Discard Interfaces

The discard interface (dsc) is not a physical interface, but a virtual interface that discards packets.

The following sections explain discard interfaces in detail.

Discard Interfaces Overview

Discard Interfaces

You can configure the inet family protocol on the discard interface, which allows you to apply an output filter to the interface. If you apply an output filter to the interface, the action specified by the filter is executed before the traffic is discarded.

After you configure a discard interface, you must then configure a local policy to forward attacking traffic to the discard interface.

Benefits of Discard Interfaces

  • The discard interface allows you to identify the ingress point of a denial-of-service (DoS) attack. When your network is under attack, the target host IP address is identified, and the local policy forwards attacking packets to the discard interface. When traffic is routed out of the discard interface, the traffic is silently discarded.

Guidelines to Follow When Configuring a Discard Interface

Keep the following guidelines in mind when configuring the discard interface:

  • Only the logical interface unit 0 is supported.

  • The filter and address statements are optional.

  • Although you can configure an input filter and a filter group, these configuration statements have no effect because traffic is not transmitted from the discard interface.

  • The discard interface does not support class of service (CoS).

Configuring Discard Interfaces

The discard (dsc) interface is a virtual interface that silently discards packets as they arrive. It is especially useful if the network is under a denial-of-service (DoS) attack, because you can configure a policy that drops millions of requests before they are sent to a given target address, or set of addresses.

In addition, with a discard interface, you can configure filters for counting, logging, and sampling the traffic (which you cannot do with discard static routes).

Note that a discard interface can have only one logical unit (unit 0), but you can configure multiple IP addresses on that unit.

In M and MX series routers, the discard interface is supported for inet, mpls, and vpls traffic families. Starting in Junos release 20.1, for MX Series routers, the discard interface is also supported for the inet6 family.

The following sections explain how to configure a discard interface:

Configuring and Using a Discard Interface

To configure a discard interface:

  1. In configuration mode, go to the [edit interfaces] hierarchy level.
  2. Configure the discard interface. You must use the interface name dsc, and you must ensure that no discard interface is already configured.
  3. Configure the logical interface and the protocol family.
  4. If appropriate, apply an output filter to the discard interface.

    Input filters have no impact in this context.

  5. Commit the configuration and go to the top of the hierarchy level.

Configure an Output Filter with Output policy

You must configure an output policy to set up the community on the routes injected into the network.

To configure an output policy:

  1. In configuration mode, go to the [edit policy-options] hierarchy level.
  2. Configure a routing policy.
  3. Configure a policy term with a name.
  4. Configure the list of prefix-lists of routes to match with a name.
  5. Use the then statement to configure the action to take when the if and to conditions match. In this case, configure the BGP community properties (set, add, and delete) associated with a route.
  6. Commit the configuration and go to the top of the hierarchy level.
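
The two procedures above (discard interface with an output filter, then an output policy that sets a community) can be written as one configuration, shown here as an added example that is not from the original page or from Juniper. The filter, counter, prefix-list, community and policy names, the community value 65000:666 and the documentation-range addresses are all assumed placeholders.

```junos
# Added example; all names, addresses and the community value are placeholders.
interfaces {
    dsc {
        # Only logical unit 0 is supported on the discard interface.
        unit 0 {
            family inet {
                # The output filter runs before the traffic is discarded.
                filter {
                    output dsc-count-log;
                }
                # The address statement is optional.
                address 192.0.2.1/32 {
                    destination 192.0.2.2;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter dsc-count-log {
            term account {
                then {
                    count dsc-dropped;
                    log;
                }
            }
        }
    }
}
policy-options {
    prefix-list dos-targets {
        203.0.113.10/32;
    }
    community dos-discard members 65000:666;
    policy-statement tag-dos-targets {
        term match-targets {
            from {
                prefix-list dos-targets;
            }
            then {
                # set replaces the route's communities; add and delete also exist.
                community set dos-discard;
                accept;
            }
        }
    }
}
```

After the commit, `show firewall filter dsc-count-log` displays the packet and byte counter, and `show firewall log` lists the logged packet headers.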

Release History Table

Release    Description
20.1       Starting in Junos release 20.1, for MX Series routers, the discard interface is also supported for the inet6 family.