[j-nsp] reinject traffic from DDoS filtering device

Alexander Dube nsp at layerwerks.net
Fri May 5 07:45:35 EDT 2017 

Hi,

lets check if I understand it the right way:

# define group id on transit interfaces lets assume its a localloop from vlan 1 through the scubbing device back into vlan 2
set interface xe-0/0/11.0 family inet filter group 1
set interface xe-0/0/22.0 family inet filter group 1
set routing-options flow interface-group 1 


# interfaces where the scrubbing device is connected to 
set interface xe-0/0/0.0 family inet 10.0.0.1/30  # interface inside of SCRUBCENTER vrf for dirty traffic
set interface xe-0/0/1.0 family inet 10.0.0.2/30  # interface inside of master instance inet0  for cleaned traffic


# setup scrub route for 123.123.123.123/32
set routing-options flow route scrub-123.123.123.123 match destination 123.123.123.123/32
set routing-options flow route scrub-123.123.123.123 then routing-instance SCRUBCENTER

# vrf for dirty traffic
set routing-instances SCUBCENTER instance-type vrf
set routing-instances SCUBCENTER interface xe-0/0/0.0 
set routing-instances SCUBCENTER route-distinguisher 1234:5000
set routing-instances SCUBCENTER vrf-target target:1234:5000
set routing-instances SCUBCENTER vrf-table-label
set routing-instances SCUBCENTER routing-options static route 0.0.0.0/0 next-hop 10.0.0.2


This configuration would redirect all traffic on interface xe-0/0/11 and xe-0/0/22 destined to 123.123.123.123/32 into the routing instance SCRUBCENTER. The VRF forward the traffic through the scrubbing device and will get it back cleaned on interface xe-0/0/1 inside of the master instance. 



Regards
Alex





----- Ursprüngliche Mail -----
Von: "Saku Ytti" <saku at ytti.fi>
An: "Rolf Hanßen" <nsp at rhanssen.de>
CC: "juniper-nsp" <juniper-nsp at puck.nether.net>
Gesendet: Freitag, 5. Mai 2017 12:07:59
Betreff: Re: [j-nsp] reinject traffic from DDoS filtering device

On 5 May 2017 at 12:55, "Rolf Hanßen" <nsp at rhanssen.de> wrote:
> How would I do that redirection with flowspec?

Build filter which matches traffic you want to scrub, tell flow-spec
to redirect matching traffic to desired IP.

-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list