Wednesday, February 27, 2013

Create Setup BGP Blackhole Community In Juniper Junos

Before you start, you'll want to have spoken with your upstreams and ensured you are enrolled in their BGP Blackhole program and that your BGP session(s) are currently given access to the communities.

The first thing you'll need to do is log into your Juniper and hop into edit mode.

Next, you need to create a new policy-statement inside your policy options:
edit policy-options
set policy-statement provider_blackhole 
edit policy-statement provider_blackhole 
set term match_666 from protocol static
set term match_666 from tag 666
set term match_666 then origin igp
set term match_666 then community set provider_blackhole
set term match_666 then accept
To check your work, type show and you should see:
policy-statement provider_blackhole {
    term match_666 {
        from {
            protocol static;
            tag 666;
        then {
            origin igp;
            community set provider_blackhole;
Now we have to create that actual community:
edit policy-options
set community provider_blackhole members AS###:COM###;
...replace AS### with the providers ASN number, and replace COM### with the community tag your provider gave you for the BGP blackhole.

Next we have to update the BGP group for this provider so we are announcing the community:
edit protocols bgp group provider
set export provider_blackhole VERY important thing to note is that export ordering MATTERS. The most specific routes are announced left to right, so always ensure your blackhole export is listed first.

The very last thing to do is actually route IP's to this blackhole:
edit routing-options static
set route a.b.c.d/cidr discard
set route a.b.c.d/cidr tag 666
...that's it.

So what we've done here is:
1) Added a static route that is discarded and tagged "666"
2) Our policy-statement then grabs all static routes with a tag of "666" and then assigns them to the BGP blackhole community.
3) Our BGP group announces that community within the BGP session to the provder
4) The provider then drops all traffic to the IP's announced in that community.

You can use whatever "tag" number you want so long as it's being used consistently.

You can also have multiple policy-statements for multiple providers matching the tag and pushing to multiple communities (you may even want to condense them down into one policy-statement by setting multiple communities)

1 comment: