[j-nsp] Filter Based Forwarding with bgp import rib
Stefan Fouant
sfouant at shortestpathfirst.net
Thu Mar 24 22:53:47 EDT 2011
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Thursday, March 24, 2011 7:35 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Filter Based Forwarding with bgp import rib
>
> I've been hunting around for a solution to a similar issue - essentially
> a modified approach to RTBH. I'd like to be able to redirect or
> optionally port-mirror inbound and outbound traffic to another interface
> on my border router, and the trigger for determining what traffic would
> be affected would be a BGP feed from a route server, and the actions to
> be taken (discard, redirect to another interface, port-mirror to another
> interface) by the border routers could be dictated by BGP community tags.
>
> The issues I've run into with this have been that I couldn't find a way
> to get a Junos firewall filter to see and react to BGP routes and their
> associated community tags.
Hi Justin,

I've done just this very thing for various traffic filtering applications.
Ping me offline and I can provide you some sample configs that should work.

One thing I'd like to point out however, since you mention RTBH, is that I
think you would be better served with BGP FlowSpec in this case, because
RTBH only serves to provide automated distribution of destination-based
filters throughout an environment. Technically you can do S/RTBH if you
couple RTBH w/ uRPF... nonetheless there are some limitations to this
approach, which is one of the primary reasons FlowSpec was created in the
first place. You can filter on source-address, destination-address,
protocol, source-port, and destination-port, or any combination of these.
Much more flexible in my opinion than simply RTBH, plus it gives you the
flexibility of FBF w/ automation layered on top. Juniper probably has the
best working implementation of FlowSpec out of any of the vendors out there,
so you're in luck here.

I have a presentation on the benefits of FlowSpec on my blog -
http://www.shortestpathfirst.net/presentations/
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
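Added example, not part of Stefan's message or of any Juniper sample config: a Junos configuration fragment contrasting the two approaches he describes. The first part is a BGP import policy that turns a /32 tagged with a blackhole community into a discard route (the destination-only RTBH he refers to); the second part defines FlowSpec routes that match on source, destination, protocol and ports, plus the `family inet flow` needed on the BGP session to exchange them. The prefixes (192.0.2.0/24, 203.0.113.0/24, 198.51.100.1), the community value 65000:666, and all policy, route and group names are assumed values for illustration only.

```junos
/* Added example, not from the original post. Addresses, community
   values and names are assumed for illustration. */
policy-options {
    /* Community the route server attaches to prefixes it wants dropped. */
    community BLACKHOLE members 65000:666;
    policy-statement RTBH-IMPORT {
        /* Destination-based RTBH: accept only host routes carrying the
           blackhole community and install them with a discard next hop. */
        term blackhole {
            from {
                protocol bgp;
                community BLACKHOLE;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                next-hop discard;
                accept;
            }
        }
        /* Anything else tagged BLACKHOLE (e.g. a shorter prefix) is
           refused so a whole block cannot be blackholed by mistake. */
        term reject-other-blackholes {
            from community BLACKHOLE;
            then reject;
        }
    }
}
routing-options {
    flow {
        /* FlowSpec: match on more than just the destination address.
           Drop UDP/53 replies from one source block toward one victim. */
        route drop-dns-reflection-to-victim {
            match {
                destination 192.0.2.10/32;
                source 203.0.113.0/24;
                protocol udp;
                source-port 53;
            }
            then discard;
        }
        /* Police, rather than drop, TCP/80 toward a web host
           (rate-limit value is in bits per second). */
        route rate-limit-web-to-host {
            match {
                destination 192.0.2.20/32;
                protocol tcp;
                destination-port 80;
            }
            then rate-limit 1000000;
        }
    }
}
protocols {
    bgp {
        group route-server {
            type internal;
            local-address 192.0.2.1;
            neighbor 198.51.100.1;
            /* Carry both unicast (RTBH /32s) and FlowSpec NLRI
               on the same session. */
            family inet {
                unicast;
                flow;
            }
            import RTBH-IMPORT;
        }
    }
}
```

The locally defined flow routes are what a route server would otherwise advertise as FlowSpec NLRI; defining them locally is a convenient way to confirm that the matching and the discard or rate-limit action behave as expected on the border router before trusting a feed with them. Received FlowSpec routes are subject to Junos's default validation against the unicast table (the originator must also be the best path for the destination prefix), which is worth keeping in mind when the feed comes from a route server rather than from the owner of the prefix.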