Hi,

Let's check if I understand it the right way:

# define group id on transit interfaces; let's assume it's a local loop from vlan 1 through the scrubbing device back into vlan 2
set interface xe-0/0/11.0 family inet filter group 1
set interface xe-0/0/22.0 family inet filter group 1
set routing-options flow interface-group 1 


# interfaces where the scrubbing device is connected to 
# interface inside of SCRUBCENTER vrf for dirty traffic
set interface xe-0/0/0.0 family inet address 10.0.0.1/30
# interface inside of master instance inet0 for cleaned traffic
set interface xe-0/0/1.0 family inet address 10.0.0.2/30


# setup scrub route for 123.123.123.123/32
set routing-options flow route scrub-123.123.123.123 match destination 123.123.123.123/32
set routing-options flow route scrub-123.123.123.123 then routing-instance SCRUBCENTER

# vrf for dirty traffic
set routing-instances SCRUBCENTER instance-type vrf
set routing-instances SCRUBCENTER interface xe-0/0/0.0
set routing-instances SCRUBCENTER route-distinguisher 1234:5000
set routing-instances SCRUBCENTER vrf-target target:1234:5000
set routing-instances SCRUBCENTER vrf-table-label
set routing-instances SCRUBCENTER routing-options static route 0.0.0.0/0 next-hop 10.0.0.2


This configuration would redirect all traffic on interface xe-0/0/11 and 
xe-0/0/22 destined to 123.123.123.123/32 into the routing instance SCRUBCENTER. 
The VRF forwards the traffic through the scrubbing device and will get it back 
cleaned on interface xe-0/0/1 inside of the master instance. 



Regards
Alex





----- Original Message -----
From: "Saku Ytti" <s...@ytti.fi>
To: "Rolf Hanßen" <n...@rhanssen.de>
CC: "juniper-nsp" <juniper-nsp@puck.nether.net>
Sent: Friday, 5 May 2017 12:07:59
Subject: Re: [j-nsp] reinject traffic from DDoS filtering device

On 5 May 2017 at 12:55, "Rolf Hanßen" <n...@rhanssen.de> wrote:
> How would I do that redirection with flowspec?

Build filter which matches traffic you want to scrub, tell flow-spec
to redirect matching traffic to desired IP.

-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
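
Added example, not part of the original message or of any Juniper tooling: a small Python lint over set-style configuration that checks each flow route's redirect target resolves to a defined routing instance that has an interface and a default route towards the scrubber. The `lint` function, the sample addresses and the matching of a `target:` community against `vrf-target` are assumptions of this example.

```python
import difflib
import re

# Constructed sample in the set-command shorthand of the message above; the VRF
# name is misspelled in the instance definition to show the failure mode.
SAMPLE = """\
set routing-options flow route scrub-test match destination 192.0.2.10/32
set routing-options flow route scrub-test then routing-instance SCRUBCENTER
set routing-instances SCUBCENTER instance-type vrf
set routing-instances SCUBCENTER interface xe-0/0/0.0
set routing-instances SCUBCENTER vrf-target target:1234:5000
set routing-instances SCUBCENTER routing-options static route 0.0.0.0/0 next-hop 10.0.0.2
"""

FLOW_RE = re.compile(r"^set routing-options flow route (\S+) then routing-instance (\S+)$")
INST_RE = re.compile(r"^set routing-instances (\S+) (.+)$")
DEFAULT = "routing-options static route 0.0.0.0/0 next-hop "

def lint(config):
    """Return findings for flow routes whose redirect target is missing or incomplete."""
    redirects, instances = {}, {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if m := FLOW_RE.match(line):
            redirects[m.group(1)] = m.group(2)
        elif m := INST_RE.match(line):
            instances.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for route, target in sorted(redirects.items()):
        if target.startswith("target:"):
            # Assumption: a community target selects the VRF configured with it.
            names = [n for n, s in instances.items() if f"vrf-target {target}" in s]
        else:
            names = [target] if target in instances else []
        if not names:
            hint = difflib.get_close_matches(target, list(instances), n=1)
            tail = f" (closest defined: {hint[0]})" if hint else ""
            findings.append(f"{route}: redirect target {target} is not defined{tail}")
            continue
        for name in names:
            stmts = instances[name]
            if not any(s.startswith("interface ") for s in stmts):
                findings.append(f"{route}: {name} has no interface towards the scrubber")
            if not any(s.startswith(DEFAULT) for s in stmts):
                findings.append(f"{route}: {name} has no default route via the scrubber")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

A dangling redirect target is worth catching before commit, since traffic for the protected prefix would then not reach the scrubbing path the flow route was written for.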