We’ve had similar instances of where we’ve needed to accomplish the same effect.
Creating a "DDOS-Scrub" routing instance and using your firewall rule to punt that traffic to the routing instance will give you more flexibility. You could then use RPM to check ping to the 0/0 next-hop (your mitigation device), and if that fails, fall back to a lower cost LT interface to the main table.

> On Mar 29, 2023, at 2:15 PM, Matthew Crocker via juniper-nsp
> <juniper-nsp@puck.nether.net> wrote:
>
> Hello,
>
> I have a filter setup:
>
> term DDOS {
>     from {
>         destination-prefix-list {
>             DDOS-Customers;
>         }
>     }
>     then {
>         count DDOS;
>         next-ip 192.168.126.2/32;
>     }
> }
>
> The 192.168.126.2 IP is the DDOS mitigation device. Is there a way I can
> set up the router to ping the 192.168.126.2 address, set a ‘reachable
> variable’ and then use that variable in the filter? So if the device goes
> down the filter term is bypassed and traffic flows to the customer, bypassing
> the DDOS mitigation machine.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
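One way to build what the reply sketches, written out here as an added example rather than config from either poster: the filter diverts DDOS-Customers traffic into a DDOS-Scrub virtual router whose default route points at the scrubber, an lt- pair leads back into inet.0 as the less-preferred path, and an RPM probe plus ip-monitoring injects the bypass route when the scrubber stops answering. It assumes tunnel-services for the lt- pair, a Junos release that supports services ip-monitoring, and constructed names and addresses (xe-0/0/1.0, 10.255.0.0/30, DDOS-DIVERT, DDOS-Check, DDOS-Bypass).

```junos
firewall {
    family inet {
        filter DDOS-DIVERT {
            term DDOS {
                from { destination-prefix-list { DDOS-Customers; } }
                then { count DDOS; routing-instance DDOS-Scrub; }
            }
            term allow-rest { then accept; }   /* without this, everything else is discarded */
        }
    }
}
interfaces {
    lt-0/0/0 {   /* logical tunnel pair between DDOS-Scrub and inet.0 (assumes tunnel-services) */
        unit 1 { encapsulation ethernet; peer-unit 2; family inet { address 10.255.0.1/30; } }
        unit 2 { encapsulation ethernet; peer-unit 1; family inet { address 10.255.0.2/30; } }
    }
}
routing-instances {
    DDOS-Scrub {
        instance-type virtual-router;
        interface xe-0/0/1.0;   /* link to 192.168.126.2; interface name is a constructed placeholder */
        interface lt-0/0/0.1;   /* lt-0/0/0.2 stays in inet.0 */
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 192.168.126.2;                            /* preferred: the scrubber */
                    qualified-next-hop 10.255.0.2 { preference 250; }  /* covers link down only */
                }
            }
        }
    }
}
services {
    rpm {
        probe DDOS-Check {
            test Mitigation {
                probe-type icmp-ping; target address 192.168.126.2;
                routing-instance DDOS-Scrub;   /* probe from inside the scrub VR */
                probe-count 3; probe-interval 2; test-interval 5;
                thresholds { successive-loss 3; }
            }
        }
    }
    ip-monitoring {
        policy DDOS-Bypass {   /* on probe failure, inject a preference-1 default via the lt- back to inet.0 */
            match { rpm-probe DDOS-Check; }
            then { preferred-route { routing-instances DDOS-Scrub { route 0.0.0.0/0 { next-hop 10.255.0.2; } } } }
        }
    }
}
```

The qualified-next-hop alone only helps when the scrubber link actually goes down; a device that still answers ARP but drops traffic keeps the static route active, which is the gap the probe-driven preferred-route closes. Verify the active path with `show route table DDOS-Scrub.inet.0 0/0`.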