Hi,
We're conducting a POC for DDoS mitigation. We have a peering with a DDoS Trigger Server (INI) and the scrubbing center. The goal is that, in the event of a DDoS attack going to x.x.88.0/24, the INI will advertise x.x.88.0/24 with community tag 123456:911 and the next-hop IP of the CoreRouter (x.x.x.246) to BorderRouter1. Once the prefix from the INI is accepted by BorderRouter1, it must advertise the prefix via the community tag to the scrubbing center. Then the advertisements on the other upstreams/ISPs will be rejected via the community tag of the prefix. But the advertisement of the INI must reside only in BorderRouter1, so as not to confuse the other routers about the path going to x.x.88.0/24.
We're doing manual triggering of the INI first to check whether the configurations on the router work. During the manual triggering of the INI, the attached image (BorderRouter1 Output during manual triggering.jpg) shows the results we got on BorderRouter1.
We're receiving x.x.88.0/24 from the INI with the community tag and next-hop IP x.x.x.246, but the preferred next-hop interface is gr-4/0/0, which is the tunnel interface facing the INI. I'm seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.
How can I prefer the route from the INI on the BorderRouter1? Any tips to solve the 'hidden reason: protocol next hop is not on the interface'?
For reference,
Diagram and output: https://drive.google.com/drive/folders/1ZtXfp9JckmTwtJZW3Hd5uXP9Oud0kjBZ?usp=sharing
Config:
BorderRouter1
COMMUNITY STRING
show configuration policy-options community POC-TEST
members 123456:911;
In BorderRouter1, to INI
IMPORT
show configuration policy-options policy-statement POC-Import
term Migitgation-Community {
    from {
        inactive: next-hop x.x.x.251;
        inactive: community POC-TEST;
        route-filter x.x.88.0/24 exact {
            inactive: community set POC-TEST;
        }
    }
    then {
        local-preference 300;
        community add POC-TEST;
        next-hop x.x.x.246;
        accept;
    }
}
term REJECT-Anything-Else {
    then reject;
}
EXPORT
show configuration policy-options policy-statement REJECT-EXPORT
term REJECT {
    then reject;
}
In BorderRouter1, to Scrubbing Center
IMPORT
show configuration policy-options policy-statement REJECT-IMPORT
term REJECT {
    then reject;
}
EXPORT
show configuration policy-options policy-statement POC-Exportv2
term Migitgation-Community {
    from community POC-TEST;
    then accept;
}
term REJECT-Anything-Else {
    then reject;
}
BorderRouter2
EXPORT
show configuration policy-options policy-statement Peer1-export term POC-TEST <<<PEER 1
    from community POC-TEST;
    then reject;
----output omitted----
..policy-statement Peer2-export term POC-TEST <<<PEER 2
    from community POC-TEST;
    then reject;
----output omitted----
CoreRouter
None
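The following is an added example, not the poster's configuration or an answer confirmed on this page. It assumes the INI is an EBGP single-hop neighbour (x.x.x.251) on gr-4/0/0 and that the hidden reason comes from the single-hop rule that the BGP next hop must lie on the peering interface's subnet; the group name INI-TRIGGER is a placeholder.

```junos
/* Added example: EBGP group to the INI with accept-remote-nexthop so a
   single-hop peer may hand over a next hop that is not on the shared
   subnet. x.x.x.246 must still resolve in inet.0 (IGP or static route),
   otherwise the route remains hidden for a different reason. */
protocols {
    bgp {
        group INI-TRIGGER {
            type external;
            neighbor x.x.x.251 {
                import POC-Import;
                export REJECT-EXPORT;
                accept-remote-nexthop;
            }
        }
    }
}
policy-options {
    community POC-TEST members 123456:911;
    policy-statement POC-Import {
        /* Only the mitigation prefix, and only when it carries the trigger
           community; everything else from the INI is rejected. */
        term Mitigation-Community {
            from {
                protocol bgp;
                community POC-TEST;
                route-filter x.x.88.0/24 exact;
            }
            then {
                local-preference 300;
                community add POC-TEST;
                next-hop x.x.x.246;
                accept;
            }
        }
        term REJECT-Anything-Else {
            then reject;
        }
    }
}
```

After committing, `show route x.x.88.0/24 extensive` should show the route active with protocol next hop x.x.x.246, and `show route x.x.x.246` confirms that next hop resolves on BorderRouter1; `show route hidden` lists anything still suppressed with its reason.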