Howto: BGP layer 3 configuration at the IPC protection

The Serverius IP Protection Cloud can also filter your Layer 3 BGP IP transit traffic. You can enable the filter per IP or per subnet in your client panel and configure specific settings per filter.

To enable the service for your Layer 3 service, several configuration steps are required:

-------------------------------------------------------
BGP for colocation users who are directly connected to both Serverius routers:

You need to announce your prefixes through the Serverius network by BGP. If you want to protect some of your IPs or a whole subnet, go to the control panel and add/remove IPs to/from a previously configured safe zone. No other action is required.
You can also use the community 50673:777 to send your prefix to our DDoS scrubbing device, but you still need to add/remove IPs to/from a safe zone in the control panel at the same time, otherwise the protection will not work.

Be aware:

The smallest IP subnet that can be announced through the Serverius network to the Internet is a /24 (256 IPs). Keep in mind that after you announce a /24, all traffic is transparently forwarded to you without any DDoS protection. An IP or subnet (anything from a /32 up to a /24) is protected only after you add it to a Safe Zone.
Each IP subnet you announce should have a route object in the RIPE DB.

-------------------------------------------------------
BGP for GRE, cross-connect and VLAN users who are not directly connected to Serverius routers:

After the settings have been approved, you should configure a GRE tunnel with the Serverius router. Then you need to configure the BGP session through this GRE tunnel on your side.

In this BGP session, you should announce the IP ranges that you want to be DDoS protected.
Once you start announcing to Serverius, your incoming traffic, including DDoS attack traffic, will arrive at the Serverius network and, after cleaning, will be sent to you through the GRE tunnel.
Outgoing traffic from your network should go directly to your customers through your default gateway.

Please note:

The smallest IP subnet that can be announced through GRE is a /24 (256 IPs). Keep in mind that after you announce a /24, all traffic is transparently forwarded to you without any DDoS protection. An IP or subnet (for example a /32 of the /24) is protected only after you add it to a Safe Zone.
Each IP subnet you announce should have a route object in the RIPE DB.
You should not send us an announcement that includes your GRE external IP.
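
The rules in both sections above (nothing more specific than a /24, a route object per announced prefix, no announcement covering the GRE external IP, and protection only for safe zone entries) can be checked before a change goes live. The following is an added example, not Serverius code: the function name `preflight`, its inputs and the sample prefixes are assumptions, it handles IPv4 only, and it treats a route object as present only when the caller lists exactly the announced prefix.

```python
import ipaddress

MIN_ANNOUNCE_LEN = 24  # page: nothing smaller than a /24 may be announced


def preflight(announced, safe_zone, route_objects, gre_external_ip=None):
    """Check a planned announcement; return (problems, unprotected_networks)."""
    nets = [ipaddress.IPv4Network(p) for p in announced]
    zone = [ipaddress.IPv4Network(p) for p in safe_zone]
    routes = {ipaddress.IPv4Network(p) for p in route_objects}
    gre = ipaddress.IPv4Address(gre_external_ip) if gre_external_ip else None
    problems = []
    for n in nets:
        if n.prefixlen > MIN_ANNOUNCE_LEN:
            problems.append(f"{n}: more specific than /24, cannot be announced")
        if n not in routes:
            problems.append(f"{n}: no route object supplied for this prefix")
        if gre is not None and gre in n:
            problems.append(f"{n}: covers the GRE external IP {gre}")
    for z in zone:
        if z.prefixlen < MIN_ANNOUNCE_LEN:
            problems.append(f"{z}: safe zone entries range from /24 to /32")
        elif not any(z.subnet_of(n) for n in nets):
            problems.append(f"{z}: safe zone entry is not inside an announced prefix")
    # Announced space with no safe zone entry is forwarded without filtering.
    unprotected = []
    for n in nets:
        remaining = [n]
        for z in zone:
            kept = []
            for r in remaining:
                if r.subnet_of(z):
                    continue                           # fully covered by z
                if z.subnet_of(r):
                    kept.extend(r.address_exclude(z))  # carve the entry out
                else:
                    kept.append(r)
            remaining = kept
        unprotected.extend(sorted(remaining))
    return problems, unprotected


# Constructed sample input (documentation ranges, not real customer data).
problems, unprotected = preflight(
    announced=["203.0.113.0/24", "198.51.100.0/25"],
    safe_zone=["203.0.113.10/32", "203.0.113.128/25", "192.0.2.1/32"],
    route_objects=["203.0.113.0/24"],
    gre_external_ip="198.51.100.7",
)
for line in problems + [f"unprotected: {u}" for u in unprotected]:
    print(line)
```

The `unprotected` list is the part of the announced space that would be forwarded without filtering until it is added to a safe zone in the control panel.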

-------------------------------------------------------

