Re: [j-nsp] need HELP black holing a /32 via BGP community.

2016-09-18 Thread Chuck Anderson 
You can also directly set the communities on the static route, making
the BGP policy unnecessary:

set routing-options static route A.B.C.D/32 discard community [ 7922:666 
1239:66 ]

On Thu, Sep 15, 2016 at 05:12:34PM +, Matthew Crocker wrote:
> 
> 
> 
> Static /32 is in and  Sprint (AS1239) uses 1239:66 as the blackhole 
> community.   Some use 666, some have 911
> 
> I think it is working, just need to dig into some looking glasses to see what 
> the world sees.
> 
> Thanks again.
> 
> From: Dave Bell <m...@geordish.org>
> Date: Thursday, September 15, 2016 at 1:02 PM
> To: Matthew Crocker <matt...@corp.crocker.com>
> Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> Subject: Re: [j-nsp] need HELP black holing a /32 via BGP community.
> 
> Looks good. You may just want to add a /32 route so you have one to send.
> 
> set routing-options static route A.B.C.D/32 discard
> 
> Looks like you may be missing a 6 from a community too?
> 
> Regards,
> Dave
> 
> On 15 September 2016 at 17:53, Matthew Crocker 
> <matt...@corp.crocker.com<mailto:matt...@corp.crocker.com>> wrote:
> 
> 
> Hello,
> 
> I have a /32 that I need to add a community to so get my upstreams to 
> blackhole the traffic.
> 
> Can anyone send me any points on how to do that?
> 
> I have:
> 
> policy-statement pl-blackhole {
> term match-route {
> from {
> prefix-list blackhole-prefixes;
> }
> }
> then {
> community add blackhole;
> accept;
> }
> }
> 
> 
> prefix-list blackhole-prefixes {
> A.B.C.D/32;
> }
> 
> community blackhole members [ 7922:666 1239:66 ];
> 
> 
> 
> I’ve added pl-blockhole to my upstream BGP group export statement.
> 
> Am I on the right track?  What am I missing?
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] need HELP black holing a /32 via BGP community.

2016-09-15 Thread Michael Loftis 
On Thu, Sep 15, 2016 at 10:10 AM, Matthew Crocker
 wrote:
>
>
> Route table inet.0  has
>
>
> A.B.C.D/32 *[Static/5] 00:27:29
>   Discard
>
>
> run show route advertising-protocol bgphas
> • A.B.C.D/32  SelfI
>
>
>
> How can I check the community on the outgoing announcements?
>
>
>
> I think it is working, just need to verify and add all my other upstreams
>
> Thanks

sh ro adv bgp  detail  (also see extensive etc)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] need HELP black holing a /32 via BGP community.

2016-09-15 Thread Matthew Crocker 



Static /32 is in and  Sprint (AS1239) uses 1239:66 as the blackhole community.  
 Some use 666, some have 911

I think it is working, just need to dig into some looking glasses to see what 
the world sees.

Thanks again.

From: Dave Bell <m...@geordish.org>
Date: Thursday, September 15, 2016 at 1:02 PM
To: Matthew Crocker <matt...@corp.crocker.com>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] need HELP black holing a /32 via BGP community.

Looks good. You may just want to add a /32 route so you have one to send.

set routing-options static route A.B.C.D/32 discard

Looks like you may be missing a 6 from a community too?

Regards,
Dave

On 15 September 2016 at 17:53, Matthew Crocker 
<matt...@corp.crocker.com<mailto:matt...@corp.crocker.com>> wrote:


Hello,

I have a /32 that I need to add a community to so get my upstreams to blackhole 
the traffic.

Can anyone send me any points on how to do that?

I have:

policy-statement pl-blackhole {
term match-route {
from {
prefix-list blackhole-prefixes;
}
}
then {
community add blackhole;
accept;
}
}


prefix-list blackhole-prefixes {
A.B.C.D/32;
}

community blackhole members [ 7922:666 1239:66 ];



I’ve added pl-blockhole to my upstream BGP group export statement.

Am I on the right track?  What am I missing?



--
Matthew Crocker
President – Crocker Communications
matt...@corp.crocker.com<mailto:matt...@corp.crocker.com><mailto:matt...@corp.crocker.com<mailto:matt...@corp.crocker.com>>

___
juniper-nsp mailing list 
juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net>
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] need HELP black holing a /32 via BGP community.

2016-09-15 Thread Matthew Crocker 


Route table inet.0  has


A.B.C.D/32 *[Static/5] 00:27:29
  Discard


run show route advertising-protocol bgphas
• A.B.C.D/32  SelfI



How can I check the community on the outgoing announcements?



I think it is working, just need to verify and add all my other upstreams

Thanks




On 9/15/16, 12:55 PM, "Jared Mauch"  wrote:


> On Sep 15, 2016, at 12:53 PM, Matthew Crocker  
wrote:
> 
> Am I on the right track?  What am I missing?

Are you generating the route as a /32 as well?

- jared

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] need HELP black holing a /32 via BGP community.

2016-09-15 Thread Michael Loftis 
On Thu, Sep 15, 2016 at 9:55 AM, Jared Mauch  wrote:
>
>> On Sep 15, 2016, at 12:53 PM, Matthew Crocker  
>> wrote:
>>
>> Am I on the right track?  What am I missing?
>
> Are you generating the route as a /32 as well?

Jared's exactly right, you'll need a static, or IGP or other route in
the RIB so that BGP sees that and tags it, but you're on the exact
right path IMO which is to say that's exactly how I do it.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] need HELP black holing a /32 via BGP community.

2016-09-15 Thread Dave Bell 
Looks good. You may just want to add a /32 route so you have one to send.

set routing-options static route A.B.C.D/32 discard

Looks like you may be missing a 6 from a community too?

Regards,
Dave

On 15 September 2016 at 17:53, Matthew Crocker 
wrote:

>
>
> Hello,
>
> I have a /32 that I need to add a community to so get my upstreams to
> blackhole the traffic.
>
> Can anyone send me any points on how to do that?
>
> I have:
>
> policy-statement pl-blackhole {
> term match-route {
> from {
> prefix-list blackhole-prefixes;
> }
> }
> then {
> community add blackhole;
> accept;
> }
> }
>
>
> prefix-list blackhole-prefixes {
> A.B.C.D/32;
> }
>
> community blackhole members [ 7922:666 1239:66 ];
>
>
>
> I’ve added pl-blockhole to my upstream BGP group export statement.
>
> Am I on the right track?  What am I missing?
>
>
>
> --
> Matthew Crocker
> President – Crocker Communications
> matt...@corp.crocker.com
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] need HELP black holing a /32 via BGP community.

2016-09-15 Thread Jared Mauch 

> On Sep 15, 2016, at 12:53 PM, Matthew Crocker  
> wrote:
> 
> Am I on the right track?  What am I missing?

Are you generating the route as a /32 as well?

- jared
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] need HELP black holing a /32 via BGP community.

2016-09-15 Thread Matthew Crocker 


Hello,

I have a /32 that I need to add a community to so get my upstreams to blackhole 
the traffic.

Can anyone send me any points on how to do that?

I have:

policy-statement pl-blackhole {
term match-route {
from {
prefix-list blackhole-prefixes;
}
}
then {
community add blackhole;
accept;
}
}


prefix-list blackhole-prefixes {
A.B.C.D/32;
}

community blackhole members [ 7922:666 1239:66 ];



I’ve added pl-blockhole to my upstream BGP group export statement.

Am I on the right track?  What am I missing?



--
Matthew Crocker
President – Crocker Communications
matt...@corp.crocker.com

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp