Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Import route from RIB inet to a VRF filtering it from table inet

    Posted 05-15-2021 09:29
    Hi,

    I am trying to solve an issue with the topology below.


    DDOS detection software bgp session on table / rib inet.0  > MX ROUTER >  vrf ddos cloud with a bgp session inside with the remote scrubbing center.

    The DDOS detection software detects the target host IP, converts it to a /24 with the correct AS PATH and currently advertises it to rib inet.0.

    The problem is that when the scrubbing center sends back the clean traffic, the next hop of the route is the ddos software.

    I figured out a solution, which is to have the DDOS detection software advertise the route directly to the vrf and, with a firewall filter, when the traffic comes back cleaned, force it to find the route on table inet. But to accomplish that I need table inet not to get this route.

    I tried with bgp protocol family inet unicast rib-group to-vrf but the received route from the system is installed on both tables.

    Is there a solution that doesn't involve filtering at the FIB (routing options forwarding table filter, so that the ddos detection routes don't get installed in the FIB)?

    Regards.

    ------------------------------
    Gustavo Santos
    ------------------------------


  • 2.  RE: Import route from RIB inet to a VRF filtering it from table inet

    Posted 05-16-2021 05:57
    Please correct me if I misunderstood. I suppose you created a new routing-instance, then copied some BGP routes into the new routing-instance table, right? And you want to filter out some of the copied BGP routes so that they are not installed in the new routing-instance routing table?

    You can follow this KB guide to achieve it.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16133&actp=METADATA

    ------------------------------
    JNCIE-SP,JNCIE-DC,JNCIE-ENT
    ------------------------------



  • 3.  RE: Import route from RIB inet to a VRF filtering it from table inet

    Posted 05-16-2021 05:57
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16133&actp=METADATA

    You can follow this guide to achieve it.


  • 4.  RE: Import route from RIB inet to a VRF filtering it from table inet

    Posted 05-16-2021 06:21
    The typical solution to this offramp > scrubbing > onramp process is to egress the traffic to the scrubbing center from a different virtual instance than where the return traffic comes as ingress.

    There are examples of DDoS implementations in the free Day One Juniper Ambassadors Cookbook 2017. This diagram is from recipe 10, showing the off/on ramp process using Arbor Networks, but any vendor is similar from a routing perspective.

    https://www.juniper.net/documentation/en_US/day-one-books/DO_Ambassador2017.zip

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------