[j-nsp] reinject traffic from DDoS filtering device

Saku Ytti saku at ytti.fi
Fri May 5 08:07:18 EDT 2017


Looks roughly right. Of course you'll need the BGP AFI/SAFI for the
flowspec and the VRF.  And only the scrubber devices need the default
route to the scrubber; other edge device VRFs wouldn't have the static
route, nor any interface.
A more complete example should separate devices with a scrubber from
devices with customers, as they'll have different config. But if you
indeed always have the scrubber in the same device, then your PBR idea
is justifiable (will it also stay like this forever?).

I'd personally do DCU not flowspec, but either will work.

On 5 May 2017 at 14:45, Alexander Dube <nsp at layerwerks.net> wrote:
> Hi,
>
> let's check if I understand it the right way:
>
> # define a filter group on the transit interfaces; let's assume it's a local loop from VLAN 1 through the scrubbing device back into VLAN 2
> set interfaces xe-0/0/11 unit 0 family inet filter group 1
> set interfaces xe-0/0/22 unit 0 family inet filter group 1
> set routing-options flow interface-group 1
>
>
> # interfaces where the scrubbing device is connected to
> set interfaces xe-0/0/0 unit 0 family inet address 10.0.0.1/30  # interface inside of SCRUBCENTER vrf for dirty traffic
> set interfaces xe-0/0/1 unit 0 family inet address 10.0.0.2/30  # interface inside of master instance inet.0 for cleaned traffic
>
>
> # setup scrub route for 123.123.123.123/32
> set routing-options flow route scrub-123.123.123.123 match destination 123.123.123.123/32
> set routing-options flow route scrub-123.123.123.123 then routing-instance SCRUBCENTER
>
> # vrf for dirty traffic (name must match the flow route's routing-instance action above)
> set routing-instances SCRUBCENTER instance-type vrf
> set routing-instances SCRUBCENTER interface xe-0/0/0.0
> set routing-instances SCRUBCENTER route-distinguisher 1234:5000
> set routing-instances SCRUBCENTER vrf-target target:1234:5000
> set routing-instances SCRUBCENTER vrf-table-label
> # 10.0.0.2 resolves in SCRUBCENTER.inet.0 via the directly connected 10.0.0.0/30 on xe-0/0/0.0, i.e. toward the scrubber's dirty side
> set routing-instances SCRUBCENTER routing-options static route 0.0.0.0/0 next-hop 10.0.0.2
>
>
> This configuration would redirect all traffic on interfaces xe-0/0/11 and xe-0/0/22 destined to 123.123.123.123/32 into the routing instance SCRUBCENTER. The VRF forwards the traffic through the scrubbing device and will get it back cleaned on interface xe-0/0/1 inside of the master instance.
>
>
>
> Regards
> Alex
>
>
>
>
>
> ----- Original Message -----
> From: "Saku Ytti" <saku at ytti.fi>
> To: "Rolf Hanßen" <nsp at rhanssen.de>
> CC: "juniper-nsp" <juniper-nsp at puck.nether.net>
> Sent: Friday, 5 May 2017 12:07:59
> Subject: Re: [j-nsp] reinject traffic from DDoS filtering device
>
> On 5 May 2017 at 12:55, "Rolf Hanßen" <nsp at rhanssen.de> wrote:
>> How would I do that redirection with flowspec?
>
> Build filter which matches traffic you want to scrub, tell flow-spec
> to redirect matching traffic to desired IP.
>
> --
>   ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti
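The split Saku describes (scrubber-attached PE versus customer-facing PE, plus the BGP address families both need) as an added example; this is not configuration from the thread or from Juniper, it reuses Alex's names (SCRUBCENTER, target:1234:5000, filter group 1) and assumes a loopback 192.0.2.1/192.0.2.2 iBGP pair, the group name IBGP, the RD 1234:5001 on the edge, and an existing MPLS LSP between the two PEs so the inet-vpn default can be resolved:

```junos
## Both PEs: iBGP session carrying the VRF routes and the flowspec rules.
## inet-vpn unicast distributes the SCRUBCENTER default route, inet flow the redirect.
set protocols bgp group IBGP type internal
set protocols bgp group IBGP local-address 192.0.2.1
set protocols bgp group IBGP family inet unicast
set protocols bgp group IBGP family inet-vpn unicast
set protocols bgp group IBGP family inet flow
set protocols bgp group IBGP neighbor 192.0.2.2

## Scrubber-attached PE only: the VRF with the dirty-side interface and the static
## default toward the scrubber, exactly as in Alex's config.  The static is exported
## into inet-vpn with target:1234:5000 because it sits in the VRF.
set routing-instances SCRUBCENTER instance-type vrf
set routing-instances SCRUBCENTER interface xe-0/0/0.0
set routing-instances SCRUBCENTER route-distinguisher 1234:5000
set routing-instances SCRUBCENTER vrf-target target:1234:5000
set routing-instances SCRUBCENTER vrf-table-label
set routing-instances SCRUBCENTER routing-options static route 0.0.0.0/0 next-hop 10.0.0.2
## The flow route is configured here and advertised to every inet-flow peer.
set routing-options flow route scrub-123.123.123.123 match destination 123.123.123.123/32
set routing-options flow route scrub-123.123.123.123 then routing-instance SCRUBCENTER

## Customer-facing edge PE only: the same VRF name and import target, but no interface
## and no static route.  Its only content is the 0.0.0.0/0 learned over inet-vpn from
## the scrubber PE, so redirected packets are tunnelled there over MPLS.
set routing-instances SCRUBCENTER instance-type vrf
set routing-instances SCRUBCENTER route-distinguisher 1234:5001
set routing-instances SCRUBCENTER vrf-target target:1234:5000
## Customer/transit ports that may carry attack traffic toward the victim.
set interfaces xe-0/0/11 unit 0 family inet filter group 1
set routing-options flow interface-group 1
```

Two caveats worth checking when bringing this up: the edge PE only acts on the received flow route if it passes flowspec validation against the unicast best match for 123.123.123.123/32, so on a box that fails that check you need `family inet flow no-validate <policy>` on the BGP group; and the clean-side interface (xe-0/0/1.0 on the scrubber PE) must not be in the filter group, otherwise re-injected traffic is redirected back into the VRF and loops through the scrubber.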


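Saku's preference for DCU (destination-class usage) over flowspec, as an added example of what that alternative looks like on a single box with the scrubber attached; this is not configuration from the thread or from Juniper. It keeps Alex's interface names and the SCRUBCENTER VRF, and the policy name DCU-SCRUB, the filter name DIRTY-IN and the class name `scrub` are assumed. In practice the victim prefix would be learned via BGP and matched on a community rather than with a static route-filter:

```junos
## 1. Tag the route to the victim with destination class "scrub" in the forwarding table.
##    A route-filter keeps the example self-contained; a BGP community match is the usual trigger.
set policy-options policy-statement DCU-SCRUB term victim from route-filter 123.123.123.123/32 exact
set policy-options policy-statement DCU-SCRUB term victim then destination-class scrub
set routing-options forwarding-table export DCU-SCRUB

## 2. Input filter: packets whose destination lookup hits class "scrub" are pushed into
##    the SCRUBCENTER VRF (whose 0.0.0.0/0 points at the scrubber); everything else stays in inet.0.
set firewall family inet filter DIRTY-IN term to-scrubber from destination-class scrub
set firewall family inet filter DIRTY-IN term to-scrubber then routing-instance SCRUBCENTER
set firewall family inet filter DIRTY-IN term rest then accept

## 3. Apply on the transit interfaces.  DCU accounting must be enabled on the interface
##    for the destination-class match to take effect.
set interfaces xe-0/0/11 unit 0 family inet accounting destination-class-usage
set interfaces xe-0/0/11 unit 0 family inet filter input DIRTY-IN
set interfaces xe-0/0/22 unit 0 family inet accounting destination-class-usage
set interfaces xe-0/0/22 unit 0 family inet filter input DIRTY-IN

## The clean-side port (xe-0/0/1.0 in inet.0) deliberately carries no DIRTY-IN filter,
## so re-injected traffic is forwarded normally instead of being diverted a second time.
```

Compared with the flowspec route, the diversion decision here is driven by the unicast RIB (whatever carries the /32 with the right community or, as above, the route-filter), which is why no separate flow AFI/SAFI is needed on the BGP session; the VRF, its static default and the dirty/clean interfaces are the same as in Alex's config.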