This Python script is designed to manage blackholing on a Huawei NetEngine router. It allows you to add, remove, and list IP prefixes and routes for blackholing purposes. The script communicates with IP transits via BGP communities to blackhole specified IP addresses by signaling these IPs to the Internet carriers' blackholing communities.
- A Huawei NetEngine router
- SSH access with a user that has privileges to modify the configuration
Before using the script, some initial setup on the router is required:

- Create an IP Community Filter:

  ```
  ip community-filter 1 index 10 permit 64535:666
  ```

- Create IP Prefix Lists. Populate these lists with dummy entries so that they already exist when the script runs:

  ```
  ip ip-prefix BLACKHOLE-OUT index 10 permit 111.111.111.157 32
  ip ipv6-prefix BLACKHOLE-OUT index 10 permit 2101:4460::666 128
  ```

- Create Static Routes. Create static routes that will never be used and include `(DO NOT REMOVE)` in the description:

  ```
  ip route-static 111.111.111.157 255.255.255.255 NULL0 tag 666 no-advertise description (DO NOT REMOVE!)
  ipv6 route-static 2101:4460::666 128 NULL0 tag 666 no-advertise description (DO NOT REMOVE!)
  ```

- Add Route Policies for Transits. Example with Colt (in IPv4 and IPv6):

  ```
  route-policy AS8220_COLT_BGP_IPv4_OUT permit node 10
   description Send IP to blackhole community to Colt
   if-match community-filter 1
   apply community 8220:63999
  route-policy AS8220_COLT_BGP_IPv6_OUT permit node 10
   description Send IP to blackhole community to Colt
   if-match community-filter 1
   apply community 8220:63999
  ```
The script package consists of the following files:

- `Huawei_Blackholing.py`: The main script for managing blackholing operations.
- `Huawei_Blackholing_gencre.py`: A script to generate the encrypted credentials file.
- `Huawei_Blackholing.enc`: The encrypted credentials file, generated by `Huawei_Blackholing_gencre.py`.
- `Huawei_Blackholing.key`: The encryption key file, generated by `Huawei_Blackholing_gencre.py`.
- `Huawei_Blackholing.conf`: Configuration file containing email settings:

  ```
  [Main]
  smtp_server = mysmtpserver.domain.com
  port = 25
  sender = [email protected]
  recipient = [email protected]
  ```
- clean-all: Removes all blackhole routes and IP prefixes.
- list: Lists the current blackhole IP prefixes and routes with tag 666.
- add [IP address]: Adds a new IP address to the blackhole configuration.
- remove [IP address]: Removes an IP address from the blackhole configuration.
- help: Shows the help message.
- Generate Encrypted Credentials: Use `Huawei_Blackholing_gencre.py` to create the encrypted credentials file:

  ```python
  from cryptography.fernet import Fernet
  import json


  def generate_key():
      # Create a new Fernet key and store it next to the script.
      key = Fernet.generate_key()
      with open("Huawei_Blackholing.key", "wb") as key_file:
          key_file.write(key)


  def encrypt_credentials():
      # Encrypt the router login details with the key generated above.
      with open("Huawei_Blackholing.key", "rb") as key_file:
          key = key_file.read()
      f = Fernet(key)
      credentials = {
          "router_ip": "192.168.1.1",
          "username": "HuaweiBlackhole",
          "password": "MyPassword123"
      }
      encrypted_credentials = f.encrypt(json.dumps(credentials).encode())
      with open("Huawei_Blackholing.enc", "wb") as enc_file:
          enc_file.write(encrypted_credentials)


  if __name__ == "__main__":
      generate_key()
      encrypt_credentials()
  ```

  Replace the values in `credentials` with your own. The key file is all that is needed to decrypt the credentials, so restrict its file permissions to the user that runs the script.

- Edit Configuration File: Edit the `Huawei_Blackholing.conf` file to include your email settings:

  ```
  [Main]
  smtp_server = mysmtpserver.mydomain.com
  port = 25
  sender = [email protected]
  recipient = [email protected]
  ```

- Run the Script: Use the script with the appropriate options:

  ```
  python3 Huawei_Blackholing.py [option] [IP address]
  ```

- List Current Blackhole IP Prefixes and Routes:

  ```
  python3 Huawei_Blackholing.py list
  ```

- Add an IP Address to the Blackhole Configuration:

  ```
  python3 Huawei_Blackholing.py add 111.111.111.155
  ```

- Remove an IP Address from the Blackhole Configuration:

  ```
  python3 Huawei_Blackholing.py remove 111.111.111.155
  ```

- Remove All Blackhole IP Prefixes and Routes:

  ```
  python3 Huawei_Blackholing.py clean-all
  ```

- Show Help Message:

  ```
  python3 Huawei_Blackholing.py help
  ```
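The following is an added example, not code from `Huawei_Blackholing.py`, showing how the `add` and `remove` operations map onto the prefix-list and static-route lines from the setup above, with the input checks a blackholing tool should make (host addresses only, no placeholder or non-routable addresses). The function names, the index step of 10, the sample configuration and the `undo` forms are assumptions.

```python
import ipaddress
import re

PREFIX_LIST = "BLACKHOLE-OUT"   # prefix-list name and tag from the router setup
TAG = 666
# Placeholder entries the README says must never be removed
RESERVED = {ipaddress.ip_address("111.111.111.157"),
            ipaddress.ip_address("2101:4460::666")}

# Constructed sample of prefix-list lines as they appear in the running config
SAMPLE_CONFIG = """
ip ip-prefix BLACKHOLE-OUT index 10 permit 111.111.111.157 32
ip ip-prefix BLACKHOLE-OUT index 20 permit 111.111.111.155 32
ip ipv6-prefix BLACKHOLE-OUT index 10 permit 2101:4460::666 128
""".splitlines()


def next_free_index(config_lines, version):
    """Next free index (step 10, an assumption) in the v4 or v6 BLACKHOLE-OUT list."""
    family = "ip-prefix" if version == 4 else "ipv6-prefix"
    pattern = re.compile(rf"^ip {family} {PREFIX_LIST} index (\d+) ")
    used = [int(m.group(1)) for line in config_lines
            if (m := pattern.match(line.strip()))]
    return (max(used) if used else 0) + 10


def blackhole_commands(ip, action, index):
    """Return the VRP lines that add or remove one host blackhole entry.

    Only a single address is accepted (never a network), the reserved
    placeholder entries are refused, and non-routable addresses are rejected.
    The undo forms are assumptions about VRP syntax.
    """
    addr = ipaddress.ip_address(ip.strip())   # ValueError on anything that is not an IP
    if addr in RESERVED:
        raise ValueError(f"{addr} is a reserved placeholder entry")
    if not addr.is_global:
        raise ValueError(f"{addr} is not a routable public address")
    if action not in ("add", "remove"):
        raise ValueError(f"unknown action {action!r}")
    if addr.version == 4:
        family, length = "ip-prefix", 32
        route = f"ip route-static {addr} 255.255.255.255 NULL0"
    else:
        family, length = "ipv6-prefix", 128
        route = f"ipv6 route-static {addr} {length} NULL0"
    if action == "add":
        return [f"ip {family} {PREFIX_LIST} index {index} permit {addr} {length}",
                f"{route} tag {TAG} no-advertise"]
    return [f"undo ip {family} {PREFIX_LIST} index {index}", f"undo {route}"]
```

In a real run `config_lines` would come from the router's `display current-configuration` output over SSH, and the returned lines would be sent in system view.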
This script provides a powerful and flexible way to manage blackholing on a Huawei NetEngine router. By following the setup steps and using the provided options, you can efficiently control the blackhole configuration and ensure that the appropriate notifications are sent via email.
Feel free to customize and extend the script as needed for your specific use case.