Step 1

Before an attack occurs, select an address to serve as the black hole next-hop. Configure the forwarding plane of each edge router so that packets forwarded to this next-hop are dropped:

  1. Create a black hole VLAN with an IP address that is in the same subnet as the chosen black hole next-hop.
  2. Add an active port to the black hole VLAN (usually an unused port in the switch).
  3. Create a static FDB entry that maps a well-chosen, unused MAC address to the black hole VLAN and the active port added to that VLAN.
  4. Create a static ARP entry that maps the black hole next-hop to the above MAC address.
  5. Create a filter that denies packets exiting the black hole VLAN.
    In the following example configuration, is the subnet of the black hole VLAN, “BH_VLAN,” and is the chosen black hole next-hop. The active port 6:9 is added as the egress port for “BH_VLAN.”
    create vlan BH_VLAN
    configure vlan BH_VLAN tag 666
    enable loopback-mode vlan BH_VLAN
    configure vlan BH_VLAN ipaddress
    enable ipforwarding vlan BH_VLAN
    disable igmp snooping vlan BH_VLAN
    disable igmp vlan BH_VLAN
    create fdb 00:02:03:04:05:06 vlan BH_VLAN port 6:9
    configure iparp add vr VR-Default 00:02:03:04:05:06
    configure access-list BH_ACL vlan BH_VLAN egress

    When a packet arrives in the forwarding plane and looks up a route that has the above black hole next-hop as its next-hop, a subsequent ARP and FDB look-up occurs that forwards the packet to exit the switch using the above black hole VLAN, “BH_VLAN,” and port “6:9.” The packet is dropped due to the deny action in the egress ACL filter.
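The lookup chain described above (route, then ARP, then FDB, then the egress ACL), modelled as an added Python example that is not part of the original text. The black hole subnet 192.0.2.0/30, next-hop 192.0.2.2, the UPLINK VLAN and the host route 203.0.113.7/32 are constructed values, since the page elides them; the checker reports which link of the chain is missing if a configuration step was skipped.

```python
import ipaddress
import re

# Constructed sample config in the page's command form (values are assumptions).
SAMPLE_CONFIG = """
create vlan BH_VLAN
configure vlan BH_VLAN ipaddress 192.0.2.1/30
create fdb 00:02:03:04:05:06 vlan BH_VLAN port 6:9
configure iparp add vr VR-Default 192.0.2.2 00:02:03:04:05:06
configure access-list BH_ACL vlan BH_VLAN egress
create fdb 00:aa:bb:cc:dd:ee vlan UPLINK port 1:1
configure iparp add vr VR-Default 198.51.100.1 00:aa:bb:cc:dd:ee
"""
# Routing table: a default route plus the host route a trigger router would
# inject during an attack, pointing at the black hole next-hop (assumed values).
ROUTES = [("0.0.0.0/0", "198.51.100.1"), ("203.0.113.7/32", "192.0.2.2")]

def parse_config(text):
    """Build the static ARP, FDB and egress-ACL tables from the CLI lines."""
    arp, fdb, egress_acl = {}, {}, {}
    for line in text.strip().splitlines():
        if m := re.match(r"configure iparp add .*?(\d+\.\d+\.\d+\.\d+) (\S+)$", line):
            arp[m[1]] = m[2].lower()
        elif m := re.match(r"create fdb (\S+) vlan (\S+) port (\S+)$", line):
            fdb[m[1].lower()] = (m[2], m[3])
        elif m := re.match(r"configure access-list (\S+) vlan (\S+) egress$", line):
            egress_acl[m[2]] = m[1]
    return arp, fdb, egress_acl

def check_black_hole_chain(tables, next_hop, deny_acl="BH_ACL"):
    """Return the gaps that would let traffic sent to the black hole escape."""
    arp, fdb, egress_acl = tables
    mac = arp.get(next_hop)
    if mac is None:
        return [f"no static ARP entry for {next_hop}"]
    if mac not in fdb:
        return [f"no static FDB entry for {mac}"]
    vlan, _ = fdb[mac]
    return [] if egress_acl.get(vlan) == deny_acl else [f"{deny_acl} is not applied egress on {vlan}"]

def forward(dst_ip, routes, tables):
    """Longest-prefix route lookup, then ARP and FDB, then the egress ACL."""
    arp, fdb, egress_acl = tables
    dst = ipaddress.ip_address(dst_ip)
    matches = [(n, nh) for n, nh in routes if dst in ipaddress.ip_network(n)]
    if not matches:
        return "no-route"
    _, next_hop = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    mac = arp.get(next_hop)
    if mac is None or mac not in fdb:
        return "arp-or-fdb-miss"
    vlan, port = fdb[mac]
    if vlan in egress_acl:  # the page's policy denies every packet leaving BH_VLAN
        return "dropped"
    return f"forwarded {vlan}/{port}"
```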

    The following policy file discards any traffic that exits the black hole VLAN, “BH_VLAN.” Note that the match on “source-address” matches every egress packet, ensuring that all packets exiting via the black hole VLAN are dropped:

    edit policy BH_ACL
    entry bh-acl {
    if {
    } then {
    deny ;