[j-nsp] reinject traffic from DDoS filtering device

Saku Ytti saku at ytti.fi
Fri May 5 04:55:46 EDT 2017


On 5 May 2017 at 10:40, "Rolf Hanßen" <nsp at rhanssen.de> wrote:
> I was wondering if there is maybe even a way to combine that with BGP
> advertisement.
> I.e. send a route via bgp that is not installed to the fib but referenced
> in the filter.
> Any idea if that is possible?

Flowspec can do this. But do you really have a scrubber attached to each
device, or are you willing to do hop-by-hop filtering to get the packet
where you want it to go? Or is the next-hop labeled and enters an LSP
towards the next-hop? With an LSP I could buy in to the solution.
It seems a very NIH solution, when L3 MPLS VPN exists and is a very clean
and easy-to-understand solution. And L3 MPLS VPN will easily allow you
to have multiple scrubbers and route packets to the closest one. And as
you add more services, adding new VPNs for each service is very low
effort, as BGP already exists, you just need to add the new instance.
I think you need to have a really strong justification to do anything
else but VRF. Your current justification, 'sounds far easier to me', is
insufficient.


-- 
  ++ytti

