Import route from RIB inet to a VRF filtering it from table inet

  • 1.  Import route from RIB inet to a VRF filtering it from table inet

    Posted 05-15-2021 09:29
    Hi,

    I am trying to solve an issue with the topology below.


    DDOS detection software bgp session on table / rib inet.0  > MX ROUTER >  vrf ddos cloud with a bgp session inside with the remote scrubbing center.

    The DDOS detection software detects the target host IP, converts it to a /24 with the correct AS PATH and currently advertises it to rib inet.0.

    The problem is that when the scrubbing center sends back the clean traffic, the next hop of the route is the ddos software.

    I figured out a solution, which is to have the DDOS detection software advertise the route directly to the vrf and, with a firewall filter, when the traffic gets back cleaned, force it to find the route on table inet. But to accomplish that I need table inet not to get this route.

    I tried with bgp protocol family inet unicast rib-group to-vrf but the received route from the system is installed on both tables.

    Is there a solution that doesn't involve filtering at the FIB (a routing options forwarding table filter so that the ddos detection routes don't get installed at the FIB)?

    Regards.

    ------------------------------
    Gustavo Santos
    ------------------------------


  • 2.  RE: Import route from RIB inet to a VRF filtering it from table inet

    Posted 05-16-2021 05:57
    Please correct me if I misunderstood it. I suppose you create a new routing-instance, then copy some BGP routes into the new routing-instance table, right? And you want to filter out some of the copied BGP routes so they are not installed in the new routing-instance routing table?

    You can follow this KB guide to achieve it.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16133&actp=METADATA

    ------------------------------
    JNCIE-SP,JNCIE-DC,JNCIE-ENT
    ------------------------------



  • 3.  RE: Import route from RIB inet to a VRF filtering it from table inet

    Posted 05-16-2021 05:57
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16133&actp=METADATA

    You can follow this guide to achieve it.


  • 4.  RE: Import route from RIB inet to a VRF filtering it from table inet

     
    Posted 05-16-2021 06:21
    The typical solution to this offramp > scrubbing > onramp process is to egress the traffic to the scrubbing center from a different virtual instance than where the return traffic comes as ingress.

    There are examples of DDoS implementations in the free Day One Juniper Ambassadors Cookbook 2017. This diagram is from recipe 10 showing the off/on ramp process using Arbor Networks, but any vendor is similar from a routing perspective.

    https://www.juniper.net/documentation/en_US/day-one-books/DO_Ambassador2017.zip

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------