[j-nsp] reinject traffic from DDoS filtering device

Sebastian Wiesinger sebastian at karotte.org
Thu May 4 06:55:54 EDT 2017

* Alexander Dube <nsp at layerwerks.net> [2017-05-04 11:55]:
> Hello, 
> i've a problem reinjecting filtered traffic from a anti ddos device
> into our network. What we want to achive is, that traffic which
> comes from our upstreams/peerings is redirected to a filtering
> device. This is the easy part, as this can be done with a static or
> bgp routing. 
> Now the part where I stuck at the moment. The router which the
> filter is connected to, is the same where upstreams and direct
> customer networks are connected to. 
> The first try was to create a new vrf and import all direct routers
> from master instance. This works for ospf routes perfectly, but not
> for direct routes. For direct routes it is possible to get it
> working with a workaround, but we need a solution which does not
> requires configuration on the router on new attacks. 

We put all interfaces of customers that want DDoS scrubbing in a vrf
and leak the direct and static routes to the main table (via
rib-group). The scrubbing engine attracts dirty traffic by advertising
/32 (or /128) BGP routes in the main table and puts clean traffic in
the vrf the customers are in.

The only small drawback is when customers speak BGP with us and want a
full table. As the vrf does not have a full table these interfaces
stay in the main table and their BGP routes are put into the "clean"
vrf by specifying a rib group in the BGP neighbor configuration which
will leak the customers received BGP routes into the vrf.


GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
            -- Terry Pratchett, The Fifth Elephant

More information about the juniper-nsp mailing list