[j-nsp] Firewall filter rule based on external reachability of server

Andrew Hoyos hoyosa at gmail.com
Wed Mar 29 16:45:35 EDT 2023


We’ve had similar instances of where we’ve needed to accomplish the same effect.

Creating a "DDOS-Scrub" routing instance and using your firewall rule to punt that traffic to the routing instance will give you more flexibility.
You could then use RPM to check ping to 0/0 next-hop (your mitigation device), and if that fails, fall back to a lower cost LT interface to main table.


> On Mar 29, 2023, at 2:15 PM, Matthew Crocker via juniper-nsp <juniper-nsp at puck.nether.net> wrote:
> 
> 
> Hello,
> 
> I have a filter setup:
> 
> term DDOS {
>    from {
>        destination-prefix-list {
>            DDOS-Customers;
>        }
>    }
>    then {
>        count DDOS;
>        next-ip 192.168.126.2/32;
>    }
> }
> 
> The 192.168.126.2 IP is the DDOS mitigation device.   Is there a way I can setup the router to ping the 192.168.126.2 address, set a ‘reachable variable’ and then use that variable in the filter.   So if the device goes down the filter term is bypassed and traffic flows to the customer bypassing the DDOS mitigation machine.
> 
> 
> 
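An added Junos configuration sketch of the design described in the reply above (not the poster's own config, and not tested on any particular release): the filter sends DDOS-Customers traffic into a DDOS-Scrub virtual-router, the instance's default route points at the mitigation device, an RPM probe sourced from inside the instance pings 192.168.126.2, and an ip-monitoring policy reacts to probe failure by installing a more-preferred 0/0 through an lt tunnel back into inet.0. Everything other than the prefix list, the counter name and 192.168.126.2 is assumed: the INGRESS filter name, the 10.255.255.0/31 lt addressing, ge-0/0/1.0 as the interface facing the scrubber, and the probe/policy names.

```junos
/* Ingress filter: punt scrub candidates into the instance instead of next-ip. */
firewall {
    family inet {
        filter INGRESS {
            term DDOS {
                from {
                    destination-prefix-list {
                        DDOS-Customers;
                    }
                }
                then {
                    count DDOS;
                    routing-instance DDOS-Scrub;
                }
            }
            term ALLOW {
                then accept;
            }
        }
    }
}
/* lt pair joining DDOS-Scrub (unit 1) to inet.0 (unit 2); addressing assumed.
   On MX, tunnel-services must be enabled on the FPC/PIC for lt- to exist. */
interfaces {
    lt-0/0/0 {
        unit 1 {
            encapsulation ethernet;
            peer-unit 2;
            family inet {
                address 10.255.255.0/31;
            }
        }
        unit 2 {
            encapsulation ethernet;
            peer-unit 1;
            family inet {
                address 10.255.255.1/31;
            }
        }
    }
}
/* Scrub instance: normal path is the static 0/0 (preference 5) to the scrubber.
   ge-0/0/1.0 is a placeholder for the interface facing 192.168.126.2. */
routing-instances {
    DDOS-Scrub {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        interface lt-0/0/0.1;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.126.2;
            }
        }
    }
}
services {
    /* ICMP probe of the mitigation device, run from inside the instance. */
    rpm {
        probe SCRUB-PROBE {
            test SCRUB-NH {
                target address 192.168.126.2;
                routing-instance DDOS-Scrub;
                probe-count 3;
                probe-interval 2;
                thresholds {
                    successive-loss 3;
                }
            }
        }
    }
    /* On probe failure, install 0/0 via the lt peer in inet.0 with
       preference 1, which beats the static route to the scrubber. */
    ip-monitoring {
        policy SCRUB-FALLBACK {
            match {
                rpm-probe SCRUB-PROBE;
            }
            then {
                preferred-route {
                    routing-instances DDOS-Scrub {
                        route 0.0.0.0/0 {
                            next-hop 10.255.255.1;
                            preferred-metric 1;
                        }
                    }
                }
            }
        }
    }
}
```

Two things to check before relying on it: confirm that ip-monitoring is supported on the platform and release in use (`show services ip-monitoring status` and `show route table DDOS-Scrub.inet.0` show which 0/0 is active), and apply the INGRESS filter only to external-facing interfaces, so traffic that falls back through lt-0/0/0.2 into inet.0 is not matched by the DDOS term a second time. The return path from the mitigation device to the customer is not part of this fragment.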



More information about the juniper-nsp mailing list