OcNOS-RON : Layer 3 Guide : Layer 3 Unicast Configuration Guide : Static Route Discard Configuration
Static Route Discard Configuration
This chapter show how to configure the static route discard feature.
Overview
If you identify some routers/attackers distributing invalid/bogus routes just to use the resources of the device or to make the device unstable, you can configure route-map rules, discard all routes, and black hole traffic corresponding to those routes.
To so this, you add “discard” route entries for a prefix in a route map with the “set interface null0” command. You then apply that route map to a BGP neighbor.
IPv4 Route Discard
Figure 14-2 shows the configuration required to enable static route discard for IPv4.
Topology
Static route discard topology
Configuration
R1
 
R1#configure terminal
Enter configure mode
R1(config)#interface xe1
Enter interface mode for xe1
R1(config-if)#ip address 2.2.2.2/24
Assign an IP address to the interface
R1(config-if)#commit
Commit the candidate configuration to the running configuration
R1(config-if)#exit
Exit interface mode.
R1(config)#interface xe2
Enter interface mode for xe1
R1(config-if)#ip address 1.1.1.2/24
Assign an IP address to the interface
R1(config-if)#commit
Commit the candidate configuration to the running configuration
R1(config-if)#exit
Exit interface mode
R1(config)#router bgp 2
Enter BGP router mode
R1(config-router)#neighbor 2.2.2.3 remote-as 3
Create static BGP neighbor 2.2.2.3 with remote autonomous system value 3
R1(config-router)#redistribute connected
Advertise the connected network into BGP
R1(config-if)#commit
Commit the candidate configuration to the running configuration
R1(config-router)#end
Exit BGP router mode
R2
 
R2#configure terminal
Enter configure mode
R2(config)#ip prefix-list p1 permit any
Configure IP prefix list
R2(config)#route-map r1
Enter route-map mode
R2(config-route-map)#match ip address prefix-list p1
Configure match ip prefix list p1
R2(config-route-map)#set interface null0
Set the interface to null0
R2(config-if)#commit
Commit the candidate configuration to the running configuration
R2(config-route-map)#exit
Exit route-map mode.
R2(config)#interface xe1
Enter interface mode for xe1
R2(config-if)#ip address 2.2.2.3/24
Assign an IP address to the interface
R2(config-if)#commit
Commit the candidate configuration to the running configuration
R2(config-if)#exit
Exit interface mode.
R2(config)#interface xe2
Enter interface mode for xe2
R2(config-if)#ip address 3.3.3.2/24
Assign an IP address to the interface
R2(config-if)#commit
Commit the candidate configuration to the running configuration
R2(config-if)#exit
Exit interface mode
R2(config)#router bgp 3
Enter into BGP router mode
R2(config-router)#neighbor 2.2.2.2 remote-as 2
Create static BGP neighbor 2.2.2.2 with remote autonomous system value 2
R2(config-router)#neighbor 3.3.3.3 remote-as 4
Create static BGP neighbor 3.3.3.3 with remote autonomous system value 4
R2(config-router)#redistribute connected
Advertise the connected network into BGP
R2(config-router)#neighbor 2.2.2.2 route-map r1 in
Attach the route-map with route discard configured for the neighbor 2.2.2.2 in IN direction
R2(config-if)#commit
Commit the candidate configuration to the running configuration
R2(config-router)#end
Exit BGP router mode
R3
 
R3#configure terminal
Enter configure mode.
R3(config)#interface xe2
Enter interface mode for xe2
R3(config-if)#ip address 3.3.3.3/24
Assign an IP address to the interface
R3(config-if)#commit
Commit the candidate configuration to the running configuration
R3(config-if)#exit
Exit interface mode
R3(config)#interface xe1
Enter interface mode for xe1
R3(config-if)#ip address 4.4.4.2/24
Assign an IP address to the interface
R3(config-if)#commit
Commit the candidate configuration to the running configuration
R3(config-if)#exit
Exit interface mode.
R3(config)#router bgp 4
Enter into BGP router mode
R3(config-router)#neighbor 3.3.3.2 remote-as 3
Create static BGP neighbor 3.3.3.2 with remote autonomous system value 3
R3(config-router)#redistribute connected
Advertise the connected network into BGP
R3(config-if)#commit
Commit the candidate configuration to the running configuration
R3(config-router)#end
Exit BGP router.
Validation
R2#show running-config bgp
!
router bgp 3
redistribute connected
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 route-map r1 in
neighbor 3.3.3.3 remote-as 4
!
 
R2#show ip bgp
BGP table version is 3, local router ID is 2.2.2.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.0/24 2.2.2.2 0 100 0 2 ?
*> 2.2.2.0/24 0.0.0.0 0 100 32768 ?
* 2.2.2.2 0 100 0 2 ?
*> 3.3.3.0/24 0.0.0.0 0 100 32768 ?
* 3.3.3.3 0 100 0 4 ?
*> 4.4.4.0/24 3.3.3.3 0 100 0 4 ?
Total number of prefixes 4
 
 
R2#show running-config prefix-list
!
ip prefix-list p1 seq 5 permit any
!
 
