Discussion:
openbgpd blackhole community
Hrvoje Popovski
2016-07-20 21:05:03 UTC
Hi all,

here at CIX we want to implement BLACKHOLE based on
https://tools.ietf.org/html/draft-ietf-grow-blackholing

presentation
https://www.ietf.org/proceedings/94/slides/slides-94-grow-1.pdf

Recommendation is to have Blackhole BGP Community: 65535:666, but when I
configure that community I'm getting "Bad community AS number".

Is there any problem with allowing 65535 in a community?


configuration:

AS 65005
router-id 10.192.192.124
listen on 10.192.192.124
holdtime 180
holdtime min 3
fib-update no
log updates
nexthop qualify via bgp
transparent-as yes

group rsip4 {
    local-address 10.192.192.124
    announce IPv6 none
    announce IPv4 unicast
    set nexthop no-modify
    enforce neighbor-as yes
    announce all
    neighbor 10.192.192.65 {
        remote-as 123
        max-prefix 1024 restart 5
        passive
    }
    neighbor 10.192.192.87 {
        remote-as 124
        max-prefix 1024 restart 5
        passive
    }
    neighbor 10.192.192.66 {
        remote-as 125
        max-prefix 1024 restart 5
        passive
    }
}

deny from any inet prefixlen 8 >< 24
allow from any inet prefixlen 16 - 32 community 65535:666

match from any community 65535:666 set nexthop 10.192.192.90
match from any set community 65005:65000

deny to group rsip4 community 65005:65000
deny to group rsip4 community 0:65005
allow to group rsip4 community 65005:65005
deny to group rsip4 community 0:neighbor-as
allow to group rsip4 community 65005:neighbor-as

match to group rsip4 prefix 10.192.192.64/26 set prepend-self 1
Peter Hessler
2016-07-21 07:23:37 UTC
Hi

We had previously limited which communities could be set within the Well
Known Community range, but that limitation has been fixed in 5.9.

We also support "community BLACKHOLE", as a convenience.

-peter


On 2016 Jul 20 (Wed) at 23:05:03 +0200 (+0200), Hrvoje Popovski wrote:
:Hi all,
:
:here at CIX we want to implement BLACKHOLE based on
:https://tools.ietf.org/html/draft-ietf-grow-blackholing
:
:presentation
:https://www.ietf.org/proceedings/94/slides/slides-94-grow-1.pdf
:
:Recommendation is to have Blackhole BGP Community: 65535:666, but when I
:configure that community I'm getting "Bad community AS number".
:
:Is there any problem with allowing 65535 in a community?
:
:
:configuration:
:
:AS 65005
:router-id 10.192.192.124
:listen on 10.192.192.124
:holdtime 180
:holdtime min 3
:fib-update no
:log updates
:nexthop qualify via bgp
:transparent-as yes
:
:group rsip4 {
: local-address 10.192.192.124
: announce IPv6 none
: announce IPv4 unicast
: set nexthop no-modify
: enforce neighbor-as yes
: announce all
: neighbor 10.192.192.65 {
: remote-as 123
: max-prefix 1024 restart 5
: passive
: }
: neighbor 10.192.192.87 {
: remote-as 124
: max-prefix 1024 restart 5
: passive
: }
: neighbor 10.192.192.66 {
: remote-as 125
: max-prefix 1024 restart 5
: passive
: }
:}
:
:deny from any inet prefixlen 8 >< 24
:allow from any inet prefixlen 16 - 32 community 65535:666
:
:match from any community 65535:666 set nexthop 10.192.192.90
:match from any set community 65005:65000
:
:deny to group rsip4 community 65005:65000
:deny to group rsip4 community 0:65005
:allow to group rsip4 community 65005:65005
:deny to group rsip4 community 0:neighbor-as
:allow to group rsip4 community 65005:neighbor-as
:
:match to group rsip4 prefix 10.192.192.64/26 set prepend-self 1
:
--
Baruch's Observation:
If all you have is a hammer, everything looks like a nail.
Claudio Jeker
2016-07-21 09:12:18 UTC
Post by Hrvoje Popovski
Hi all,
here at CIX we want to implement BLACKHOLE based on
https://tools.ietf.org/html/draft-ietf-grow-blackholing
presentation
https://www.ietf.org/proceedings/94/slides/slides-94-grow-1.pdf
Recommendation is to have Blackhole BGP Community: 65535:666, but when I
configure that community I'm getting "Bad community AS number".
Is there any problem with allowing 65535 in a community?
AS 65005
router-id 10.192.192.124
listen on 10.192.192.124
holdtime 180
holdtime min 3
fib-update no
log updates
nexthop qualify via bgp
transparent-as yes
group rsip4 {
local-address 10.192.192.124
announce IPv6 none
announce IPv4 unicast
set nexthop no-modify
enforce neighbor-as yes
announce all
neighbor 10.192.192.65 {
remote-as 123
max-prefix 1024 restart 5
passive
}
neighbor 10.192.192.87 {
remote-as 124
max-prefix 1024 restart 5
passive
}
neighbor 10.192.192.66 {
remote-as 125
max-prefix 1024 restart 5
passive
}
}
deny from any inet prefixlen 8 >< 24
allow from any inet prefixlen 16 - 32 community 65535:666
match from any community 65535:666 set nexthop 10.192.192.90
match from any set community 65005:65000
deny to group rsip4 community 65005:65000
deny to group rsip4 community 0:65005
allow to group rsip4 community 65005:65005
deny to group rsip4 community 0:neighbor-as
allow to group rsip4 community 65005:neighbor-as
match to group rsip4 prefix 10.192.192.64/26 set prepend-self 1

Just use "community BLACKHOLE" instead of 65535:666 and it will work.
--
:wq Claudio
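
What the two replies above come down to, as an added example that is not part of the thread or of OpenBGPD: 65535:666 is the 32-bit value 0xFFFF029A, which lies in the well-known community range, and the sketch rewrites that numeric form to the BLACKHOLE keyword in filter lines taken from the first post. The function names and the "reserved"/"ordinary" labels are assumptions made for illustration; the ranges and names are those of RFC 1997 and RFC 7999.

```python
import re

BLACKHOLE = 0xFFFF029A  # 65535:666, the value the thread asks about
# RFC names for well-known communities (RFC 1997, RFC 7999).
WELL_KNOWN = {
    BLACKHOLE: "BLACKHOLE",
    0xFFFFFF01: "NO_EXPORT",
    0xFFFFFF02: "NO_ADVERTISE",
    0xFFFFFF03: "NO_EXPORT_SUBCONFED",
}
COMMUNITY_RE = re.compile(r"\bcommunity\s+(\d+):(\d+)\b")


def encode(high, low):
    """Pack the two 16-bit halves of 'high:low' into the 32-bit attribute value."""
    if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
        raise ValueError(f"{high}:{low} does not fit in 16+16 bits")
    return (high << 16) | low


def classify(high, low):
    """Name a community, or say whether it falls in an RFC 1997 reserved range."""
    value = encode(high, low)
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    if high in (0x0000, 0xFFFF):  # 0x0000xxxx and 0xFFFFxxxx are reserved
        return "reserved"
    return "ordinary"


def use_blackhole_keyword(config):
    """Rewrite numeric 65535:666 to the BLACKHOLE keyword; leave the rest alone."""
    def repl(match):
        if (int(match[1]), int(match[2])) == (65535, 666):
            return "community BLACKHOLE"
        return match[0]
    return COMMUNITY_RE.sub(repl, config)


# Filter lines copied from the configuration in the first post.
SAMPLE = """\
allow from any inet prefixlen 16 - 32 community 65535:666
match from any community 65535:666 set nexthop 10.192.192.90
match from any set community 65005:65000
deny to group rsip4 community 0:neighbor-as
"""

if __name__ == "__main__":
    print(use_blackhole_keyword(SAMPLE), end="")
    for pair in ((65535, 666), (65535, 1), (0, 65005), (65005, 65000)):
        print("%d:%d" % pair, "->", classify(*pair))
```
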
Hrvoje Popovski
2016-07-25 17:05:19 UTC
Post by Claudio Jeker
Just use "community BLACKHOLE" instead of 65535:666 and it will work.

Thank you guys.
