Have you thought about using SCU/DCU tagging and having the firewall filter force traffic based on that? BGP could tag routes with SCU/DCU based on community string attribute, once in the router you could apply firewall filter at the PFE level to force traffic based on the SCU/DCU tagging. The process is rather messy but might be doable.
________________________________
From: Stefan Fouant <sfou...@shortestpathfirst.net>
To: Justin M. Streiner <strei...@cluebyfour.org>; juniper-nsp@puck.nether.net
Sent: Thu, March 24, 2011 10:53:47 PM
Subject: Re: [j-nsp] Filter Based Forwarding with bgp import rib

> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> boun...@puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Thursday, March 24, 2011 7:35 AM
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Filter Based Forwarding with bgp import rib
>
> I've been hunting around for a solution to a similar issue - essentially
> a modified approach to RTBH. I'd like to be able to redirect or
> optionally port-mirror inbound and outbound traffic to another interface
> on my border router, and the trigger for determining what traffic would be
> affected would be a BGP feed from a route server, and the actions to be
> taken (discard, redirect to another interface, port-mirror to another
> interface) by the border routers could be dictated by BGP community tags.
>
> The issues I've run into with this have been that I couldn't find a way to
> get a Junos firewall filter to see and react to BGP routes and their
> associated community tags.

Hi Justin,

I've done just this very thing for various traffic filtering applications. Ping me offline and I can provide you some sample configs that should work.

One thing I'd like to point out however, since you mention RTBH, is that I think you would be better served with BGP FlowSpec in this case, because RTBH only serves to provide automated distribution of destination-based filters throughout an environment. Technically you can do S/RTBH if you couple RTBH w/ uRPF... nonetheless there are some limitations to this approach and one of the primary reasons FlowSpec was created in the first place.
You can filter on source-address, destination-address, protocol, source-port, and destination-port, or any combination of these. Much more flexible in my opinion than simply RTBH, plus it gives you the flexibility of FBF w/ automation layered on top. Juniper probably has the best working implementation of FlowSpec out of any of the vendors out there so you're in luck here. I have a presentation on the benefits of FlowSpec on my blog - http://www.shortestpathfirst.net/presentations/

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
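The SCU/DCU approach suggested at the top of this thread, as an added illustrative Junos configuration sketch (not the sample configs Stefan offers, and not from any of the posters). It assumes the route server tags blackhole routes with community 65000:666 and mirror routes with 65000:667, that the border interface is ge-0/0/0, and that a port-mirroring instance is already defined under forwarding-options; the community values, class names and interface are all constructed for the example.

```junos
policy-options {
    /* constructed community values; use whatever the route server sends */
    community RS-BLACKHOLE members 65000:666;
    community RS-MIRROR members 65000:667;
    /* map each community to a destination class (DCU) */
    policy-statement MARK-DCU {
        term blackhole {
            from { protocol bgp; community RS-BLACKHOLE; }
            then destination-class DCU-BLACKHOLE;
        }
        term mirror {
            from { protocol bgp; community RS-MIRROR; }
            then destination-class DCU-MIRROR;
        }
    }
}
routing-options {
    /* forwarding-table export applies the class tags as routes reach the PFE */
    forwarding-table { export MARK-DCU; }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                accounting { destination-class-usage; }
                filter { input DCU-ACTIONS; }
            }
        }
    }
}
firewall {
    family inet {
        filter DCU-ACTIONS {
            /* the filter matches on the class, not on the BGP community itself */
            term drop-blackholed {
                from { destination-class DCU-BLACKHOLE; }
                then { count dcu-blackholed; discard; }
            }
            term mirror-flagged {
                from { destination-class DCU-MIRROR; }
                then { port-mirror; accept; }
            }
            term default { then accept; }
        }
    }
}
```

The `count` action gives a counter to check with `show firewall filter DCU-ACTIONS` so an operator can confirm the class tagging took effect before trusting it to drop traffic; this is only a sketch and should be verified on the platform in use, since DCU is limited to a small fixed number of classes per router.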