
bgp flowspec的基本测试

作者: 严炎2016 | 来源:发表于2020-08-14 16:23 被阅读0次

第一种 sflow-RT(192.168.10.1 )---------juniper VMX

第二种   gobgp(192.168.20.1)-----------juniper VMX

限速值为1000 Bps(字节/秒);但juniper按bps(比特/秒)计算,会将该值乘以8,即8000 bps,对应后文show firewall输出中以8K_开头的policer。

sflow-RT的话,按如下启动

#./start.sh -Dddos_protect.router=192.168.10.254  -Dddos_protect.as=65070  -Dbgp.start=yes -Dbgp.port=179 -Dddos_protect.enable.ipv6=no -Dddos_protect.enable.flowspec=yes  -Dddos_protect.flowspec.rate=1000  -Dddos_protect.flowspec.community=65070:1000

注:-Dddos_protect.flowspec.community=65070:1000不起作用,在juniper里始终都是Communities: traffic-rate:0:1000

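gobgp的话,按以下方式发布/32的flowspec路由(注意:下面两条示例命令的目的地址是117.27.230.x,而后文VMX的TRAFFIC-RATE策略和hping3目标使用的是119.27.230.0/24网段,二者不一致,疑为笔误;测试时请使目的地址落在策略允许的网段内):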

#gobgp global rib -a ipv4-flowspec add match destination 117.27.230.10/32  then rate-limit 1000.0

以上的1000Bps在juniper的traffic-rate团体属性中体现:Communities: traffic-rate:0:1000

若要在团体属性中体现AS号,即 Communities: traffic-rate:65060:1000,则在命令末尾加上 as 65060:

gobgp global rib -a ipv4-flowspec add match destination 117.27.230.12/32  then rate-limit 1000.0 as 65060

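juniper VMX的配置(测试环境;其中 ssh root-login allow 以及两个邻居上的 no-validate 都放宽了默认的安全检查,no-validate 之后仅靠 TRAFFIC-RATE 策略把可接受的flowspec路由限制在 119.27.230.0/24 内的/32;公开分享配置时建议隐去 root-authentication 的密码哈希):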
root@CE-R> show configuration | display set

set version 20190319.203446_builder.r1013243

set system root-authentication encrypted-password "$6$AeSB/yQX$Xo6uUk1XAQtXLs4nCMxperSKE9f7YavFwv66W8Zpi8nDRh6Cj4wudDEXr7HVgvu.L8eYD97QrdrBhlwBecpT11"

set system services ssh root-login allow

set system services ssh protocol-version v2

set system host-name CE-R

set system syslog user * any emergency

set system syslog file messages any notice

set system syslog file messages authorization info

set system syslog file interactive-commands interactive-commands any

set system processes dhcp-service traceoptions file dhcp_logfile

set system processes dhcp-service traceoptions file size 10m

set system processes dhcp-service traceoptions level all

set system processes dhcp-service traceoptions flag packet

set interfaces ge-0/0/0 unit 0 family inet address 201.10.10.254/24

set interfaces ge-0/0/1 unit 0 family inet address 203.10.10.1/24

set interfaces ge-0/0/2 unit 0 family inet filter group 1

set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.254/24

set interfaces ge-0/0/3 unit 0 family inet address 222.77.177.254/24

set interfaces ge-0/0/4 unit 0 family inet filter group 1

set interfaces ge-0/0/4 unit 0 family inet address 172.20.1.254/24

set interfaces ge-0/0/5 unit 0 family inet filter group 1

set interfaces ge-0/0/5 unit 0 family inet address 192.168.20.254/24

set interfaces dsc unit 0 family inet address 192.0.2.102/32

set interfaces fxp0 unit 0 family inet address 10.5.245.195/24

set policy-options policy-statement TRAFFIC-RATE term 1 from route-filter 119.27.230.0/24 prefix-length-range /32-/32

set policy-options policy-statement TRAFFIC-RATE term 1 then accept

set policy-options policy-statement skip-validation then accept

set routing-options static route 10.5.0.0/16 next-hop 10.5.245.254

set routing-options static route 202.101.10.0/24 next-hop 203.10.10.254

set routing-options static route 119.27.230.0/24 next-hop 201.10.10.1

set routing-options router-id 192.168.10.254

set routing-options autonomous-system 64497

set routing-options flow interface-group 1

set routing-options flow interface-group exclude

set routing-options flow term-order standard

set protocols bgp group CUST-FLOWSPEC family inet flow

set protocols bgp group CUST-FLOWSPEC neighbor 192.168.10.1 family inet flow no-validate TRAFFIC-RATE

set protocols bgp group CUST-FLOWSPEC neighbor 192.168.10.1 peer-as 65070

set protocols bgp group CUST-FLOWSPEC neighbor 192.168.20.1 family inet flow no-validate TRAFFIC-RATE

set protocols bgp group CUST-FLOWSPEC neighbor 192.168.20.1 peer-as 65060

set protocols sflow polling-interval 10

set protocols sflow sample-rate ingress 1000

set protocols sflow source-ip 192.168.10.254

set protocols sflow collector 192.168.10.1

set protocols sflow interfaces ge-0/0/1.0 polling-interval 10

set protocols sflow interfaces ge-0/0/1.0 sample-rate ingress 1000

使用hping3向119.27.230.10的UDP 5353端口发送测试流量:

hping3 --flood --udp --rand-source -k 119.27.230.10 -p 5353

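验证:查看从192.168.10.1收到的flowspec路由(inetflow.0表)及其traffic-rate团体属性,并用show firewall确认对应的计数器和policer(名称以8K_开头)已有计数: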

root@CE-R> show route protocol bgp receive-protocol bgp 192.168.10.1 extensive all   

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

__juniper_private1__.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

VRF1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

__juniper_private1__.inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

VRF1.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

inetflow.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

* 119.27.230.10,*,proto=17/term:4 (1 entry, 1 announced)

    Accepted

    Flags: NoNexthop

    Localpref: 100

    AS path: 65070 I

    Communities: traffic-rate:0:1000

* 119.27.230.10,*,proto=17,dstport=5353/term:2 (1 entry, 1 announced)

    Accepted

    Flags: NoNexthop

    Localpref: 100

    AS path: 65070 I

    Communities: traffic-rate:0:1000

* 119.27.230.10,*,proto=17,srcport=1202/term:3 (1 entry, 1 announced)

    Accepted

    Flags: NoNexthop

    Localpref: 100

    AS path: 65070 I

    Communities: traffic-rate:0:1000

root@CE-R>

root@CE-R>

root@CE-R> show route table inetflow.0                                               

inetflow.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

119.27.230.10,*,proto=17/term:4           

                  *[BGP/170] 00:00:56, localpref 100, from 192.168.10.1

                      AS path: 65070 I, validation-state: unverified

                      Fictitious

119.27.230.10,*,proto=17,dstport=5353/term:2           

                  *[BGP/170] 00:00:56, localpref 100, from 192.168.10.1

                      AS path: 65070 I, validation-state: unverified

                      Fictitious

119.27.230.10,*,proto=17,srcport=1202/term:3           

                  *[BGP/170] 00:00:56, localpref 100, from 192.168.10.1

                      AS path: 65070 I, validation-state: unverified

                      Fictitious

root@CE-R> show firewall

Filter: __default_bpdu_filter__                               

Filter: __flowspec_default_inet__                             

Counters:

Name                                                Bytes              Packets

119.27.230.10,*,proto=17                                0                    0

119.27.230.10,*,proto=17,dstport=5353                44184                1578

119.27.230.10,*,proto=17,srcport=1202                    0                    0

Policers:

Name                                                Bytes              Packets

8K_119.27.230.10,*,proto=17                            0                    0

8K_119.27.230.10,*,proto=17,dstport=5353              560028                20001

8K_119.27.230.10,*,proto=17,srcport=1202                    0                    0
