you still need to have a way to leak between 2 routing domains. Let alone the problems that you will have with flowspec...
On 4 May 2017 at 22:17, Dragan Jovicic <dragan...@gmail.com> wrote: > Using flowspec to redirect traffic to routing-instance. Scrubbing device > returns traffic to global table. > Since 16.1 you may exclude interface from installing filter as well, making > it possible to have scrubbing device on same PE running flowspec. > > BR, > > +Dragan > > On Thu, May 4, 2017 at 12:55 PM, Sebastian Wiesinger <sebast...@karotte.org> > wrote: > >> * Alexander Dube <n...@layerwerks.net> [2017-05-04 11:55]: >> > Hello, >> > >> > i've a problem reinjecting filtered traffic from a anti ddos device >> > into our network. What we want to achive is, that traffic which >> > comes from our upstreams/peerings is redirected to a filtering >> > device. This is the easy part, as this can be done with a static or >> > bgp routing. >> > >> > Now the part where I stuck at the moment. The router which the >> > filter is connected to, is the same where upstreams and direct >> > customer networks are connected to. >> > >> > The first try was to create a new vrf and import all direct routers >> > from master instance. This works for ospf routes perfectly, but not >> > for direct routes. For direct routes it is possible to get it >> > working with a workaround, but we need a solution which does not >> > requires configuration on the router on new attacks. >> >> We put all interfaces of customers that want DDoS scrubbing in a vrf >> and leak the direct and static routes to the main table (via >> rib-group). The scrubbing engine attracts dirty traffic by advertising >> /32 (or /128) BGP routes in the main table and puts clean traffic in >> the vrf the customers are in. >> >> The only small drawback is when customers speak BGP with us and want a >> full table. As the vrf does not have a full table these interfaces >> stay in the main table and their BGP routes are put into the "clean" >> vrf by specifying a rib group in the BGP neighbor configuration which >> will leak the customers received BGP routes into the vrf. >> >> Regards >> Sebastian >> >> -- >> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) >> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE >> SCYTHE. >> -- Terry Pratchett, The Fifth Elephant >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp