The first thing you'll need to do is log into your Juniper and hop into edit mode.
Next, you need to create a new policy-statement inside your policy options:
    edit policy-options
    edit policy-statement provider_blackhole
    set term match_666 from protocol static
    set term match_666 from tag 666
    set term match_666 then origin igp
    set term match_666 then community set provider_blackhole
    set term match_666 then accept

To check your work, type show and you should see:

    policy-statement provider_blackhole {
        term match_666 {
            from {
                protocol static;
                tag 666;
            }
            then {
                origin igp;
                community set provider_blackhole;
                accept;
            }
        }
    }

Now we have to create the actual community:
    top edit policy-options
    set community provider_blackhole members AS###:COM###

...replace AS### with the provider's AS number, and replace COM### with the community value your provider gave you for BGP blackholing. (The top keyword matters: edit is relative to your current hierarchy level, so without it you would be trying to create policy-options underneath the policy-statement you were just editing.)
Next we have to update the BGP group for this provider so we are announcing the community:
    top edit protocols bgp group provider
    set export provider_blackhole

...one VERY important thing to note is that export ordering MATTERS. Junos evaluates the export policies on a group in the order they are listed, left to right, and the first term that accepts or rejects a route ends the evaluation. If an existing export policy already accepts your static routes, the blackhole community would never be attached to them, so always ensure the blackhole policy is listed first (the insert command moves an entry before an existing one).
The very last thing to do is actually route IP's to this blackhole:
    top edit routing-options static
    set route a.b.c.d/cidr discard
    set route a.b.c.d/cidr tag 666

...commit, and that's it. Note that most providers only honour host routes (a /32 for IPv4) with their blackhole community, so check what prefix length yours accepts; the discard next hop also means the router itself drops that traffic, not just the provider.
So what we've done here is:
1) Added a static route with a discard next hop, tagged "666"
2) Our policy-statement grabs all static routes with a tag of "666" and attaches the BGP blackhole community to them (untagged statics are left alone)
3) Our BGP group announces those routes, with that community, in the BGP session to the provider
4) The provider then drops all traffic to the IPs announced with that community
You can use whatever "tag" number you want as long as it is used consistently between the static routes and the policy-statement.
You can also have multiple policy-statements for multiple providers, each matching the tag and setting that provider's community (you may even want to condense them into one policy-statement that sets multiple communities).
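As an added example that is not part of the original post, here is the whole procedure collected into top-level set statements that can be pasted into configuration mode with load set terminal, followed by the verification a practitioner would do before trusting it. AS###:COM### is left as the placeholder for the provider's blackhole community exactly as above; 192.0.2.1 is an RFC 5737 documentation address standing in for the attacked host; 198.51.100.1 is an assumed address for the provider's BGP neighbor; and provider_normal is an assumed name for an export policy that already exists on the group (drop the insert line if the group had no export policy before).

```junos
## Added example, not the original post's configuration. Placeholders:
## AS###:COM###   the provider's blackhole community (as in the post)
## 192.0.2.1      the attacked host (RFC 5737 documentation address)
## 198.51.100.1   assumed address of the provider's BGP neighbor
## provider_normal assumed name of an export policy already on the group

## Community carrying the provider's blackhole value
set policy-options community provider_blackhole members AS###:COM###

## Policy: static routes tagged 666 get the community and are accepted.
## Matching on the tag means only routes you deliberately tag are
## blackholed; untagged statics fall through to the next export policy.
set policy-options policy-statement provider_blackhole term match_666 from protocol static
set policy-options policy-statement provider_blackhole term match_666 from tag 666
set policy-options policy-statement provider_blackhole term match_666 then origin igp
set policy-options policy-statement provider_blackhole term match_666 then community set provider_blackhole
set policy-options policy-statement provider_blackhole term match_666 then accept

## Attach the policy to the provider's BGP group. "set export" appends to
## the end of the list; export policies are evaluated left to right and the
## first accept/reject wins, so move it ahead of the existing policy.
set protocols bgp group provider export provider_blackhole
insert protocols bgp group provider export provider_blackhole before provider_normal

## The blackhole itself: a discard route for the attacked host, tagged 666.
## Use a host route (/32); providers generally accept nothing shorter with
## their blackhole community.
set routing-options static route 192.0.2.1/32 discard
set routing-options static route 192.0.2.1/32 tag 666

commit comment "blackhole 192.0.2.1 at provider"

## Verify from configuration mode: the route is installed as a discard,
## and it is being advertised to the provider with the community attached.
## If the community is missing, the export ordering above is the first
## thing to check.
run show route 192.0.2.1/32
run show route advertising-protocol bgp 198.51.100.1 192.0.2.1/32 detail
```

The second show command is the one that proves the provider is actually receiving the community; seeing the route in the local table only confirms the local discard. To remove a blackhole later, delete both routing-options static route lines for that prefix and commit; the policy and community stay in place for the next incident.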
Thank you so much for this. Very helpful.