R2#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
v - vrf leaked
* - candidate default
 
IP Route Table for VRF "default"
B 1.1.1.0/24 [20/0] is a summary, Null, 00:00:01
C 2.2.2.0/24 is directly connected, xe1, 00:09:57
C 3.3.3.0/24 is directly connected, xe2, 00:09:50
B 4.4.4.0/24 [20/0] via 3.3.3.3, xe2, 00:00:03
C 127.0.0.0/8 is directly connected, lo, 01:18:30
 
Gateway of last resort is not set
 
R2#show hsl nh-table
IPv4 FIB 0
0.0.0.0, Null, 00:00:00:00:00:00, Valid ,
1.1.1.0/24, Installed FORWARD
2.2.2.2, xe1, 00:18:23:26:16:45, Valid , lport:0x8000026, Egress object id:1
00004, refcnt 0, rulecnt 0
3.3.3.3, xe2, 00:18:23:cb:fb:b7, Valid , lport:0x800002a, Egress object id:1
00003, refcnt 1, rulecnt 0,
4.4.4.0/24, Installed FORWARD
 
IPv4 FIB 1 10.12.29.1, eth0, 00:00:00:00:00:00, Invalid,
, Not Installed TO_CPU
 
IPv6 FIB 0
 
IPv6 FIB 1
IPv6 Route Discard
Figure 14-2 shows the configuration required to enable static route discard for IPv6.
Configuration
R1
 
R1#configure terminal
Enter configure mode.
R1(config)#interface lo
Enter interface mode for loopback
R1(config-if)#ip address 1.1.1.2/24 secondary
Assign an IPv4 address to the interface
R1(config-if)#commit
Commit the candidate configuration to the running configuration
R1(config-if)#exit
Exit interface mode
R1(config)#interface xe1
Enter interface mode for xe1
R1(config-if)#ipv6 address 2001::2/64
Assign an IPv6 address to the interface
R1(config-if)#commit
Commit the candidate configuration to the running configuration
R1(config-if)#exit
Exit interface mode
R1(config)#interface xe2
Enter interface mode for xe2
R1(config-if)#ipv6 address 1001::2/64
Assign an IPv6 address to the interface
R1(config-if)#commit
Commit the candidate configuration to the running configuration
R1(config-if)#exit
Exit interface mode
R1(config)#router bgp 2
Enter BGP router mode
R1(config-router)#bgp router-id 1.1.1.1
Specify router ID
R1(config-router)#neighbor 2001::3 remote-as 3
Create static BGP neighbor 2001::3 with remote autonomous system value 3
R1(config-router)#address-family ipv6 unicast
Enter address family IPv6 unicast mode
R1(config-router-af)#neighbor 2001::3 activate
Activate neighbor in IPv6 address family
R1(config-router-af)#redistribute connected
Advertise the connected network into BGP
R1(config-if)#commit
Commit the candidate configuration to the running configuration
R1(config-router)#end
Exit BGP router mode
R2
 
R2#configure terminal
Enter configure mode
R2(config)#interface lo
Enter interface mode for loopback
R2(config-if)#ip address 2.2.2.2/24 secondary
Assign an IPV4 address
R2(config-router-af)#commit
Commit the candidate configuration to the running configuration
R2(config-if)#exit
Exit interface mode
R2(config)#ipv6 prefix-list p1 permit any
Configure IPv6 prefix list.
R2(config)#route-map r1
Enter route-map mode.
R2(config-route-map)#match ipv6 address prefix-list p1
Configure match IPv6 prefix list p1
R2(config-route-map)#set interface null0
Set the interface to null0
R2(config-router-af)#commit
Commit the candidate configuration to the running configuration
R2(config-route-map)#exit
Exit route-map mode
R2(config)#interface xe1
Enter interface mode for xe1
R2(config-if)#ipv6 address 2001::3/64
Assign ipv6 address to the interface
R2(config-router-af)#commit
Commit the candidate configuration to the running configuration
R2(config-if)#exit
Exit interface mode
R2(config)#interface xe2
Enter interface mode for xe2
R2(config-if)#ipv6 address 3001::2/64
Assign an IPv6 address to the interface
R2(config-if)#commit
Commit the candidate configuration to the running configuration
R2(config-if)#exit
Exit interface mode
R2(config)#router bgp 3
Enter BGP router mode
R2(config-router)#bgp router-id 2.2.2.2
Specify router ID
R2(config-router)#neighbor 2001::2 remote-as 2
Create static BGP neighbor 2001::2 with remote autonomous system value 2
R2(config-router)#neighbor 3001::3 remote-as 4
Create static BGP neighbor 3001::3 with remote autonomous system value 4
R2(config-router)#address-family ipv6 unicast
Enter address family IPv6 unicast mode
R2(config-router-af)#redistribute connected
Advertise the connected network into BGP
R2(config-router-af)#neighbor 2001::2 activate
Activate the neighbor in IPv6 address family
R2(config-router-af)#neighbor 3001::3 activate
Activate the neighbor in IPv6 address family
R2(config-router-af)#neighbor 2001::2 route-map r1 in
Attach the route-map with route discard configured for the neighbor 2001::2 in IN direction
R2(config-router-af)#commit
Commit the candidate configuration to the running configuration
R2(config-router)#end
Exit BGP router mode
R3
 
