[j-nsp] dsc interface on qfx5100

Niall Donaghy niall.donaghy at geant.org
Fri Oct 12 09:07:06 EDT 2018


Hi Jason,

Yes we (large ISP) tried using dsc interfaces (MX series) to count RTBH
traffic and found, 1) they don't count, and 2) IPv6 is unsupported for dsc.
As with many Junos features, there is not parity between IPv4 and IPv6.
That alone bugged us, but especially as the counters did not work, we
abandoned dsc and just made the IPv4 RTBH sink a discard route:

#
# Adjust to suit for VRFs / redistribute to your VRFs
#
set routing-options static route 192.0.2.101/32 discard
set routing-options static route 192.0.2.101/32 no-readvertise
set routing-options rib inet6.0 static route 0100::/64 discard
set routing-options rib inet6.0 static route 0100::/64 no-readvertise

So at the moment, you've got a dsc.0 which is about as useful as static
discard.

If anyone has gotten dsc counting with IPv4, and/or if things have changed
and IPv6 is supported, I'm curious to know.
Right now we're on 15.1F6-S10.4 targeting 17.4R2.4 for our next upgrade -
retesting dsc functionality is somewhat lower than low priority.

Br,
Niall
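Since the thread's conclusion is that dsc.0 drops but does not count, the added example below (not from either message; interface name xe-0/0/0, filter and prefix-list names, and the host 10.0.32.64/32 are assumptions) shows the usual workaround: keep the static discard routes, and get the packet and byte counts from an ingress firewall filter that matches the blackholed destinations before the route drops them. Ingress counting is what the original post's comment "Not supported on egress on this platform" already points at.

```junos
#
# Added example, not configuration from the thread. Assumes the
# blackholed host 10.0.32.64/32 and ingress interface xe-0/0/0.
#

# 1. RTBH sink for BGP-learnt blackholes: the BGP next-hop 192.0.2.101
#    resolves to this discard route (same as the reply above).
set routing-options static route 192.0.2.101/32 discard
set routing-options static route 192.0.2.101/32 no-readvertise

# 2. A statically blackholed host can simply be a discard route itself.
set routing-options static route 10.0.32.64/32 discard
set routing-options static route 10.0.32.64/32 no-readvertise

# 3. Keep the blackholed destinations in a prefix-list so the filter
#    and the routes are maintained in one place.
set policy-options prefix-list blackhole-v4 10.0.32.64/32

# 4. Count on ingress, where counters work on this platform, and let the
#    route do the actual drop. The term accepts so the route lookup still
#    decides the fate of the packet; change "accept" to "discard" if you
#    want the filter to drop without depending on the route.
set firewall family inet filter count-blackhole-v4 term blackholed from destination-prefix-list blackhole-v4
set firewall family inet filter count-blackhole-v4 term blackholed then count blackhole-v4
set firewall family inet filter count-blackhole-v4 term blackholed then accept
set firewall family inet filter count-blackhole-v4 term everything-else then accept

# 5. Apply on every interface where the traffic can enter; a filter on
#    a subset of interfaces only counts that subset.
set interfaces xe-0/0/0 unit 0 family inet filter input count-blackhole-v4
```

Check it with `show route 10.0.32.64` (the route should show a Discard next-hop) and `show firewall filter count-blackhole-v4`; the `blackhole-v4` counter should now move while the dsc counters in the original post stay at zero. The caveat is that the prefix-list has to be updated together with the routes, and that this covers only IPv4; as both messages note, IPv6 counting on dsc is unsupported and IPv6 counters on the QFX5100 are doubtful, so test an inet6 copy of the filter before trusting it.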

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
Jason Healy
Sent: 12 October 2018 02:37
To: juniper-nsp <juniper-nsp at puck.nether.net>
Subject: [j-nsp] dsc interface on qfx5100

I'm more of a layer-2 guy, but I'm trying to tighten up a few things on our
qfx5100 that acts as our l3 core here at our campus.  We use RFC1918 space
internally, but I'd like to discard any traffic to these ranges if they
aren't one of our known subnets.  I have that working with standard
"discard" routes.

I've seen some best-practice documents where you can set up the discard
(dsc) interface to blackhole traffic, rather than using a direct "discard"
route.  I thought it might be nice to use that so I could analyze the stuff
that's getting discarded (count packets, maybe even mirror or analyze the
traffic).

TL;DR: I got dsc working and it is discarding, but the counters aren't
incrementing.  I need to know if I'm doing it wrong or if this is a
"feature" of the qfx5100 similar to its inability to count ipv6 packets...

I've created the interface and assigned an IP with a "destination" I can
route to, and a filter to count packets:

dsc {
    unit 0 {
        family inet {
            filter {
                output sa-discard-v4;
            }
            address 10.255.254.2/32 {
                destination 10.255.254.1;
            }
        }
    }
}


The filter just counts:

filter sa-discard-v4 {
    term default-discard {
        then {
            count discard-v4-default;
            /* Not supported on egress on this platform */
            inactive: log;
        }
    }
}


And I've added some rules to discard the traffic:

[edit routing-options rib inet.0 static]
+     route 10.0.32.64/32 next-hop 10.255.254.1;


That's a live IP on my network, and I've confirmed that traffic is discarded
with that route active.  Alas, the counters on the interface don't budge:

qfx> show interfaces dsc
Physical interface: dsc, Enabled, Physical link is Up
  Interface index: 5, SNMP ifIndex: 5
  Type: Software-Pseudo, MTU: Unlimited
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps
  Link flags     : None
  Last flapped   : Never
    Input packets : 0
    Output packets: 0

  Logical interface dsc.0 (Index 548) (SNMP ifIndex 709)
    Flags: Down Point-To-Point SNMP-Traps Encapsulation: Unspecified
    Protocol inet, MTU: Unlimited
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.255.254.1, Local: 10.255.254.2


Nor do the firewall counters:

qfx> show firewall filter sa-discard-v4 counter discard-v4-default

Filter: sa-discard-v4
Counters:
Name                                                Bytes              Packets
discard-v4-default                                      0                    0



Has anyone set this up with static routing?  All the examples use BGP, but I
can't imagine why that would make a difference for the reporting if the
traffic is correctly discarded.

Thanks,

Jason
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
