An example config for customers in this scenario would be something like this:
!
! jump into the bgp router config
!
router bgp 31337
!
! set the static redistribution to include a route-map so we can filter
! the routes somewhat... or atleast manipulate them
!
redistribute static route-map static-to-bgp
!
! Setup the neighbor to actually send-community
! Cisco won't send community by default, so...
!
neighbor < transit-provider > send-community
!
! add a stanza to the route-map to set our special community to send
! along to the ISP
!
route-map static-to-bgp permit 5
match tag 12345
set community additive XXX:12345
!
! Route the attacked ip to Null0 and tag it for the route-map's use.
!
ip route 192.168.0.1 255.255.255.255 Null0 tag 12345
!
For the ISP side of the bgp peer the following needs to be done on a Cisco
!
! Filter the customer's session, you already do this, eh?
!
router bgp XXX
!
! Route-map to massage their route announcements
!
neighbor < customer-ip > route-map in-customer in
!
! Presumably you are prefix filtering your customer, you may have to
! allow your customer to send /32 prefixes to you also...
!
neighbor < customer-ip > prefix-list < listnumber > in
!
! This is required to manipulate the next-hop correctly.
! without the ebgp multi-hop the edge device will announce then withdraw
! the announcment repeatedly. This is bad news.
!
neighbor < customer-ip > ebgp multi-hop 2
!
! Add in the special handling for the in-customer route-map
!
route-map in-customer permit 5
match ip community XXX:12345
set ip next-hop < blackhole ip>
set community additive no-export
!
#
# Filter on the customer bgp session
#
set protocols bgp groupimport in-customer
#
No comments:
Post a Comment