Hello, 

I have a problem reinjecting filtered traffic from an anti-DDoS device into our 
network. What we want to achieve is that traffic which comes from our 
upstreams/peerings is redirected to a filtering device. This is the easy part, 
as this can be done with static or BGP routing. 

Now the part where I am stuck at the moment. The router which the filter is 
connected to is the same one that the upstreams and direct customer networks are 
connected to. 

The first try was to create a new VRF and import all direct routes from the master 
instance. This works perfectly for OSPF routes, but not for direct routes. For 
direct routes it is possible to get it working with a workaround, but we need a 
solution which does not require configuration on the router for new attacks. 

This workaround requires a static route for the attacked IP to itself, for 
example 127.0.0.1 next-hop 127.0.0.1. 

Configuration: 
set policy-options policy-statement FILTER-FORWARDING-IMPORT term IMPORT from instance master
set policy-options policy-statement FILTER-FORWARDING-IMPORT term IMPORT from protocol direct
set policy-options policy-statement FILTER-FORWARDING-IMPORT term IMPORT from protocol ospf
set policy-options policy-statement FILTER-FORWARDING-IMPORT term IMPORT then accept
set routing-instances MPLS-L3VPN-FILTER-FORWARDING instance-type forwarding
set routing-instances MPLS-L3VPN-FILTER-FORWARDING routing-options instance-import FILTER-FORWARDING-IMPORT
set routing-instances MPLS-L3VPN-FILTER-VRF instance-type vrf
set routing-instances MPLS-L3VPN-FILTER-VRF interface xe-3/0/0.152
set routing-instances MPLS-L3VPN-FILTER-VRF route-distinguisher 123:5001
set routing-instances MPLS-L3VPN-FILTER-VRF vrf-target target:123:5001
set routing-instances MPLS-L3VPN-FILTER-VRF vrf-table-label
set routing-instances MPLS-L3VPN-FILTER-VRF routing-options static route 0.0.0.0/0 next-table MPLS-L3VPN-FILTER-FORWARDING.inet.0

Regards 
Alex 
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
