Prior to the attack, select an address for the intended black hole next-hop. Configure the forwarding plane of each edge router so that packets forwarded to this next-hop are dropped:
create vlan BH_VLAN configure vlan BH_VLAN tag 666 enable loopback-mode vlan BH_VLAN configure vlan BH_VLAN ipaddress 192.168.2.1 255.255.255.0 enable ipforwarding vlan BH_VLAN disable igmp snooping vlan BH_VLAN disable igmp vlan BH_VLAN create fdb 00:02:03:04:05:06 vlan BH_VLAN port 6:9 configure iparp add 192.168.2.66 vr VR-Default 00:02:03:04:05:06 configure access-list BH_ACL vlan BH_VLAN egress
When a packet arrives in the forwarding plane and looks up a route that has the above black hole next-hop as its next-hop, a subsequent ARP and FDB (forwarding database) look-up occurs that forwards the packet to exit the switch using the above black hole VLAN, “BH_VLAN,” and port “6:9.” The packet is dropped due to the deny action in the egress ACL filter.
The following policy file discards any traffic that exits the black hole VLAN, “BH_VLAN.” Note that the match on “source-address 0.0.0.0/0” matches any egress packet ensuring that all packets exiting via the black hole VLAN are dropped:
Print
this page
Email this topic
Feedback
View PDF
Download EPUBedit policy BH_ACL
entry bh-acl {
if {
source-address 0.0.0.0/0;
} then {
deny ;
}
}