I have a Cisco basic EVPN fabric configuration in the DC with two spines and a couple of leafs, using OSPF+iBGP for the underlay fabric. My border leaf is connected to my ISP using VRF CUST. I want to configure RTBH for DDoS protection. I have the RTBH community from my ISP but somehow it's not working; maybe it's a VRF issue.
My border leaf is a Cisco 93180YC-EX running NX-OS version 9.3.10.
```
route-map RTBH permit 10
  match tag 666
  set community 1299:666
```
In the BGP configuration I have set redistribute static for RTBH:
```
router bgp 65001
  router-id 10.254.1.2
  log-neighbor-changes
  template peer VXLAN_SPINE
    remote-as 65001
    update-source loopback0
    address-family ipv4 unicast
    address-family l2vpn evpn
      send-community
      send-community extended
  neighbor 10.254.0.1
    inherit peer VXLAN_SPINE
    description ** iBGP Peer to Spine-1 **
    no shutdown
  neighbor 10.254.0.2
    inherit peer VXLAN_SPINE
    description ** iBGP Peer to Spine-2 **
    no shutdown
  vrf CUST1
    log-neighbor-changes
    address-family ipv4 unicast
      redistribute static route-map RTBH
      aggregate-address 81.231.91.0/23 summary-only
    neighbor 213.XX.XX.4
      remote-as 1299
      local-as 31028
      description *** eBGP link to ISP ***
      address-family ipv4 unicast
        send-community
        send-community extended
```
Now if I add a static route to test the null route using tag 666, it does not do anything. It looks like my static route is not getting installed in VRF CUST1. Example like the following:
```
ip route 81.231.91.128 255.255.255.255 Null0 tag 666
```
I don't have a command like `ip route vrf CUST ...blah..` to install the route in CUST1.
In that case, how do I test whether my BGP RTBH is working or not?
As you can see, I don't have the vrf option in the route command:
```
(config)# ip route ?
  A.B.C.D      IP prefix in format i.i.i.i
  A.B.C.D/LEN  IP prefix and network mask length in format x.x.x.x/m
```
```
vrf context CUST1
  description ** VRF-CUST1 **
  vni 10555
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
```
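As an added example (not from the original post), this is how the blackhole static gets installed inside the VRF on NX-OS and then verified: the `ip route` command is entered under `vrf context CUST1` rather than globally. The prefix 81.231.91.128/32, tag 666, community 1299:666 and the ISP neighbor are taken from the post; everything else is assumed.

```cisco
! Added example: the VRF-scoped static route is configured under the
! vrf context, which is why the global "ip route" has no "vrf" keyword.
vrf context CUST1
  ip route 81.231.91.128/32 Null0 tag 666
!
! Route-map that marks tagged statics with the ISP blackhole community
route-map RTBH permit 10
  match tag 666
  set community 1299:666
!
router bgp 65001
  vrf CUST1
    address-family ipv4 unicast
      redistribute static route-map RTBH
      ! Caveat: "aggregate-address 81.231.91.0/23 summary-only" suppresses
      ! every more-specific inside the /23, including this blackhole /32, so
      ! the aggregate must be announced without summary-only (or with a
      ! suppress-map that does not match tag-666 routes) for the /32 to
      ! reach the ISP.
      aggregate-address 81.231.91.0/23
    neighbor 213.XX.XX.4
      address-family ipv4 unicast
        send-community
!
! Verification (exec mode): the /32 must appear in the VRF RIB, in the VRF
! BGP table carrying community 1299:666, and in the routes advertised to
! the ISP neighbor.
show ip route vrf CUST1 81.231.91.128/32
show bgp vrf CUST1 ipv4 unicast 81.231.91.128/32
show bgp vrf CUST1 ipv4 unicast neighbors 213.XX.XX.4 advertised-routes
```

If the /32 is present in the VRF RIB but missing from the advertised-routes output, the aggregate suppression is the first thing to check.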