Hi all,
A peer of ours sends us blackhole announcements through their route servers. They bear a next-hop attribute pointing to an IP address dedicated to blackholing this particular traffic.
To make sure we discard this traffic locally, I created a blackhole route for this blackhole target address:
set protocols static route 192.168.1.254/32 blackhole
Such a received route looks like this:
andri@core01# run show ip bgp XXX.XXX.XXX.XXX
BGP routing table entry for XXX.XXX.XXX.XXX/32
64512
192.168.1.254 from 192.168.1.252 (192.168.1.252)
Origin incomplete, metric 0, weight 30001, valid, external
Community: 64512:666 64512:11 64512:21 blackhole no-export
Last update: Tue Nov 16 15:56:34 2021
64512
192.168.1.254 from 192.168.1.251 (192.168.1.251)
Origin incomplete, metric 0, weight 30001, valid, external, best (Older Path)
Community: 64512:666 64512:11 64512:21 blackhole no-export
Last update: Wed Dec 22 11:24:39 2021
Which leads to the following route:
andri@core01# run show ip route XXX.XXX.XXX.XXX
Routing entry for XXX.XXX.XXX.XXX/32
Known via "bgp", distance 20, metric 0, best
Last update 03:37:59 ago
192.168.1.254 inactive, weight 1
As long as the blackhole route to 192.168.1.254/32 is installed, this route is installed as inactive and thus not used. As soon as I remove the static blackhole route to 192.168.1.254/32, the route gets picked up as expected:
andri@core01# run show ip route XXX.XXX.XXX.XXX
Routing entry for XXX.XXX.XXX.XXX/32
Known via "bgp", distance 20, metric 0, best
Last update 00:00:05 ago
* 192.168.1.254, via eth0.XXX, weight 1
In this scenario, we still send traffic to our peer and it gets discarded there. Obviously, I'd rather discard this destination on my local gateway already.
I also tried to create a route policy to alter next-hop to one of my own, internal blackhole destinations with the same result.
Can someone tell me what I have to configure for a BGP-received route to get installed into the FIB when bearing a blackholed next-hop?
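As an added example (not part of the original post or of VyOS/FRR), a small check that parses `show ip route` output in the format shown above and flags BGP prefixes whose only next-hop is a known blackhole target that FRR left inactive, so the prefix is in the RIB but not in the FIB and traffic still follows a less specific route. The sample output and the 203.0.113.x prefixes are constructed for the example.

```python
import re

# Constructed sample modelled on the post's "show ip route" output (prefixes
# in documentation space): first entry has an inactive next-hop, second an active one.
SAMPLE_SHOW_IP_ROUTE = """\
Routing entry for 203.0.113.10/32
  Known via "bgp", distance 20, metric 0, best
  Last update 03:37:59 ago
  192.168.1.254 inactive, weight 1

Routing entry for 203.0.113.11/32
  Known via "bgp", distance 20, metric 0, best
  Last update 00:00:05 ago
  * 192.168.1.254, via eth0.100, weight 1
"""

ENTRY_RE = re.compile(r"^Routing entry for (\S+)")
PROTO_RE = re.compile(r'Known via "(\w+)"')
NEXTHOP_RE = re.compile(r"^\s*\*?\s*(\d+\.\d+\.\d+\.\d+)(.*)$")


def parse_routes(text):
    """Return {prefix: {"proto": str, "nexthops": [(ip, is_active)]}}."""
    routes, cur = {}, None
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            cur = routes[m.group(1)] = {"proto": None, "nexthops": []}
        elif cur is not None and (m := PROTO_RE.search(line)):
            cur["proto"] = m.group(1)
        elif cur is not None and (m := NEXTHOP_RE.match(line)):
            # FRR tags next-hops it could not resolve as "inactive"; only
            # active next-hops are pushed to the kernel FIB.
            cur["nexthops"].append((m.group(1), "inactive" not in m.group(2)))
    return routes


def find_not_discarding(routes, blackhole_nexthops):
    """BGP prefixes whose next-hops are all known blackhole targets and all
    inactive: present in the RIB, absent from the FIB, not discarded locally."""
    return [
        p for p, r in routes.items()
        if r["proto"] == "bgp" and r["nexthops"]
        and all(ip in blackhole_nexthops and not act for ip, act in r["nexthops"])
    ]
```

Feed it the output of `run show ip route` and the set of blackhole target addresses you have static blackhole routes for; any prefix it returns is one you are still forwarding toward the peer.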