sFlow-RT (192.168.10.1) -------- Juniper vMX (VRF, ge-0/0/3) ---------> scrubbing appliance
Re-injection from the scrubber: Juniper vMX (ge-0/0/4) <--------- scrubbing appliance
The Juniper vMX redirects traffic to the scrubbing appliance:
set interfaces ge-0/0/3 unit 0 family inet address 222.77.177.254/24
set interfaces ge-0/0/4 unit 0 family inet filter group 1
set interfaces ge-0/0/4 unit 0 family inet address 172.20.1.254/24
set policy-options policy-statement NO-VALIDATE term 1 from community to-fw-ddos
set policy-options policy-statement NO-VALIDATE term 1 to instance VRF1
set policy-options policy-statement NO-VALIDATE term 1 then accept
set policy-options policy-statement NO-VALIDATE term 2 then accept
set policy-options community to-fw-ddos members redirect:65070:100
set routing-instances VRF1 instance-type vrf
set routing-instances VRF1 interface ge-0/0/3.0
set routing-instances VRF1 route-distinguisher 222.77.177.254:1234
set routing-instances VRF1 vrf-target target:65070:100
set routing-instances VRF1 routing-options static route 0.0.0.0/0 next-hop 222.77.177.1
set routing-instances VRF1 routing-options static defaults resolve
set routing-options static route 117.27.230.0/24 next-hop 201.10.10.1
set protocols bgp group CUST-FLOWSPEC neighbor 192.168.10.1 family inet flow no-validate NO-VALIDATE
set routing-options flow interface-group 1
set routing-options flow interface-group exclude
Start sFlow-RT:
./start.sh -Dddos_protect.router=192.168.10.254 -Dddos_protect.as=65070 -Dbgp.start=yes -Dbgp.port=179 -Dddos_protect.enable.ipv6=no -Dddos_protect.enable.flowspec=yes -Dddos_protect.flowspec.community=65070:100 -Dddos_protect.flowspec.redirect.nexthop=222.77.177.1 -Dddos_protect.flowspec.redirect.as=65070:100 -Dddos_protect.flowspec.redirect.method=as
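Added example (not part of these notes, and not code from sFlow-RT or Juniper): a Python script that encodes a BGP FlowSpec rule of the form "destination 117.27.230.10/32, protocol UDP, destination port 5353" as RFC 5575 NLRI bytes together with the redirect:65070:100 extended community used in the configuration above, decodes such an NLRI back into a readable rule (useful when checking what a controller actually announced), and verifies that the Junos community definition, the VRF1 vrf-target and the sFlow-RT redirect AS all name the same AS:value. The exact match set the ddos-protect app announces for a given attack is an assumption here; the function names and the sample set lines (copied from the configuration above) belong to this example only.

```python
import ipaddress
import re
import struct

# RFC 5575 FlowSpec component types handled by this example (IPv4 only)
DEST_PREFIX = 1
IP_PROTOCOL = 3
DEST_PORT = 5

# "Redirect to VRF" extended community, two-octet-AS form (type 0x80, sub-type 0x08)
REDIRECT_TYPE = bytes([0x80, 0x08])

# Constructed sample: the relevant Junos set commands copied from the notes above
JUNOS_SET_LINES = [
    "set policy-options community to-fw-ddos members redirect:65070:100",
    "set routing-instances VRF1 instance-type vrf",
    "set routing-instances VRF1 vrf-target target:65070:100",
]


def _numeric_op(value, eq=True, end=True):
    """One operator+value pair (RFC 5575 section 4.2.1.1).
    Operator bits: e(nd-of-list) a(nd) len(2 bits) 0 lt gt eq;
    the value is packed in 1, 2, 4 or 8 octets according to len."""
    if value < 0x100:
        length_code, fmt = 0, ">B"
    elif value < 0x10000:
        length_code, fmt = 1, ">H"
    elif value < 0x100000000:
        length_code, fmt = 2, ">I"
    else:
        length_code, fmt = 3, ">Q"
    op = (0x80 if end else 0) | (length_code << 4) | (0x01 if eq else 0)
    return bytes([op]) + struct.pack(fmt, value)


def encode_flowspec_nlri(dst, proto, dport):
    """NLRI for 'destination <dst> AND protocol == <proto> AND dport == <dport>'."""
    net = ipaddress.ip_network(dst, strict=False)
    nbytes = (net.prefixlen + 7) // 8  # prefix is carried in the minimal number of octets
    body = bytes([DEST_PREFIX, net.prefixlen]) + net.network_address.packed[:nbytes]
    body += bytes([IP_PROTOCOL]) + _numeric_op(proto)
    body += bytes([DEST_PORT]) + _numeric_op(dport)
    if len(body) >= 240:
        raise ValueError("NLRI too long for the one-octet length form")
    return bytes([len(body)]) + body


def encode_redirect_community(asn, value):
    """redirect:<asn>:<value> as an 8-octet extended community."""
    return REDIRECT_TYPE + struct.pack(">HI", asn, value)


def decode_redirect_community(ext):
    if ext[:2] != REDIRECT_TYPE:
        raise ValueError("not a two-octet-AS redirect community")
    asn, value = struct.unpack(">HI", ext[2:])
    return f"redirect:{asn}:{value}"


def decode_flowspec_nlri(nlri):
    """Parse the component subset this example emits back into a dict."""
    if nlri[0] < 0xF0:
        length, pos = nlri[0], 1
    else:  # two-octet length form
        length, pos = ((nlri[0] & 0x0F) << 8) | nlri[1], 2
    end, rule = pos + length, {}
    names = {IP_PROTOCOL: "proto", DEST_PORT: "dport"}
    while pos < end:
        ctype = nlri[pos]
        pos += 1
        if ctype == DEST_PREFIX:
            plen = nlri[pos]
            nbytes = (plen + 7) // 8
            addr = nlri[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
            pos += 1 + nbytes
            rule["dst"] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        elif ctype in names:
            values = []
            while True:  # the operator list ends at the first op with the e bit set
                op = nlri[pos]
                size = 1 << ((op >> 4) & 0x3)
                values.append(int.from_bytes(nlri[pos + 1:pos + 1 + size], "big"))
                pos += 1 + size
                if op & 0x80:
                    break
            rule[names[ctype]] = values
        else:
            raise ValueError(f"unsupported FlowSpec component type {ctype}")
    return rule


def redirect_targets_match(junos_set_lines, sflow_rt_redirect_as):
    """True when the community sFlow-RT attaches, the Junos community definition
    and VRF1's route-target all name the same AS:value. If they differ, the router
    accepts the FlowSpec route but never steers matching traffic into the VRF."""
    text = "\n".join(junos_set_lines)
    communities = set(re.findall(r"members redirect:(\d+:\d+)", text))
    targets = set(re.findall(r"vrf-target target:(\d+:\d+)", text))
    return communities == targets == {sflow_rt_redirect_as}


if __name__ == "__main__":
    nlri = encode_flowspec_nlri("117.27.230.10/32", 17, 5353)
    print(nlri.hex(), decode_flowspec_nlri(nlri))
    print(encode_redirect_community(65070, 100).hex())
    print(redirect_targets_match(JUNOS_SET_LINES, "65070:100"))
```

The consistency check is the part worth keeping around: the route-target on VRF1 is what makes the FlowSpec redirect land in the VRF whose default route points at the scrubber (222.77.177.1), so the three places that spell 65070:100 must agree.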
So that packets re-injected by the scrubbing appliance are forwarded on to the backend server, the interface connected to the scrubber must be excluded from flow routes (otherwise the FlowSpec filter would redirect the cleaned traffic back to the scrubber in a loop):
set interfaces ge-0/0/4 unit 0 family inet filter group 1
set routing-options flow interface-group 1
set routing-options flow interface-group exclude
Generate test traffic with hping3:
hping3 --flood --udp --rand-source -k 117.27.230.10 -p 5353
Verification: