BGP flowspec redirect to a scrubber

sFlow-RT(192.168.10.1)--------Juniper vMX(VRF ge-0/0/3)--------->scrubber
Scrubber re-injection: Juniper vMX(ge-0/0/4)<---------scrubber

The Juniper vMX redirects traffic to the scrubber:

set interfaces ge-0/0/3 unit 0 family inet address 222.77.177.254/24

set interfaces ge-0/0/4 unit 0 family inet filter group 1

set interfaces ge-0/0/4 unit 0 family inet address 172.20.1.254/24

set policy-options policy-statement NO-VALIDATE term 1 from community to-fw-ddos

set policy-options policy-statement NO-VALIDATE term 1 to instance VRF1

set policy-options policy-statement NO-VALIDATE term 1 then accept

set policy-options policy-statement NO-VALIDATE term 2 then accept

set policy-options community to-fw-ddos members redirect:65070:100

set routing-instances VRF1 instance-type vrf

set routing-instances VRF1 interface ge-0/0/3.0

set routing-instances VRF1 route-distinguisher 222.77.177.254:1234

set routing-instances VRF1 vrf-target target:65070:100

set routing-instances VRF1 routing-options static route 0.0.0.0/0 next-hop 222.77.177.1

set routing-instances VRF1 routing-options static defaults resolve
set routing-options static route 117.27.230.0/24 next-hop 201.10.10.1

set protocols bgp group CUST-FLOWSPEC neighbor 192.168.10.1 family inet flow no-validate NO-VALIDATE

set routing-options flow interface-group 1

set routing-options flow interface-group exclude

Start sFlow-RT

./start.sh -Dddos_protect.router=192.168.10.254 -Dddos_protect.as=65070 -Dbgp.start=yes -Dbgp.port=179 -Dddos_protect.enable.ipv6=no -Dddos_protect.enable.flowspec=yes -Dddos_protect.flowspec.community=65070:100 -Dddos_protect.flowspec.redirect.nexthop=222.77.177.1 -Dddos_protect.flowspec.redirect.as=65070:100 -Dddos_protect.flowspec.redirect.method=as
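The redirect only works if the value sFlow-RT announces (`redirect.as=65070:100`) equals a route target that a VRF on the router imports (RFC 5575). The following check is an added example, not part of the original post; it assumes the 2-octet-AS form and the plain `vrf-target target:` syntax used above, and its function names are hypothetical.

```python
import re
import struct

# Constructed sample: the lines from this page that carry the redirect value.
ROUTER_CONFIG = """\
set policy-options community to-fw-ddos members redirect:65070:100
set routing-instances VRF1 instance-type vrf
set routing-instances VRF1 vrf-target target:65070:100
"""
SFLOW_ARGS = ("-Dddos_protect.flowspec.redirect.method=as "
              "-Dddos_protect.flowspec.redirect.as=65070:100")

TYPE_REDIRECT = 0x8008      # RFC 5575 redirect, 2-octet-AS form
TYPE_ROUTE_TARGET = 0x0002  # RFC 4360 route target, 2-octet-AS form


def encode_ext_community(type_code, asn, value):
    """Pack the 8-byte wire form: 2-byte type, 2-byte AS, 4-byte local value."""
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFFFFFF):
        raise ValueError("only the 2-octet-AS form is handled in this example")
    return struct.pack("!HHI", type_code, asn, value)


def _pairs(pattern, text):
    """Yield (name, (asn, value)) for every config line matching pattern."""
    return [(m[1], (int(m[2]), int(m[3]))) for m in re.finditer(pattern, text, re.M)]


def check_redirect(config, sflow_args):
    """Return (vrf_name, community_name) for the controller's redirect value.

    Either element is None when the router config has no matching entry.
    """
    vrfs = {key: name for name, key in _pairs(
        r"^set routing-instances (\S+) vrf-target target:(\d+):(\d+)$", config)}
    comms = {key: name for name, key in _pairs(
        r"^set policy-options community (\S+) members redirect:(\d+):(\d+)$", config)}
    m = re.search(r"-Dddos_protect\.flowspec\.redirect\.as=(\d+):(\d+)", sflow_args)
    if m is None:
        raise ValueError("no redirect.as option found")
    key = (int(m[1]), int(m[2]))
    return vrfs.get(key), comms.get(key)


if __name__ == "__main__":
    print(check_redirect(ROUTER_CONFIG, SFLOW_ARGS))
    print(encode_ext_community(TYPE_REDIRECT, 65070, 100).hex())
    print(encode_ext_community(TYPE_ROUTE_TARGET, 65070, 100).hex())
```

The two encodings differ only in the type bytes; the AS and value fields are what the router compares when it picks the VRF.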


So that packets re-injected by the scrubber can be forwarded to the back-end server, flow-route must be disabled on the interface connected to the scrubber:

set interfaces ge-0/0/4 unit 0 family inet filter group 1

set routing-options flow interface-group 1

set routing-options flow interface-group exclude

Send packets with hping3:

hping3 --flood --udp --rand-source -k 117.27.230.10 -p 5353

Verification:

