Advertise only /32 (blackhole) only, if Prefix present

‎07-01-2015 11:38 AM
Hi, I have the following setup:

- Traffic-Analyser (centos/bird)
- ISP-Router (juniper)
- Customer-Router (brocade)
- ISP-Router and Customer-Router talk BGP
- ISP-Router and Traffic-Analyser talk BGP
- Customer-Router talks BGP to some other ISPs (multihomed)

If the analyser detects a DoS attack, the target IP will be advertised as a /32 route to the ISP-Router. The ISP-Router will advertise this /32 route to all upstreams with blackhole communities. This all works very fine.

But now comes the problem: if the customer stops advertising their routes to the ISP, the ISP should also stop advertising the /32 to its upstreams.

Is it possible on Juniper to advertise a /32 (e.g. 123.123.123.1/32) only if any bigger prefix (e.g. 123.123.122.0/22) is present?

Thanks a lot for your ideas/help

Thomas
Re: Advertise only /32 (blackhole) only, if Prefix present

‎07-01-2015 12:54 PM

I have used conditional advertisement for this in the past. It doesn't match your requirement 100%, but you can use the same principle.

 

    user@test# show policy-options
    policy-statement conditional-export-bgp {
        term prefix_test {
            from {
                protocol bgp;
                route-filter 123.123.122.0/22 orlonger;
            }
            then accept;
        }
        term conditional-default {
            from {
                route-filter 0.0.0.0/0 exact;
                condition prefix_test;
            }
            then accept;
        }
        term others {
            then reject;
        }
    }
    condition prefix_test {
        if-route-exists {
            123.123.123.1/32;
            table inet.0;
        }
    }

Also see: Example: Configuring a Routing Policy for Conditional Installation of Prefixes in a Routing Table

Re: Advertise only /32 (blackhole) only, if Prefix present

‎07-04-2015 01:03 PM

I have never seen this feature before, so first, thanks for that! I have now thought for a couple of hours about how I can use it for my problem, but without result. I see the following problems here (and possibly more):

 

- if-route-exists checks whether the defined route is in the routing table.

But I have one or more dynamic /32 routes, which come from the analyser server to the ISP router over BGP.

And on the other side, routes also come dynamically from the Customer-Router to the ISP over BGP.

The customer sends his routes normally. If a /32 blackhole route comes to the ISP, I would like to check whether the customer route that the /32 is within is present.
- If yes, accept the /32 and send it to the ISP upstreams
- If no, reject the /32

The result should be that the blackhole route is only sent to upstreams if the "normal" route prefix is also sent to them. Does anyone else have an idea how this can be realized?
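
The check asked for in the post above, written by turning the first reply's policy around so that the condition tests the customer aggregate and the route-filter matches the /32s inside it. This is an added example, not configuration from any poster in the thread; the policy, condition and community names, the analyser peer address 192.0.2.10 and the community value 65000:666 are placeholders, and one condition/term pair is needed per customer aggregate.

```junos
policy-options {
    /* Constructed example: true only while the customer aggregate is in inet.0 */
    condition customer-agg-present {
        if-route-exists {
            123.123.122.0/22;
            table inet.0;
        }
    }
    /* Placeholder value; use the blackhole community your upstreams expect */
    community BLACKHOLE members 65000:666;
    policy-statement export-to-upstream {
        /* /32s from the analyser inside the aggregate, only while the aggregate exists */
        term blackhole-if-agg-present {
            from {
                protocol bgp;
                neighbor 192.0.2.10;
                route-filter 123.123.122.0/22 prefix-length-range /32-/32;
                condition customer-agg-present;
            }
            then {
                community add BLACKHOLE;
                accept;
            }
        }
        /* Any other /32 from the analyser is never sent upstream */
        term blackhole-otherwise {
            from {
                protocol bgp;
                neighbor 192.0.2.10;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then reject;
        }
        /* Existing export terms for the customer prefixes follow here */
    }
}
```

The condition as written names only a prefix and a table, so a 123.123.122.0/22 that reaches inet.0 from a source other than the customer session also satisfies it, which matters here because the customer is multihomed. It also tests the exact prefix, so a customer announcing the range as more-specifics instead of the /22 would not satisfy it.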

Re: Advertise only /32 (blackhole) only, if Prefix present

‎07-04-2015 03:37 PM

If I understood your goal and situation correctly, I think you can just put in a "from next-hop xx.xx.xx.xx" or "from neighbor" statement in your policy-statement? Guess you'd need to be a little creative with your thens... Use then next-term or then accept where appropriate

 

Maybe post your current config again, with some specific examples of what needs to happen?