[j-nsp] reinject traffic from DDoS filtering device

Amos Rosenboim amos at oasis-tech.net
Fri May 5 04:41:15 EDT 2017


Hi,

We are utilizing FBF/PBR quite extensively, mainly for redirecting traffic to value added services platforms (caching, content filtering etc.).

One nice feature in Junos is the ability to apply the filter on output interfaces and avoiding loops using interface groups.

Of course it's not a very scalable solution, but in a network with a couple of exit routers it works perfectly.

In one of the cases we even have a server that dynamically changed prefix lists based on the load on an external system.

We had it working for years before we realized we are actually implementing an SDN controller, so good to be on top of the hype ;-)

Amos

Sent from my iPhone

On 5 May 2017, at 10:40, Rolf Hanßen <nsp at rhanssen.de> wrote:

Hello,

does anyone have experience with a non-VRF solution?
I think about redirecting with an interface filter and a prefix-list to
change the routing based on the incoming interface:

set firewall family inet filter border-filter term scrubbing from destination-prefix-list redirect-to-scrubbing
set firewall family inet filter border-filter term scrubbing then next-ip <ip of scrubbing router>
set firewall family inet filter border-filter term rest then accept
set policy-options prefix-list redirect-to-scrubbing x.x.x.x/32
set interfaces <insert border interface here> family inet filter input border-filter

Just tested it and it seems to work (traffic entering that interface is
redirected).
That way sounds far easier to me, does not impact the routing in any way,
and does not fill the FIB with double routes.

Besides the need to let the redirecting tool access/configure the router
itself, and that a "show route" will only show half of the truth, I see no
downsides.

I was wondering if there is maybe even a way to combine that with BGP
advertisement.
I.e. send a route via bgp that is not installed to the fib but referenced
in the filter.
Any idea if that is possible?

kind regards
Rolf


For traffic scrubbing you either want clean-in-VRF or dirty-in-VRF,
both have upside and downside, if you are not committed to either
solution, please reconsider if you are even walking the correct
solution.
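The "redirecting tool" Rolf mentions, which pushes prefixes into the prefix-list the FBF term references, is the piece most likely to cause damage if it is fed bad input. Below is an added example of such a tool, written for this page; it is not code from any of the posters or from Juniper. It keeps the thread's names (border-filter, redirect-to-scrubbing, next-ip), reconciles the prefix-list on the router against the set of destinations currently under attack, and refuses any prefix outside a constructed OWNED_SPACE allow-list so the tool cannot divert transit or foreign space through the scrubber. The loop-avoidance term uses a Junos interface-group-except match and assumes the scrubber-facing port has been placed in interface group 1 (assumed numbering); the sample prefixes and the scrubber address are constructed values.

```python
"""Reconcile the FBF prefix-list against the destinations under attack.

Added example, not code from the thread's posters or from Juniper.
Assumptions: OWNED_SPACE (constructed), scrubber return port in
interface group 1, IPv4 only (family inet filter).
"""
import ipaddress
from typing import Iterable, List, Tuple

PREFIX_LIST = "redirect-to-scrubbing"   # prefix-list referenced by the filter term
FILTER_NAME = "border-filter"
RETURN_GROUP = 1                         # assumed interface group of the scrubber-facing port

# Constructed sample: only destinations inside these blocks may be diverted.
# Diverting space you do not own would blackhole transit or foreign traffic.
OWNED_SPACE = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def validate(candidate: str) -> ipaddress.IPv4Network:
    """Parse one prefix and reject anything the tool must never push."""
    net = ipaddress.ip_network(candidate, strict=True)   # host bits set -> ValueError
    if net.version != 4:
        raise ValueError(f"{candidate}: family inet filter, IPv4 only")
    if not any(net.subnet_of(owned) for owned in OWNED_SPACE):
        raise ValueError(f"{candidate}: outside owned address space")
    return net


def reconcile(current: Iterable[str], desired: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (prefixes to add, prefixes to delete), each sorted."""
    cur = {validate(p) for p in current}
    des = {validate(p) for p in desired}
    adds = [str(n) for n in sorted(des - cur)]
    dels = [str(n) for n in sorted(cur - des)]
    return adds, dels


def render_delta(adds: List[str], dels: List[str]) -> List[str]:
    """Junos set/delete statements that bring the prefix-list to the desired state."""
    lines = [f"delete policy-options prefix-list {PREFIX_LIST} {p}" for p in dels]
    lines += [f"set policy-options prefix-list {PREFIX_LIST} {p}" for p in adds]
    return lines


def render_base_filter(scrubber_ip: str) -> List[str]:
    """Static part of the filter from the thread, plus the loop-avoidance match."""
    ipaddress.ip_address(scrubber_ip)    # fail early on a malformed address
    t = f"set firewall family inet filter {FILTER_NAME} term scrubbing"
    return [
        f"{t} from destination-prefix-list {PREFIX_LIST}",
        # clean traffic returning from the scrubber must not be redirected again
        f"{t} from interface-group-except {RETURN_GROUP}",
        f"{t} then next-ip {scrubber_ip}",
        f"set firewall family inet filter {FILTER_NAME} term rest then accept",
    ]


if __name__ == "__main__":
    # constructed: one /32 already diverted, a second one now under attack
    on_router = ["192.0.2.10/32"]
    under_attack = ["192.0.2.10/32", "192.0.2.20/32"]
    adds, dels = reconcile(on_router, under_attack)
    for line in render_base_filter("198.51.100.254") + render_delta(adds, dels):
        print(line)
```

The point of the reconcile step is that the tool only ever emits the difference between what is on the router and what should be there, so a restart or a duplicate alert cannot pile up stale /32s in the prefix-list; the validate step is where a defender puts the guard rails, because a single mistyped prefix in an automated push is enough to send somebody else's traffic through the scrubber.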


_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

