2014-04-22 17:54 GMT+02:00 Laurent CARON <lca...@unix-scripts.info>:
> On 22/04/2014 17:41, Tristan PILAT wrote:
>
>> Yes but how to do that without hard-coding the network of the customer, like
>> in this rule:
>> allow from group "customers" community 64514:888 prefix
>> 192.0.33.0/24 prefixlen = 32 set nexthop blackhole
>>
>
> Don't you already filter your customers' announcements?
>
That's just a template to show how to use RTBH, so the configuration is very simple.

#BGP1
AS 64514
router-id 172.0.0.2
listen on 172.0.0.2
network 192.0.32.0/24

group "customers" {
        remote-as 64515
        neighbor 172.0.0.3 {
                descr "AS 64515"
                announce all
        }
}

deny from any
# accept only /32 host routes inside the customer's prefix that carry the blackhole community
allow from group "customers" community 64514:888 inet prefix 192.0.33.0/24 prefixlen = 32 set nexthop blackhole
#allow from group "customers" community 64514:999 prefixlen = 32 set pftable dos
allow from any inet prefixlen 8 - 24

#BGP2
AS 64515
router-id 172.0.0.3
listen on 172.0.0.3
network 192.0.33.0/24

group "providers" {
        remote-as 64514
        neighbor 172.0.0.2 {
                descr "AS 64514"
                announce all
        }
}

deny from any
allow from any inet prefixlen 8 - 24
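The question in the thread is how to avoid hard-coding each customer's network into the blackhole rule. One way to keep the rule tied to the customer's own address space is to generate it from the customer prefix list and to check, for each received /32, that it falls inside one of those prefixes. The following Python is an added example written for this thread, not something from the original posts or from bgpd itself; the AS numbers, community and prefix are the ones from the template above, and the customer prefix list is a constructed assumption.

```python
import ipaddress

# Constructed example inputs: AS 64514, community 64514:888 and the
# 192.0.33.0/24 customer prefix come from the template in the thread;
# that a group maps to a list of customer prefixes is an assumption.
LOCAL_AS = 64514
BLACKHOLE_COMMUNITY = f"{LOCAL_AS}:888"
CUSTOMER_PREFIXES = {
    "customers": [ipaddress.ip_network("192.0.33.0/24")],
}


def blackhole_rules(customers, community=BLACKHOLE_COMMUNITY):
    """Render one bgpd filter rule per customer prefix, so the /32 blackhole
    rule is derived from the customer's prefix list instead of typed by hand."""
    lines = []
    for group, prefixes in customers.items():
        for net in prefixes:
            lines.append(
                f'allow from group "{group}" community {community} '
                f'inet prefix {net} prefixlen = 32 set nexthop blackhole'
            )
    return lines


def accepts_blackhole(customers, group, prefix, communities):
    """Mirror the intent of the generated rule: accept only an IPv4 host
    route (/32) tagged with the blackhole community whose address lies in
    one of the prefixes this customer group is allowed to announce."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        return False          # blackholes are limited to single hosts
    if BLACKHOLE_COMMUNITY not in communities:
        return False          # no community, no blackhole
    # The /32 must be covered by a prefix that belongs to this customer,
    # so a customer cannot blackhole someone else's address.
    return any(net.subnet_of(cust) for cust in customers.get(group, []))


if __name__ == "__main__":
    print("\n".join(blackhole_rules(CUSTOMER_PREFIXES)))
```

The generated lines can be pasted into the filter section of bgpd.conf in place of the hand-written rule, and regenerated whenever the customer prefix list changes.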