R3#configure terminal
Enter configure mode
R3(config)#interface lo
Enter interface mode for loopback
R3(config-if)#ip address 3.3.3.2/24 secondary
Assign an IPV4 address to the interface
R3(config-if)#commit
Commit the candidate configuration to the running configuration
R3(config-if)#exit
Exit interface mode
R3(config)#interface xe1
Enter interface mode for xe1
R3(config-if)#ipv6 address 4001::2/64
Assign an IPv6 address to the interface
R3(config-if)#commit
Commit the candidate configuration to the running configuration
R3(config-if)#exit
Exit interface mode
R3(config)#interface xe2
Enter interface mode for xe2
R3(config-if)#ipv6 address 3001::3/64
Assign an IPv6 address to the interface
R3(config-if)#exit
Exit interface mode
R3(config)#router bgp 4
Enter into BGP router mode
R3(config-router)#bgp router-id 3.3.3.3
Specify router ID
R3(config-router)#neighbor 3001::2 remote-as 3
Create static BGP neighbor 3001::2 with remote autonomous system value 3
R3(config-router)#address-family ipv6 unicast
Enter address family IPv6 unicast mode
R3(config-router-af)#neighbor 3001::2 activate
Activate neighbor in IPv6 address family
R3(config-router-af)#redistribute connected
Advertise the connected network into BGP
R3(config-router-af)#commit
Commit the candidate configuration to the running configuration
R3(config-router)#end
Exit BGP router mode.
Validation
R2#show running-config bgp
!
router bgp 3
bgp router-id 2.2.2.2
neighbor 2001::2 remote-as 2
neighbor 3001::3 remote-as 4
!
address-family ipv6 unicast
redistribute connected
neighbor 2001::2 activate
neighbor 2001::2 route-map r1 in
neighbor 3001::3 activate
exit-address-family
!
R2#show bgp ipv6
BGP table version is 3, local router ID is 2.2.2.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
 
Network Next Hop Metric LocPrf Weight Path
*> 1001::/64 2001::2(fe80::218:23ff:fede:eecf)
0 100 0 2?
*> 2001::/64 :: 0 100 32768 ?
* 2001::2(fe80::218:23ff:fede:eecf)
0 100 0 2?
*> 3001::/64 :: 0 100 32768 ?
* 3001::3(fe80::eef4:bbff:fe84:781b) 0 100 0 4? *> 4001::/64 3001::3(fe80::eef4:bbff:fe84:781b) 0 100 0 4?
 
Total number of prefixes 4
 
 
R2#show running-config ipv6 prefix-list
!
ipv6 prefix-list p1 seq 5 permit any
!
 
R2#
 
R2#show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, I - IS-IS, B - BGP
Timers: Uptime
 
IP Route Table for VRF "default"
C ::1/128 via ::, lo, 00:56:44
B 1001::/64 [20/0] via ::, Null, 00:00:04
C 2001::/64 via ::, xe1, 00:13:03
C 3001::/64 via ::, xe2, 00:12:56
B 4001::/64 [20/0] via fe80::eef4:bbff:fe84:781b, xe50, 00:00:02
C fe80::/64 via ::, xe50, 00:46:14
 
 
R2#show hsl nh-table
IPv4 FIB 0
 
IPv4 FIB 1
10.12.29.1, eth0, 00:00:00:00:00:00, Invalid,
, Not Installed TO_CPU
 
IPv6 FIB 0
, Null, 00:00:00:00:00:00, Valid ,
1001::/64, Installed FORWARD
2001::2, xe1, 00:18:23:de:ee:cf, Valid , lport:0x8000034, Egress object id:100003, refcnt 0, rulecnt 0
3001::3, xe2, ec:f4:bb:84:78:1b, Valid , lport:0x8000032, Egress object id:100004, refcnt 0, rulecnt 0
fe80::218:23ff:fede:eecf, xe52, 00:18:23:de:ee:cf, Valid , lport:0x8000034, Egress object id:100003, refcn
t 0, rulecnt 0
fe80::eef4:bbff:fe84:781b, xe50, ec:f4:bb:84:78:1b, Valid , lport:0x8000032, Egress object id:100004, refc
nt 1, rulecnt 0,
4001::/64, Installed FORWARD
 
IPv6 FIB 1