
How do I set up a "blackhole" for specific BGP route(s) on a firewall?


Article ID: KB13828 | Last Updated: 28 May 2009 | Version: 1.0
Summary:
Specific routes learned from BGP need to be sent to a "blackhole" (installed with a next hop that discards traffic) rather than simply denied, because of security concerns about the traffic destined for those routes.
Symptoms:
The normal way to keep BGP routes out is to set up an access list and specify a deny for those routes. A deny only keeps the route out of the table; packets for those destinations can still be forwarded along whatever other route (for example a default route) remains. In this situation, for security reasons, the customer needed that traffic to be discarded outright, so it was sent to a "blackhole" instead.
Solution:
The solution is to rewrite the next hop of the affected routes to a placeholder IP address and to establish a static route on the firewall that points that address at the null interface, so traffic for those prefixes is dropped rather than forwarded.
Here is an example:

set neighbor 10.0.0.222 route-map "blackhole" in
set community-list 1 permit 12345
    NOTE: 12345 is the community string to block.
exit
set access-list 1
set access-list 1 permit ip 0.0.0.0/0 1

set route-map name "blackhole" permit 1
    NOTE: you can also use deny here if you want to deny the routes carrying the specific community instead of blackholing them.
set match community 1
    NOTE: this is where the community string is matched.
set next-hop 3.3.3.3
    NOTE: routes carrying the community get their next hop rewritten to 3.3.3.3.
exit
set route-map name "blackhole" permit 2
    NOTE: this second route-map entry is evaluated for routes that did not match the community string above.
set match ip 1
    NOTE: this is where the IP address is matched against access-list 1, and the route is added as normal.
exit

unset add-default-route
set route 3.3.3.3/32 interface null
    NOTE: this is the final piece, where the route to 3.3.3.3 is set to the null interface.
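To make the interaction between the two route-map entries and the null route concrete, the following Python model is an added example (not part of this KB article and not ScreenOS code). It evaluates the route-map with first-match semantics, rewrites the next hop for routes carrying the blocked community, and then resolves the next hop against the static table to show which prefixes end up on the null interface. The community 12345, the next hop 3.3.3.3 and the neighbor 10.0.0.222 are taken from the article; the sample prefixes, the default route via ethernet1 and the simplified "access-list 1 matches any prefix" behaviour are constructed assumptions.

```python
"""Model of the KB13828 blackhole: route-map evaluation plus next-hop resolution."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BLOCK_COMMUNITY = "12345"        # community-list 1 permit 12345 (from the article)
BLACKHOLE_NEXT_HOP = "3.3.3.3"   # set next-hop 3.3.3.3 (from the article)


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    communities: tuple = ()


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    permit: bool
    match_community: Optional[str] = None   # None means no community clause
    match_any_prefix: bool = False          # models "access-list 1 permit ip 0.0.0.0/0"
    set_next_hop: Optional[str] = None


# Route-map "blackhole" exactly as the article configures it: entry 1 rewrites the
# next hop of community-tagged routes, entry 2 accepts everything else unchanged.
BLACKHOLE_ROUTE_MAP = (
    RouteMapEntry(1, True, match_community=BLOCK_COMMUNITY, set_next_hop=BLACKHOLE_NEXT_HOP),
    RouteMapEntry(2, True, match_any_prefix=True),
)

# The alternative the article mentions: "deny" in entry 1 rejects the route instead.
DENY_ROUTE_MAP = (
    RouteMapEntry(1, False, match_community=BLOCK_COMMUNITY),
    RouteMapEntry(2, True, match_any_prefix=True),
)

# Static table: the article's /32 to the null interface plus a constructed default
# route so that ordinary next hops resolve somewhere.
STATIC_ROUTES = (
    (ip_network("3.3.3.3/32"), "null"),
    (ip_network("0.0.0.0/0"), "ethernet1"),
)

# Constructed sample of updates received from neighbor 10.0.0.222.
SAMPLE_UPDATES = (
    BgpRoute("192.0.2.0/24", "10.0.0.222", ("65000:100",)),
    BgpRoute("198.51.100.0/24", "10.0.0.222", ("12345",)),
    BgpRoute("203.0.113.0/24", "10.0.0.222", ("12345", "65000:100")),
)


def entry_matches(entry: RouteMapEntry, route: BgpRoute) -> bool:
    """All match clauses of an entry must succeed; an entry with no clauses matches all."""
    if entry.match_community is not None and entry.match_community not in route.communities:
        return False
    return True  # match_any_prefix (0.0.0.0/0) is satisfied by every prefix


def apply_route_map(route: BgpRoute, entries) -> Optional[BgpRoute]:
    """First matching entry wins; a deny entry or no match at all rejects the route."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry_matches(entry, route):
            if not entry.permit:
                return None
            next_hop = entry.set_next_hop or route.next_hop
            return BgpRoute(route.prefix, next_hop, route.communities)
    return None  # implicit deny at the end of the route-map


def resolve_next_hop(next_hop: str, static_routes=STATIC_ROUTES) -> str:
    """Longest-prefix match of the next hop against the static table; returns the interface."""
    addr = ip_address(next_hop)
    candidates = [net for net, _ in static_routes if addr in net]
    if not candidates:
        return "unresolved"
    best = max(candidates, key=lambda net: net.prefixlen)
    return dict(static_routes)[best]


def install(received, route_map=BLACKHOLE_ROUTE_MAP, static_routes=STATIC_ROUTES) -> dict:
    """Return, per prefix, where traffic for it would be sent after both steps."""
    outcome = {}
    for route in received:
        accepted = apply_route_map(route, route_map)
        if accepted is None:
            outcome[route.prefix] = "rejected by route-map"
            continue
        iface = resolve_next_hop(accepted.next_hop, static_routes)
        outcome[route.prefix] = f"{accepted.next_hop} via {iface}"
    return outcome


if __name__ == "__main__":
    for prefix, result in install(SAMPLE_UPDATES).items():
        print(f"{prefix:18} -> {result}")
```

Running the block shows the two community-tagged prefixes installed with next hop 3.3.3.3 via null (packets discarded) and the untagged prefix forwarded normally; swapping in DENY_ROUTE_MAP shows the tagged prefixes simply absent from the table, which is the difference the article's Symptoms section is concerned about.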