Re: [j-nsp] BGP route announcements and Blackholes
On Tue, 19 Mar 2024 at 19:44, Lee Starnes via juniper-nsp wrote:
> The blackhole peer does receive the /32 announcement, but the aggregate
> route also becomes discarded and thus routes to the other peers stop
> working.

I couldn't follow this, and the output you shared didn't support it. So it is not clear to me what the actual problem is.

Of course if you want a blackhole, you want an internal blackhole too, so internally you are going to add some route to discard, and this is the route you'd leak to upstream. How this would impact the next-hop type or readvertisability of the aggregate is unclear to me, unless you're blackholing the next-hop of some route.

--
  ++ytti
___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
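The "internal blackhole, then leak only that route" pattern described above, written out as an added Junos configuration example for this page. It is not configuration from any poster in the thread or from Juniper documentation. Everything in it is a placeholder assumption: the /19 is 10.42.0.0/19 (standing in for the x.x.0.0/19 on the page), the attacked host is 10.42.22.12, the local AS is 65000, the marker community is 65000:666, the blackhole peer is 203.0.113.1 in AS 64500 and the transit peer is 203.0.113.9 in AS 64496.

```junos
/* Added example, not from the thread. All addresses, AS numbers, community
   values and policy names are placeholders chosen for this illustration. */
routing-options {
    static {
        /* Internal blackhole for the attacked host. The discard next hop drops
           the traffic on this router; the community marks the route so that
           only this kind of route is exported to the blackhole peer. */
        route 10.42.22.12/32 {
            discard;
            community 65000:666;
        }
    }
    aggregate {
        /* Covering /19 for the transit announcement. A more specific /32 in
           the table does not change this route; longest match only affects
           lookups for 10.42.22.12 itself. */
        route 10.42.0.0/19;
    }
}
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement EXPORT-TO-RTBH {
        /* Leak only locally originated /32 discard routes that carry the
           blackhole community. Nothing else, in particular not the /19. */
        term host-blackholes {
            from {
                protocol static;
                community BLACKHOLE;
                route-filter 10.42.0.0/19 prefix-length-range /32-/32;
            }
            then accept;
        }
        term nothing-else {
            then reject;
        }
    }
    policy-statement EXPORT-TO-TRANSIT {
        /* Announce the /19 exactly. No protocol match here on purpose: on the
           page the active /19 is the OSPF route, not the inactive aggregate,
           and export policy only sees the active route. */
        term covering-prefix {
            from {
                route-filter 10.42.0.0/19 exact;
            }
            then accept;
        }
        term nothing-else {
            /* The /32 blackhole and any internal more specifics stay inside. */
            then reject;
        }
    }
}
protocols {
    bgp {
        group rtbh {
            type external;
            peer-as 64500;
            export EXPORT-TO-RTBH;
            neighbor 203.0.113.1;
        }
        group transit {
            type external;
            peer-as 64496;
            export EXPORT-TO-TRANSIT;
            neighbor 203.0.113.9;
        }
    }
}
```

To check the result on the box: `show route 10.42.22.12` should show the Static/5 route with a Discard next hop, `show route 10.42.22.10` should still resolve to the /19 (the /32 only wins for its own address), `show route advertising-protocol bgp 203.0.113.1` should list nothing but the /32, and `show route advertising-protocol bgp 203.0.113.9` should list nothing but the /19. If the intent is instead to advertise the /32 to the blackhole peer without dropping the traffic locally, the `no-install` option on the static route mentioned earlier in the thread keeps it out of the forwarding table, at the cost of this router continuing to forward the attack traffic until the upstream drops it.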
Re: [j-nsp] BGP route announcements and Blackholes
What about no-install https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/no-install-edit-protocols.html ?

On Tue, 19 Mar 2024 at 10:44, Lee Starnes via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
> Hello Juniper gurus. I am seeing an issue where we have a carrier that does
> RTBH via BGP announcement rather than community strings. This is done via
> BGP peer to a blackhole BGP router/server.
>
> My issue here is that our aggregate IP block that is announced to our
> backbone providers gets impacted when creating a /32 static discard route
> to announce to that blackhole peer.
>
> The blackhole peer does receive the /32 announcement, but the aggregate
> route also becomes discarded and thus routes to the other peers stop
> working.
>
> Been trying to determine just how to accomplish this function without
> killing all routes.
>
> So we have several /30 to /23 routes within our /19 block that are
> announced via OSPF from our switches to the routers. The routers aggregate
> these to the /19 to announce the entire larger block to the backbone
> providers.
>
> The blackhole peer takes routes down to a /32 for mitigation of an attack.
> If we add a static route as "route x.x.22.12/32 discard" we get:
>
> show route x.x.22.10
>
> inet.0: 931025 destinations, 2787972 routes (931025 active, 0 holddown, 0 hidden)
> @ = Routing Use Only, # = Forwarding Use Only
> + = Active Route, - = Last Active, * = Both
>
> x.x.0.0/19         *[OSPF/125] 5d 19:26:19, metric 20, tag 0
>                     >  to 10.20.20.3 via ae0.0
>                     [Aggregate/130] 5d 20:18:36
>                        Reject
>
> While we see the more specific route as discard:
>
> show route x.x.22.12
>
> inet.0: 931022 destinations, 2787972 routes (931022 active, 0 holddown, 0 hidden)
> @ = Routing Use Only, # = Forwarding Use Only
> + = Active Route, - = Last Active, * = Both
>
> x.x.22.12/32       *[Static/5] 5d 20:20:07
>                        Discard
>
> Does anyone have a working config for this type of setup that might be able
> to share some tips or the likes on what I need to do or what I'm doing
> wrong?
>
> Best,
>
> -Lee
[j-nsp] BGP route announcements and Blackholes
Hello Juniper gurus. I am seeing an issue where we have a carrier that does RTBH via BGP announcement rather than community strings. This is done via BGP peer to a blackhole BGP router/server.

My issue here is that our aggregate IP block that is announced to our backbone providers gets impacted when creating a /32 static discard route to announce to that blackhole peer.

The blackhole peer does receive the /32 announcement, but the aggregate route also becomes discarded and thus routes to the other peers stop working.

Been trying to determine just how to accomplish this function without killing all routes.

So we have several /30 to /23 routes within our /19 block that are announced via OSPF from our switches to the routers. The routers aggregate these to the /19 to announce the entire larger block to the backbone providers.

The blackhole peer takes routes down to a /32 for mitigation of an attack. If we add a static route as "route x.x.22.12/32 discard" we get:

show route x.x.22.10

inet.0: 931025 destinations, 2787972 routes (931025 active, 0 holddown, 0 hidden)
@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both

x.x.0.0/19         *[OSPF/125] 5d 19:26:19, metric 20, tag 0
                    >  to 10.20.20.3 via ae0.0
                    [Aggregate/130] 5d 20:18:36
                       Reject

While we see the more specific route as discard:

show route x.x.22.12

inet.0: 931022 destinations, 2787972 routes (931022 active, 0 holddown, 0 hidden)
@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both

x.x.22.12/32       *[Static/5] 5d 20:20:07
                       Discard

Does anyone have a working config for this type of setup that might be able to share some tips or the likes on what I need to do or what I'm doing wrong?

Best,

-Lee