BGP Blackhole Community Attribute
A blackhole route forwards unwanted or undesirable traffic into a black hole. The black hole is created with a special logical interface called a null interface: static routes are created for the undesirable destinations, and the static route configuration points to the null interface. Any traffic whose destination address best matches a black hole static route is dropped automatically.
• 65535:666 is reserved for the Blackhole community.
• The BGP blackhole community is supported only for the unicast address-family.
Topology
Figure 53. BGP Blackhole Community Attribute topology
Configuration
R1
| Command | Description |
|---|---|
| #configure terminal | Enter Configure mode. |
| (config)#interface xe5 | Enter Interface mode |
| (config-if)#ip address 5.5.5.1/24 | Assign IP address to interface |
| (config-if)#exit | Exit interface mode |
| (config)#interface xe20 | Enter Interface mode |
| (config-if)#ip address 20.1.1.1/24 | Assign IP address to interface |
| (config-if)#exit | Exit interface mode |
| (config)#router bgp 100 | Enter Router BGP mode |
| (config-router)#neighbor 5.5.5.2 remote-as 200 | Define BGP neighbors. 5.5.5.2 is the IP address of the neighbor (R2) and 200 is the neighbor's AS number |
| (config-router)#address-family ipv4 unicast | Enter into BGP address family IPv4 |
| (config-router-af)#neighbor 5.5.5.2 activate | Activate the neighbor |
| (config-router-af)#network 20.1.1.0/24 | Advertise networks with prefix |
| (config-router-af)#commit | Commit the configurations |
| (config-router-af)#end | Return to privilege mode |
R2
| Command | Description |
|---|---|
| #configure terminal | Enter Configure mode. |
| (config)#interface xe5 | Enter Interface mode |
| (config-if)#ip address 5.5.5.2/24 | Assign IP address to interface |
| (config-if)#exit | Exit interface mode |
| (config)#interface xe1 | Enter Interface mode |
| (config-if)#ip address 1.1.1.2/24 | Assign IP address to interface |
| (config-if)#exit | Exit interface mode |
| (config)#router bgp 200 | Enter Router BGP mode |
| (config-router)#neighbor 5.5.5.1 remote-as 100 | Define BGP neighbors. 5.5.5.1 is the IP address of the neighbor (R1) and 100 is the neighbor's AS number |
| (config-router)#neighbor 1.1.1.1 remote-as 300 | Define BGP neighbors. 1.1.1.1 is the IP address of the neighbor (R3) and 300 is the neighbor's AS number |
| (config-router)#address-family ipv4 unicast | Enter into BGP address family IPv4 |
| (config-router-af)#neighbor 5.5.5.1 activate | Activate the neighbor |
| (config-router-af)#neighbor 1.1.1.1 activate | Activate the neighbor |
| (config-router-af)#commit | Commit the configurations |
| (config-router-af)#end | Return to privilege mode |
R3
| Command | Description |
|---|---|
| #configure terminal | Enter Configure mode. |
| (config)#interface xe1 | Enter Interface mode |
| (config-if)#ip address 1.1.1.1/24 | Assign IP address to interface |
| (config-if)#exit | Exit interface mode |
| (config)#interface xe18 | Enter Interface mode |
| (config-if)#ip address 18.1.1.1/24 | Assign IP address to interface |
| (config-if)#exit | Exit interface mode |
| (config)#router bgp 300 | Enter Router BGP mode |
| (config-router)#neighbor 1.1.1.2 remote-as 200 | Define BGP neighbors. 1.1.1.2 is the IP address of the neighbor (R2) and 200 is the neighbor's AS number |
| (config-router)#address-family ipv4 unicast | Enter into BGP address family IPv4 |
| (config-router-af)#neighbor 1.1.1.2 activate | Activate the neighbor |
| (config-router-af)#network 18.1.1.0/24 | Advertise networks with prefix |
| (config-router-af)#commit | Commit the configurations |
| (config-router-af)#end | Return to privilege mode |
Black Hole configuration on R3
| Command | Description |
|---|---|
| #configure terminal | Enter Configure mode. |
| (config)#route-map D permit 10 | Enter Route-map mode to set the match operation |
| (config-route-map)#set community no-export 65535:666 additive | Configure Reserved Black hole community in Route-map mode |
| (config-route-map)#commit | Commit the configuration |
| (config-route-map)#exit | Return to configuration mode |
| (config)#router bgp 300 | Enter Router BGP mode |
| (config-router)#address-family ipv4 unicast | Enter into BGP address family IPv4 |
| (config-router-af)#neighbor 1.1.1.2 route-map D out | Apply Route-map for the neighbor 1.1.1.2 in out direction |
| (config-router-af)#commit | Commit the configurations |
| (config-router-af)#end | Return to privilege mode |
| #clear ip bgp * soft out | Soft reset after applying Route-map |
Validation
R2
The following provides the R2 validation:
# show ip bgp community
BGP table version is 4, local router ID is 5.5.5.2
Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 18.1.1.0/24 1.1.1.1 0 100 0 300 i
Total number of prefixes 1
#show ip bgp 18.1.1.0/24
BGP routing table entry for 18.1.1.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
Not advertised to any peer
AS path:300
Nexthop:1.1.1.1 from 1.1.1.1 (Remote Id:1.1.1.1)
Origin IGP, metric 0, localpref 100 valid, external, best, source safi: 1
Community: 65535:666 no-export
Not advertised to any peer
Last update: Tue Apr 16 21:48:01 2019
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
IP Route Table for VRF "default"
C 1.1.1.0/24 is directly connected, xe1, 00:10:22
C 5.5.5.0/24 is directly connected, xe5, 00:10:49
B 18.1.1.0/24 [20/0] is a summary, Null, 00:02:00
B 20.1.1.0/24 [20/0] via 5.5.5.1, xe5, 00:05:46
C 127.0.0.0/8 is directly connected, lo, 00:35:31
Gateway of last resort is not set
R1
The following provides the R1 validation:
#sh ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
IP Route Table for VRF "default"
C 5.5.5.0/24 is directly connected, xe5, 00:15:41
C 20.1.1.0/24 is directly connected, xe20, 00:14:06
C 127.0.0.0/8 is directly connected, lo, 00:37:28
Gateway of last resort is not set
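A check for the R2 validation above, as an added example that is not part of the original page or of the vendor's tooling: it parses the show ip bgp <prefix> and show ip route text and reports any prefix tagged 65535:666 that is not installed to Null or that lacks no-export. The function names are hypothetical, and the sample text is an abridged copy of the R2 output shown on this page.

```python
import re

BLACKHOLE = "65535:666"  # reserved blackhole community, per this page

# Sample input: abridged R2 validation output from this page, embedded for offline use.
BGP_ENTRY = """\
BGP routing table entry for 18.1.1.0/24
AS path:300
Nexthop:1.1.1.1 from 1.1.1.1 (Remote Id:1.1.1.1)
Community: 65535:666 no-export
"""
ROUTE_TABLE = """\
C 1.1.1.0/24 is directly connected, xe1, 00:10:22
C 5.5.5.0/24 is directly connected, xe5, 00:10:49
B 18.1.1.0/24 [20/0] is a summary, Null, 00:02:00
B 20.1.1.0/24 [20/0] via 5.5.5.1, xe5, 00:05:46
"""

def parse_bgp_entry(text):
    """Return (prefix, set of communities) from 'show ip bgp <prefix>' output."""
    head = re.search(r"routing table entry for (\S+)", text)
    if head is None:
        raise ValueError("no 'routing table entry for' line found")
    comm = re.search(r"^Community:\s*(.+)$", text, re.M)
    communities = set(comm.group(1).split()) if comm else set()
    return head.group(1), communities

def null_routed_prefixes(route_table):
    """Prefixes whose BGP route in 'show ip route' points at the Null interface."""
    found = set()
    for line in route_table.splitlines():
        m = re.match(r"B\s+(\S+)\s+\[\d+/\d+\]\s+(.*)", line.strip())
        if m and re.search(r"\bNull\b", m.group(2)):
            found.add(m.group(1))
    return found

def audit(bgp_entry, route_table):
    """Return a list of findings; empty means the route matches this page's result."""
    prefix, communities = parse_bgp_entry(bgp_entry)
    if BLACKHOLE not in communities:
        return []  # not a blackhole route, nothing to verify
    findings = []
    if prefix not in null_routed_prefixes(route_table):
        findings.append(f"{prefix}: tagged {BLACKHOLE} but not installed to Null")
    if "no-export" not in communities:
        findings.append(f"{prefix}: tagged {BLACKHOLE} without no-export")
    return findings

if __name__ == "__main__":
    print(audit(BGP_ENTRY, ROUTE_TABLE) or "blackhole route verified")
```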