Describes a technique that drops undesirable traffic at the network edge by forwarding it to a null interface, mitigating attacks and enforcing blocklist filtering.
Remotely triggered blackhole (RTBH) filtering is a technique that
drops undesirable traffic before it enters a protected network,
drops that traffic quickly at the network edge, and
operates on either source or destination addresses by forwarding the matching traffic to a Null0 interface.
These are the types of RTBH filtering:
Destination-based RTBH filtering: RTBH filtering based on a destination address
Source-based RTBH filtering: RTBH filtering based on a source address. This variant relies on loose-mode unicast Reverse Path Forwarding (uRPF) on the edge routers, so that packets whose source address resolves to a route pointing at Null0 are dropped.
Benefits of remotely triggered blackhole filtering
This technique enhances network security by
effectively mitigating Distributed Denial of Service (DDoS) and worm attacks
quarantining all traffic destined for a target under attack (legitimate traffic to that target is dropped as well, so destination-based RTBH protects the rest of the network rather than the target itself), and
enforcing blocklist filtering.
How remotely triggered blackhole filtering works
Summary
The key components involved in the process are:
Remotely Triggered Blackhole (RTBH) filtering: A technique to drop undesirable traffic.
Route Policy Language (RPL): Defines the rules for discarding traffic.
set next-hop discard command: Configures the next-hop of the target prefix to a null interface.
Routing Information Base (RIB): Stores routing information, updated by the next-hop discard configuration.
Triggering device: A separate device, typically in a Network Operations Center (NOC), that sends iBGP updates. Because a single tagged static route on this device blackholes a prefix on every edge router, access to it must be controlled as tightly as access to the routers themselves.
Edge routers: Access and aggregation points that receive iBGP updates from the trigger device.
Null0 interface: A virtual interface where discarded traffic is sent.
RTBH filtering drops undesirable traffic by rerouting it to a null0 interface, based on route policies and BGP updates from a trigger device.
Workflow
Figure 1. Topology to implement RTBH filtering
Consider this topology, where a rogue router is sending traffic to a border router.
These stages describe how RTBH filtering works.
Policy definition: You implement RTBH by defining a route policy (RPL) that uses the set next-hop discard command to discard undesirable traffic at the next-hop.
Next-hop configuration: RTBH filtering sets the next-hop of the target prefix to the null interface. Traffic destined for the target is then dropped at the ingress.
Inbound policy application: You use the set next-hop discard configuration in the neighbor inbound policy. When applied to a path, the RIB updates with the next-hop set to Null0, even if the primary next-hop is unreachable.
Best path selection: The RTBH path is considered reachable and becomes a candidate in the best path selection process.
Readvertisement: The system readvertises the RTBH path to other peers with either the received next-hop or next-hop-self, based on normal BGP advertisement rules.
Deployment scenario: In a typical deployment, an internal Border Gateway Protocol (iBGP) runs at the access and aggregation points. A separate device in the Network Operations Center (NOC) acts as a trigger.
Traffic dropping: The triggering device sends iBGP updates to the edge routers, which cause undesirable traffic to be forwarded to a null0 interface and dropped.
Result
The network effectively drops undesirable traffic at the edge, preventing it from entering the protected network.
Configure remotely triggered blackhole filtering
Follow these steps to configure destination-based RTBH filtering:
Configure the trigger router to initiate RTBH filtering.
The trigger router defines a static route redistribution policy that sets a community on static routes marked with a special tag. It also configures a static route with this tag for the prefix whose traffic must be discarded; for destination-based RTBH filtering, this is the destination prefix of the target under attack.
Configure the border router to apply RTBH filtering based on community matches.
The border router defines a route policy that matches the community set on the trigger router and configures the next-hop to discard. This policy is then applied to iBGP peers.
Procedure
1.
Configure the trigger router with a static route redistribution policy that sets a community on static routes marked with a special tag, and apply it in BGP. The no-export community keeps the blackhole route inside the local AS. The bgp_all policy applied to the neighbor is assumed to be a pass-all policy that already exists; it is not shown here.
Example:
Router(config)# route-policy RTBH-trigger
Router(config-rpl)# if tag is 777 then
Router(config-rpl-if)# set community (1234:4321, no-export) additive
Router(config-rpl-if)# pass
Router(config-rpl-if)# else
Router(config-rpl-else)# pass
Router(config-rpl-else)# endif
Router(config-rpl)# end-policy
Router(config)# router bgp 65001
Router(config-bgp)# address-family ipv4 unicast
Router(config-bgp-af)# redistribute static route-policy RTBH-trigger
Router(config-bgp-af)# exit
Router(config-bgp)# neighbor 192.168.102.1
Router(config-bgp-nbr)# remote-as 65001
Router(config-bgp-nbr)# address-family ipv4 unicast
Router(config-bgp-nbr-af)# route-policy bgp_all in
Router(config-bgp-nbr-af)# route-policy bgp_all out
Router(config-bgp-nbr-af)# exit
Router(config-bgp-nbr)# exit
Router(config-bgp)# exit
Router(config)# commit
2.
Configure a static route on the trigger router, tagging the prefix whose traffic must be discarded (for destination-based RTBH filtering, the destination prefix of the target under attack).
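The remaining pieces of the procedure for the topology above, as an added example that is not part of this page's own configuration listing: the tagged static route on the trigger router (step 2) and the community-matching policy on the border router (step 3 as described at the start of this section). The tag 777, the community 1234:4321, AS 65001 and the bgp_all policy come from the page's trigger-router example; the target address 192.0.2.1/32 (RFC 5737 documentation range), the trigger-router address 192.168.102.2 and the policy name RTBH-blackhole are assumptions made for this example.

```cisco
! ---- Trigger router (step 2) ----
! Static route for the prefix under attack, pointed at Null0 and tagged 777.
! The RTBH-trigger policy from step 1 matches tag 777 when redistributing
! static routes into BGP and attaches community 1234:4321 plus no-export,
! so the route stays inside AS 65001.
! 192.0.2.1/32 is an assumed placeholder for the target address.
router static
 address-family ipv4 unicast
  192.0.2.1/32 Null0 tag 777
 !
!

! ---- Border router (step 3) ----
! Inbound policy for the iBGP session from the trigger router: any route
! carrying the blackhole community gets its next-hop set to discard, which
! installs the prefix in the RIB with next-hop Null0 and drops matching
! traffic at ingress. Routes without the community are dropped by this
! policy rather than passed, so the trigger session can only ever inject
! blackholes, not arbitrary routing information (least privilege for the
! trigger device).
route-policy RTBH-blackhole
  if community matches-any (1234:4321) then
    set next-hop discard
  else
    drop
  endif
end-policy
!
! 192.168.102.2 is the assumed address of the trigger router on the
! 192.168.102.0/24 link used in the page's example.
router bgp 65001
 address-family ipv4 unicast
 !
 neighbor 192.168.102.2
  remote-as 65001
  address-family ipv4 unicast
   route-policy RTBH-blackhole in
   route-policy bgp_all out
  !
 !
!
```

After committing both sides, show route 192.0.2.1/32 on the border router should list the prefix with Null0 as its outgoing interface, and show bgp ipv4 unicast 192.0.2.1/32 should show the path learned from the trigger with community 1234:4321 and no-export. To lift the blackhole, remove the static route on the trigger router; the resulting BGP withdrawal restores normal forwarding on every edge router that learned the route.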