[j-nsp] reinject traffic from DDoS filtering device

Dragan Jovicic draganj84 at gmail.com
Fri May 5 08:16:25 EDT 2017


>
> If the scrubber system fails, redirected traffic will be dropped (we are
> aware of this).
>
> It may sound insufficient to you, but keeping the setup as easy as
> possible is a main goal here, scaling to dozens of routers does not
> matter.
>

The reason why you put traffic in an L3VPN is that it gives you lots of
flexibility. So you can redirect traffic locally, but still have the option to
fail over to a remote scrubber. And the design is not any more complicated
compared to what you want. But I respect your opinion.
The power of flowspec is that it gives you lots of flexibility in what you
want to redirect, not just the destination address; it's effectively a firewall
filter pushed over BGP from a single device. So the question is whether you need all
that.

+Dragan


On Fri, May 5, 2017 at 2:07 PM, Saku Ytti <saku at ytti.fi> wrote:

> Looks roughly right. Of course you'll need BGP AFI/SAFI for the
> flowspec and VRF.  And only the scrubber devices need the default
> route to scrubber, other edge device VRFs wouldn't have the static
> route, nor any interface.
> A more complete example should separate devices with a scrubber and with
> customers, as they'll have different config. But if you indeed always
> have the scrubber in the same device, then your PBR idea is justifiable (will
> it also stay like this forever?).
>
> I'd personally do DCU not flowspec, but either will work.
>
> On 5 May 2017 at 14:45, Alexander Dube <nsp at layerwerks.net> wrote:
> > Hi,
> >
> > let's check if I understand it the right way:
> >
> > # define group id on transit interfaces; let's assume it's a local loop from vlan 1 through the scrubbing device back into vlan 2
> > set interfaces xe-0/0/11.0 family inet filter group 1
> > set interfaces xe-0/0/22.0 family inet filter group 1
> > set routing-options flow interface-group 1
> >
> >
> > # interfaces where the scrubbing device is connected to
> > set interfaces xe-0/0/0.0 family inet address 10.0.0.1/30  # interface inside of SCRUBCENTER vrf for dirty traffic
> > set interfaces xe-0/0/1.0 family inet address 10.0.0.2/30  # interface inside of master instance inet.0 for cleaned traffic
> >
> >
> > # setup scrub route for 123.123.123.123/32
> > set routing-options flow route scrub-123.123.123.123 match destination 123.123.123.123/32
> > set routing-options flow route scrub-123.123.123.123 then routing-instance SCRUBCENTER
> >
> > # vrf for dirty traffic
> > set routing-instances SCRUBCENTER instance-type vrf
> > set routing-instances SCRUBCENTER interface xe-0/0/0.0
> > set routing-instances SCRUBCENTER route-distinguisher 1234:5000
> > set routing-instances SCRUBCENTER vrf-target target:1234:5000
> > set routing-instances SCRUBCENTER vrf-table-label
> > set routing-instances SCRUBCENTER routing-options static route 0.0.0.0/0 next-hop 10.0.0.2
> >
> >
> > This configuration would redirect all traffic on interfaces xe-0/0/11 and
> > xe-0/0/22 destined to 123.123.123.123/32 into the routing instance
> > SCRUBCENTER. The VRF forwards the traffic through the scrubbing device and
> > gets it back cleaned on interface xe-0/0/1 inside the master
> > instance.
> >
> >
> >
> > Regards
> > Alex
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Saku Ytti" <saku at ytti.fi>
> > To: "Rolf Hanßen" <nsp at rhanssen.de>
> > CC: "juniper-nsp" <juniper-nsp at puck.nether.net>
> > Sent: Friday, 5 May 2017 12:07:59
> > Subject: Re: [j-nsp] reinject traffic from DDoS filtering device
> >
> > On 5 May 2017 at 12:55, "Rolf Hanßen" <nsp at rhanssen.de> wrote:
> >> How would I do that redirection with flowspec?
> >
> > Build filter which matches traffic you want to scrub, tell flow-spec
> > to redirect matching traffic to desired IP.
> >
> > --
> >   ++ytti
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
>   ++ytti
>
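As an added illustration (not code from the thread or from Junos), a small Python model of the redirect logic Alex described: flowspec routes applied to interface-group members steer matching packets into the SCRUBCENTER VRF, whose default route resolves to the scrubber next-hop. It also models Dragan's point that an L3VPN design can fail over to a remote scrubber, and the fail-closed behaviour when no scrubber is reachable; the remote scrubber address 10.9.9.2 and all class and helper names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FlowRoute:
    # One flowspec route: "match destination ... then routing-instance VRF"
    name: str
    dst: str                       # destination prefix to match
    proto: Optional[int] = None    # flowspec can also match protocol/port, not just dst
    dport: Optional[int] = None
    vrf: str = "SCRUBCENTER"

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        return self.dport is None or pkt.get("dport") == self.dport

@dataclass
class Scrubber:
    name: str
    next_hop: str          # next-hop of the VRF's 0.0.0.0/0 static route
    healthy: bool = True

@dataclass
class Router:
    interface_group: set   # interfaces configured with "family inet filter group 1"
    flow_routes: list
    scrubbers: list = field(default_factory=list)  # preference order: local, then remote

    def forward(self, ingress: str, pkt: dict) -> str:
        # Flowspec filters are only installed on interfaces in the interface-group.
        if ingress not in self.interface_group:
            return "inet.0"
        route = next((r for r in self.flow_routes if r.matches(pkt)), None)
        if route is None:
            return "inet.0"
        # Inside the VRF the default route resolves to the first usable scrubber.
        for s in self.scrubbers:
            if s.healthy:
                return f"{route.vrf} -> {s.name} via {s.next_hop}"
        # No usable next-hop: redirected traffic is black-holed (fail-closed).
        return f"{route.vrf} -> DROP"

def build_router(local_healthy: bool = True, remote_scrubber: bool = False) -> Router:
    # Thread's setup; remote_scrubber=True adds the L3VPN-style failover hop (assumed 10.9.9.2).
    scrubbers = [Scrubber("local", "10.0.0.2", local_healthy)]
    if remote_scrubber:
        scrubbers.append(Scrubber("remote", "10.9.9.2"))
    return Router({"xe-0/0/11.0", "xe-0/0/22.0"},
                  [FlowRoute("scrub-123.123.123.123", "123.123.123.123/32")], scrubbers)
```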

