07-Layer 3 - IP Routing Configuration Guide

08-Guard Route Configuration

Overview

A Guard device is used to filter abnormal traffic.

To achieve this, Guard routes are configured on the Guard device to divert abnormal traffic to the Guard device. A Guard route can be manually configured. In most cases, however, a Guard route is automatically configured upon receipt of a notification.

Guard routes use Null 0 as the outbound interface and work together with BGP. They are neither installed into the FIB nor used to forward IP packets. You can enable BGP to redistribute Guard routes to advertise them to a BGP peer. In this way, traffic that is received by the BGP peer and destined for destinations of Guard routes is diverted to the Guard device, which then filters and cleans the traffic.

Figure 1 Typical Guard route application


In the figure above, the Guard device is configured with a Guard route and the Detector device detects network anomalies.

· Router A communicates with the Web server, name server, and E-commerce application server through Router B.

· Router B and the Guard device run BGP and have formed a peer relationship. The import-route guard command is used in BGP view on the Guard device to enable Guard route redistribution into BGP.

· Router B is configured to mirror the traffic (from Router A) destined for the Web server, name server, and E-commerce application server to Detector.

· If Detector detects no anomalies, Router B forwards the traffic normally.

· Upon detecting abnormal traffic destined for an address, Detector notifies the Guard device, which then generates a Guard route (or the administrator configures a Guard route accordingly). The Guard route has the same destination address as the abnormal traffic, and the Guard device advertises it to its BGP peer Router B.

· After learning the Guard route, Router B forwards the nonconforming traffic to the Guard device.

· The Guard device drops malicious packets; conforming packets are sent back to their destinations through policy-based routing configured on Router B and the Guard device.

Configuring a Guard route

To configure a Guard route:

Step                           Command                            Remarks
1. Enter system view.          system-view                        N/A
2. Configure a Guard route.    ip route-guard ip-address mask     By default, no Guard route is configured.

 

NOTE:

Guard routes are neither installed into the FIB nor used to forward IP packets. They work together with BGP. You can enable BGP to redistribute Guard routes. For the configuration of Guard route redistribution into BGP, see the chapter “Configuring BGP.”

 

Displaying and maintaining Guard routes

Task                               Command                                                                                                         Remarks
Display Guard route information.   display ip routing-table protocol guard [ inactive | verbose ] [ | { begin | exclude | include } regular-expression ]   Available in any view

Guard route configuration example

Network requirements

Switch B communicates with the Web server, name server, and E-commerce application server through Switch A.

Configure Switch A to mirror the traffic (from Switch A) destined for the Web server, name server, and E-commerce application server to Detector.

The traffic destined for 1.1.1.1 has been found abnormal through Detector. Configure the Guard device and Switch A to divert the traffic destined for 1.1.1.1 to the Guard device.

Figure 2 Network diagram


Configuration procedure

1.      Configure IP addresses for the interfaces. (Details not shown)

2.      Configure port mirroring on Switch A:

# Create a local port mirroring group.

<SwitchA> system-view

[SwitchA] mirroring-group 1 local

[SwitchA] mirroring-group 1 mirroring-port GigabitEthernet 3/0/2 inbound

[SwitchA] mirroring-group 1 monitor-port GigabitEthernet 3/0/1

3.      Configure BGP and a routing policy on Switch A:

# Create ACL 2000 that denies all routes.

[SwitchA] acl number 2000

[SwitchA-acl-basic-2000] rule 0 deny

[SwitchA-acl-basic-2000] quit

# Configure community list 1 so that the received routes matching community 1:1 are not advertised to any BGP peer or out of the AS.

[SwitchA] ip community-list 1 permit 1:1 no-export no-advertise

# Configure routing policy guard-in, matching community list 1.

[SwitchA] route-policy guard-in permit node 0

[SwitchA-route-policy] if-match community 1

[SwitchA-route-policy] quit

# Enable BGP and establish a neighbor relationship with the Guard device.

[SwitchA] bgp 100

[SwitchA-bgp] peer 5.5.5.6 as-number 200

# Apply ACL 2000 to filter routes advertised to peer 5.5.5.6, namely, to deny all those routes.

[SwitchA-bgp] peer 5.5.5.6 filter-policy 2000 export

# Apply routing policy guard-in to filter routes received from peer 5.5.5.6 so that the received routes matching community 1:1 are not advertised to any BGP peer or outside of the AS.

[SwitchA-bgp] peer 5.5.5.6 route-policy guard-in import

[SwitchA-bgp] quit

4.      On the Guard device, enable BGP, configure a routing policy, and configure BGP to redistribute Guard routes:

# Create ACL 2000 that denies all routes.

<Guard> system-view

[Guard] acl number 2000

[Guard-acl-basic-2000] rule 0 deny

[Guard-acl-basic-2000] quit

# Configure routing policy guard-out so that the received routes matching community 1:1 are not advertised to any peer or outside of the AS.

[Guard] route-policy guard-out permit node 0

[Guard-route-policy] apply community 1:1 no-export no-advertise

[Guard-route-policy] quit

# Enable BGP, establish a neighbor relationship with Switch A, and redistribute Guard routes.

[Guard] bgp 200

[Guard-bgp] peer 5.5.5.5 as-number 100

[Guard-bgp] import-route guard

# Apply ACL 2000 to filter the routes received from peer 5.5.5.5, namely, to deny all those routes.

[Guard-bgp] peer 5.5.5.5 filter-policy 2000 import

# Apply routing policy guard-out to filter the routes advertised to peer 5.5.5.5 and advertise the community attribute.

[Guard-bgp] peer 5.5.5.5 route-policy guard-out export

[Guard-bgp] peer 5.5.5.5 advertise-community

[Guard-bgp] quit


NOTE:

The Guard device is used mainly for filtering out abnormal traffic but not for routing packets. Therefore, a routing policy needs to be configured on the Guard device so that it handles only Guard routes to reduce resource consumption. For routing policy configuration, see the chapter “Configuring routing policy.”

 

5.      Configure a Guard route on the Guard device:

The packets destined for 1.1.1.1 have been found abnormal through Detector.

# Configure a Guard route.

[Guard] ip route-guard 1.1.1.1 255.255.255.255

6.      Verify the configuration:

# Display the Guard route configured on the Guard device.

[Guard] display ip routing-table protocol guard

Public Routing Table : Guard

Summary Count : 1

 

Guard Routing table Status : < Active>

Summary Count : 1

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

1.1.1.1/32          Guard  40   0            0.0.0.0         NULL0

 

Guard Routing table Status : < Inactive>

Summary Count : 0

# On Switch A, display the Guard route learned by BGP.

[SwitchA] display ip routing-table 1.1.1.1

Routing Table : Public

Summary Count : 1

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

 

1.1.1.1/32          BGP    255  0            5.5.5.6         Vlan100
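The two display outputs in the verification step can be checked automatically. The following script is an added example, not part of the H3C guide: it parses the route lines of display ip routing-table output (the sample text is copied from the verification step above and embedded as constructed input), confirms that the diverted prefix is an Active Guard route to Null 0 on the Guard device, and confirms that Switch A has learned it via BGP with the Guard device's peer address 5.5.5.6 as next hop. The function names and the Route tuple are this example's own.

```python
import re
from collections import namedtuple

# Constructed test input: the two outputs shown in the verification step of this guide.
GUARD_OUTPUT = """\
Public Routing Table : Guard
Summary Count : 1
Guard Routing table Status : < Active>
Summary Count : 1
Destination/Mask    Proto  Pre  Cost         NextHop         Interface
1.1.1.1/32          Guard  40   0            0.0.0.0         NULL0
Guard Routing table Status : < Inactive>
Summary Count : 0
"""
SWITCHA_OUTPUT = """\
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto  Pre  Cost         NextHop         Interface
1.1.1.1/32          BGP    255  0            5.5.5.6         Vlan100
"""

# status is "Active"/"Inactive" on the Guard device, "" where the output has no status sections.
Route = namedtuple("Route", "prefix proto nexthop interface status")
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+\d+\s+\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
STATUS_RE = re.compile(r"Status\s*:\s*<\s*(\w+)\s*>")

def parse_routes(output):
    """Collect route lines, tagging each with the Active/Inactive section it appears in."""
    routes, status = [], ""
    for line in output.splitlines():
        s = STATUS_RE.search(line)
        if s:
            status = s.group(1)   # a new section starts; remember its status for later lines
            continue
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m[1], m[2], m[3], m[4], status))
    return routes

def guard_route_active(output, prefix):
    """Guard device: the diverted prefix must be an Active Guard route with Null 0 as outbound interface."""
    return any(r.prefix == prefix and r.proto == "Guard" and r.status == "Active"
               and r.interface.upper() == "NULL0" for r in parse_routes(output))

def diverted_via_guard(output, prefix, guard_peer):
    """Switch A: the prefix must be a BGP route whose next hop is the Guard device's peer address."""
    return any(r.prefix == prefix and r.proto == "BGP" and r.nexthop == guard_peer
               for r in parse_routes(output))
```

Feed the script the live output of the two display commands on each device to confirm that diversion for 1.1.1.1/32 is in place before relying on it.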
