Routing

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

Flowspec source base filtering by BGP import policy

  • 1.  Flowspec source base filtering by BGP import policy

    Posted 09-28-2021 23:25
    Hi 

    Source prefix filtering does not work even though I have disabled route validation.

    We would like to deny the flow route 0.0.0.0/0 (src) to 0.0.0.0/0 (dst) announced from exabgp. We have applied a safeguard policy to deny the source 0.0.0.0/0 prefix.

    We also applied a route-filter, but it only works for the destination IP prefix.

    The question is: how can I block the 0.0.0.0/0 to 0.0.0.0/0 (*.*) flow route? Thanks.

    Protocols FLOW BGP
    MX204> show configuration protocols bgp group IBGP4-FLOW
    type internal;
    neighbor 10.6.30.108 {
        local-address 10.6.0.7;
        import FLOWSPEC-DEFAULT;
        family inet {
            flow {
                no-validate ACCEPT-ALL;
            }
        }
        export DENY-ALL;
        peer-as 65533;
        local-as 65533;
    }


    policy-statement
    MX204> show configuration policy-options policy-statement FLOWSPEC-DEFAULT
    term REJECT-ANY-ANY {
        from {
            rib inetflow.0;
            source-address-filter 0.0.0.0/0 exact;
        }
        then reject;
    }


    show route table inetflow.0 extensive   <-- can't block *.*
    MX204> show route table inetflow.0 extensive

    inetflow.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    Limit/Threshold: 30000/27000 destinations

    *,*,dscp=0/term:9 (1 entry, 1 announced)
    TSI:
    KRT in dfwd;
    Action(s): rate-limit 800000kbps,count
    *BGP Preference: 170/-101
    Next hop type: Fictitious, Next hop index: 0
    Address: 0x5070c9c
    Next-hop reference count: 11
    Next hop:
    State: <Active Int Ext SendNhToPFE>
    Local AS: 65533 Peer AS: 65533
    Age: 38
    Validation State: unverified
    Task: BGP_65533_65533.10.6.30.108
    Announcement bits (1): 0-Flow
    AS path: I
    Communities: 65533:19999 traffic-rate:0:100000000
    Accepted
    Localpref: 100
    Router ID: 10.6.30.108
    Thread: junos-main

    ------------------------------
    Benjamin CL
    ------------------------------
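
An added example, not part of the original post and not Juniper or ExaBGP code: a Python check that parses `show route table inetflow.0 extensive` text and flags installed flow routes that constrain neither destination nor source, like the `*,*` entry above. The sample text is constructed from the post's output, and reading the first two comma-separated fields of the route key as destination and source is an assumption.

```python
import re

# Constructed sample modeled on the output in the post; the second entry is
# invented for contrast.
SAMPLE = """\
inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

*,*,dscp=0/term:9 (1 entry, 1 announced)
    Action(s): rate-limit 800000kbps,count
    Task: BGP_65533_65533.10.6.30.108
    Communities: 65533:19999 traffic-rate:0:100000000

192.0.2.10,*,proto=17/term:3 (1 entry, 1 announced)
    Action(s): discard,count
    Task: BGP_65533_65533.10.6.30.108
    Communities: traffic-rate:0:0
"""

KEY_RE = re.compile(r"^\s*(?P<key>\S+)/term:(?P<term>\S+)\s+\(\d+ entr")
FIELD_RE = re.compile(r"^\s*(Action\(s\)|Task|Communities):\s*(.*)$")
ANY = {"*", "0.0.0.0/0"}  # spellings treated as "match everything"


def parse_flow_routes(text):
    """Return one dict per flow route found in the CLI text."""
    routes = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            parts = m.group("key").split(",")
            # Assumption: field 1 is the destination match, field 2 the source.
            dst, src = (parts + ["*", "*"])[:2]
            routes.append({"dst": dst, "src": src, "other": parts[2:],
                           "term": m.group("term")})
            continue
        m = FIELD_RE.match(line)
        if m and routes:
            routes[-1][m.group(1)] = m.group(2).strip()
    return routes


def any_to_any(routes):
    """Routes that constrain neither destination nor source address."""
    return [r for r in routes if r["dst"] in ANY and r["src"] in ANY]


if __name__ == "__main__":
    for r in any_to_any(parse_flow_routes(SAMPLE)):
        print(f"any-to-any flow route term {r['term']} from {r.get('Task')}: "
              f"{r.get('Action(s)')}")
```

Run against saved CLI output, this gives an alert on any-to-any flow routes that reach the table, independent of whether the import policy rejects them.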