[j-nsp] reinject traffic from DDoS filtering device

Dragan Jovicic draganj84 at gmail.com
Thu May 4 17:17:08 EDT 2017


Using flowspec to redirect traffic to routing-instance. Scrubbing device
returns traffic to global table.
Since 16.1 you may exclude interface from installing filter as well, making
it possible to have scrubbing device on same PE running flowspec.

BR,

+Dragan

On Thu, May 4, 2017 at 12:55 PM, Sebastian Wiesinger <sebastian at karotte.org>
wrote:

> * Alexander Dube <nsp at layerwerks.net> [2017-05-04 11:55]:
> > Hello,
> >
> > i've a problem reinjecting filtered traffic from a anti ddos device
> > into our network. What we want to achive is, that traffic which
> > comes from our upstreams/peerings is redirected to a filtering
> > device. This is the easy part, as this can be done with a static or
> > bgp routing.
> >
> > Now the part where I stuck at the moment. The router which the
> > filter is connected to, is the same where upstreams and direct
> > customer networks are connected to.
> >
> > The first try was to create a new vrf and import all direct routers
> > from master instance. This works for ospf routes perfectly, but not
> > for direct routes. For direct routes it is possible to get it
> > working with a workaround, but we need a solution which does not
> > requires configuration on the router on new attacks.
>
> We put all interfaces of customers that want DDoS scrubbing in a vrf
> and leak the direct and static routes to the main table (via
> rib-group). The scrubbing engine attracts dirty traffic by advertising
> /32 (or /128) BGP routes in the main table and puts clean traffic in
> the vrf the customers are in.
>
> The only small drawback is when customers speak BGP with us and want a
> full table. As the vrf does not have a full table these interfaces
> stay in the main table and their BGP routes are put into the "clean"
> vrf by specifying a rib group in the BGP neighbor configuration which
> will leak the customers received BGP routes into the vrf.
>
> Regards
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
> SCYTHE.
>             -- Terry Pratchett, The Fifth Elephant
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


More information about the juniper-nsp mailing list