[j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

Saku Ytti saku at ytti.fi
Wed Apr 3 02:57:54 EDT 2024


On Wed, 3 Apr 2024 at 09:45, Saku Ytti <saku at ytti.fi> wrote:

> Actually I think I'm confused. I think it will just work. Because even
> as the EgressPE does IP lookup due to table-label, the IP lookup still
> points to egressMAC, instead of looping back, because it's doing it in
> the CleanVRF.
> So I think it just works.

> routing-options {
>   interface-routes {
>     rib-groups {
>       cleanVRF {
>         import-rib [ inet.0 cleanVRF.inet.0 ];
>         import-policy cleanVRF:EXPORT;
>  }}}}

This isn't exactly correct. You need to put the cleanVRF in
interface-routes and close it.

Anyhow I'm 90% sure this will just work and pretty sure I've done it.
The confusion I had was about the scrubbing route that on the
clean-side is already host/32. For this, I can't figure out a cleanVRF
solution, but a BGP-LU solution exists even for this problem.


-- 
  ++ytti
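
An added illustration, not part of the original message: one reading of the correction above in standard Junos syntax, with the rib-group defined under `routing-options rib-groups` and referenced from `interface-routes`. The `inet` family on the `rib-group` statement is an assumption; the rib-group name, import-rib list and policy name are taken from the quoted snippet.

```junos
routing-options {
    /* Reference the rib-group from interface-routes, then close the stanza */
    interface-routes {
        rib-group inet cleanVRF;    /* assumption: IPv4 family */
    }
    /* Define the rib-group itself at the routing-options level */
    rib-groups {
        cleanVRF {
            /* First table is the primary RIB; routes are copied into the second */
            import-rib [ inet.0 cleanVRF.inet.0 ];
            /* Policy limits which interface routes leak into cleanVRF.inet.0 */
            import-policy cleanVRF:EXPORT;
        }
    }
}
```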

