[j-nsp] Policy to allow customers to null-route traffic at edge
Avram Dorfman
avram at juniper.net
Tue Sep 2 23:26:22 EDT 2003
Hey Ben,
This should work fine with multi-hop as was previously stated.
Starting with 5.6, you can actually configure a discard interface:
http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-
interfaces/html/interfaces-discard-config.html#1014275
dsc {
unit 0 {
family inet {
address 10.10.10.1/32 {
destination 10.10.10.2;
}
}
}
}
dsc's are point-to-point, so then use an identical policy, but set the
next-hop to the p2p destination of the dsc interface.
policy-statement DoS_Policy {
term 1 {
from {
protocol bgp; community DoS_Comm;
}
then {
next-hop 10.10.10.2; accept;
}
}
}
It's the same thing, but now you can actually still count statistics on
the traffic you are discarding, with a firewall filter, by applying it
as an output filter on the dsc.
HTH,
Avram
On Thursday, August 28, 2003, at 07:22 PM, bbird at epik.net wrote:
> All,
>
> Can someone point out the flaw in my configuration/concept (or both)
> please?
> Some specifics have been changed or obfuscated.
>
> I have a policy set up allowing customer-peers to tag a specific bgp
> community-id (19962:911) to a route, thus causing me to black-hole the
> traffic at my edge. This is obviously an attempt to keep the DOS
> traffic
> off of the customers link, without need for my involvement.
>
> My edge router isn't accepting the route due to an 'Unusable' next
> hop. I'm
> attempting to do this in a recursive manner, as Juniper policy doesn't
> allow
> me to change the next-hop to discard. Because the next-hop is
> 'Unusable',
> the route remains inactive, and therefore the traffic still transits
> to the
> customer, because of the less-specific the customer is also exporting
> to me.
>
> Obviously, the policy-statement "<$customer-as>-routes" is applied as
> an
> import policy facing the customer. Configuration from my edge-router,
> connected to customer-peer:
>
>
> static {
> route 192.168.255.254/32 {
> discard;
> install;
> }
>
> policy-statement <$customer-as>-routes {
> term prefix-list-blackhole {
> from {
> protocol bgp;
> community customer-blackhole;
> route-filter <customer-route>/19 upto /32;
> }
> then {
> community add no-export;
> next-hop 192.168.255.254;
> next policy;
> accept;
> }
> }
> }
>
> community customer-blackhole members "^19962:911$";
>
>
> -------------------
>
> user at router> show route community 19962:911 hidden extensive
>
> inet.0: 123327 destinations, 123343 routes (123318 active, 2 holddown,
> 8
> hidden)
> <customer-route/24> (1 entry, 0 announced)
> BGP /-501
> Next hop type: Unusable
> State: <Hidden Ext>
> Local AS: 65001 Peer AS: <$customer-as>
> Age: 1:42:56 Metric: 0
> Task: BGP_<$customer-as>.<$customer-peer-ip>+1255
> AS path: <$customer-as> <$customer-as> ?
> Communities: 19962:911 19962:1004 19962:65001 no-export
> Localpref: 500
> Router ID: <$customer-rtr-id>
> Merit (last update/now): 787/274
> damping-parameters: damp-long
> Last update: 00:45:37 First update:
> 01:46:51
> Flaps: 3
> History entry. Expires in: 00:13:40
> <snip>
>
> Sincerely,
> -Ben Bird
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list