Doing IPv4 first: route-map black-hole-trigger permit 10 To do all this, first we create route-maps for IPv4 and for IPv6 to look for this special static route.
As you learned in the presentation, this destination can be anywhere in the Internet (which of course includes the local AS). We will tag that static route in a special way such that our router configuration will redistribute it into and announce it by BGP with a next-hop pointing to the configured discard address. The simple way to apply RTBH to a destination we want to block is to set up a static route to Null for that destination. Remember that the Null interface is a silent discard interface on a hardware router - packets sent here are completely dropped by the interface hardware itself. Destinations we want to drop will have their respective IPv4 and IPv6 next-hops changed to these two addresses, which will cause all traffic to those destinations to be dropped into the Null interface on the router. These two host addresses are the next-hop targets for the RTBH configuration. (The Customer Router doesn’t get this configuration, it’s not part of our AS.) We will set up static routes for the discard route on all 5 routers (we now have a Trigger Router too) in our AS, like this: ip route 192.0.2.1 255.255.255.255 Null0 The equivalent IPv6 address block is 100::/64, defined by IANA as the Discard Prefix (refer to the presentation). The IPv4 address block 192.0.2.0/24 is a TEST network and is commonly used to support RTBH. The next step is to prepare the routers across our AS to support RTBH filtering. Neighbor 2001:DB8:3::5 description iBGP with Trigger Neighbor 2001:DB8:3::5 peer-group ibgpv6-partial Neighbor 100.68.3.5 description iBGP with Trigger Neighbor 100.68.3.5 peer-group ibgp-partial The interface configuration on the Core Router for the connection to the Trigger Router is our standard secure best practice, as we’ve seen before: interface FastEthernet3/0ĭescription P2P Ethernet Link to TriggerXĪnd the extra BGP configuration on the Core Router would look something like this: router bgp 30 Note that you will need to add the Trigger Router to the iBGP on the Core Router too. If you do all that, the configuration should look something like what is documented in Appendix A. Refer back to the Setup Lab to do the basic configuration for the router, the IS-IS Lab to add the router to the AS’s IGP, the Securing Router Lab to secure the router, the IBGP Lab to add the router to the iBGP, and the Communities Lab to include the Community Policy that was set earlier. This will prepare us for the following lab which will demonstrate RTBH filtering between two different groups (mapping on to how one network operator will send a trigger to their upstream provider to help deal with a Distributed Denial of Service Attack).Ĭonfiguration Stages Configuring the Trigger RouterĪs mentioned earlier, this lab introduces a new router, a Trigger Router, which will be used to implement our RTBH lab.
This lab will set up RTBH filtering within each group’s network.
0 kommentar(er)
