using BGP
    • SR BGP Data Center (eBGP)
    • SR BGP Data Center (iBGP)
    • LFA
    • LFA Tiebreakers (ISIS)
    • LFA Tiebreakers (OSPF)
    • Remote LFA
    • RLFA Tiebreakers?
    • TI-LFA
    • Remote LFA or TILFA?
    • TI-LFA Node Protection
    • TI-LFA SRLG Protection
    • TI-LFA Protection Priorities (ISIS)
    • TI-LFA Protection Priorities (OSPF)
    • Microloop Avoidance
    • SR/LDP Interworking
    • SR/LDP SRMS OSPF Inter-Area
    • SR/LDP Design Challenge #1
    • SR/LDP Design Challenge #2
    • Migrate LDP to SR (ISIS)
    • OAM with SR
    • SR-MPLS using IPv6
    • Basic SR-TE with AS
    • Basic SR-TE with AS and ODN
    • SR-TE with AS Primary/Secondary Paths
    • SR-TE Dynamic Policies
    • SR-TE Dynamic Policy with Margin
    • SR-TE Explicit Paths
    • SR-TE Disjoint Planes using Anycast SIDs
    • SR-TE Flex-Algo w/ Latency
    • SR-TE Flex-Algo w/ Affinity
    • SR-TE Disjoint Planes using Flex-Algo
    • SR-TE BSIDs
    • SR-TE RSVP-TE Stitching
    • SR-TE Autoroute Include
    • SR inter-IGP using PCE
    • SR-TE PCC Features
    • SR-TE PCE Instantiated Policy
    • SR-TE PCE Redundancy
    • SR-TE PCE Redundancy w/ Sync
    • SR-TE Basic BGP EPE
    • SR-TE BGP EPE for Unified MPLS
    • SR-TE Disjoint Paths
    • SR Converged SDN Transport Challenge
    • SR OAM DPM
    • SR OAM Tools
    • Performance-Measurement (Interface Delay)
  • EVPN
    • Start
    • Topology
    • EVPN VPWS
    • EVPN VPWS Multihomed
    • EVPN VPWS Multihomed Single-Active
    • Basic Single-homed EVPN E-LAN
    • EVPN E-LAN Service Label Allocation
    • EVPN E-LAN Ethernet Tag
    • EVPN E-LAN Multihomed
    • EVPN E-LAN on XRv
    • EVPN IRB
    • EVPN-VPWS Multihomed IOS-XR (All-Active)
    • EVPN-VPWS Multihomed IOS-XR (Port-Active)
    • EVPN-VPWS Multihomed IOS-XR (Single-Active)
    • EVPN-VPWS Multihomed IOS-XR (Non-Bundle)
    • PBB-EVPN (Informational)
  • VPWS
    • Start
    • Topology
    • Basic VPWS
    • VPWS with Tag Manipulation
    • Redundant VPWS
    • Redundant VPWS (IOS-XR)
    • VPWS with PW interfaces
    • Manual VPWS
    • VPWS with Sequencing
    • Pseudowire Logging
    • VPWS with FAT-PW
    • MS-PS (Pseudowire stitching)
    • VPWS with BGP AD
  • VPLS
    • Start
    • Topology
    • Basic VPLS with LDP
    • VPLS with LDP and BGP
    • VPLS with BGP only
    • Hub and Spoke VPLS
    • Tunnel L2 Protocols over VPLS
    • Basic H-VPLS
    • H-VPLS with BGP
    • H-VPLS with QinQ
    • H-VPLS with Redundancy
    • VPLS with Routing
    • VPLS MAC Protection
    • Basic E-TREE
    • VPLS with LDP/BGP-AD and XRv RR
    • VPLS with BGP and XRv RR
    • VPLS with Storm Control
  • BGP Multi-Homing (XE)
    • Start
    • Topology
    • Lab1 ECMP
    • Lab2 UCMP
    • Lab3 Backup Path
    • Lab4 Shadow Session
    • Lab5 Shadow RR
    • Lab6 RR with Add-Path
    • Lab7 MPLS + Add Path ECMP
    • Lab8 MPLS + Shadow RR
    • Lab9 MPLS + RDs + UCMP
  • BGP Multi-Homing (XR)
    • Start
    • Topology
    • Lab1 ECMP
    • Lab2 UCMP
    • Lab3 Backup Path
    • Lab4 “Shadow Session”
    • Lab5 “Shadow RR”
    • Lab6 RR with Add-Path
    • Lab7 MPLS + Add Path ECMP
    • Lab8 MPLS + “Shadow RR”
    • Lab9 MPLS + RDs + UCMP
    • Lab10 MPLS + Same RD + Add-Path + UCMP
    • Lab11 MPLS + Same RD + Add-Path + Repair Path
  • BGP
    • Start
    • Conditional Advertisement
    • Aggregation and Deaggregation
    • Local AS
    • BGP QoS Policy Propagation
    • Non-Optimal eBGP Routing
    • Multihomed Enterprise Challenge
    • Provider Communities
    • Destination-Based RTBH
    • Destination-Based RTBH (Community-Based)
    • Source-Based RTBH
    • Source-Based RTBH (Community-Based)
    • Multihomed Enterprise Challenge (XRv)
    • Provider Communities (XRv)
Powered by GitBook
On this page
  • Answer
  • Explanation
  • Verification
  • Summary
  1. BGP

Source-Based RTBH

PreviousDestination-Based RTBH (Community-Based)NextSource-Based RTBH (Community-Based)

Last updated 2 days ago

Topology: bgp-mh-iol

configure replace unix:init.cfg

  • All links are in the format 100.X.Y.X/24.

