[j-nsp] Policy to allow customers to null-route traffic at edge

Avram Dorfman avram at juniper.net
Tue Sep 2 23:26:22 EDT 2003


Hey Ben,

This should work fine with multi-hop as was previously stated.

Starting with 5.6, you can actually configure a discard interface:

	http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-interfaces/html/interfaces-discard-config.html#1014275

dsc {
     unit 0 {
         family inet {
             address 10.10.10.1/32 {
                 destination 10.10.10.2;
             }
         }
     }
}

dsc's are point-to-point, so then use an identical policy, but set the  
next-hop to the p2p destination of the dsc interface.

policy-statement DoS_Policy {
     term 1 {
        from {
           protocol bgp; community DoS_Comm;
        }
        then {
            next-hop 10.10.10.2; accept;
        }
     }
}

It's the same thing, but now you can actually still count statistics on  
the traffic you are discarding, with a firewall filter, by applying it  
as an output filter on the dsc.

HTH,
Avram

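A fuller version of what Avram describes, put together here as an added example (it is not configuration from either post and has not been lifted from Juniper documentation): the dsc interface, the policy that steers community-tagged customer routes at the far end of its point-to-point link, and the output filter that counts what gets dropped. The 10.10.10.1/32 and 10.10.10.2 addresses, the DoS_Comm and DoS_Policy names and the 19962:911 community come from the thread; the filter and counter names, the BGP group name and the 192.0.2.0/24 customer block are assumptions for illustration.

```junos
/* Added example, not from the original post. Discard interface that
   receives customer-triggered blackhole traffic, with an output filter
   that counts packets before the interface drops them. */
interfaces {
    dsc {
        unit 0 {
            family inet {
                filter {
                    output count-blackhole;   /* assumed filter name */
                }
                address 10.10.10.1/32 {
                    destination 10.10.10.2;   /* far end of the p2p link */
                }
            }
        }
    }
}
firewall {
    family inet {
        filter count-blackhole {
            term all {
                then {
                    count blackhole-pkts;     /* assumed counter name */
                    accept;                   /* accept onto dsc still discards */
                }
            }
        }
    }
}
policy-options {
    community DoS_Comm members 19962:911;
    community no-export members no-export;
    policy-statement DoS_Policy {
        term 1 {
            from {
                protocol bgp;
                community DoS_Comm;
                /* assumption: a customer may only blackhole its own space */
                route-filter 192.0.2.0/24 orlonger;
            }
            then {
                community add no-export;      /* keep the blackhole inside the AS */
                next-hop 10.10.10.2;          /* resolves directly via dsc.0 */
                accept;
            }
        }
    }
}
protocols {
    bgp {
        group customers {                     /* assumed group name */
            import DoS_Policy;
        }
    }
}
```

After commit, `show firewall filter count-blackhole` shows the blackhole-pkts counter climbing while the attack is under way, and `show route 10.10.10.2` confirms the next-hop resolves as a direct route over dsc.0, which is what keeps the tagged route from being hidden as Unusable on this box. The route-filter term matters as a safety check: without it, a customer could tag a prefix it does not own and have the provider discard someone else's traffic. Any iBGP peer that receives the route still needs its own path to 10.10.10.2 (for example the same dsc addressing on every edge router) or the route will be unusable there too.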


On Thursday, August 28, 2003, at 07:22  PM, bbird at epik.net wrote:

> All,
>
> Can someone point out the flaw in my configuration/concept (or both)  
> please?
> Some specifics have been changed or obfuscated.
>
> I have a policy set up allowing customer-peers to tag a specific bgp
> community-id (19962:911) to a route, thus causing me to black-hole the
> traffic at my edge.  This is obviously an attempt to keep the DOS  
> traffic
> off of the customers link, without need for my involvement.
>
> My edge router isn't accepting the route due to an 'Unusable' next  
> hop.  I'm
> attempting to do this in a recursive manner, as Juniper policy doesn't  
> allow
> me to change the next-hop to discard.  Because the next-hop is  
> 'Unusable',
> the route remains inactive, and therefore the traffic still transits  
> to the
> customer, because of the less-specific the customer is also exporting  
> to me.
>
> Obviously, the policy-statement "<$customer-as>-routes" is applied as  
> an
> import policy facing the customer.  Configuration from my edge-router,
> connected to customer-peer:
>
>
> static {
>     route 192.168.255.254/32 {
>         discard;
>         install;
>     }
> }
>
> policy-statement <$customer-as>-routes {
>     term prefix-list-blackhole {
>         from {
>             protocol bgp;
>             community customer-blackhole;
>             route-filter <customer-route>/19 upto /32;
>         }
>         then {
>             community add no-export;
>             next-hop 192.168.255.254;
>             next policy;
>             accept;
>         }
>     }
> }
>
> community customer-blackhole members "^19962:911$";
>
>
> -------------------
>
> user at router> show route community 19962:911 hidden extensive
>
> inet.0: 123327 destinations, 123343 routes (123318 active, 2 holddown,  
> 8
> hidden)
> <customer-route/24> (1 entry, 0 announced)
>          BGP                 /-501
>                 Next hop type: Unusable
>                 State: <Hidden Ext>
>                 Local AS: 65001 Peer AS: <$customer-as>
>                 Age: 1:42:56    Metric: 0
>                 Task: BGP_<$customer-as>.<$customer-peer-ip>+1255
>                 AS path: <$customer-as> <$customer-as> ?
>                 Communities: 19962:911 19962:1004 19962:65001 no-export
>                 Localpref: 500
>                 Router ID: <$customer-rtr-id>
>                 Merit (last update/now): 787/274
>                 damping-parameters: damp-long
>                 Last update:       00:45:37 First update:        
> 01:46:51
>                 Flaps: 3
>                 History entry.  Expires in:       00:13:40
> <snip>
>
> Sincerely,
> -Ben Bird
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp


