Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Saku Ytti via juniper-nsp
On Wed, 3 Apr 2024 at 09:45, Saku Ytti wrote:
> Actually I think I'm confused. I think it will just work. Because even
> as the EgressPE does IP lookup due to table-label, the IP lookup still
> points to egressMAC, instead looping back, because it's doing it in
> the CleanVRF.
> So I think it jus

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Mark Tinka via juniper-nsp
On 4/3/24 08:45, Saku Ytti wrote: Actually I think I'm confused. I think it will just work. Because even as the EgressPE does IP lookup due to table-label, the IP lookup still points to egressMAC, instead looping back, because it's doing it in the CleanVRF. So I think it just works. So OP ju

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Saku Ytti via juniper-nsp
On Wed, 3 Apr 2024 at 09:37, Mark Tinka via juniper-nsp wrote:
> At old job, we managed to do this with a virtual-router VRF that carried
> traffic between the scrubbing PE and the egress PE via MPLS, to avoid
> the IP loop.
Actually I think I'm confused. I think it will just work. Because even

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Mark Tinka via juniper-nsp
On 4/3/24 08:07, Saku Ytti via juniper-nsp wrote: If I understand you correctly, the problem is not that you can't copy direct into CleanVRF, the problem is that ScrubberPE that does clean lookup in CleanVRF, has label stack of [EgressPE TableLabel], instead of [EgressPE EgressCE], this ca

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Saku Ytti via juniper-nsp
On Tue, 2 Apr 2024 at 18:25, Michael Hare via juniper-nsp wrote:
> We're a US research and education ISP and we've been tasked with coming up
> with an architecture to allow on premise DDoS scrubbing with an appliance.
> As a first pass I've created a cleanL3VPN routing-instance to function a

Re: [j-nsp] (No subject)

2024-04-02 Thread Michael Hare via juniper-nsp
Barry, Thanks for the link. I had to laugh at this: 'you are tired of arguing with your network architecture team (“we are here to transport packets” vs “the Internet firewall” ;-)'. 20 years later, that still rings awfully true for me. This diagram accurately displays how I've built a dirty

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Alexandre Snarskii via juniper-nsp
On Tue, Apr 02, 2024 at 07:43:01PM +0300, Alexandre Snarskii via juniper-nsp wrote:
> On Tue, Apr 02, 2024 at 03:25:21PM +, Michael Hare via juniper-nsp wrote:
>
> Hi!
>
> Workaround that we're using (not elegant, but working): setup a
> "self-pointing" routes to directly connected destinat

Re: [j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Alexandre Snarskii via juniper-nsp
On Tue, Apr 02, 2024 at 03:25:21PM +, Michael Hare via juniper-nsp wrote:
Hi!
Workaround that we're using (not elegant, but working): setup a "self-pointing" routes to directly connected destinations:
set routing-options static route A.B.C.D/32 next-hop A.B.C.D
and export these to cleanL3V

[j-nsp] L3VPNs and on-prem DDoS scrubbing architecture

2024-04-02 Thread Michael Hare via juniper-nsp
Hi there, We're a US research and education ISP and we've been tasked with coming up with an architecture to allow on premise DDoS scrubbing with an appliance. As a first pass I've created a cleanL3VPN routing-instance to function as a clean VRF that uses rib-groups to mirror the relevant par