--- Begin Message ---
Hey folks,

We're trying to build a little something where we block malicious traffic after detection via BGP flowspec. This is a super simple network with a pair of QFX5100-24Q-2P acting as our l3 gateways, which then runs a single VLAN.

Configuration snippets below. The problem we're seeing is that announced flowspec rules get installed in the rib, and on the firewall filter -- but that filter matches nothing, no counters get incremented. If we try to set traffic-rate to 0 via src/dst IPs, that doesn't work either.

What I'm seeing is very similar to https://www.reddit.com/r/Juniper/comments/g70f8n/flowspec_rules_not_matching_anything_at_all/

Is this a platform limitation, or am I doing something wrong?

root@member0# run show firewall filter __flowspec_default_inet__

Filter: __flowspec_default_inet__
Counters:
Name                          Bytes        Packets
10.1.1.2,*                        0              0   <-- Note the empty counters
224.0.0.2,*                       0              0


root@member0# run show route table inetflow.0 extensive

inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
10.1.1.2,*/term:1 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): discard,count
        *BGP    Preference: 170/-101
                Next hop type: Fictitious, Next hop index: 0
                Address: 0xc9e3780
                Next-hop reference count: 2
                Next hop:
                State: <Active Int Ext SendNhToPFE>
                Peer AS: 1234
                Age: 22:02
                Validation State: unverified
                Task: BGP_394727_394727.172.16.1.2
                Announcement bits (1): 0-Flow
                AS path: I
                Communities: traffic-rate:0:0
                Accepted
                Localpref: 100
                Router ID: 172.16.1.2
                Thread: junos-main


Configs

root@member0# show protocols bgp group FLOWSPEC
type internal;
neighbor 172.16.1.2 {
    local-address 172.16.1.1;
    family inet {
        unicast;
        flow {
            no-validate flowspec-import;
        }
    }
}

{master:0}[edit]
root@member0# show routing-options
static {
    route 0.0.0.0/0 next-hop [ 1.2.3.4 ];
}
flow {
    term-order standard;
}
nonstop-routing;

root@member0# show interfaces irb.1181
bandwidth 40g;
family inet {
    address 10.0.0.1/24;
}



--- End Message ---
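The symptom in the post (rules accepted into inetflow.0 and present in the auto-generated filter, but with counters stuck at zero) is easy to miss once the box is in production, because the rule looks installed from the control plane's point of view. The script below is an added example, not code from the poster or from Juniper: it parses the two CLI outputs quoted above (`show firewall filter __flowspec_default_inet__` and `show route table inetflow.0 extensive`), cross-checks every flowspec route against its filter counter, and reports rules that are installed but have never matched a packet, or that the filter does not list at all. The sample outputs are constructed to mirror the post, with a third rule (192.0.2.7) added as a positive control that has non-zero counters; in practice you would feed it the real output of those two commands.

```python
"""Cross-check installed BGP flowspec rules against the counters of the
auto-generated __flowspec_default_inet__ filter, so that a rule which is in
the RIB but never matches traffic (the symptom in the post) gets flagged."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output, modelled on the CLI output quoted in the post.
# The 192.0.2.7 rule is added as a positive control with non-zero counters.
FILTER_OUTPUT = """\
Filter: __flowspec_default_inet__
Counters:
Name                                Bytes          Packets
10.1.1.2,*                              0                0
224.0.0.2,*                             0                0
192.0.2.7,*                        123456              987
"""

ROUTE_OUTPUT = """\
inetflow.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
10.1.1.2,*/term:1 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): discard,count
        *BGP    Preference: 170/-101
                Communities: traffic-rate:0:0
224.0.0.2,*/term:2 (1 entry, 1 announced)
Action(s): discard,count
192.0.2.7,*/term:3 (1 entry, 1 announced)
Action(s): discard,count
"""

# Flowspec rule names look like "dst,src" (e.g. "10.1.1.2,*"); a counter row is
# the name followed by byte and packet totals, a route line is name/term:N (...).
COUNTER_RE = re.compile(r"^(\S+,\S*)\s+(\d+)\s+(\d+)$")
ROUTE_RE = re.compile(r"^(\S+,\S*)/term:(\d+)\s+\(")
ACTION_RE = re.compile(r"^\s*Action\(s\):\s*(.+?)\s*$")


@dataclass(frozen=True)
class FlowCounter:
    name: str
    bytes: int
    packets: int


def parse_filter_counters(text: str) -> dict[str, FlowCounter]:
    """Return {rule_name: FlowCounter} from `show firewall filter` output.
    The header row ("Name Bytes Packets") has no comma, so it is skipped."""
    counters: dict[str, FlowCounter] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            name, nbytes, pkts = m.groups()
            counters[name] = FlowCounter(name, int(nbytes), int(pkts))
    return counters


def parse_inetflow_routes(text: str) -> dict[str, str]:
    """Return {rule_name: action string} from `show route table inetflow.0
    extensive`; the Action(s) line belongs to the most recent route header."""
    routes: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            current = m.group(1)
            routes[current] = ""
            continue
        a = ACTION_RE.match(line)
        if a and current is not None:
            routes[current] = a.group(1)
    return routes


def silent_rules(routes: dict[str, str],
                 counters: dict[str, FlowCounter]) -> list[tuple[str, str]]:
    """Rules the RIB carries that the filter has never matched, or does not
    list at all. Run this after a known test flow has been sent through the
    gateway; a rule still at zero packets is not actually mitigating."""
    findings = []
    for name in routes:
        c = counters.get(name)
        if c is None:
            findings.append((name, "missing from filter"))
        elif c.packets == 0:
            findings.append((name, "installed but zero packets matched"))
    return findings


if __name__ == "__main__":
    for rule, problem in silent_rules(parse_inetflow_routes(ROUTE_OUTPUT),
                                      parse_filter_counters(FILTER_OUTPUT)):
        print(f"{rule}: {problem}")
```

A zero counter is only meaningful if traffic that should match the rule has actually been sent, so pair this check with a deliberate test flow from a host on the VLAN and poll the filter before and after; a rule whose counter does not move across that window is the one to raise with JTAC, together with the platform and release.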
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
