Customer BGP client on VyOS

Hello everyone, everything good?
I have a scenario in production that has two peer transients plus one peer IX, running normally on BGPv4 and BGPv6, for my users who belong to my IPv4 ranges. The case is that I need to configure a new client in BGP, announcing its IPv4 and IPv6 blocks for my peers and IX traffic. Could you please help me in this scenario? I looked for information but could not find it.
The IX staff informed me that, in the announcement, the ASN of the partner (client) must appear as the advertiser of the route. We have communities that indicate whether the advertisement is being carried out correctly; just search for the route in the LG.
comun16162: 65110 is invalid
26162:65111 is valid
26162:65112 unknown, in this case when the base is foreign and not in the registry
If the advertisement comes with the partner ASN as its source and is shown as invalid, he has to inform the registry that his ASN can disclose his prefixes.
But really, I did not understand …
Thank you so much,
With Best Regards

Hi!

You just need to import the routes that your client advertises to you and export them to your peers/IX/transit.

This will typically be done by allowing it in your import and export route-maps.

Best regards,
Aldemaro.

This is not a VyOS configuration question nor is it something you can solve on your router, but it’s a common problem.

IX.br (AS 26162) is looking in public route registries for your customer’s route object.

26162:65111 appears to indicate that there’s something WRONG as opposed to something missing. You should query your client’s right to advertise the network, and have them check with registro.br - it’s possible that he has the legal right to advertise the network but registro.br has outdated information pointing to someone else.

I looked at:
http://ix.br/doc/politica-de-tratamento-de-communities-no-ix-br-v3_0-english.pdf


Hi Aldemaro, how are you? Thank you so much. In this case, I just need to create a new peer and add the customer networks to my prefix-list, that’s it?
With Best Regards
Josue

Hi Ron, how are you? Thank you so much, I’ll read the document, but I think that my case comes before this issue, hehehe. I need to put the customer on VyOS first, running like a charm, right?
So, I’m trying to bring the configuration up, including the customer networks in our prefix-list, but I don’t know if just that will be OK. I also created static routes to blackhole for the customer networks.
With Best Regards
Josue

Hello folks, how are you?
I created everything, like the samples below, but it is not established yet, because the customer is not ready.
So, I think that it is OK now, right?

Create the /30 interface

vif 80 {
    address XXX.XXX.XXX.XX/30
}

Create the policy

policy {
    prefix-list Customer-ASNXXXXXX {
        description "Customer ASNXXXXXX"
        rule 10 {
            action permit
            /* Customer network */
            prefix XX.XX.XX.0/22
        }
        rule 11 {
            action permit
            /* Customer network */
            prefix xx.xx.xx.0/22
        }
    }
}

Create route map

route-map TO-Customer-ASNXXXXXX {
    rule 10 {
        action permit
        match {
            ip {
                address {
                    prefix-list Customer-ASNXXXXXX
                }
            }
        }
    }
}
route-map TO-Customer-ASNXXXXXX-OUT {
    rule 10 {
        action deny
    }
}

Create neighbor to customer

    neighbor XXX.XXX.XXX.XXX {
        default-originate {
        }
        description Customer.ASNXXXXXX
        remote-as XXXXXX
        route-map {
            export TO-Customer-ASNXXXXXX-OUT
            import TO-Customer-ASNXXXXXX
        }
        soft-reconfiguration {
            inbound
        }
    }

Static routes to blackhole for customer networks

static {
    route xx.xx.xx.0/22 {
        blackhole {
        }
    }
    route xx.xx.xx.0/22 {
        blackhole {
        }
    }
}

The idea is to prioritize traffic to the IX before transit peers, but is this possible?

You don’t need to blackhole your customer prefix. You just import their routes and export to the IX and your transits/peers if you want.

I do that in IX-CPV (campina grande/PB) for some clients and it works fine.

Your route-maps are also fine, but I do allow /23’s and /24’s too, so my clients are free to advertise routes to me as they please.
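
An added example, not part of the thread or of any poster's configuration: the prefix-list posted above has no `ge`/`le`, so under the usual prefix-list semantics (exact match unless a length range is given, assumed here) it accepts only the two /22 aggregates, while the reply above describes also accepting /23 and /24. The sketch below evaluates a set of constructed customer announcements against both variants; the prefixes are placeholders from 198.18.0.0/15 and all names are hypothetical.

```python
import ipaddress

def rule_matches(route, prefix, ge=None, le=None):
    """Prefix-list rule match: exact prefix only, unless ge/le widen the length."""
    route, prefix = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if route.version != prefix.version:
        return False
    if ge is None and le is None:
        return route == prefix
    low = ge if ge is not None else prefix.prefixlen
    high = le if le is not None else route.max_prefixlen
    return route.subnet_of(prefix) and low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """First matching rule wins; with no match the import route-map has
    nothing to permit, so the route is dropped (implicit deny)."""
    for rule in sorted(prefix_list, key=lambda r: r["rule"]):
        if rule_matches(route, rule["prefix"], rule.get("ge"), rule.get("le")):
            return rule["action"]
    return "deny"

# Constructed placeholder blocks (198.18.0.0/15 benchmarking space), standing
# in for the two masked /22 customer networks in the thread.
AS_POSTED = [
    {"rule": 10, "action": "permit", "prefix": "198.18.4.0/22"},
    {"rule": 11, "action": "permit", "prefix": "198.18.8.0/22"},
]
# Same list with "le 24" on each rule, i.e. /23 and /24 more-specifics allowed.
WITH_LE_24 = [dict(rule, le=24) for rule in AS_POSTED]

# Constructed announcements a customer session might send.
ANNOUNCEMENTS = [
    "198.18.4.0/22",   # the aggregate itself
    "198.18.6.0/23",   # more-specific inside the first block
    "198.18.9.0/24",   # more-specific inside the second block
    "198.18.4.0/25",   # too long even with le 24
    "198.18.12.0/22",  # not the customer's space
    "0.0.0.0/0",       # default route leaked by the customer
]

def decisions(prefix_list):
    """Map each constructed announcement to permit/deny for this list."""
    return {route: evaluate(prefix_list, route) for route in ANNOUNCEMENTS}

if __name__ == "__main__":
    for route in ANNOUNCEMENTS:
        print(f"{route:<16} as posted: {evaluate(AS_POSTED, route):<7}"
              f" with le 24: {evaluate(WITH_LE_24, route)}")
```

In both variants anything outside the customer's blocks, including a leaked default route, is dropped before it can be re-exported to the IX or transit sessions.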

Hi Aldemaro, how are you? Thank you for your reply. I did the blackhole to prevent DDoS, is that wrong? Maybe add a blackhole community on the import route-map, right?
About the other configurations, any considerations? About prioritizing traffic to the IX, how do I proceed?
With Best Regards

@josueconti do you know how to secure my /24 from layer 7 attacks? I already contacted my upstream, and he said:

you will have to add bgp community 940 to your advertisement in order for filtering to work properly.

Hi Noitcennok, I don’t know anything about bgp community 940, sorry my friend.