Re: set ip next-hop (BGP)

From: Jamie Caesar (jamie.caesar@gmail.com)
Date: Wed Mar 09 2005 - 18:53:04 GMT-3


We use this feature of BGP to help quickly blackhole traffic to or
from a particular address or network. This is just one way that it
can be used. The short of it is:

1) You have a control router that does nothing but BGP peers with all
other routers in your network. Normally this router won't advertise
any routes to its peers, unless you want them blackholed.

2) Define a static host route to any arbitrary address that isn't used
in your network (perhaps 10.255.255.254) to null0 on every router in
the network.

3) If you want to blackhole a particular router, you bring the
host/network into BGP so that it is advertised with a BGP next-hop of
10.255.255.254 (via a route-map applied to the neighbor statement).
Once all neighbors have received this update, and it sees a packet
sent to the offending IP address, the router will drop it (route it to
null0). The way we've set this up is that if a static route is added
with a specific tag, it will be redistributed into BGP and then
advertised to all neighbors with a next-hop address of 10.255.255.254.

4) We also use uRPF (Unicast Reverse Path Forwarding) on all routers
to drop traffic if it is sourced from the offending address. uRPF
will check for the existence of an entry in the routing table
(actually, CEF table) for the source address. Since that traffic is
now being routed to null0, it is considered an invalid address, so any
traffic sourced from that address will also be dropped.

So, this allows us to quickly block all traffic to and from a host (or
network) with the addition of a single route on the control router.
The traffic will be dropped at the first router that it reaches inside
our network. This is useful in situations where you know which host
is causing network floods, spreading viruses, etc., but do not know the
exact location. You can shut it down without needing to trace
routing, ARP and CAM tables to shut down a switch port or physically
find the machine.

I'm not aware of any name for this "feature", and it was explained in
one of the seminars at Networkers. I tried to keep this as short as
possible, so if I haven't explained this clearly please let me know.

Jamie

On Wed, 9 Mar 2005 06:39:12 -0800, Jonathan ZD <Nuvo25@hotmail.com> wrote:
> Has anyone ever used the BGP "set ip next-hop" command (under route-map)
> with either IP-addr or peer-add? I've read the command guide from Cisco Doc,
> but still have no clue what they're talking about. If anyone ever use and
> understand this command, please kindly share the knowledge of how to use this
> command.
>
> Thanks.
>
> Jonathan
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
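The trigger-router and edge-router setup described in the reply above, written out as an added Cisco IOS example. This is not configuration from the original post; the AS number 65000, the peer addresses 192.0.2.1/192.0.2.2, the tag value 666, the interface name GigabitEthernet0/0 and the example victim address 203.0.113.7 are all assumed for illustration. 10.255.255.254 is the discard address the post itself uses.

```cisco
!=== Control (trigger) router 192.0.2.1: peers with every other router,
!=== normally advertises nothing. Only statics carrying tag 666 are
!=== redistributed, and the neighbor route-map rewrites their next hop.
router bgp 65000
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 send-community
 neighbor 192.0.2.2 route-map BLACKHOLE-OUT out
 redistribute static route-map TAGGED-STATICS-ONLY
!
! Admit only statics tagged 666 into BGP (assumed tag value)
route-map TAGGED-STATICS-ONLY permit 10
 match tag 666
!
! Rewrite the next hop to the discard address so every peer resolves
! the victim prefix to its local Null0 route. no-export keeps the
! blackhole inside the AS; a high local-preference makes it win.
route-map BLACKHOLE-OUT permit 10
 match tag 666
 set ip next-hop 10.255.255.254
 set local-preference 200
 set community no-export
!
! Trigger: adding this single tagged static blackholes 203.0.113.7
! (assumed example address) on every router. Removing it restores traffic.
ip route 203.0.113.7 255.255.255.255 Null0 tag 666

!=== Every other router (example: edge router 192.0.2.2) ===
ip cef
!
! The arbitrary, otherwise unused discard address always points at Null0,
! so any BGP route whose next hop is 10.255.255.254 is forwarded to Null0.
ip route 10.255.255.254 255.255.255.255 Null0
!
! Avoid generating an ICMP unreachable for every dropped packet.
interface Null0
 no ip unreachables
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 65000
!
! Loose-mode uRPF on the traffic-facing interface: a packet whose
! source address resolves to Null0 fails the check and is dropped,
! which is what blocks traffic *from* the blackholed host.
interface GigabitEthernet0/0
 description traffic-facing interface (assumed name)
 ip verify unicast source reachable-via any
```

To confirm the trigger took effect on an edge router, `show ip bgp 203.0.113.7` should show the prefix with next hop 10.255.255.254, `show ip cef 203.0.113.7` should resolve it to Null0, and `show ip interface GigabitEthernet0/0 | include verify` should report the uRPF drop counter increasing once the host sends traffic. `reachable-via any` (loose mode) is used rather than `reachable-via rx` (strict mode) because strict mode also drops legitimate asymmetrically routed traffic; loose mode only needs the source's best route to be something other than Null0.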



This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:44 GMT-3