Example 9-13 Dynamic Black Hole System Configuration
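! Test Net prefix is discarded locally, so next hop 192.0.2.1 resolves to Null0
ip route 192.0.2.0 255.255.255.0 null0
...
router bgp <ASN>
 ...
 redistribute static route-map STATIC_TO_BGP
!
! Tag 999: black hole, next hop rewritten into the Test Net prefix
route-map STATIC_TO_BGP permit 40
 match tag 999
 set ip next-hop 192.0.2.1
 set community no-export
 set origin igp
!
! Tag 998: sinkhole, next hop is taken from the static route
route-map STATIC_TO_BGP permit 50
 match tag 998
 set community no-export
 set origin igp
!
! All other static routes are not redistributed
route-map STATIC_TO_BGP deny 60
!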
The BGP community is set to no-export to ensure that the prefix is not advertised outside
the local network. The Test Net prefix 192.0.2.0/24 can be used because it is completely
internal to the network and is not externally visible.
The route tag is used to identify the prefix that is being black-holed without requiring prefix
list configuration. The route that would be applied on the sinkhole router to activate black
holing for prefix 10.0.0.0/8 is:
ip route 10.0.0.0 255.0.0.0 null0 tag 999
This prefix is installed in the routing table and is advertised via iBGP to the entire network.
The network is null-routed almost immediately. To send traffic to a sink router, the static
route deployed would not use Null0 as the next hop. The following configuration directs
traffic to the sink router if the sink router has an address of 192.168.1.1:
ip route 10.0.0.0 255.0.0.0 192.168.1.1 tag 998
The sink router address must also be advertised in the IGP to ensure next-hop reachability
for BGP propagation of the victim prefix. The next hop is not manually set in the route map
when using a sinkhole. This allows multiple sinkholes for various purposes based on the
next-hop address configured in the static route.
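The following Python sketch is an added example, not part of the original text or of any Cisco tool. It is a simplified model of how the STATIC_TO_BGP route map classifies tagged static routes and how a receiving router then resolves the advertised next hop. The edge router's table (EDGE_RIB) and the interface name in it are constructed for the example.

```python
import ipaddress

# Simplified model of STATIC_TO_BGP: (sequence, action, matched tag, forced next hop)
ROUTE_MAP = [
    (40, "permit", 999, "192.0.2.1"),  # black hole: next hop rewritten into Test Net
    (50, "permit", 998, None),         # sinkhole: next hop of the static route is kept
    (60, "deny", None, None),          # everything else is not redistributed
]

# Constructed routing table of a receiving router: Test Net static plus IGP route to the sink
EDGE_RIB = {
    ipaddress.ip_network("192.0.2.0/24"): "null0",
    ipaddress.ip_network("192.168.1.1/32"): "GigabitEthernet0/1",
}

def parse_static(line):
    """Parse 'ip route <net> <mask> <next-hop|null0> [tag <n>]'."""
    tok = line.split()
    if tok[:2] != ["ip", "route"] or len(tok) < 5:
        raise ValueError(f"not a static route: {line!r}")
    prefix = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
    tag = int(tok[tok.index("tag") + 1]) if "tag" in tok else None
    return prefix, tok[4].lower(), tag

def redistribute(line):
    """Return the iBGP advertisement the route map produces, or None if denied."""
    prefix, next_hop, tag = parse_static(line)
    for seq, action, match_tag, forced_nh in ROUTE_MAP:
        if match_tag is not None and match_tag != tag:
            continue  # this sequence does not match, try the next one
        if action == "deny":
            return None
        return {"prefix": prefix, "next_hop": forced_nh or next_hop,
                "community": "no-export", "origin": "igp", "seq": seq}
    return None  # implicit deny at the end of a route map

def forwarding_action(adv, rib):
    """Resolve the advertised next hop by longest-prefix match in rib."""
    nh = ipaddress.ip_address(adv["next_hop"])
    matches = [p for p in rib if nh in p]
    if not matches:
        return "unusable: next hop unreachable"
    return rib[max(matches, key=lambda p: p.prefixlen)]
```

Removing the 192.168.1.1/32 entry from EDGE_RIB makes the tag 998 advertisement unusable, which is why the sink router address must be carried in the IGP.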