Two things: BGP Communities to two upstreams, netflow top-talkers

Started by netspork, November 14, 2015, 02:21:48 PM


netspork

Some recent events have helped me gain a rapid education in DDoS mitigation stuff.  This basically comes down to "pick an upstream with a good NOC" and "being able to call up and request ACLs/rate limiting costs money".

Level3's "SOC" is a joke, don't give those people money for security services.

That said, RTBH is something that I should have had set up long ago it seems.  I got a basic BGP community setup for one upstream and tested it and it's awesome.  Set up a null route and a network statement and traffic to the IP halts at the provider's edge.  Love it.

Looking at the config though, communities are global - they apply to all peers.  I need to set this up with my other upstream and I'm at a loss as to how to send one provider one community and the other provider another community.

Here's my (very basic) config that works for a single provider:


!
route-map u1-blackhole permit 10
 set community 12345:666
!
router bgp 5432
 network 1.2.3.4 mask 255.255.255.255 route-map u1-blackhole
 address-family ipv4
  neighbor a.b.c.d send-community



Could I just change this to something like this and be safe?


!
route-map u1-blackhole permit 10
 set community 12345:666
!
! add:
route-map u2-blackhole permit 10
 set community 54321:1666
!
router bgp 5432
 network 1.2.3.4 mask 255.255.255.255 route-map u1-blackhole
 ! add:
 network 1.2.3.4 mask 255.255.255.255 route-map u2-blackhole
 address-family ipv4
  neighbor a.b.c.d send-community
  ! add:
  neighbor d.c.b.a send-community


And the old CLI command I remember to show top talkers does not seem to be available on IOS-XE (03.10.02.S).  I can use nfsen to grab stats and see what IP is being hit, but that takes time.  Is there any way to see this directly on the router without upgrading to a new IOS?

Thanks all...
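Added example (not from the original post): the usual way to hand each upstream its own blackhole community is to mark the route once, locally, and let a per-neighbor outbound route-map translate that marker into whatever that provider expects. One caveat worth knowing: in IOS the BGP network table is keyed by prefix, so entering the same network statement a second time with a different route-map replaces the route-map on the first line rather than adding a second one, which means both peers end up with the same single community. The per-neighbor outbound policy below avoids that. ASNs, community values and neighbor addresses are the thread's placeholders; the local marker community 5432:666 and the route-map names are assumptions.

```cisco
! Added example, not the original poster's config.
! Local marker community (assumed value): tags the blackhole route inside
! the router only; each outbound route-map replaces it before export.
ip bgp-community new-format
ip community-list standard LOCAL-BLACKHOLE permit 5432:666
!
! Static null route so the /32 exists in the RIB and the network statement
! can inject it into BGP.
ip route 1.2.3.4 255.255.255.255 Null0
!
route-map tag-blackhole permit 10
 set community 5432:666
!
! Upstream 1: rewrite the marker into provider 1's blackhole community.
! "set community" without "additive" overwrites, so the local marker
! never leaves the router. Sequence 20 passes everything else unchanged.
route-map u1-out permit 10
 match community LOCAL-BLACKHOLE
 set community 12345:666
route-map u1-out permit 20
!
! Upstream 2: same idea, provider 2's community.
route-map u2-out permit 10
 match community LOCAL-BLACKHOLE
 set community 54321:1666
route-map u2-out permit 20
!
router bgp 5432
 ! One network statement, one marker; per-peer policy does the rest.
 network 1.2.3.4 mask 255.255.255.255 route-map tag-blackhole
 address-family ipv4
  neighbor a.b.c.d send-community
  neighbor a.b.c.d route-map u1-out out
  neighbor d.c.b.a send-community
  neighbor d.c.b.a route-map u2-out out
```

After a `clear ip bgp * soft out`, `show ip bgp 1.2.3.4` shows the route carrying only the local marker 5432:666, and `show ip bgp neighbors a.b.c.d advertised-routes` confirms the /32 is being sent to each peer; the translated community is only visible post-policy, so confirm it from the provider side (looking glass or route server) before relying on it in an incident. If an upstream expects more than one community on the route, add `additive` to that peer's `set community` line rather than to the marker.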

netspork

And following up to myself, tested with both providers set up as above and it works.

Still curious about a "top talkers" or other command-line stuff to show traffic real-time without waiting for my netflow collector to catch up.

wintermute000


netspork

Are you sure on XE?  Some feature matrix I saw suggested I'd have to go more bleeding edge to get that.  The closest I've come is some giant list of current flows:

Quote
l3-1002x# sh flow monitor ?
  broker      Show the flow monitor broker
  inbound-1   User defined
  name        Name a specific Flow Monitor
  outbound-1  User defined
  type        Type of the Flow Monitor
  |           Output modifiers
  <cr>

l3-1002x# sh flow monitor in
l3-1002x# sh flow monitor inbound-1 ?
  cache       Flow monitor cache contents
  statistics  Flow monitor statistics
  |           Output modifiers
  <cr>

The "statistics" option is just an overview of the caches and such.  "cache" is a dump of the whole cache.

wintermute000