[j-nsp] Using an LSP to transport analysis traffic
Richard A Steenbergen
ras at e-gerbil.net
Mon Jul 2 16:22:34 EDT 2007
On Mon, Jul 02, 2007 at 12:21:32AM -0400, Richard A Steenbergen wrote:
> It actually seems to be working, except for the fact that I am already
> running LSPs to the central collection site router in question, and the
> analysis LSPs are a second path to the same destination. The sampling
> router ends up sending legitimate traffic down the analysis LSP, and
> setting a lower preference or using a different "to" address with a higher
> metric cost on the LSP doesn't seem to help it. I see an option
> "no-install-to-address" which looks vaguely like it was created for what
> I'm trying to do, but with this configured I can't inject traffic to the
> LSP using a static "route x.x.x.x/x lsp-next-hop ANALYSISLSP" (which is
> how I'm collecting the "interesting" packets, with a dedicated
> routing-instance which I can punt traffic into from a firewall, and yes
> I'm importing all my interface/igp routes into it).
Never mind, no-install-to-address was what I wanted, but then you need to
manually specify an address to install to inet.3 etc. This works like a
charm:
label-switched-path LOCAL.ROUTER-ANALYSIS.BOX {
    no-install-to-address;
    to x.x.x.x;                  /* LSP destination loopback */
    install y.y.y.y/32 active;   /* Special reserved next-hop */
    no-decrement-ttl;
}
Then you can just set up a routing-instance with a default route pointing
to that LSP, and FBF/Flowspec any matching traffic into that instance for
forwarding to the analysis box.
Of course you can also rewrite nexthop on a specific destination route you
want to capture to the y.y.y.y address and then anycast that address
everywhere, which is really the same as just putting a L3 interface on the
analysis box and routing it there, but at least this way you can tell
where the traffic came from based on which LSP/subint it came in on (and
potentially avoid TTL expiring the packet while forwarding it to analysis
too :P).
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
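The routing-instance and FBF filter that feed the LSP described above, written out as an added example (this is not configuration from the original post). The instance name ANALYSIS, the rib-group ANALYSIS-RG, the filter PUNT-TO-ANALYSIS, the 203.0.113.0/24 match prefix and the choice of a forwarding-type instance are assumptions; the LSP name is the one from the post.

```junos
/* Added example, not from the post: names, prefix and instance type are placeholders */
routing-options {
    rib-groups {
        ANALYSIS-RG {
            /* copy interface routes into the analysis instance (as the post describes) */
            import-rib [ inet.0 ANALYSIS.inet.0 ];
        }
    }
    interface-routes {
        rib-group inet ANALYSIS-RG;
    }
}
routing-instances {
    ANALYSIS {
        instance-type forwarding;
        routing-options {
            static {
                /* everything punted into this instance goes down the analysis LSP */
                route 0.0.0.0/0 lsp-next-hop LOCAL.ROUTER-ANALYSIS.BOX;
            }
        }
    }
}
firewall {
    family inet {
        filter PUNT-TO-ANALYSIS {
            term interesting {
                from {
                    /* placeholder: the destination whose traffic you want to inspect */
                    destination-address {
                        203.0.113.0/24;
                    }
                }
                then {
                    routing-instance ANALYSIS;
                }
            }
            term everything-else {
                /* anything not punted is forwarded normally */
                then accept;
            }
        }
    }
}
```

Apply the filter inbound on the interface(s) where the traffic arrives, e.g. `set interfaces ge-0/0/0 unit 0 family inet filter input PUNT-TO-ANALYSIS` (interface name is a placeholder). Without the `everything-else` term, non-matching traffic would hit the filter's implicit discard.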