Internet → ORC001/002/003 (scrubbers) → Nokia SR (AS52468) → Downstream
Filter 10 (deepfield-parent-v4) ← aplicado em INGRESS de todas as interfaces
└── Filter 1000 (deepfield-mitigation-v4) offset=10 [Deepfield via NETCONF]
└── fSpec-0 (FlowSpec Wanguard) NÃO embedado → não funciona
Filter "MASTER-PARENT-v4" ← substitui filter 10 nas interfaces
├── SYNANCK_REDIRECT offset 10 → entries 11 - 50.000
└── deepfield-parent-v4 offset 50010 → entries 50.011+
ATENÇÃO: Ainda não testado se deepfield-parent-v4 (scope normal) pode ser
embedado em outro filtro. Alternativa: embedar deepfield-mitigation-v4 (scope
embedded, filter-id 1000) diretamente no offset 50010 — efeito idêntico.
| Campo | Valor |
|---|---|
| Host | 10.230.16.77 |
| Usuário | dafranco |
| Senha | pkq@HKN8abd-zat4fzq |
| Plataforma | Nokia 7750 SR-1, TiMOS-B-25.3.R1 |
| AS | 52468 (Ufinet) |
Acesso via op.py:
cd /Users/danielantonio/Developer/especial_op
/opt/homebrew/bin/python3.13 op.py --device NOKIA-SP4-001 run "show filter ip 10"
edit-config exclusive
/configure filter ip-filter "SYNANCK_REDIRECT" default-action accept
/configure filter ip-filter "SYNANCK_REDIRECT" entry 100 match protocol tcp
/configure filter ip-filter "SYNANCK_REDIRECT" entry 100 match dst-ip address 209.14.7.57
/configure filter ip-filter "SYNANCK_REDIRECT" entry 100 match dst-ip mask 255.255.255.255
/configure filter ip-filter "SYNANCK_REDIRECT" entry 100 match tcp-flags ack true
/configure filter ip-filter "SYNANCK_REDIRECT" entry 100 match tcp-flags syn true
/configure filter ip-filter "SYNANCK_REDIRECT" entry 100 action forward next-hop nh-ip address 198.51.100.250
commit
quit-config
edit-config exclusive
/configure filter ip-filter "SYNANCK_REDIRECT" entry <SLOT> match protocol tcp
/configure filter ip-filter "SYNANCK_REDIRECT" entry <SLOT> match dst-ip address <PREFIX>
/configure filter ip-filter "SYNANCK_REDIRECT" entry <SLOT> match dst-ip mask <MASK>
/configure filter ip-filter "SYNANCK_REDIRECT" entry <SLOT> match tcp-flags ack true
/configure filter ip-filter "SYNANCK_REDIRECT" entry <SLOT> match tcp-flags syn true
/configure filter ip-filter "SYNANCK_REDIRECT" entry <SLOT> action forward next-hop nh-ip address <NEXTHOP>
commit
quit-config
edit-config exclusive
delete /configure filter ip-filter "SYNANCK_REDIRECT" entry <SLOT>
commit
quit-config
| Interface | IP | Descrição |
|---|---|---|
| ORC001 | 198.18.201.14/30 | Scrubber ORC001 |
| ORC002 | 198.18.202.14/30 | Scrubber ORC002 |
| ORC003 | 198.18.203.30/30 | Scrubber ORC003 |
| ALGAR | 100.110.115.77/29 | Transit ALGAR |
| CIRION | 8.243.155.226/30 | Transit CIRION |
| COGENT | 199.100.13.163/29 | Transit COGENT |
| SPARKLE | 185.100.112.51/31 | Transit SPARKLE |
| TATA | 216.6.93.78/30 | Transit TATA |
| IX.SP.IPV4 | 187.16.221.95/20 | IX.SP IPv4 |
Verificar lista completa: show filter ip 10 association
embed flowspec offset N é a sintaxe correta (não embed filter "fSpec-0")create_synanck_filter.sh criado e copiado para DEADPOOL /opt/andrisoft/bin/Última atualização: 2026-03-26