Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    BGP on community match "set ip next-hop 127.0.0.1" and blackhole nasty networks

    Scheduled Pinned Locked Moved
    FRR
    2
    4
    543
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • nzkiwi68N
      nzkiwi68
      last edited by

      Spamhaus have a BGP feed of nasty networks and IP addresses. I thought I'd have a go at setting it up.
      It's a paid datafeed.

      See their document here;
      https://www.deteque.com/app/uploads/2018/08/Deteque_Technical_BGP_Manual_082018.pdf

      The bit I'm struggling with is how to get a route-map, or, a community match to set ip next-hop to the IP of my choice and thereby blackhole the networks received over the ASN.

      Here's a snip from their BGP setup instructions (for Cisco, obviously not tailored for FRR and pfSense)

      route-map Spamhaus-BGPf permit 1000
description DROP
match community SH-DROP
set local-preference 40000
set ip next-hop 192.0.2.1
set community no-export additive route-map Spamhaus-BGPf permit 2000 description EDROP
match community SH-EDROP
set local-preference 40000
set ip next-hop 192.0.2.1
set community no-export additive route-map Spamhaus-BGPf permit 3000 description BGPCC
match community SH-BGPCC
set local-preference 40000set ip next-hop 192.0.2.1
set community no-export additive
      1 Reply Last reply Reply Quote 0
      • Z
        Zawi
        last edited by

        What are you trying to do? blocking networks that advertised from neighbors ?

        nzkiwi68N 1 Reply Last reply Reply Quote 0
        • nzkiwi68N
          nzkiwi68 @Zawi
          last edited by

          @Zawi said in BGP on community match "set ip next-hop 127.0.0.1" and blackhole nasty networks:

          What are you trying to do? blocking networks that advertised from neighbors ?

          Sort of.

          Spamhaus via a paid subscription BGP feed provide BGP routes of nasty networks that I would like to blackhole, that is ensure that routing to those networks goes nowhere.

          I want to learn these routes, put them in my routing table, routing to nowhere.

          1 Reply Last reply Reply Quote 0
          • Z
            Zawi
            last edited by

            Use Prefix Lists :
            FRR Global Settings/Zebra > Prefix Lists
            then apply on neighbors:
            Services>FRR>BGP>Edit>Neighbors >> Peer Filtering>Prefix List Filter(Inbound )

            Configuration:

            Prefix Lists

            ip prefix-list testd seq 10 permit 10.10.10.0/24
            ip prefix-list testd description

            Before prefix list
            *>i10.10.10.0/24 172.21.11.105 1 100 0 ?
            *>i20.20.20.0/24 172.21.11.105 1 100 0 ?
            *>xxxxxxxxxx/19 172.21.11.105 1 100 0 ?
            *>i70.xxxxxxx/30 172.21.11.105 1 100 0 ?
            *>i100.100.100.0/24 172.21.11.105 1 100 0 ?
            *>i172.21.xx.xx/24 172.21.11.105 0 100 0 i
            *>i172.21.xx.xx/27 172.21.11.105 1 100 0 ?
            *>i172.21.1x.xx/29 172.21.11.105 1 100 0 ?

            after applying
            Network Next Hop Metric LocPrf Weight Path
            *>i10.10.10.0/24 172.21.11.105 1 100 0 ?

            1 Reply Last reply Reply Quote 0
            • First post
              Last post