[j-nsp] L3VPNs and on-prem DDoS scrubbing architecture
Saku Ytti
saku at ytti.fi
Wed Apr 3 02:45:54 EDT 2024
On Wed, 3 Apr 2024 at 09:37, Mark Tinka via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:
> At old job, we managed to do this with a virtual-router VRF that carried
> traffic between the scrubbing PE and the egress PE via MPLS, to avoid
> the IP loop.
Actually I think I'm confused. I think it will just work. Because even
as the EgressPE does an IP lookup due to the table-label, the IP lookup
still points to the egress MAC instead of looping back, because it's
doing it in the CleanVRF.
So I think it just works.
So the OP just needs to copy the direct route as-is, not as a host /32,
into cleanVRF, with something like this:
routing-options {
    interface-routes {
        /* interface routes from the main instance go through the rib-group */
        rib-group inet cleanVRF;
    }
    rib-groups {
        cleanVRF {
            import-rib [ inet.0 cleanVRF.inet.0 ];
            import-policy cleanVRF:EXPORT;
        }
    }
}
Now cleanVRF.inet.0 has the connected TableLabel, and as the lookup is
done in cleanVRF, without the Scrubber /32 route, it'll be sent to the
correct egress CE, despite doing an egress IP lookup.
--
++ytti
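Putting the pieces together, as an added example that is not from the thread: a Junos fragment for the egress PE with the rib-group, a cleanVRF:EXPORT policy that leaks only the customer-facing direct route into cleanVRF (so the route toward the scrubber never lands there), and the VRF itself with vrf-table-label so the clean traffic gets its IP lookup in cleanVRF. The interface name, route-distinguisher and route-target are assumed values.

```junos
routing-options {
    interface-routes {
        /* leak interface routes from inet.0 through the cleanVRF rib-group */
        rib-group inet cleanVRF;
    }
    rib-groups {
        cleanVRF {
            import-rib [ inet.0 cleanVRF.inet.0 ];
            import-policy cleanVRF:EXPORT;
        }
    }
}
policy-options {
    policy-statement cleanVRF:EXPORT {
        /* only the customer-facing direct (connected) route, not a /32 */
        term customer-direct {
            from {
                protocol direct;
                interface ge-0/0/1.0;    /* assumed customer-facing interface */
            }
            then accept;
        }
        /* everything else, including the scrubber path, stays out of cleanVRF */
        term deny-rest {
            then reject;
        }
    }
}
routing-instances {
    cleanVRF {
        instance-type vrf;
        route-distinguisher 65000:100;    /* assumed value */
        vrf-target target:65000:100;      /* assumed value */
        /* table-label: scrubbed traffic arriving on it is IP-looked-up in cleanVRF.inet.0 */
        vrf-table-label;
    }
}
```

With this, the only route in cleanVRF.inet.0 covering the customer prefix is the leaked connected route, so the egress lookup resolves to the CE's next-hop rather than back toward the scrubber; `show route table cleanVRF.inet.0` is the place to confirm no scrubber /32 crept in.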