01-02-2012 09:24 AM
I have an MLX set up (currently running V5.1.0cT163). The scenario is that there is a DDoS mitigation appliance directly connected to the MLX. If a downstream host is under attack, the appliance injects a /32 route via BGP to divert the traffic to itself, cleans it, and then reinjects the clean traffic to continue to the end host.
In a typical deployment, the clean traffic is reinjected somewhere downstream to prevent the BGP diversion route from causing a routing loop. But in this case we only have the single MLX, so we are sending the clean traffic back into the MLX and using a VRF to prevent a routing loop.
The VRF config is pretty simple, and looks like this: