[j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

Saku Ytti saku at ytti.fi
Wed Apr 3 02:45:54 EDT 2024


On Wed, 3 Apr 2024 at 09:37, Mark Tinka via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:

> At old job, we managed to do this with a virtual-router VRF that carried
> traffic between the scrubbing PE and the egress PE via MPLS, to avoid
> the IP loop.

Actually I think I'm confused. I think it will just work. Because even
as the EgressPE does an IP lookup due to table-label, the IP lookup still
points to the egressMAC, instead of looping back, because it's doing it in
the CleanVRF.
So I think it just works.

So OP just needs to copy the direct route as-is, not as a host /32, into
cleanVRF, with something like this:

routing-options {
    interface-routes {
        /* copy connected (direct) routes from inet.0 into the rib-group */
        rib-group inet cleanVRF;
    }
    rib-groups {
        cleanVRF {
            import-rib [ inet.0 cleanVRF.inet.0 ];
            import-policy cleanVRF:EXPORT;
        }
    }
}

Now cleanVRF.inet.0 has the connected TableLabel, and as the lookup is
done in the cleanVRF, without the Scrubber/32 route, it'll be sent to
the correct egress CE, despite doing the egress IP lookup.
-- 
  ++ytti
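As an added illustration, not part of Saku's mail or of Junos itself, the following Python model of the egress PE's two lookups shows why the rib-group must copy the connected route as-is rather than the scrubber host route. Every table, address and interface name in it is constructed for the example.

```python
import ipaddress

# Constructed forwarding tables for the egress PE. A next hop of
# "scrubber" hairpins the packet to the scrubbing PE; "ce:..." is the
# directly connected customer-facing interface.
VICTIM = "192.0.2.10"
CE = "ce:ge-0/0/0.0"
INET0 = {"192.0.2.0/24": CE, "192.0.2.10/32": "scrubber"}  # /32 diverts dirty traffic

# Broken: the scrubber /32 also ended up in cleanVRF, so the table-label
# lookup on cleaned traffic matches it again.
LOOPING_TABLES = {"inet.0": INET0,
                  "cleanVRF.inet.0": {"192.0.2.0/24": CE, "192.0.2.10/32": "scrubber"}}
# Working: only the connected route was copied via the rib-group.
WORKING_TABLES = {"inet.0": INET0,
                  "cleanVRF.inet.0": {"192.0.2.0/24": CE}}


def lpm(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(dst, rib, tables):
    """Follow dst through the tables until it exits toward a CE, is
    discarded, or revisits a (table, next-hop) pair (a forwarding loop).
    Returns the list of (table, next_hop) hops taken."""
    path = []
    while True:
        hit = lpm(tables[rib], dst)
        nh = hit[1] if hit else "discard"
        if (rib, nh) in path:
            path.append((rib, "LOOP"))
            return path
        path.append((rib, nh))
        if nh == "scrubber":
            # Cleaned traffic returns over MPLS; with table-label the egress
            # PE pops the label and does an IP lookup in cleanVRF.inet.0.
            rib = "cleanVRF.inet.0"
        else:
            return path


if __name__ == "__main__":
    print("looping:", forward(VICTIM, "inet.0", LOOPING_TABLES))
    print("working:", forward(VICTIM, "inet.0", WORKING_TABLES))
```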
