Currently hosting over 20,000 clients.

Howto: BGP layer 3 configuration for the DDoS filter Print

  • 106

The DDoS filter is capable to filter also Layer 3 BGP traffic. And the principle is the same, you are able to enable the filter per ip or per subnet in your client panel and make specific settings per filter.

For enabling the service for your Layer 3 service, multiple configuration steps should be taken:


BGP for colocations users what are directly connected to both Serverius Routers:
After agreeing on the settings you need to configure BGP second session in a separate vlan. (or via the separate port if your hardware not supports setting vlan on uplink port)

In the end we should have two BGP sessions on each router with similar announcements from the client.

Then you can add and remove DDoS protection for individual IP from your ranges.
You can do this by using DDoS filter settings in your client panel.
After add separate IP to DDoS filter in your client pannel you will receive cleared incoming traffic for this IP through second BGP session, all outgoing traffic will away from you directly to your customers through your main BGP session.


BGP for GRE and cross-connect and VLAN users what are not directly connected to Serverius Routers:
After approval of the settings you should configure GRE tunnel with the router. Then you need to configure the BGP session through this GRE tunnel on your side.

In to this BGP session you should make announce with your IP ranges that need to DDoS protection.
After starting announce in Serverius your incoming traffic with DDoS attack comes in the network and after cleaning out to you through the GRE tunnel.
Outgoing traffic away from you directly to your customers through your default gateway.

FYI: Minimal IP subnet for announcing through GRE is /24 (256 IPs) and each IP subnets for announcing should have route object in Ripe DB.


Was this answer helpful?

« Back

Powered by WHMCompleteSolution

Have a question? Need help?