    • For example, the link between R4 and R7 is 100.4.7.0/24.

  • Lo0 is X.X.X.X/32 and is used for iBGP

  • Lo1 is <AS>.0.0.X/32 and is used as a public IP address that is pingable. The public Lo1 addresses are aggregated into a /8 at each edge router.

  • eBGP and iBGP is fully preconfigured.

Instructions:

  • Configure source-based RTBH for 10.0.0.1/32 within AS20.

    • R2 should drop traffic sourced from this IP at the edge.

  • Use the least restrictive method when dropping traffic inbound.

  • Use R4 as the blackhole trigger point, using nexthop to trigger the RTBH on PEs.

Answer

#R2, R4, R5
ip route 192.0.2.0 255.255.255.255 null0

#R2
int eth0/1
 ip verify unicast source reachable-via any

#R4
ip route 10.0.0.1 255.255.255.255 null0 tag 666
!
ip community-list 1 permit 20:666
!
route-map RTBH
 match tag 666
 set community no-export 20:666
!
route-map IBGP_OUT
 match community 1
 set ip next-hop 192.0.2.0
route-map IBGP_OUT permit 20
 set ip next-hop self
!
router bgp 20
 template peer-policy IBGP
  no next-hop-self
  route-map IBGP_OUT out
  send-community
 exit-peer-policy
 !
 redistribute static route-map RTBH

Explanation

In this scenario, AS20 has been told that 10.0.0.1/32 is a bad actor. AS20 wishes to drop traffic sourced from this IP at the edge.

To do this, we configure the same dummy null0 route as before. This is used as a nexthop for prefixes we want to blackhole.

#R2, R4, R5
ip route 192.0.2.0 255.255.255.255 null0

Next, on R4, we configure the same static to BGP redistribution that we saw before. In this scenario R4 should set nexthop to the blackhole dummy destination. If R4 sets nexthop-self, the uRPF check will still fail in strict mode, but not loose mode. For this reason, we create an IBGP_OUT route-map that only sets next-hop self if the prefix does not have the RTBH community attached.

#R4
ip community-list 1 permit 20:666
!
route-map RTBH
 match tag 666
 set community no-export 20:666
!
route-map IBGP_OUT
 match community 1
 set ip next-hop 192.0.2.0
route-map IBGP_OUT permit 20
 set ip next-hop self
!
router bgp 20
 template peer-policy IBGP
  no next-hop-self
  route-map IBGP_OUT out
  send-community
 exit-peer-policy
 !
 redistribute static route-map RTBH

Next, to implement source RTBH instead of destination RTBH, we use uRPF to our advantage. With uRPF configured on the edge interface, the router will inspect the source address. If the source address is not reachable via a route pointing out that interface (strict mode), or reachable via any route in the RIB (loose mode), the traffic is dropped. Loose mode does not allow a null0 route to be used to pass the check, so we can use loose mode to implement the least restrictive filtering, while still achieving source RTBH.

#R2
int eth0/1
 ip verify unicast source reachable-via any

Finally, to trigger the blackhole, all we have to do is inject the static route on R4.

#R4
ip route 10.0.0.1 255.255.255.255 null0 tag 666

Verification

Try to ping and trace to 50.0.0.8 from R1’s Lo1 interface. The trace is dropped right at R2 because of the uRPF check.

We can check the uRPF drop statistics on R2 to confirm uRPF is working properly.

Note, you must make sure that R1 is preferring to route to 50/8 via R2 (AS20) and not via R3 (AS30).

Also, another way to verify is to use an ACL with the uRPF check. When an ACL is added, traffic that does not pass the initial uRPF check is check against the ACL. If it passes the ACL, the uRPF check passes. This provides for an “override” of the uRPF check. Since all we’re doing is logging the uRPF drops, we can use a deny any/any ACL.

#R2
access-l 100 deny ip any any log
!
logging con 7
!
int eth0/1
 ip verify unicast source reachable-via any 100

Summary

Source-based RTBH allows an AS to drop traffic from a particular source at the edge. This is better than destination-based RTBH, which drops all traffic destined to the victim. In destination-based RTBH, the target is the victim. In source-based RTBH, the target is the bad actor. However, in the case of DDoS, a single bad source IP address might not be able to be identified.

Source-based RTBH works just like destination-based RTBH, except uRPF is implemented on the edge interfaces to drop traffic based on source address. Either loose or strict mode can be used, because a null0 route is not valid to pass the uRPF check in either mode.

Also note that source-based RTBH also implements destination-based RTBH for whatever prefix is being null-routed.