On Mon, Jul 02, 2007 at 12:21:32AM -0400, Richard A Steenbergen wrote:

> It actually seems to be working, except for the fact that I am already
> running LSPs to the central collection site router in question, and the
> analysis LSPs are a second path to the same destination. The sampling
> router ends up sending legitimate traffic down the analysis LSP, and
> setting a lower preference or using a different "to" address with a higher
> metric cost on the LSP doesn't seem to help it. I see an option
> "no-install-to-address" which looks vaguely like it was created for what
> I'm trying to do, but with this configured I can't inject traffic to the
> LSP using a static "route x.x.x.x/x lsp-next-hop ANALYSISLSP" (which is
> how I'm collecting the "interesting" packets, with a dedicated
> routing-instance which I can punt traffic in to from a firewall, and yes
> I'm importing all my interface/igp routes into it).
Never mind, no-install-to-address was what I wanted, but then you need to
manually specify an address to install to inet.3 etc. This works like a
charm:

    label-switched-path LOCAL.ROUTER-ANALYSIS.BOX {
        no-install-to-address;
        to x.x.x.x;                 /* LSP destination loopback */
        install y.y.y.y/32 active;  /* Special reserved next-hop */
        no-decrement-ttl;
    }

Then you can just set up a routing-instance with a default route pointing
to that LSP, and FBF/Flowspec any matching traffic into that instance for
forwarding to the analysis box.

Of course you can also rewrite nexthop on a specific destination route you
want to capture to the y.y.y.y address and then anycast that address
everywhere, which is really the same as just putting a L3 interface on the
analysis box and routing it there, but at least this way you can tell where
the traffic came from based on which LSP/subint it came in on (and
potentially avoid TTL expiring the packet while forwarding it to analysis
too :P).

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C  53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
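For readers who want to see the whole arrangement the post describes in one place, here is an added Junos configuration sketch (not from the original message): the LSP with no-install-to-address and an installed reserved prefix, a forwarding instance whose only route is a default via that LSP, and a filter that punts selected traffic into it. The instance and filter names, the interface, and the RFC 5737 addresses are placeholders standing in for the post's x.x.x.x / y.y.y.y; the rib-group shown copies only interface routes, so an IGP's routes would need their own rib-group under that protocol.

```junos
/* Added example, not the original poster's configuration; names and addresses are placeholders. */
protocols {
    mpls {
        label-switched-path LOCAL.ROUTER-ANALYSIS.BOX {
            no-install-to-address;          /* don't let this LSP become a path to the real loopback */
            to 192.0.2.1;                   /* analysis-site router loopback (placeholder) */
            install 192.0.2.254/32 active;  /* reserved next-hop prefix, reachable only via this LSP */
            no-decrement-ttl;               /* keep TTL from expiring on the way to the analysis box */
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet ANALYSIS-RG;         /* interface routes must also exist in the instance */
    }
    rib-groups {
        ANALYSIS-RG {
            import-rib [ inet.0 ANALYSIS.inet.0 ];
        }
    }
}
routing-instances {
    ANALYSIS {
        instance-type forwarding;
        routing-options {
            static {
                /* everything punted into this instance goes down the analysis LSP */
                route 0.0.0.0/0 lsp-next-hop LOCAL.ROUTER-ANALYSIS.BOX;
            }
        }
    }
}
firewall {
    family inet {
        filter TO-ANALYSIS {
            term capture {
                from {
                    destination-address {
                        203.0.113.0/24;     /* prefix under investigation (placeholder) */
                    }
                }
                then routing-instance ANALYSIS;
            }
            term default {
                then accept;                /* all other traffic forwards normally */
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input TO-ANALYSIS;      /* apply on the ingress interface(s) of interest */
                }
            }
        }
    }
}
```

Traffic that matches the filter is looked up only in ANALYSIS.inet.0, where the default route sends it over the LSP; legitimate traffic to the collection router is unaffected because that LSP no longer appears in inet.3 for the router's real loopback.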