[j-nsp] reinject traffic from DDoS filtering device

"Rolf Hanßen" nsp at rhanssen.de
Fri May 5 03:40:34 EDT 2017


Hello,

Does anyone have experience with a non-VRF solution?
I am thinking about redirecting with an interface filter and a prefix-list to
change the routing based on the incoming interface:

set firewall family inet filter border-filter term scrubbing from destination-prefix-list redirect-to-scrubbing
set firewall family inet filter border-filter term scrubbing then next-ip <ip of scrubbing router>
set firewall family inet filter border-filter term rest then accept
set policy-options prefix-list redirect-to-scrubbing x.x.x.x/32
set interfaces <insert border interface here> family inet filter input border-filter

Just tested it and it seems to work (traffic entering that interface is
redirected).
That way sounds far easier to me, does not impact the routing in any way
and does not fill the FIB with double routes.

Besides the need to let the redirecting tool access/configure the router
itself, and the fact that a "show route" will only show half of the truth, I see no
downsides.

I was wondering if there is maybe even a way to combine that with BGP
advertisement.
I.e. send a route via BGP that is not installed in the FIB but is referenced
in the filter.
Any idea if that is possible?

Kind regards
Rolf


> For traffic scrubbing you either want clean-in-VRF or dirty-in-VRF,
> both have upside and downside, if you are not committed to either
> solution, please reconsider if you are even walking the correct
> solution.
>
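The interface-filter redirect from Rolf's post, written out as one consistent set-style snippet with a counter added so the diversion is visible from the filter side even though "show route" does not show it. This is an added example, not configuration from the post or from Juniper; the interface name, the scrubbing router address and x.x.x.x/32 are placeholders.

```junos
## Added example (not from the original post). Placeholders:
##   x.x.x.x/32               - victim prefix to divert
##   <scrubbing-router-ip>    - next hop of the scrubbing device
##   <border-interface>       - ingress interface facing the upstream

## Prefix-list name must match the one referenced in the filter term.
set policy-options prefix-list redirect-to-scrubbing x.x.x.x/32

## Term 1: divert traffic to the listed destinations, and count it so
## "show firewall filter border-filter" reveals what is being redirected.
set firewall family inet filter border-filter term scrubbing from destination-prefix-list redirect-to-scrubbing
set firewall family inet filter border-filter term scrubbing then count scrubbing-redirected
set firewall family inet filter border-filter term scrubbing then next-ip <scrubbing-router-ip>

## Term 2: everything else follows normal routing.
set firewall family inet filter border-filter term rest then accept

## Apply as an input filter on the upstream-facing interface only, so the
## clean traffic returning from the scrubber is not re-diverted.
set interfaces <border-interface> unit 0 family inet filter input border-filter

## Verification after commit (operational mode):
##   show firewall filter border-filter
##   clear firewall filter border-filter
```

The counter is the "other half of the truth" referred to in the post: a growing scrubbing-redirected count confirms the diversion is active for the listed prefix without inspecting the FIB.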



More information about the juniper-nsp mailing list