Destination-Based RTBH (Community-Based)

Topology: bgp-mh-iol

configure replace unix:init.cfg

  • All links are in the format 100.X.Y.X/24.

    • For example, the link between R4 and R7 is 100.4.7.0/24.

  • Lo0 is X.X.X.X/32 and is used for iBGP

  • Lo1 is <AS>.0.0.X/32 and is used as a public IP address that is pingable. The public Lo1 addresses are aggregated into a /8 at each edge router.

  • eBGP and iBGP are fully preconfigured.

Configure destination-based RTBH within AS20 and blackhole traffic destined to 50.0.0.8. Use communities to signal the RTBH within AS20. Use R4 as the trigger node.

Answer

#R2, R4, R5
ip bgp new-format
ip community-list 1 permit 20:666
!
ip route 192.0.2.1 255.255.255.255 null 0
!
route-map IBGP_IN
 match community 1
 set ip next-hop 192.0.2.1
route-map IBGP_IN permit 20
!
router bgp 20
 template peer-policy IBGP
  route-map IBGP_IN in
  send-community both

#R4
ip route 50.0.0.8 255.255.255.255 null 0 tag 666
!
route-map RTBH
 match tag 666
 set community no-export 20:666
!
router bgp 20
 address-family ipv4
  redistribute static route-map RTBH

Explanation

There are two ways to signal an RTBH within an AS. You can signal it using the next-hop value (192.0.2.1), or you can signal it using a community (e.g. ASN:666).

Using communities is a bit nicer, because now we don’t have the issue we did in the previous lab where R2 was setting next-hop to itself for all iBGP routes, overriding the 192.0.2.1 next-hop in the route-map.

In this lab, we’ve moved the RTBH trigger router to R4. The RTBH route is triggered in the same manner: using a static route with tag 666. The difference is that R4 does not change the next-hop. Instead it only sets the communities 20:666 and no-export on the route.

R2 and R5 receive this path from R4. Notice that they set next-hop to 192.0.2.1, which is seen in the BGP update:

This is due to the following route-map, applied inbound for all iBGP peers:

ip community-list 1 permit 20:666
!
route-map IBGP_IN
 match community 1
 set ip next-hop 192.0.2.1
route-map IBGP_IN permit 20
!
router bgp 20
 template peer-policy IBGP
  route-map IBGP_IN in
  send-community both
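To make the signalling path easier to trace, here is the same logic modelled in plain Python. This is an added example and is not part of the lab or Cisco’s configuration: `trigger_static_routes` stands in for R4’s `redistribute static route-map RTBH`, `ibgp_in` for the receiving routers’ `IBGP_IN` route-map, and a small RIB dictionary for the `ip route 192.0.2.1 255.255.255.255 Null0` discard route. The value 4.4.4.4 (R4’s Lo0 per the X.X.X.X convention) and the interface names in the RIB are constructed for the example. It also adds a defender-side audit that flags the two ways this setup silently fails: the discard next-hop not resolving to Null0, and a blackhole /32 that lacks no-export and would be announced to eBGP peers.

```python
"""Model of community-signalled, destination-based RTBH inside AS20.

Added example, not code from the lab page. Function names and sample
values are this example's own, not Cisco IOS commands.
"""
from dataclasses import dataclass, field

RTBH_COMMUNITY = "20:666"          # ASN:666 blackhole community used in the lab
NO_EXPORT = "no-export"            # well-known community, keeps the /32 inside AS20
BLACKHOLE_NEXT_HOP = "192.0.2.1"   # discard next-hop, statically routed to Null0
R4_LO0 = "4.4.4.4"                 # constructed: R4's Lo0 (X.X.X.X convention)


@dataclass
class BgpRoute:
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)


def trigger_static_routes(static_routes):
    """R4 side: 'redistribute static route-map RTBH'.

    static_routes is a list of (prefix, tag). Only tag 666 is redistributed,
    and those routes get 20:666 plus no-export. R4 leaves the next-hop as
    its own address; the rewrite happens on the receiving routers.
    """
    redistributed = []
    for prefix, tag in static_routes:
        if tag == 666:
            redistributed.append(
                BgpRoute(prefix, R4_LO0, {RTBH_COMMUNITY, NO_EXPORT}))
    return redistributed


def ibgp_in(route):
    """R2/R5 side: route-map IBGP_IN.

    Sequence 10 matches community-list 1 (20:666) and sets next-hop
    192.0.2.1; sequence 20 permits everything else unchanged.
    """
    if RTBH_COMMUNITY in route.communities:
        return BgpRoute(route.prefix, BLACKHOLE_NEXT_HOP, set(route.communities))
    return route


def resolve_next_hop(next_hop, rib):
    """Recursive next-hop lookup; rib maps a host route to its egress interface."""
    return rib.get(next_hop, "unresolved")


def exported_to_ebgp(route):
    """True if an edge router would announce this route to an eBGP peer."""
    return NO_EXPORT not in route.communities


def audit_blackhole(route, rib):
    """Defender's check on a received route; returns a list of findings."""
    findings = []
    if RTBH_COMMUNITY in route.communities:
        if resolve_next_hop(route.next_hop, rib) != "Null0":
            findings.append("blackhole route does not resolve to Null0")
        if exported_to_ebgp(route):
            findings.append("blackhole /32 would leak to eBGP peers (no-export missing)")
    return findings


def run_lab():
    """Walk the lab scenario: R4 triggers, an edge router receives and audits."""
    # Constructed RIB of an edge router (R2/R5): the discard route plus a
    # normal path toward R4.
    edge_rib = {BLACKHOLE_NEXT_HOP: "Null0", R4_LO0: "Ethernet0/0"}
    advertised = trigger_static_routes([("50.0.0.8/32", 666), ("10.9.9.0/24", 0)])
    received = [ibgp_in(r) for r in advertised]
    return [(r.prefix, r.next_hop, resolve_next_hop(r.next_hop, edge_rib),
             audit_blackhole(r, edge_rib)) for r in received]


if __name__ == "__main__":
    for prefix, nh, egress, findings in run_lab():
        print(f"{prefix} via {nh} -> {egress}; findings: {findings or 'none'}")
```

The audit is the part worth keeping around operationally: if someone later adds `set ip next-hop self` on the iBGP session, or forgets no-export on the trigger router, the blackhole either stops dropping traffic or gets announced upstream, and neither failure is obvious from the trigger router alone.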

Note that on IOS-XR, this is even more elegant, because you don’t need the dummy discard route. Instead you can just set the next-hop as discard within the route-policy itself:

route-policy RP_IBGP_V4_IN
  if community matches-any (20:666) then
    set next-hop discard
  else
    pass
  endif
end-policy
