[j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

Michael Hare michael.hare at wisc.edu
Wed Apr 3 10:03:51 EDT 2024


Saku, Mark-

Thanks for the responses.  Unless I'm mistaken, short of specifying a selective import policy, I think I'm already doing what Saku suggests, see relevant config snippet below.  Our clean VRF is L3VPN-4205.  But after I saw the lack of mac based next hops I started searching to see if there was a protocol other than direct that I wasn't aware of.  I intend to take a look at Alexandre's workaround to understand/test, just haven't gotten there yet.

I was able to get FBF via dirtyVRF working quickly in the meantime while I figure out how to salvage the longest-prefix approach.

-Michael

==/==

@ # show routing-options | display inheritance no-comments
...
interface-routes {
    rib-group {
        inet rib-interface-routes-v4;
        inet6 rib-interface-routes-v6;
    }
}
rib-groups {
    rib-interface-routes-v4 {
        import-rib [ inet.0 L3VPN-4205.inet.0 ];
    }
...
    rib-interface-routes-v6 {
        import-rib [ inet6.0 L3VPN-4205.inet6.0 ];
    }
...
}

> -----Original Message-----
> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> On Behalf Of
> Saku Ytti via juniper-nsp
> Sent: Wednesday, April 3, 2024 1:58 AM
> To: Mark Tinka <mark at tinka.africa>
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture
> 
> On Wed, 3 Apr 2024 at 09:45, Saku Ytti <saku at ytti.fi> wrote:
> 
> > Actually I think I'm confused. I think it will just work. Because even
> > as the EgressPE does IP lookup due to table-label, the IP lookup still
> > points to egressMAC, instead looping back, because it's doing it in
> > the CleanVRF.
> > So I think it just works.
> 
> > routing-options {
> >   interface-routes {
> >     rib-groups {
> >       cleanVRF {
> >         import-rib [ inet.0 cleanVRF.inet.0 ];
> >         import-policy cleanVRF:EXPORT;
> >  }}}}
> 
> This isn't exactly correct. You need to put the cleanVRF in
> interface-routes and close it.
> 
> Anyhow I'm 90% sure this will just work and pretty sure I've done it.
> The confusion I had was about the scrubbing route that on the
> clean-side is already host/32. For this, I can't figure out a cleanVRF
> solution, but a BGP-LU solution exists even for this problem.
> 
> 
> --
>   ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
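The lookup behaviour the thread is debating, as an added illustration that is not from the list or from Junos itself: a simplified model of two RIBs where the rib-group copies only the interface (direct) routes into the clean VRF, so a dirty-side lookup hits the /32 diversion while a clean-side lookup for the same host resolves to the connected interface. Table names, prefixes and next-hop labels are constructed; a /32 destination with no covering interface route (Saku's "already host/32" case) gets no clean-VRF route in this model.

```python
import ipaddress

# Constructed tables mimicking the rib-group in the thread: inet.0 carries the
# connected /24 and a /32 diversion toward the scrubber; the clean VRF receives
# only the interface routes (import-rib of interface-routes), never the /32.
DIVERSION_NH = "scrubber"
INTERFACE_ROUTES = {"192.0.2.0/24": "ge-0/0/0.0 (direct)"}  # constructed


def build_tables(diversions):
    """Return {table_name: {prefix: next_hop}} for the dirty and clean tables."""
    inet0 = dict(INTERFACE_ROUTES)
    inet0.update({p: DIVERSION_NH for p in diversions})
    clean = dict(INTERFACE_ROUTES)  # rib-group import of interface routes only
    return {"inet.0": inet0, "L3VPN-4205.inet.0": clean}


def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def forward(tables, dst):
    """Resolve dst in both tables: dirty side diverts, clean side exits directly."""
    return {
        "inet.0": lookup(tables["inet.0"], dst),
        "clean": lookup(tables["L3VPN-4205.inet.0"], dst),
    }


if __name__ == "__main__":
    t = build_tables(["192.0.2.10/32", "198.51.100.5/32"])
    for host in ("192.0.2.10", "198.51.100.5"):
        print(host, forward(t, host))
```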

