Flowspec source base filtering by BGP import policy


    Posted 09-28-2021 23:25
    Hi,

    Source prefix filtering does not work even though I have disabled route validation.

    We would like to deny the flow route 0.0.0.0/0 (src) to 0.0.0.0/0 (dst) announced from ExaBGP. We have applied a safeguard policy to deny the source 0.0.0.0/0 prefix.

    We also applied a route-filter, but it only works for the destination IP prefix.

    The question is: how can I block the 0.0.0.0/0 to 0.0.0.0/0 (*.*) flow route? Thanks.

    Protocols FLOW BGP
    MX204> show configuration protocols bgp group IBGP4-FLOW
    type internal;
    neighbor 10.6.30.108 {
        local-address 10.6.0.7;
        import FLOWSPEC-DEFAULT;
        family inet {
            flow {
                no-validate ACCEPT-ALL;
            }
        }
        export DENY-ALL;
        peer-as 65533;
        local-as 65533;
    }


    policy-statement
    MX204> show configuration policy-options policy-statement FLOWSPEC-DEFAULT
    term REJECT-ANY-ANY {
        from {
            rib inetflow.0;
            source-address-filter 0.0.0.0/0 exact;
        }
        then reject;
    }


    show route table inetflow.0 extensive   <-- can't block *.*
    MX204> show route table inetflow.0 extensive

    inetflow.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    Limit/Threshold: 30000/27000 destinations

    *,*,dscp=0/term:9 (1 entry, 1 announced)
    TSI:
    KRT in dfwd;
    Action(s): rate-limit 800000kbps,count
    *BGP Preference: 170/-101
    Next hop type: Fictitious, Next hop index: 0
    Address: 0x5070c9c
    Next-hop reference count: 11
    Next hop:
    State: <Active Int Ext SendNhToPFE>
    Local AS: 65533 Peer AS: 65533
    Age: 38
    Validation State: unverified
    Task: BGP_65533_65533.10.6.30.108
    Announcement bits (1): 0-Flow
    AS path: I
    Communities: 65533:19999 traffic-rate:0:100000000
    Accepted
    Localpref: 100
    Router ID: 10.6.30.108
    Thread: junos-main

    ------------------------------
    Benjamin CL
    ------------------------------
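
An added example, not part of the original post and not Juniper's code: a small Python audit that parses `show route table inetflow.0 extensive` output and lists flow routes whose destination and source are both wildcards, like the `*,*` entry in the post. It assumes the route key is printed as destination,source,other-matches/term:N; the function names are hypothetical and the sample text is constructed.

```python
import re

# Assumption: each flow route key is printed as
# "<destination>,<source>[,<other matches>]/term:<N> (...)", as in "*,*,dscp=0/term:9".
KEY_RE = re.compile(r"^(?P<key>\S+)/term:(?P<term>\d+)\s+\(")
ANY = {"*", "0.0.0.0/0"}  # both spellings of "match everything"

# Constructed sample: the first entry mirrors the post, the other two are invented for contrast.
SAMPLE = """\
*,*,dscp=0/term:9 (1 entry, 1 announced)
    Action(s): rate-limit 800000kbps,count
    Task: BGP_65533_65533.10.6.30.108
192.0.2.10,*,proto=17,dstport=53/term:3 (1 entry, 1 announced)
    Action(s): discard,count
198.51.100.0/24,203.0.113.0/24/term:4 (1 entry, 1 announced)
    Action(s): discard,count
"""

def parse_flow_routes(text):
    """Return one dict per flow route: dst, src, other matches, term, actions, task."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            parts = m.group("key").split(",")
            routes.append({
                "dst": parts[0],
                # A key with no source component is treated as "any source".
                "src": parts[1] if len(parts) > 1 else "*",
                "other": parts[2:],
                "term": int(m.group("term")),
                "actions": None,
                "task": None,
            })
        elif routes and line.startswith("Action(s):"):
            routes[-1]["actions"] = line.split(":", 1)[1].strip()
        elif routes and line.startswith("Task:"):
            routes[-1]["task"] = line.split(":", 1)[1].strip()
    return routes

def any_to_any(routes):
    """Flow routes that match every destination and every source."""
    return [r for r in routes if r["dst"] in ANY and r["src"] in ANY]

if __name__ == "__main__":
    for r in any_to_any(parse_flow_routes(SAMPLE)):
        print(f"any-to-any flow route term {r['term']}: {r['actions']} (from {r['task']})")
```
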