Technical Documentation

Forwarding Packets to the Discard Interface

The discard interface allows you to protect a network from denial-of-service (DoS) attacks by identifying the target IP address that is being attacked and configuring a policy to forward all packets to a discard interface. All packets forwarded to the discard interface are dropped.

To configure the discard interface, include the dsc statement:

    dsc {
        unit 0 {
            family inet {
                filter {
                    input filter-name;
                    output filter-name;
                }
            }
        }
    }

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name]
  • [edit logical-systems logical-system-name interfaces interface-name]

The dsc interface name denotes the discard interface. The discard interface supports only unit 0. For more information about configuring interfaces, see the Junos Network Interfaces Configuration Guide.

The following two configurations are required to configure a policy to forward all packets to the discard interface.

Configure an input policy to associate a community with the discard interface:

    [edit]
    policy-options {
        community community-name members [ community-id ];
        policy-statement statement-name {
            term term-name {
                from community community-name;
                then {
                    next-hop address; # Remote end of the point-to-point interface
                    accept;
                }
            }
        }
    }

Configure an output policy to set up the community on the routes injected into the network:

    [edit]
    policy-options {
        policy-statement statement-name {
            term term-name {
                from prefix-list name;
                then community (set | add | delete) community-name;
            }
        }
    }
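The following added example, which is not part of the original page, fills in the three pieces above (the dsc interface, the input policy, and the output policy) with concrete values so their relationship is visible. All filter, policy, prefix-list and community names, the community value 65000:666, and the documentation-range addresses are constructed placeholders; the counting filter on the dsc interface is an assumption added to make dropped traffic observable.

```junos
# Constructed example: all names, addresses and the community value are placeholders.
interfaces {
    dsc {
        unit 0 {
            family inet {
                filter {
                    output count-discard;       # count and log what is dropped
                }
                address 192.0.2.1/32 {
                    destination 192.0.2.2;      # remote end used as next hop
                }
            }
        }
    }
}
firewall {
    family inet {
        filter count-discard {
            term all {
                then {
                    count dos-dropped;
                    log;
                }
            }
        }
    }
}
policy-options {
    prefix-list dos-targets {
        203.0.113.10/32;                        # address under attack
    }
    community blackhole members 65000:666;
    policy-statement blackhole-import {         # input policy
        term discard {
            from community blackhole;
            then {
                next-hop 192.0.2.2;
                accept;
            }
        }
    }
    policy-statement blackhole-export {         # output policy
        term tag {
            from prefix-list dos-targets;
            then community set blackhole;
        }
    }
}
```

The two policies take effect only after they are applied to the routing protocol session that carries the community, which this page does not show.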

Published: 2010-07-16