[j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

Mark Tinka mark at tinka.africa
Wed Apr 3 02:36:32 EDT 2024
On 4/3/24 08:07, Saku Ytti via juniper-nsp wrote:

> If I understand you correctly, the problem is not that you can't copy
> direct into CleanVRF, the problem is that ScrubberPE that does clean
> lookup in CleanVRF, has label stack of [EgressPE TableLabel],
> instead of [EgressPE EgressCE], this causes the EgressPE to do IP
> lookup, which will then see the Direct/32 advertised by the scrubber,
> causing loop. While what you want is end-to-end MPLS lookup, so that
> egressPE MPLS lookup has egressMAC.
>
> I believe in BGP-LU you could fix this, without actually paying for
> duplicate RIB/FIB and without opportunistically copying routes to
> CleanVRF, every prefix would be scrubbable by default. You'd have
> per-ce for rest, but per-prefix for connected routes, I believe then
> you would have [EgressPE EgressMAC_CE] label for connected routes, so
> each host route would have their own label, allowing mac rewrite
> without additional local IP lookup.
>
> I'm not sure if this is the only way, I'm not sure if there would be a
> way in CleanVRF to force each direct/32 to have a label as well,
> avoiding the egress IP lookup loops. One doesn't immediately spring to
> mind, but technically implementation could certainly allow such mode.

At my old job, we managed to do this with a virtual-router VRF that carried 
traffic between the scrubbing PE and the egress PE via MPLS, to avoid 
the IP loop.

It was quite an involved configuration, but it actually worked. It sort 
of mimicked the ability of the scrubbing device being able to 
participate in your IGP (which is something I wanted but the scrubbing 
vendor was not keen to support).

Mark.
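The forwarding behaviour Saku describes above, modelled as an added toy example (not code from either poster or from any vendor): with a per-VRF table label, EgressPE's IP lookup in CleanVRF longest-prefix-matches the Direct/32 the scrubber advertises and hands the clean traffic straight back to ScrubberPE; with a per-prefix label the bottom label maps directly to the CE MAC and no IP lookup happens. All labels, addresses and MACs are constructed.

```python
import ipaddress

# Constructed values: none of these labels, addresses or MACs come from the thread.
TRANSPORT = 1000                    # LDP/RSVP transport label that reaches EgressPE
TABLE_LABEL = 16                    # EgressPE's per-VRF table label for CleanVRF
PER_PREFIX_LABEL = 300001           # label EgressPE would allocate for the host route
HOST = "192.0.2.10"                 # the Direct/32 behind EgressCE
CE_MAC = "00:00:5e:00:53:01"        # EgressCE's MAC, learnt by EgressPE via ARP

class EgressPE:
    def __init__(self, host_has_own_label, scrubber_advertises_host):
        # MPLS table: bottom (VPN) label -> action taken at EgressPE.
        self.mpls = {TABLE_LABEL: ("ip-lookup", None)}
        if host_has_own_label:
            self.mpls[PER_PREFIX_LABEL] = ("mac-rewrite", CE_MAC)
        # CleanVRF IP table: the connected /24 resolves to the CE directly, but a
        # scrubber that advertises the Direct/32 wins longest-prefix match.
        self.clean_vrf = {ipaddress.ip_network("192.0.2.0/24"): ("connected", CE_MAC)}
        if scrubber_advertises_host:
            self.clean_vrf[ipaddress.ip_network(HOST + "/32")] = ("bgp", "ScrubberPE")

    def ip_lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.clean_vrf if addr in n), key=lambda n: n.prefixlen)
        return self.clean_vrf[best]

    def forward(self, stack, dst):
        """Receive [TRANSPORT, vpn_label]; pop transport, act on the VPN label."""
        action, mac = self.mpls[stack[1]]
        if action == "mac-rewrite":        # end-to-end MPLS: no IP lookup needed
            return ("delivered", mac)
        kind, nh = self.ip_lookup(dst)     # table label forces an IP lookup
        return ("delivered", nh) if kind == "connected" else ("to", nh)

def clean_path(pe, vpn_label, max_hops=8):
    """Follow clean traffic that ScrubberPE sends as [TRANSPORT, vpn_label] to HOST."""
    for hop in range(1, max_hops + 1):
        outcome, where = pe.forward([TRANSPORT, vpn_label], HOST)
        if outcome == "delivered":
            return f"delivered to {where} after {hop} hop(s)"
        # Sent back to ScrubberPE, which re-imposes the same stack: try again.
    return "loop"

if __name__ == "__main__":
    print(clean_path(EgressPE(False, True), TABLE_LABEL))          # loop
    print(clean_path(EgressPE(False, False), TABLE_LABEL))         # delivered (no diversion)
    print(clean_path(EgressPE(True, True), PER_PREFIX_LABEL))      # delivered
```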
