BGP Next Hop Blackhole

Hi all,

A peer of ours sends us blackhole announcements through their route servers. They bear a next-hop attribute pointing to an IP address dedicated to blackholing this particular traffic.

To make sure we discard this traffic locally, I created a blackhole route for this blackhole target address:

set protocols static route 192.168.1.254/32 blackhole 

Such a received route looks like this:

andri@core01# run show ip bgp XXX.XXX.XXX.XXX
BGP routing table entry for XXX.XXX.XXX.XXX/32
  64512
    192.168.1.254 from 192.168.1.252 (192.168.1.252)
      Origin incomplete, metric 0, weight 30001, valid, external
      Community: 64512:666 64512:11 64512:21 blackhole no-export
      Last update: Tue Nov 16 15:56:34 2021
  64512
    192.168.1.254 from 192.168.1.251 (192.168.1.251)
      Origin incomplete, metric 0, weight 30001, valid, external, best (Older Path)
      Community: 64512:666 64512:11 64512:21 blackhole no-export
      Last update: Wed Dec 22 11:24:39 2021

Which leads to the following route:

andri@core01# run show ip route XXX.XXX.XXX.XXX
Routing entry for XXX.XXX.XXX.XXX/32
  Known via "bgp", distance 20, metric 0, best
  Last update 03:37:59 ago
    192.168.1.254 inactive, weight 1

As long as the blackhole route to 192.168.1.254/32 is installed, this route is installed as inactive and thus not used. As soon as I remove the static blackhole route to 192.168.1.254/32, the route gets picked up as expected:

andri@core01# run show ip route XXX.XXX.XXX.XXX
Routing entry for XXX.XXX.XXX.XXX/32
  Known via "bgp", distance 20, metric 0, best
  Last update 00:00:05 ago
  * 192.168.1.254, via eth0.XXX, weight 1

In this scenario, we still send traffic to our peer and it gets discarded there. Obviously, I’d rather discard this destination on my local gateway already.

I also tried to create a route policy to alter next-hop to one of my own, internal blackhole destinations with the same result.

Can someone tell me what I have to configure for a BGP received route to get installed into the FIB when bearing a blackholed next-hop?

BTW: We’re on 1.2.8

andri@core01:~$ show version 
Version:          VyOS 1.2.8
Release Train:    crux

Hi @andri, from your explanation I would suggest you try the configuration example below:

Blackholed route received from peer: 1.1.1.1/32
Dummy interface dum0 used for modifying the next-hop: 10.10.10.10/32

set interfaces dummy dum0 address '10.10.10.10/32'
set interfaces ethernet eth1 address '10.0.0.1/31'

set policy prefix-list AS65001-blackholed rule 1 action 'permit'
set policy prefix-list AS65001-blackholed rule 1 prefix '1.1.1.1/32'
set policy route-map blackhole rule 1 action 'permit'
set policy route-map blackhole rule 1 match ip address prefix-list 'AS65001-blackholed'
set policy route-map blackhole rule 1 set ip-next-hop '10.10.10.10'
set protocols bgp 65002 address-family ipv4-unicast redistribute connected
set protocols bgp 65002 address-family ipv4-unicast redistribute static
set protocols bgp 65002 neighbor 10.0.0.0 address-family ipv4-unicast route-map import 'blackhole'
set protocols bgp 65002 neighbor 10.0.0.0 remote-as '65001'

Route information for 1.1.1.1/32 after policy applied:

vyos@vyos:~$ show ip bgp 1.1.1.1
BGP routing table entry for 1.1.1.1/32
Paths: (1 available, best #1, table default)
  Advertised to non peer-group peers:
  10.0.0.0
  65001
    10.10.10.10 from 10.0.0.0 (10.0.0.0)
      Origin incomplete, metric 0, valid, external, best (First path received)
      Last update: Fri Dec 24 07:32:54 2021

vyos@vyos:~$ show ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "bgp", distance 20, metric 0, best
  Last update 00:00:52 ago
  * 10.10.10.10, via dum0, weight 1

vyos@vyos:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
149 packets transmitted, 0 received, 100% packet loss, time 151541ms

Is that what you’re trying to do?

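A toy model, added here and not part of the thread or of VyOS/FRR, of why the original route goes inactive and why the dummy-interface answer works: a BGP path is usable only if its next hop resolves to a connected interface, and the static blackhole for 192.168.1.254/32 wins the longest-prefix lookup for that next hop, so the received route can never be installed until the next hop is rewritten to an address the router owns. The interface name eth0.100 and the prefix 203.0.113.1/32 are constructed sample values.

```python
import ipaddress

class Rib:
    """Toy RIB, not FRR: routes are (network, kind, target) with kind 'connected'
    (target = interface), 'blackhole' (no target) or 'bgp' (target = next-hop IP)."""
    def __init__(self):
        self.routes = []
    def add(self, prefix, kind, target=None):
        self.routes.append((ipaddress.ip_network(prefix), kind, target))
    def remove(self, prefix, kind):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if (r[0], r[1]) != (net, kind)]
    def lookup(self, addr):
        # Longest-prefix match over static/connected routes only (a BGP next hop is not resolved via BGP)
        a = ipaddress.ip_address(addr)
        cands = [r for r in self.routes if r[1] != "bgp" and a in r[0]]
        return max(cands, key=lambda r: r[0].prefixlen, default=None)
    def resolve_bgp(self, prefix):
        # Mimics 'show ip route': active only if the next hop resolves to a connected interface;
        # a blackhole route (or no match) leaves the BGP path inactive, as seen in the thread.
        net = ipaddress.ip_network(prefix)
        bgp = next((r for r in self.routes if (r[0], r[1]) == (net, "bgp")), None)
        if bgp is None:
            return None
        hop = self.lookup(bgp[2])
        if hop is None or hop[1] == "blackhole":
            return ("inactive", None)
        return ("active", hop[2])

def import_route_map(prefix, next_hop, prefix_list, new_next_hop):
    # Route-map 'blackhole' rule 1: set ip-next-hop for prefixes in the prefix-list (exact match)
    if ipaddress.ip_network(prefix) in [ipaddress.ip_network(p) for p in prefix_list]:
        return new_next_hop
    return next_hop

def demo():
    rib = Rib()
    rib.add("192.168.1.0/24", "connected", "eth0.100")  # peering LAN (constructed interface name)
    rib.add("192.168.1.254/32", "blackhole")             # the static blackhole for the peer's target
    rib.add("203.0.113.1/32", "bgp", "192.168.1.254")     # received blackhole route (constructed prefix)
    before = rib.resolve_bgp("203.0.113.1/32")            # inactive: next hop hits the blackhole
    rib.remove("192.168.1.254/32", "blackhole")
    after = rib.resolve_bgp("203.0.113.1/32")             # active via eth0.100: traffic leaves the box
    rib.add("10.10.10.10/32", "connected", "dum0")        # the fix: a dummy interface owns the new next hop
    nh = import_route_map("203.0.113.1/32", "192.168.1.254", ["203.0.113.1/32"], "10.10.10.10")
    rib.remove("203.0.113.1/32", "bgp")
    rib.add("203.0.113.1/32", "bgp", nh)                  # re-installed with the rewritten next hop
    fixed = rib.resolve_bgp("203.0.113.1/32")             # active via dum0: dropped locally
    return before, after, fixed
```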

Perfect, the dummy interface was the missing part I was looking for :ok_hand:

Thanks a lot :pray:
