Cisco Guard Configuration Guide (Software Version 3.08) - Diversion Configuration [Cisco Guard DDoS Mitigation Appliances]

Table Of Contents

Diversion Configuration

BGP Diversion Method

BGP Configuration Guidelines

Guard BGP Configuration

Guard BGP Configuration Example

Displaying Guard Router Configuration File

Cisco Router BGP Configuration

Cisco Router BGP Configuration Example

Juniper Router BGP configuration Example

Traffic Forwarding Methods

Layer-2-Forwarding (L2F) Method

Overview

Guard L2F Configuration

Router L2F Configuration

Policy-Based Routing Destination (PBR-DST) Traffic Forwarding Method

Overview

PBR-DST Configuration Guidelines

Guard PBR-DST Configuration

Cisco Router PBR-DST Configuration

Juniper Router Filter Based Forwarding (FBF) Configuration Example

VPN Routing Forwarding - Destination (VRF -DST)

Overview

VRF-DST Configuration Guidelines

VRF-DST Configuration

Guard VRF-DST Configuration

Policy Based Routing VLAN (PBR -VLAN)

Overview

PBR-VLAN Configuration

Guard PBR-VLAN Configuration

CISCO Router PBR-VLAN Configuration

VPN Routing Forwarding VLAN (VRF-VLAN)

Overview

VRF-VLAN Configuration

GUARD VRF-VLAN Configuration

Cisco Router VRF-VLAN Configuration

First VRF Table Production

Juniper Routers Routing Instance

Tunnel Diversion

Overview

Tunnel Diversion Configuration

Guard Tunnel Diversion Configuration

Cisco Router Tunnel Diversion Configuration

Long Diversion

Overview

Packet Flow Example

Long Diversion Configuration

Guard Long Diversion Configuration

Cisco Router Long Diversion Configuration

Diversion Configuration

This appendix provides the following information:

•BGP Diversion Method

•Traffic Forwarding Methods

•Long Diversion

Note Information provided in this document regarding Cisco and Juniper router configuration is for informational purposes only. Please refer to the appropriate user guides for detailed information.

Note Traffic diversion configuration is topology independent. The configuration procedures for Layer 2 and Layer 3 topologies are identical.

BGP Diversion Method

Following standard BGP routing definitions, routers will select the routing path with the longest matching prefix (also known as the "most specific"). Therefore, after establishing a BGP session with the router, the Guard sends a routing update where it is listed as the best path for the protected Zone. The network prefix the Guard announces is longer than the one already listed in the router's routing table thereby overriding the router's routing table definition.

The prefix subnet is configured per zone's subnet IP address (see the "Removing a Zone's IP Address" section in Chapter 5, "Zone Configurations," for further details).

BGP is configured similarly in all networks.

To configure Guard Diversion in Layer 2 and Layer 3 network topologies, perform the following:

1. Configure traffic diversion using BGP (see the "Guard BGP Configuration" section in this chapter for further details).

2. Configure the appropriate traffic forwarding method (the "Traffic Forwarding Methods" section in this chapter for further details).

Figure A-1 provides examples of L2 and L3 network topologies. In both network topologies, the Guard diverts the traffic from router R1.

Figure A-1 BGP Configuration

After BGP diversion is established, router's routing tables points to the Guard as the best route to the zone. Therefore, all traffic destined to the zone's IP address forwarded to the Guard.

BGP Configuration Guidelines

This section provides general guidelines for BGP configuration on the Guard and on a divert-from router.

Note The guidelines provided in this section are applicable to BGP configuration on any router from which the Guard diverts the traffic. Sample BGP configuration in this and the following sections is presented using the Cisco syntax.

Note The following examples are provided using common eBGP.

The user should consider the network configuration and determine whether eBGP or iBGP should be implemented. The user should note the differences while configuring.

The Guard and adjacent routers operate using common eBGP (External Border Gateway Protocol). The following guidelines are recommended:

1. Configure the Guard with an easily recognizable Autonomous System number.

The Guard sends routing information only when diverting traffic. Only then, will this route appear in the routers routing tables. Using a recognizable value will allow network operators to easily identify the Guard in the routers routing tables.

2. To ensure that the Guard's routing information is not redistributed to other internal and external BGP neighboring devices, perform the following:

•Configure the Guard not to send routing information and to drop incoming BGP routing information.

•Set the Guard BGP community attribute values to no-export and no-advertise. Since it is not possible to filter the Guard's announcements using either a prefix-list or as-path, use the community attribute value ROUTER-AS:GUARD-AS.

A match in the community attributes will enable to filter the BGP announcements on the router and therefore enforce this policy.

3. It is recommended to issue the soft-reconfiguration inbound command during the setup procedures. This is useful for troubleshooting and allows restoring a routing table without reconnecting to the neighboring device.

See the "Traffic (BGP) Diverting Method" section in Chapter 4, "Zone Traffic Diversion," for further details on BGP.

Guard BGP Configuration

BGP is configured on the Guard using the Zebra application (see http://www.zebra.org for further details on the Zebra application).

It is recommended to configure a zone's diversion when the zone is in standby mode.

To enter diversion configuration on the Guard, perform the following:

1. From the Configuration command group level, type the following:
admin@GUARD-conf# router 
2. Choose ENTER. The following prompt appears, indicating that the system has entered the Zebra application in non-privileged mode:
router> 
Tip At each command level of the Zebra application, press the question mark (?) key to display the list of commands available at this mode.

3. To switch to the privileged mode, type the following:
router> enable 
4. Choose ENTER.

The following prompt appears, indicating that the system has entered the Zebra application privileged mode:
router#
Note To quit the Zebra application, type exit from the router command level.
To exit from a current command group level to a 'higher' group level, type exit.

5. To switch to terminal configuration mode, type the following:
router# config terminal
6. Choose ENTER.

The following prompt appears, indicating the system has entered the Zebra application configuration mode:
router(config)# 
7. Configure the Guard's routing. See guidelines and example below for further details.

The following commands must be configured on the Guard:

Note•Replace terms in italics with Guard and router (a divert-from router) values as indicated

•Replace < > marks with the appropriate parameter values

•Items in bold italic represent names. The user may replace these names.

•Each line below represents a command. Items in bold represent commands.

Note Several methods may be used for filtering outgoing routing information on a router. The following example describes the "distribute-list" method.

Other types of filtering methods may be used as long as the routing information is not sent to the Guard.
router(config)# router bgp <Guard-AS-number>
router(config-router)# bgp router-id <Guard-IP-address>
router(config-router)# redistribute guard
router(config-router)# neighbor <Router-IP-address> remote-as 
<Router-AS-number>
router(config-router)# neighbor <Router-IP-address> description 
<description> 
router(config-router)# neighbor <Router-IP-address> 
soft-reconfiguration inbound
router(config-router)# neighbor <Router-IP-address> 
distribute-list nothing-in in
router(config-router)# neighbor <Router-IP-address> route-map 
Guard-out out
router(config-router)# exit
router(config)# access-list nothing-in deny any
router(config)# route-map Guard-out permit 10
router(config-route-map)# set community <RouterAS:GuardAS> 
no-export no-advertise 
Guard BGP Configuration Example

In the example, the router's AS (Autonomous System Number) is 1680. The Guard's AS is 64555.

To display the Guard router configuration, perform the following:

From the router command level, type the following:
router# show running-config
The following partial example screen is displayed:
router# show running-config
... ... ...
router bgp 64555
bgp router-id 192.168.8.8
redistribute guard
neighbor 192.168.8.1 remote-as 1680
neighbor 192.168.8.1 description divert-from router 
neighbor 192.168.8.1 soft-reconfiguration inbound
neighbor 192.168.8.1 distribute-list nothing-in in
neighbor 192.168.8.1 route-map Guard-out out
!
access-list nothing-in deny any
!
route-map Guard-out permit 10
set community 1680:64555 no-export no-advertise 
... ... ...
Displaying Guard Router Configuration File

The user may display the configuration file of a desired router.

To display a desired router configuration file, perform the following:

1. From the Global command group level, type the following:
admin@GUARD# show running-config router
2. Choose ENTER.

Cisco Router BGP Configuration

This section provides information about router BGP configuration used when configuring the Cisco diversion technology. The syntax below is taken from the BGP configuration on a Cisco router.

Note•Replace terms in italics with Guard and router (a divert-from router) values as indicated

•Replace < > marks with the appropriate parameter values

•Items in bold italics represent names. The user may replace these names.

•Each line below represents a command. Items in bold represent commands.
R7200(config)# router bgp <Router-AS>
R7200(config-router)# bgp log-neighbor-changes
R7200(config-router)# neighbor <Guard-IP-address> remote-as <GuardAS>
R7200(config-router)# neighbor <Guard-IP-address> description 
<description>
R7200(config-router)# neighbor <Guard-IP-address> soft-reconfiguration 
inbound
R7200(config-router)# neighbor <Guard-IP-address> distribute-list 
routesToGuard out
R7200(config-router)# neighbor <Guard-IP-address> route-map Guard-in 
in
R7200(config-router)# no synchronization
R7200(config-router)# exit
R7200(config)# ip bgp-community new-format
R7200(config)# ip community-list expanded <Guard-community-name> 
permit Router-AS:Guard-AS no-export no-advertise
R7200(config)# route-map Guard-in permit 10
R7200(config-route-map)# match community <Guard-community-name> exact 
match
R7200(config-route-map)# exit
R7200(config)# ip access-list standard routestoGuard 
R7200(config-std-nacl)# deny any
The no synchronization command prevents the distribution of the Guard BGP routing updates into IGP.

Cisco Router BGP Configuration Example

In the example, the router's AS (Autonomous System Number) is 1680. The Guard's AS is 64555.

To display the router configuration, perform the following:

From the router global command level, type the following:
R7200# show running-config
The following partial example screen is displayed:
R7200# show running-config
... ... ...
router bgp 1680 
bgp log-neighbor-changes
neighbor 192.168.8.8 remote-as 64555
neighbor 192.168.8.8 description Guard
neighbor 192.168.8.8 soft-reconfiguration inbound
neighbor 192.168.8.8 distribute-list routesToGuard out
neighbor 192.168.8.8 route-map Guard-in in
no synchronization
!
ip bgp-community new-format
ip community-list expanded Guard permit 1680:64555 no-export no- 
advertise
!
route-map Guard-in permit 10
match community Guard exact match
ip access-list standard routesToGuard 
 deny any
... ... ...
Juniper Router BGP configuration Example

In the example, the router's AS (Autonomous System Number) is 1680. The Guard's AS is 64555.

The bgp command defines the basic BGP parameters such as local-AS number, type of BGP used (EBGP), description, remote-AS number and neighbor IP (the AS number and the IP address of the Guard).

The policy command defines that only BGP updates received from the specific community ("riverhead" in the example below) are accepted, all other updates are denied.
   bgp {     
       local-as 1680;
            group test {
            type external;
            description "BGP with the Guard";
     passive;
            import bgp-in;
            peer-as 64555;
            neighbor 192.168.8.8;
        }
    }
}
policy-options {
    policy-statement bgp-in {
        term 10 {
            from {
                protocol bgp;
                community riverhead;
            }
            then accept;
        }
        term 20 {
            then reject;
        }
    }
    community riverhead members [ no-export no-advertise 1680:64555 ];
Traffic Forwarding Methods

This section provides details on traffic forwarding methods. Traffic forwarding methods are used to forward the cleaned traffic from the Guard to the next-hop router. See the "Traffic Forwarding Methods" section in Chapter 4, "Zone Traffic Diversion," for further details.

Layer-2-Forwarding (L2F) Method

Overview

The Layer-2 Forwarding (L2F) method is used in the L2 topology scenario, when all three devices: the Cisco Guard, the divert-from router, and the next-hop router are located in one shared IP network.

In a L2 topology, a divert-from router, and an inject-to router are two separate devices. The next-hop router and the inject-to router are the same device.

The Guard resolves the MAC address of the inject-to/next-hop router and then forwards the traffic. The MAC addresses are resolved by issuing an ARP query. Therefore, no configuration on the routers is required when using the L2F method.

The zone may be connected in one of the following ways:

•The zone is connected directly to a Layer 2 switch. In such a case the zone is connected to the same IP subnet as the Guard. The zone's IP address is configured as the inject-to router and the Guard forwards the traffic directly to the zone.

•The zone is connected using IP forwarding equipment. In such a case, the IP forwarding equipment must be defined as the Guard's next-hop router.

Figure A-2 BGP Configuration

Guard L2F Configuration

Interface Statements

Configure the Guard's Out-of-Band interface (see the "Configuring a Physical Interface" section in Chapter 3, "Guard Configuration," for further details).

In the following example, Out-of-Band interface giga1 is configured:
admin@GUARD-conf# interface giga1
admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0
BGP Statements

Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter.

In the following example, the Guard's AS is 64555. The router's AS is 1680 and the IP address is 192.168.8.1:
router bgp 64555
 redistribute guard
 neighbor 192.168.8.1 remote-as 1680
 neighbor 192.168.8.1 description C7513
 neighbor 192.168.8.1 distribute-list nothing-in in
 neighbor 192.168.8.1 soft-reconfiguration inbound
 neighbor 192.168.8.1 route-map filt-out out
!
route-map filt-out permit 10
 set community no-advertise no-export 1680:64555
!
access-list nothing-in deny any
Injection Configuration

To configure traffic injection from the Guard to the zone, add a static route to the zone or the next-hop router according to the network topology.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the next-hop router 192.168.8.250:
router# configure terminal
router(config)# ip route 192.168.240.0 255.255.255.0 192.168.8.250
Router L2F Configuration

No configuration is required on the router.

Policy-Based Routing Destination (PBR-DST) Traffic Forwarding Method

Overview

Policy-Based Routing is a static forwarding method, deployed in Layer 3 network topologies, where the Guard forwards the filtered traffic to the same router from which the traffic was diverted.

Figure A-3 PBR Forwarding Method

To enable the Guard to divert the zone's traffic from the router, the zone's route is modified in the router's routing table. The Guard is listed as the best path to the zone.

An endless routing loop could occur if the router's routing table is not changed. As the only entry for traffic destined to the zone in the router's routing table is the Guard, filtered traffic from the Guard would be sent back to the Guard.

To overcome routing loops, Policy Based routing (PBR) is configured on the inject-to router. PBR allows creating rules that override those found in the router's routing table and thus avoid such situations of endless routing loops. It enables to add rules that are applied to the filtered traffic. These rules instruct the router to forward the filtered traffic to the zone, regardless of the routing table entries.

To configure the Diversion in this network topology, configure the traffic diversion process using BGP (see the "Guard BGP Configuration" section in this chapter for further details).

PBR-DST Configuration Guidelines

The guidelines provided in this section are applicable to PBR configuration on any inject-to router. The sample PBR configuration in this and the following sections is presented using the Cisco syntax.

To Configure Policy-Based routing on an inject-to router, follow these guidelines:

1. Policy based routing must be applied on the router's interface connected to the Guard. This is important as only traffic coming from the Guard is subject to PBR.

2. Traffic selected by means of Policy-Based Routing must be forwarded to the next-hop router. The next-hop router should have the following characteristics:

•The next-hop router is connected directly to the divert-from router. In Layer 3 topology the next-hop router and the inject-to router are the same device.

•The divert-from router is not part of the next-hop router's route to the zone.

Such a configuration would cause a routing loop between the divert-from and the next-hop routers.

Policy Based routing is applied using the route-map command and the match and set commands to define the conditions for policy routing packets. To enable PBR, the user must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. The user must enable PBR for the configured route map on a particular interface. All packets arriving on the specified interface matching the match clause will be subject to PBR.

PBR configuration consists the following three parts:

•Sequence—Specifies the position a new route map will have in the list of route maps already configured with the same name. Cisco routers process sequence numbers in ascending order.

Define a separate route-map entry and sequence number for traffic that is to be forwarded to the zone and for all other traffic.

The sequence is configured using the route-map command. The route-map command puts the router into route-map configuration mode.

•Matching statement—Specifies the conditions under which policy routing occurs. The user should specify the conditions under which an IP address is matched using the match command. A match will determine whether the next-hop is modified.

•Forwarding statement—Specifies the routing actions to perform if the criteria enforced by the match commands are met. The set ip next-hop route-map configuration command indicates where to send packets that pass a match clause of a route map for policy routing.

Guard PBR-DST Configuration

The configuration in the following example refers to the network in Figure A-3.

BGP Statements

Enter the Guard router BGP configuration as explained in the"Guard BGP Configuration" section in this chapter.

Injection Configuration to the Next-Hop Router

The next-hop router in the example is R2. To configure traffic injection from the Guard to the zone, add a static route to the inject-to router.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24):
router# configure terminal
router(config)# ip route 192.168.240.0 255.255.255.0 192.168.8.1
Cisco Router PBR-DST Configuration

This section provides information about router PBR configuration used when configuring the Cisco diversion technology. The syntax below is taken from the PBR configuration on a Cisco router.
R7200(config)# interface FastEthernet 0/2
R7200(config-if)# description <Interface connected to the Guard>
R7200(config-if)# ip address <Router interface IP address> <Router 
interface IP mask>
R7200(config-if)# no ip directed-broadcast
R7200(config-if)# ip policy route-map <Guard-PBR-name>
R7200(config-if)# exit
R7200(config)# ip access-list extended <Zone-name>
R7200(config-ext-nacl)# permit ip any host <Zone IP address>
R7200(config-ext-nacl)# exit
R7200(config)# route-map <Guard-PBR-name> permit 10
R7200(config-route-map)# match ip address <Zone-name>
R7200(config-route-map)# set ip next-hop <next-hop router IP address>
R7200(config-route-map)# exit
R7200(config)# route-map < Guard-PBR-name > permit 100
R7200(config-route-map)# description let thru all other packets 
without modifying next-hop
PBR Traffic Forwarding Example

This section provides an example of PBR traffic forwarding configuration for the sample network in Figure A-3.

To display the router configuration, perform the following:

From the router global command level, type the following:
R7200# show running-config
The following partial example screen is displayed:
R7200# show running-config
... ... ...
interface FastEthernet0/2
description Interface connected to the Guard
ip address 192.168.8.1 255.255.255.0
no ip directed-broadcast
ip policy route-map GuardPbr
!
ip access-list extended zone-A
permit ip any host 192.168.240.2
!
route-map GuardPbr permit 10
match ip address zone-A
set ip next-hop 192.168.250.2
!
route-map GuardPbr permit 100
description let thru all other packets without modifying next-hop
Juniper Router Filter Based Forwarding (FBF) Configuration Example

The Juniper's equivalent of PBR is FBF (Filter Based Forwarding).

The configuration in the following example refers to the network in Figure A-3.

This section provides information on Filter Based Forwarding (FBF) configuration on a Juniper router.

The router configuration consists the following:

•Filter configuration—The filter specifies the packet filtering criteria. Configure a filter to match all packets with a specified destination IP address.

•Routing instance configuration—The routing instance specifies the routing table(s) to which a packet, that matches the filter, is forwarded, and the destination to which the packet, that matches the filter, is forwarded.

•Interface routes configuration—The interface routes specify how to resolve the routing instances defined routes to directly-connected next hops on that interface.

JUNOS Version

The DST-PBR is supported from 5.1R1.4 JUNOS.

Interface to the Guard

Configure the router interface facing the Guard:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input DST; 
                }
                address 192.168.8.1/24;
            }
        }
    }
}
Filter Configuration

Firewall filters allow you to filter packets based on their components and to perform an action on packets that match the filter. The filter consists of:

•Match conditions—Values or fields that the packet must contain. In the example below the match condition used is destination-address.

•Action—Specifies the action taken if a packet matches the match conditions. The example below contains two actions. The first action assigns the matching packets with routing instance "next-hop_1". The second action accepts all packets that do not match the match condition.

In the example below, the filter's name is DST.
firewall {
      filter DST {
        term 10 {
            from {
                destination-address {
                    192.168.240.2/32;
                }
            }
            then routing-instance next-hop_1;
        }
        term 20 {
            then accept;
        }
    }
Routing Instance(s) Configuration

Each routing instance consists of a set of routing tables, a set of interfaces that belong to these routing tables, and a set of routing option configurations. Forwarding instances are used to implement filter-based forwarding for Common Access Layer applications. Configure a routing instance for each filter defined in the previous section.

The routing instance, next-hop_1, in the example below directs all the matching packets to the next hop router, R2 (192.168.250.2).
routing-instances {
    next-hop_1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.250.2;                   
            } 
        }
    }
}
Interfaces Routes Configuration

In the example, a static route is added to the next-hop router. Finally, after defining the next-hop_1 routing instance (see the "Routing Instance(s) Configuration" section above), the routing interface must be associated with the connected-interface.

The routing table group is associated with the router's interfaces and the routing table groups interface routes, which are imported into specified using the interface-routes statement.

The routing table groups are created using the rib-groups statement.
routing-options {
    interface-routes {
        rib-group inet dest;
        }		
 rib-groups {
        dest {
            import-rib [ inet.0 next-hop_1.inet.0 ];        
        }
 }
}
VPN Routing Forwarding - Destination (VRF -DST)

Overview

VRF-DST is a static forwarding method, deployed in Layer 3 network topologies, where the Guard forwards the filtered traffic to the same router from which the traffic was diverted.

To enable the Guard to divert the zone's traffic from the router, the zone's route is modified in the router's routing table. The Guard is listed as the best path to the zone.

An endless routing loop could occur if the router's routing table is not changed. As the only entry for traffic destined to the zone in the router's routing table is the Guard, filtered traffic from the Guard would be sent back to the Guard.

VRF-DST allows the creation of another routing and forwarding table (called the VRF table) besides the main routing and forwarding tables. The additional routing table is configured to route traffic that is handled by the router's interface that faces the Guard.

Figure A-4 VRF DST

VRF-DST Configuration Guidelines

To configure VRF-DST on an inject-to router follow these guidelines:

Configure two separate interfaces on the router's physical interface facing the guard:

•NATIVE VLAN interface—This interface is used to divert traffic from the router to the guard. Traffic on this VLAN is forwarded according to the global routing table. The Guard sends BGP announcements to divert the traffic to the Guard on this interface.

•A Second VLAN interface—This interface is used to divert the returned traffic from the Guard to the router. A VRF table is configured on this interface. The VRF table contains a static route to forward all zone traffic to a specified next-hop router.

Note The Juniper's equivalent to VRF is called 'routing instance'. It supports multiple routing and forwarding tables in a router. This feature also facilitates the dynamic diversion. Hence, on Juniper routers we recommend using the routing instance diversion method in place of the VRF-DST diversion method. See the "Juniper Routers Routing Instance" section in this chapter for further details.

Note The VRF-DST method is applicable only when the next-hop router is static per zone

VRF-DST Configuration

The configuration in the following example refers to the network in Figure A-4.

Guard VRF-DST Configuration

Native Interface Statements

Configure the In-Band interface:
admin@GUARD-conf# interface giga1
admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0
Interface VLAN Statements

Configure VLAN 5 on the In-Band interface:
admin@GUARD-conf# interface giga1.5
admin@GUARD-conf-if-giga1.5# ip address 192.168.5.8 255.255.255.0
BGP Statements

Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter.

Injection Configuration

The next-hop router in the example is R2. To configure traffic injection from the Guard to the zone, add a static route to the next-hop router.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.5.1:
ip route 192.168.240.0 255.255.255.0 192.168.5.1
Note VRF is supported from IOS version 12.0(17) S/ST.

Creating a VRF Table

Create a VRF table on the inject-to router:
ip vrf Guard-vrf      
 rd 1680:1
 route-target export 1680:1
 route-target import 1680:1
Interface Native VLAN Statements

Configure the Native VLAN on the divert-from router:
interface fastEthernet1/0.1
 encapsulation dot1Q 1 native
 description << VLAN TO GUARD-DIVERSION >>
 ip address 192.168.8.1 255.255.255.0
 no ip directed-broadcast
Interface VLAN - 5 Statements

Configure the VLAN 5 interface on the inject-to router:
interface fastEthernet 1/0.5
 encapsulation dot1Q 5
 description << VLAN TO GUARD-INJECTION >>
 ip vrf forwarding Guard-vrf     
 ip address 192.168.5.1 255.255.255.0
Interface to Zone Statements

Configure the router interface to the zone:
interface fastEthernet 2/0
 description << LINK TO ZONE >>
 ip address 192.168.250.1 255.255.255.0
BGP Statements

Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter.

Static VRF-DST Statements

Configure Static VRF on the inject-to router. The static VRF specifies the route to the zone. The parameter global indicates that the route to the next-hop is learnt from the global routing table.
ip route vrf Guard-vrf 192.168.240.2 255.255.255.0 192.168.250.2 
global
Policy Based Routing VLAN (PBR -VLAN)

Overview

This method is used when there is more than one possible next-hop router. Multiple VLAN (Virtual LAN, 802.1Q) trunks are configured between the Guard and router R1 (the divert-from and inject-to router). Each VLAN in the trunk is associated with a different next-hop router. In addition, PBR is configured on each of the VLAN logical interfaces to forward the traffic on the VLAN to its corresponding next-hop router. The Guard forwards packets to a particular next-hop router by transmitting the packets over the appropriate VLAN. This allows the Guard to change the next-hop router of a zone by changing the VLAN on which the packets are forwarded.

The native VLAN is used for traffic diversion. On this interface the Guard sends the BGP announcements to the router.

Figure A-5 PBR-VLAN

PBR-VLAN Configuration

The configuration in the following example refers to the network in Figure A-5.

PBR VLAN is applied on R1's interface facing the Guard. Zone traffic on VLAN5 is forwarded to R2. Zone traffic on VLAN6 is forwarded to R3.

Guard PBR-VLAN Configuration

Native Interface Statements

Configure the In-Band interface:
admin@GUARD-conf# interface giga1
admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0
Interface VLAN 5 Statements

Configure VLAN 5 on the In-Band interface:
admin@GUARD-conf# interface giga1.5
admin@GUARD-conf-if-giga1.5# ip address 192.168.5.8 255.255.255.0
Interface VLAN 6 statements

Configure VLAN 6 on the In-Band interface:
admin@GUARD-conf# interface giga1.6
admin@GUARD-conf-if-giga1.5# ip address 192.168.6.8 255.255.255.0
BGP Statements

Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter.

Injection Configuration to R2

To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R2.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.5.1:
ip route 192.168.240.0 255.255.255.0 192.168.5.1
Injection Configuration to R3

To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R3.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.6.1:
ip route 192.168.240.0 255.255.255.0 192.168.6.1
CISCO Router PBR-VLAN Configuration

Interface Native VLAN Statements
interface fastEthernet 1/0
 description << NATIVE VLAN TO GUARD-DIVERSION >>
 ip address 192.168.8.1 255.255.255.0
 no ip directed-broadcast
VLAN-5 Creation

Create VLAN-5 on router R1:
interface fastEthernet 1/0.1
 encapsulation dot1Q 5
 description << VLAN-5 TO GUARD-INJECTION >>
 ip address 192.168.5.1 255.255.255.0
 ip policy route-map next-hop_R2 
 no ip directed-broadcast
VLAN-6 Creation

Create VLAN-5 on router R1:
interface fastEthernet 1/0.2
 encapsulation dot1Q 6
 description << VLAN-6 TO GUARD-INJECTION >>
 ip address 192.168.6.1 255.255.255.0
 ip policy route-map next-hop_R3 
 no ip directed-broadcast   
Next-Hop Interface Configuration

Configure the interfaces to the next-hop routers:
interface fastEthernet 2/0
 ip address 192.168.250.1 255.255.255.0
 Description << LINK TO NEXT-HOP R2 >>
 exit
interface fastEthernet 3/0
 ip address 192.168.230.1 255.255.255.0
 description << LINK TO NEXT-HOP R3 >>
BGP Statements

Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter.

Route-Map Statements (PBR)

Configure PBR for the next-hop routers:
route-map next-hop_R2 permit 10     
 set ip next-hop 192.168.250.2
route-map next-hop_R3 permit 10    
 set ip next-hop 192.168.230.2
VPN Routing Forwarding VLAN (VRF-VLAN)

Overview

This method is similar to PBR-VLAN. A VRF table is associated with each VLAN on the inject-to router rather then a PBR table. Each VRF table directs the traffic on the VLAN to the corresponding next-hop router.

The Guard forwards packets to a particular next-hop router by transmitting the packets over the appropriate VLAN. This allows the Guard to change the next-hop router to the zone by changing the VLAN on which packets are forwarded.

The native VLAN is used for traffic diversion. On this interface the Guard sends the BGP announcements to the router.

Figure A-6 VRF-VLAN

VRF-VLAN Configuration

The configuration in the following example refers to the network in Figure A-6.

VRF-VLAN is applied on R1's interface facing the Guard. Traffic on VLAN5 is forwarded to R2. Traffic on VLAN6 is forwarded to R3.

GUARD VRF-VLAN Configuration

Native Interface Statements

Configure the In-Band interface:
admin@GUARD-conf# interface giga1
admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0
Interface VLAN 5 statements

Configure VLAN 5 on the In-Band interface:
admin@GUARD-conf# interface giga1.5
admin@GUARD-conf-if-giga1.5# ip address 192.168.5.8 255.255.255.0
Interface VLAN 6 statements

Configure VLAN 6 on the In-Band interface:
admin@GUARD-conf# interface giga1.6
admin@GUARD-conf-if-giga1.5# ip address 192.168.6.8 255.255.255.0
BGP Statements

Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter.

Set the neighbor IP address to 192.168.8.1.

Injection Configuration to R2

To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R2.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.5.1:
ip route 192.168.240.0 255.255.255.0 192.168.5.1
Injection Configuration to R3

To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R3.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.6.1:
ip route 192.168.240.0 255.255.255.0 192.168.6.1
Cisco Router VRF-VLAN Configuration

First VRF Table Production

Create the VRF table associated with router R2:
ip vrf next-hop_R2   
 rd 1680:1
 route-target export 1680:1
 route-target import 1680:1
Second VRF Table Production
Create the VRF table associated with router R3:
ip vrf next-hop_R3     
 rd 1680:1
 route-target export 1680:1
 route-target import 1680:1
Native VLAN Production

Configure the Native VLAN on router R1:
interface fastEthernet 1/0
 description <<NATIVE VLAN TO GUARD-DIVERSION>>
 ip address 192.168.8.1 255.255.255.0
 no ip directed-broadcast
VLAN-5 Creation

Create VLAN-5 on router R1:
interface fastEthernet 1/0.1
 encapsulation dot1Q 5
 description << VLAN-5 TO GUARD-INJECTION >>
 ip address 192.168.5.1 255.255.255.0
 ip vrf forwarding next-hop_R2   
 no ip directed-broadcast
VLAN-6 Creation

Create VLAN-6 on router R1 with the second VRF association:
interface fastEthernet 1/0.2
 encapsulation dot1Q 6
 description << VLAN-6 TO GUARD-INJECTION >>
 ip address 192.168.6.1 255.255.255.0
 ip vrf forwarding next-hop_R3   
 no ip directed-broadcast
Next Hop Interfaces

Configure the interfaces to the next-hop routers:
interface fastEthernet 2/0
 ip address 192.168.250.1 255.255.255.0
 Description << LINK TO NEXT-HOP R2 >>
!
interface fastEthernet 3/0
 ip address 192.168.230.1 255.255.255.0
 description << LINK TO NEXT-HOP R3 >>
BGP Statements

Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter.

Static VRF Routes

Configure Static VRF on the inject-to router. The static VRF specifies the route to the zone. The parameter global indicates that the route to the next-hop is learnt from the global routing table.
R7200(config)# ip route vrf  next-hop_R3 192.168.240.2 255.255.255.255 
192.168.230.2 global
R7200(config)# ip route vrf  next-hop_R2 192.168.240.2 255.255.255.255 
192.168.250.2 global
Juniper Routers Routing Instance

The Juniper's equivalent to VRF is called routing instance. It supports multiple routing and forwarding tables in a router. This feature also facilitates the dynamic diversion. Hence, on Juniper routers we recommend using the routing instance diversion method in place of the VRF-DST diversion method.

Figure A-7 Juniper Routers Routing Instance

Juniper Router Routing Instance Configuration

The router configuration of routing instances involves the following steps:

Filter Configuration—The filter specifies the packet filtering criteria. Configure a filter, on the router interface facing the Guard, to match all packets and route them according to the Guard-interface-routing-table.

Routing instance configuration (guard-interface-routing-table)—The Guard-interface-routing-table specifies zone traffic routing. The table is built from global routing table (called inet.0 in Juniper) excluding the BGP announcement sent by the Guard (identified by the Guard community string).

Filter Configuration

To configure the filter, perform the following:

1. Create a filter on the interface to the Guard.

The filter in the following example is called 'guard-filter'.

2. Configure the filter to specify that all the traffic on the interface be routed according to the guard-interface-routing table.

Interface to the Guard

Configure the router interface facing the Guard:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input guard-filter; 
                }
                address 192.168.8.16/24;
            }
        }
    }
}
Interface to the Next-hop

Configure the router interfacing facing the next-hop router - R2.
interfaces {
   fe-0/0/0 {
      unit 0 {
        family inet {
          address 192.168.250.1/24:
Interface to the Next-hop

Configure the router interfacing facing the next-hop router - R3.
interfaces {
   fe-0/0/1 {
      unit 0 {
        family inet {
          address 192.168.230.1/24:
Configure the Filter

Configure the filter such that packets destined to port 179 are accepted. The rest of the packets, destined to the zones, are handled by the Guard-interface-routing-table:
filter guard-filter {
  term 10 {
            from {
                destination-port 179;
            }
            then accept;
        }
        term 20 {
            then routing-instance guard-interface-routing-table;
    }
}
Routing Instance Configuration (guard-interface-routing-table)

To configure the routing instance, guard-interface-routing-table, perform the following:

Add a subsection named Guard-interface-routing-table to the routing-instances section. The routing-options definition of instance-import, defines how the routing table is populated. The auto-export rule defined implies no export outbound policy is defined for the routing instance. The routing tables to export routes from and import routes to are defined by examining the existing policy configuration.

The policy section without-guard-announcement will be defined in the next section.
routing-instances {
    Guard-interface-routing-table
        instance-type forwarding;
        routing-options {
            instance-import without-guard-announcement;
            auto-export; 
         }
}
Define the policy statement, named without-guard-announcement, so that all routes from the global routing table are populated, apart from global routing table routes, with the BGP riverhead community.

The instance master command specifies the global routing table.
policy-options {
    policy-statement without-guard-announcement {
        term 10 {
            from {
                instance master;
                protocol bgp;
                community riverhead;
            }
            then reject;
        }
        term 20 {
            then accept;
        }
    }
}
Output Example

The example below displays the global routing table, inet.0, and the guard-interface-routing-table.

Note that the BGP announcement from the Guard appears in the global routing table, but not in the guard-interface-routing-table.
qa@ww-jnpr-1> run show route table inet.0
192.168.240.0/24   *[Static/5] 1d 05:28:07
  > to 192.168.250.2 via fe-0/0/0.0
192.168.240.0/25   *[BGP/170] 00:00:05, MED 0, localpref 100
                      AS path: 64555 ?
                    > to 192.168.8.8 via ge-0/0/0.0
192.168.240.128/25 *[BGP/170] 00:00:05, MED 0, localpref 100
                      AS path: 64555 ?
                      to 192.168.8.8 via ge-0/0/0.0
qa@ww-jnpr-1# run show route table guard-interface-routing--table
192.168.240.0/24   *[Static/5] 1d 02:26:37
                     to 192.168.250.2 via fe-0/0/0.0
Tunnel Diversion

Overview

In this method a tunnel (GRE or IPIP) is created between the Guard and each of the next hop routers. The Guard sends the traffic destined to the zone traffic over the tunnel to the appropriate next-hop router. This allows the Guard to change the next-hop router to a specified zone by changing the tunnel that the packets are forwarded on. Since the clean traffic from the Guard to the zone is encapsulated in the tunnel, the inject-to router performs a routing decision on the tunnel interface end point, and not on the zone's address.

Figure A-8 Tunnel Diversion

Tunnel Diversion Configuration

The configuration in the following example refers to the network in Figure A-8.

Guard Tunnel Diversion Configuration

Native Interface Statements

Configure the In-Band interface:
admin@GUARD-conf# interface giga1
admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0
Tunnel Interface statements

Configure the Tunnel.

GRE Tunnel
admin@GUARD-conf#interface gre1
admin@GUARD-conf-if-gre1# ip address 192.168.121.1 255.255.255.0
admin@GUARD-conf-if-gre1# tunnel source 192.168.8.8
admin@GUARD-conf-if-gre1# tunnel destination 192.168.250.2
IPIP Tunnel
admin@GUARD-conf# interface ipip1
admin@GUARD-conf-if-ipip1# ip address 192.168.121.1 255.255.255.0
admin@GUARD-conf-if-ipip1# tunnel source 192.168.8.8
admin@GUARD-conf-if-ipip1# tunnel destination 192.168.250.2
BGP Statements

Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter.

Set the Neighbor IP address to 192.168.8.1.

Injection Configuration

The next-hop router in the example is R2. To configure traffic injection from the Guard to the zone, add a static route to the next-hop router.

The static route should be configured in the Guard's router configuration level.

In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the tunnel interface on R1 192.168.121.2:
router# configure terminal
router(config)# ip route 192.168.240.0 255.255.255.0 192.168.121.2
Cisco Router Tunnel Diversion Configuration

Note that the tunnel forwarding technique requires configuration of the router at the end of the tunnel (R2 in the example above). The diversion process requires configuration of the divert-from router (R1 in the example above).

R1 Diversion Configuration: BGP Statements

Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter.

R2 Forwarding Configuration: Tunnel Interface on R2

Configure the tunnel on router R2:
interface tunnel 1
 description << GRE tunnel to Guard  >>
 ip address 192.168.121.2 255.255.255.252
 load-interval 30
 tunnel source 192.168.250.2
 tunnel destination 192.168.8.8
Long Diversion

Overview

Unlike standard diversion techniques where the Cisco Guard diverts traffic only from an adjacent directly connected router, the "long diversion" method diverts traffic from remotely located peering routers that may reside several hops away from the Guard.

The configuration example used in this section includes the following network elements:

•Peering router (R4)

•Guard's adjacent router (R1)

•zone's edge router (R6)

•Cisco Guard

Figure A-9 Long Diversion Configuration

Packet Flow Example

Traffic flows to the zone's IP addresses (based on the loop back address that holds the LSP).

Once an attack is identified, the network operator activates the Guard to protect the attacked zone. The following steps automatically take place:

1. The Guard informs the peering routers (R2, R3, R4) on a new route to the zone. The next-hop is defined as the Guard's loop back interface.

2. The zone's traffic is routed by the peering routers over the Diversion LSP to the zone.

3. The Guard forwards the clean traffic to R1.

4. R1 performs IP lookup and routes the packets, on the appropriate LSP, to the zone.

Long Diversion Configuration

The configuration in the following example refers to the network in Figure A-9.

Guard Long Diversion Configuration

Guard CLI Loop back Configuration

Add a Loopback interface to the Guard:
admin@GUARD# configure
admin@GUARD-conf# interface lo:2
admin@GUARD-conf-if-lo:2# ip address 1.1.1.1 255.255.255.255
admin@GUARD-conf-if-lo:2# no shutdown
admin@GUARD-conf-if-lo:2# exit
For changes to take effect you need to reload the software.
Type 'yes' to reload now, or any other key to reload manually later
yes
reloading...
Zebra CLI Loopback Configuration

Add a Loopback interface to the routing configuration.

The routing configuration is performed using the Zebra application.
router(config)#  router bgp 1680
router(config-router)#  redistribute Guard
router(config-router)#  bgp router-id 192.168.8.16
router(config-router)#  neighbor 192.168.8.1 remote-as 1680
router(config-router)#  neighbor 192.168.8.1 description << iBGP 
session to peering Router >>
router(config-router)#  neighbor 192.168.8.1 soft-reconfiguration 
inbound
router(config-router)#  neighbor 192.168.8.1 route-map _new_next-hop 
out
router(config-router)# exit
router(config)#  route-map _new_next-hop permit 10 
router(config-route-map)#  set ip next-hop 1.1.1.1
router(config)# ip route 0.0.0.0 0.0.0.0 192.168.7.1  
Cisco Router Long Diversion Configuration

The configuration is relevant to the Peering routers - R2, R3 and R4.

MPLS Global Configuration

Configure MPLS on the peering routers:
mpls ip
ip cef
Interface Loopback 0 Configuration

Configure the Loopback 0 interface.

This interface will be used to build the LSP via IS-IS.
interface Loopback 0
 ip address 3.3.3.3 255.255.255.255 
 no ip directed-broadcast
 load-interval 30
Connectivity Interface Configuration

Configure the network connectivity interfaces:
interface fastEthernet 5/0
 ip address 192.168.11.2 255.255.255.0
 no ip directed-broadcast
 load-interval 30
 tag-switching ip (enable MPLS)
 no cdp enable
IS-IS Configuration

Configure IS-IS:
router isis
 redistribute static ip 
 net 49.0001.0000.0000.0003.00
BGP Configuration

Configure BGP. Configure iBGP to the Guard:
router(config)#  router bgp 1680
R7200(config-router)# no synchronization
R7200(config-router)# bgp log-neighbor-changes
R7200(config-router)# neighbor 192.168.8.16 remote-as 1680
R7200(config-router)# neighbor 192.168.8.16 description << iBGP to the 
Guard >>
R7200(config-router)# neighbor 192.168.8.16 soft-reconfiguration 
inbound
Adjacent Router Configuration (R1)

This section displays only the commands relevant to Long Diversion configuration.

Interface Loopback 0 Configuration

Configure the Loopback 0 interface.

This interface will be used to build the LSP via IS-IS.
interface Loopback 0
 ip address 2.2.2.2 255.255.255.255 
 no ip directed-broadcast
Interface To Network Configuration

Configure the network connectivity interfaces:
interface fastEthernet 5/0
 ip address 192.168.10.2 255.255.255.0
 no ip directed-broadcast
 load-interval 30
 tag-switching ip (enable MPLS)
 no cdp enable
Interface To Guard Configuration

Configure the interface to the Guard.

Note Note that MPLS is not configured on this interface.
interface FastEthernet1/0
 ip address 192.168.7.1 255.255.255.0
 no ip directed-broadcast
Interface To Zone Configuration

Configure the interface to the Guard.

Note Note that MPLS is configured on this interface.
interface fastEthernet 0/1/1
 ip address 192.168.230.1 255.255.255.0
 tag-switching ip (enable MPLS)
 no cdp enable
IS-IS Configuration

Configure IS-IS:
router isis
 redistribute static ip 
 net 49.0001.0000.0000.0002.00
Static Route Configuration

The IP address 1.1.1.1 is the loopback address configured on the Guard.

Configure a static route, on the Egress Proxy-LSR, to the Guard loopback IP address:
ip classless
ip route 1.1.1.1 255.255.255.255 192.168.7.2

	Cisco Guard Configuration Guide (Software Version 3.08)
	Diversion Configuration
Cisco Guard Configuration Guide (Software Version 3.08) Preface Overview Initial Procedures Guard Configuration Zone Traffic Diversion Zone Configurations On-Demand Protection Routine Guard Procedures Guard Diagnostics and Maintenance Advanced Filter Procedures Advanced Policy Procedures Interactive Recommendations Mode Attack Reports Glossary Diversion Configuration Diversion Troubleshooting	Download this chapter Diversion Configuration Download the complete book Cisco Guard User Guide (Software Version 3.0.8), Book-Length PDF (PDF - 4 MB) Table Of Contents Diversion Configuration BGP Diversion Method BGP Configuration Guidelines Guard BGP Configuration Guard BGP Configuration Example Displaying Guard Router Configuration File Cisco Router BGP Configuration Cisco Router BGP Configuration Example Juniper Router BGP configuration Example Traffic Forwarding Methods Layer-2-Forwarding (L2F) Method Overview Guard L2F Configuration Router L2F Configuration Policy-Based Routing Destination (PBR-DST) Traffic Forwarding Method Overview PBR-DST Configuration Guidelines Guard PBR-DST Configuration Cisco Router PBR-DST Configuration Juniper Router Filter Based Forwarding (FBF) Configuration Example VPN Routing Forwarding - Destination (VRF -DST) Overview VRF-DST Configuration Guidelines VRF-DST Configuration Guard VRF-DST Configuration Policy Based Routing VLAN (PBR -VLAN) Overview PBR-VLAN Configuration Guard PBR-VLAN Configuration CISCO Router PBR-VLAN Configuration VPN Routing Forwarding VLAN (VRF-VLAN) Overview VRF-VLAN Configuration GUARD VRF-VLAN Configuration Cisco Router VRF-VLAN Configuration First VRF Table Production Juniper Routers Routing Instance Tunnel Diversion Overview Tunnel Diversion Configuration Guard Tunnel Diversion Configuration Cisco Router Tunnel Diversion Configuration Long Diversion Overview Packet Flow Example Long Diversion Configuration Guard Long Diversion Configuration Cisco Router Long Diversion Configuration Diversion Configuration This appendix provides the following information: •BGP Diversion Method •Traffic Forwarding Methods •Long Diversion Note Information provided in this document regarding Cisco and Juniper router configuration is for informational purposes only. Please refer to the appropriate user guides for detailed information. Note Traffic diversion configuration is topology independent. The configuration procedures for Layer 2 and Layer 3 topologies are identical. BGP Diversion Method Following standard BGP routing definitions, routers will select the routing path with the longest matching prefix (also known as the "most specific"). Therefore, after establishing a BGP session with the router, the Guard sends a routing update where it is listed as the best path for the protected Zone. The network prefix the Guard announces is longer than the one already listed in the router's routing table thereby overriding the router's routing table definition. The prefix subnet is configured per zone's subnet IP address (see the "Removing a Zone's IP Address" section in Chapter 5, "Zone Configurations," for further details). BGP is configured similarly in all networks. To configure Guard Diversion in Layer 2 and Layer 3 network topologies, perform the following: 1. Configure traffic diversion using BGP (see the "Guard BGP Configuration" section in this chapter for further details). 2. Configure the appropriate traffic forwarding method (the "Traffic Forwarding Methods" section in this chapter for further details). Figure A-1 provides examples of L2 and L3 network topologies. In both network topologies, the Guard diverts the traffic from router R1. Figure A-1 BGP Configuration After BGP diversion is established, router's routing tables points to the Guard as the best route to the zone. Therefore, all traffic destined to the zone's IP address forwarded to the Guard. BGP Configuration Guidelines This section provides general guidelines for BGP configuration on the Guard and on a divert-from router. Note The guidelines provided in this section are applicable to BGP configuration on any router from which the Guard diverts the traffic. Sample BGP configuration in this and the following sections is presented using the Cisco syntax. Note The following examples are provided using common eBGP. The user should consider the network configuration and determine whether eBGP or iBGP should be implemented. The user should note the differences while configuring. The Guard and adjacent routers operate using common eBGP (External Border Gateway Protocol). The following guidelines are recommended: 1. Configure the Guard with an easily recognizable Autonomous System number. The Guard sends routing information only when diverting traffic. Only then, will this route appear in the routers routing tables. Using a recognizable value will allow network operators to easily identify the Guard in the routers routing tables. 2. To ensure that the Guard's routing information is not redistributed to other internal and external BGP neighboring devices, perform the following: •Configure the Guard not to send routing information and to drop incoming BGP routing information. •Set the Guard BGP community attribute values to no-export and no-advertise. Since it is not possible to filter the Guard's announcements using either a prefix-list or as-path, use the community attribute value ROUTER-AS:GUARD-AS. A match in the community attributes will enable to filter the BGP announcements on the router and therefore enforce this policy. 3. It is recommended to issue the soft-reconfiguration inbound command during the setup procedures. This is useful for troubleshooting and allows restoring a routing table without reconnecting to the neighboring device. See the "Traffic (BGP) Diverting Method" section in Chapter 4, "Zone Traffic Diversion," for further details on BGP. Guard BGP Configuration BGP is configured on the Guard using the Zebra application (see http://www.zebra.org for further details on the Zebra application). It is recommended to configure a zone's diversion when the zone is in standby mode. To enter diversion configuration on the Guard, perform the following: 1. From the Configuration command group level, type the following: admin@GUARD-conf# router 2. Choose ENTER. The following prompt appears, indicating that the system has entered the Zebra application in non-privileged mode: router> Tip At each command level of the Zebra application, press the question mark (?) key to display the list of commands available at this mode. 3. To switch to the privileged mode, type the following: router> enable 4. Choose ENTER. The following prompt appears, indicating that the system has entered the Zebra application privileged mode: router# Note To quit the Zebra application, type exit from the router command level. To exit from a current command group level to a 'higher' group level, type exit. 5. To switch to terminal configuration mode, type the following: router# config terminal 6. Choose ENTER. The following prompt appears, indicating the system has entered the Zebra application configuration mode: router(config)# 7. Configure the Guard's routing. See guidelines and example below for further details. The following commands must be configured on the Guard: Note•Replace terms in italics with Guard and router (a divert-from router) values as indicated •Replace < > marks with the appropriate parameter values •Items in bold italic represent names. The user may replace these names. •Each line below represents a command. Items in bold represent commands. Note Several methods may be used for filtering outgoing routing information on a router. The following example describes the "distribute-list" method. Other types of filtering methods may be used as long as the routing information is not sent to the Guard. router(config)# router bgp <Guard-AS-number> router(config-router)# bgp router-id <Guard-IP-address> router(config-router)# redistribute guard router(config-router)# neighbor <Router-IP-address> remote-as <Router-AS-number> router(config-router)# neighbor <Router-IP-address> description <description> router(config-router)# neighbor <Router-IP-address> soft-reconfiguration inbound router(config-router)# neighbor <Router-IP-address> distribute-list nothing-in in router(config-router)# neighbor <Router-IP-address> route-map Guard-out out router(config-router)# exit router(config)# access-list nothing-in deny any router(config)# route-map Guard-out permit 10 router(config-route-map)# set community <RouterAS:GuardAS> no-export no-advertise Guard BGP Configuration Example In the example, the router's AS (Autonomous System Number) is 1680. The Guard's AS is 64555. To display the Guard router configuration, perform the following: From the router command level, type the following: router# show running-config The following partial example screen is displayed: router# show running-config ... ... ... router bgp 64555 bgp router-id 192.168.8.8 redistribute guard neighbor 192.168.8.1 remote-as 1680 neighbor 192.168.8.1 description divert-from router neighbor 192.168.8.1 soft-reconfiguration inbound neighbor 192.168.8.1 distribute-list nothing-in in neighbor 192.168.8.1 route-map Guard-out out ! access-list nothing-in deny any ! route-map Guard-out permit 10 set community 1680:64555 no-export no-advertise ... ... ... Displaying Guard Router Configuration File The user may display the configuration file of a desired router. To display a desired router configuration file, perform the following: 1. From the Global command group level, type the following: admin@GUARD# show running-config router 2. Choose ENTER. Cisco Router BGP Configuration This section provides information about router BGP configuration used when configuring the Cisco diversion technology. The syntax below is taken from the BGP configuration on a Cisco router. Note•Replace terms in italics with Guard and router (a divert-from router) values as indicated •Replace < > marks with the appropriate parameter values •Items in bold italics represent names. The user may replace these names. •Each line below represents a command. Items in bold represent commands. R7200(config)# router bgp <Router-AS> R7200(config-router)# bgp log-neighbor-changes R7200(config-router)# neighbor <Guard-IP-address> remote-as <GuardAS> R7200(config-router)# neighbor <Guard-IP-address> description <description> R7200(config-router)# neighbor <Guard-IP-address> soft-reconfiguration inbound R7200(config-router)# neighbor <Guard-IP-address> distribute-list routesToGuard out R7200(config-router)# neighbor <Guard-IP-address> route-map Guard-in in R7200(config-router)# no synchronization R7200(config-router)# exit R7200(config)# ip bgp-community new-format R7200(config)# ip community-list expanded <Guard-community-name> permit Router-AS:Guard-AS no-export no-advertise R7200(config)# route-map Guard-in permit 10 R7200(config-route-map)# match community <Guard-community-name> exact match R7200(config-route-map)# exit R7200(config)# ip access-list standard routestoGuard R7200(config-std-nacl)# deny any The no synchronization command prevents the distribution of the Guard BGP routing updates into IGP. Cisco Router BGP Configuration Example In the example, the router's AS (Autonomous System Number) is 1680. The Guard's AS is 64555. To display the router configuration, perform the following: From the router global command level, type the following: R7200# show running-config The following partial example screen is displayed: R7200# show running-config ... ... ... router bgp 1680 bgp log-neighbor-changes neighbor 192.168.8.8 remote-as 64555 neighbor 192.168.8.8 description Guard neighbor 192.168.8.8 soft-reconfiguration inbound neighbor 192.168.8.8 distribute-list routesToGuard out neighbor 192.168.8.8 route-map Guard-in in no synchronization ! ip bgp-community new-format ip community-list expanded Guard permit 1680:64555 no-export no- advertise ! route-map Guard-in permit 10 match community Guard exact match ip access-list standard routesToGuard deny any ... ... ... Juniper Router BGP configuration Example In the example, the router's AS (Autonomous System Number) is 1680. The Guard's AS is 64555. The bgp command defines the basic BGP parameters such as local-AS number, type of BGP used (EBGP), description, remote-AS number and neighbor IP (the AS number and the IP address of the Guard). The policy command defines that only BGP updates received from the specific community ("riverhead" in the example below) are accepted, all other updates are denied. bgp { local-as 1680; group test { type external; description "BGP with the Guard"; passive; import bgp-in; peer-as 64555; neighbor 192.168.8.8; } } } policy-options { policy-statement bgp-in { term 10 { from { protocol bgp; community riverhead; } then accept; } term 20 { then reject; } } community riverhead members [ no-export no-advertise 1680:64555 ]; Traffic Forwarding Methods This section provides details on traffic forwarding methods. Traffic forwarding methods are used to forward the cleaned traffic from the Guard to the next-hop router. See the "Traffic Forwarding Methods" section in Chapter 4, "Zone Traffic Diversion," for further details. Layer-2-Forwarding (L2F) Method Overview The Layer-2 Forwarding (L2F) method is used in the L2 topology scenario, when all three devices: the Cisco Guard, the divert-from router, and the next-hop router are located in one shared IP network. In a L2 topology, a divert-from router, and an inject-to router are two separate devices. The next-hop router and the inject-to router are the same device. The Guard resolves the MAC address of the inject-to/next-hop router and then forwards the traffic. The MAC addresses are resolved by issuing an ARP query. Therefore, no configuration on the routers is required when using the L2F method. The zone may be connected in one of the following ways: •The zone is connected directly to a Layer 2 switch. In such a case the zone is connected to the same IP subnet as the Guard. The zone's IP address is configured as the inject-to router and the Guard forwards the traffic directly to the zone. •The zone is connected using IP forwarding equipment. In such a case, the IP forwarding equipment must be defined as the Guard's next-hop router. Figure A-2 BGP Configuration Guard L2F Configuration Interface Statements Configure the Guard's Out-of-Band interface (see the "Configuring a Physical Interface" section in Chapter 3, "Guard Configuration," for further details). In the following example, Out-of-Band interface giga1 is configured: admin@GUARD-conf# interface giga1 admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0 BGP Statements Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter. In the following example, the Guard's AS is 64555. The router's AS is 1680 and the IP address is 192.168.8.1: router bgp 64555 redistribute guard neighbor 192.168.8.1 remote-as 1680 neighbor 192.168.8.1 description C7513 neighbor 192.168.8.1 distribute-list nothing-in in neighbor 192.168.8.1 soft-reconfiguration inbound neighbor 192.168.8.1 route-map filt-out out ! route-map filt-out permit 10 set community no-advertise no-export 1680:64555 ! access-list nothing-in deny any Injection Configuration To configure traffic injection from the Guard to the zone, add a static route to the zone or the next-hop router according to the network topology. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the next-hop router 192.168.8.250: router# configure terminal router(config)# ip route 192.168.240.0 255.255.255.0 192.168.8.250 Router L2F Configuration No configuration is required on the router. Policy-Based Routing Destination (PBR-DST) Traffic Forwarding Method Overview Policy-Based Routing is a static forwarding method, deployed in Layer 3 network topologies, where the Guard forwards the filtered traffic to the same router from which the traffic was diverted. Figure A-3 PBR Forwarding Method To enable the Guard to divert the zone's traffic from the router, the zone's route is modified in the router's routing table. The Guard is listed as the best path to the zone. An endless routing loop could occur if the router's routing table is not changed. As the only entry for traffic destined to the zone in the router's routing table is the Guard, filtered traffic from the Guard would be sent back to the Guard. To overcome routing loops, Policy Based routing (PBR) is configured on the inject-to router. PBR allows creating rules that override those found in the router's routing table and thus avoid such situations of endless routing loops. It enables to add rules that are applied to the filtered traffic. These rules instruct the router to forward the filtered traffic to the zone, regardless of the routing table entries. To configure the Diversion in this network topology, configure the traffic diversion process using BGP (see the "Guard BGP Configuration" section in this chapter for further details). PBR-DST Configuration Guidelines The guidelines provided in this section are applicable to PBR configuration on any inject-to router. The sample PBR configuration in this and the following sections is presented using the Cisco syntax. To Configure Policy-Based routing on an inject-to router, follow these guidelines: 1. Policy based routing must be applied on the router's interface connected to the Guard. This is important as only traffic coming from the Guard is subject to PBR. 2. Traffic selected by means of Policy-Based Routing must be forwarded to the next-hop router. The next-hop router should have the following characteristics: •The next-hop router is connected directly to the divert-from router. In Layer 3 topology the next-hop router and the inject-to router are the same device. •The divert-from router is not part of the next-hop router's route to the zone. Such a configuration would cause a routing loop between the divert-from and the next-hop routers. Policy Based routing is applied using the route-map command and the match and set commands to define the conditions for policy routing packets. To enable PBR, the user must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. The user must enable PBR for the configured route map on a particular interface. All packets arriving on the specified interface matching the match clause will be subject to PBR. PBR configuration consists the following three parts: •Sequence—Specifies the position a new route map will have in the list of route maps already configured with the same name. Cisco routers process sequence numbers in ascending order. Define a separate route-map entry and sequence number for traffic that is to be forwarded to the zone and for all other traffic. The sequence is configured using the route-map command. The route-map command puts the router into route-map configuration mode. •Matching statement—Specifies the conditions under which policy routing occurs. The user should specify the conditions under which an IP address is matched using the match command. A match will determine whether the next-hop is modified. •Forwarding statement—Specifies the routing actions to perform if the criteria enforced by the match commands are met. The set ip next-hop route-map configuration command indicates where to send packets that pass a match clause of a route map for policy routing. Guard PBR-DST Configuration The configuration in the following example refers to the network in Figure A-3. BGP Statements Enter the Guard router BGP configuration as explained in the"Guard BGP Configuration" section in this chapter. Injection Configuration to the Next-Hop Router The next-hop router in the example is R2. To configure traffic injection from the Guard to the zone, add a static route to the inject-to router. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24): router# configure terminal router(config)# ip route 192.168.240.0 255.255.255.0 192.168.8.1 Cisco Router PBR-DST Configuration This section provides information about router PBR configuration used when configuring the Cisco diversion technology. The syntax below is taken from the PBR configuration on a Cisco router. R7200(config)# interface FastEthernet 0/2 R7200(config-if)# description <Interface connected to the Guard> R7200(config-if)# ip address <Router interface IP address> <Router interface IP mask> R7200(config-if)# no ip directed-broadcast R7200(config-if)# ip policy route-map <Guard-PBR-name> R7200(config-if)# exit R7200(config)# ip access-list extended <Zone-name> R7200(config-ext-nacl)# permit ip any host <Zone IP address> R7200(config-ext-nacl)# exit R7200(config)# route-map <Guard-PBR-name> permit 10 R7200(config-route-map)# match ip address <Zone-name> R7200(config-route-map)# set ip next-hop <next-hop router IP address> R7200(config-route-map)# exit R7200(config)# route-map < Guard-PBR-name > permit 100 R7200(config-route-map)# description let thru all other packets without modifying next-hop PBR Traffic Forwarding Example This section provides an example of PBR traffic forwarding configuration for the sample network in Figure A-3. To display the router configuration, perform the following: From the router global command level, type the following: R7200# show running-config The following partial example screen is displayed: R7200# show running-config ... ... ... interface FastEthernet0/2 description Interface connected to the Guard ip address 192.168.8.1 255.255.255.0 no ip directed-broadcast ip policy route-map GuardPbr ! ip access-list extended zone-A permit ip any host 192.168.240.2 ! route-map GuardPbr permit 10 match ip address zone-A set ip next-hop 192.168.250.2 ! route-map GuardPbr permit 100 description let thru all other packets without modifying next-hop Juniper Router Filter Based Forwarding (FBF) Configuration Example The Juniper's equivalent of PBR is FBF (Filter Based Forwarding). The configuration in the following example refers to the network in Figure A-3. This section provides information on Filter Based Forwarding (FBF) configuration on a Juniper router. The router configuration consists the following: •Filter configuration—The filter specifies the packet filtering criteria. Configure a filter to match all packets with a specified destination IP address. •Routing instance configuration—The routing instance specifies the routing table(s) to which a packet, that matches the filter, is forwarded, and the destination to which the packet, that matches the filter, is forwarded. •Interface routes configuration—The interface routes specify how to resolve the routing instances defined routes to directly-connected next hops on that interface. JUNOS Version The DST-PBR is supported from 5.1R1.4 JUNOS. Interface to the Guard Configure the router interface facing the Guard: interfaces { ge-0/0/0 { unit 0 { family inet { filter { input DST; } address 192.168.8.1/24; } } } } Filter Configuration Firewall filters allow you to filter packets based on their components and to perform an action on packets that match the filter. The filter consists of: •Match conditions—Values or fields that the packet must contain. In the example below the match condition used is destination-address. •Action—Specifies the action taken if a packet matches the match conditions. The example below contains two actions. The first action assigns the matching packets with routing instance "next-hop_1". The second action accepts all packets that do not match the match condition. In the example below, the filter's name is DST. firewall { filter DST { term 10 { from { destination-address { 192.168.240.2/32; } } then routing-instance next-hop_1; } term 20 { then accept; } } Routing Instance(s) Configuration Each routing instance consists of a set of routing tables, a set of interfaces that belong to these routing tables, and a set of routing option configurations. Forwarding instances are used to implement filter-based forwarding for Common Access Layer applications. Configure a routing instance for each filter defined in the previous section. The routing instance, next-hop_1, in the example below directs all the matching packets to the next hop router, R2 (192.168.250.2). routing-instances { next-hop_1 { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop 192.168.250.2; } } } } Interfaces Routes Configuration In the example, a static route is added to the next-hop router. Finally, after defining the next-hop_1 routing instance (see the "Routing Instance(s) Configuration" section above), the routing interface must be associated with the connected-interface. The routing table group is associated with the router's interfaces and the routing table groups interface routes, which are imported into specified using the interface-routes statement. The routing table groups are created using the rib-groups statement. routing-options { interface-routes { rib-group inet dest; } rib-groups { dest { import-rib [ inet.0 next-hop_1.inet.0 ]; } } } VPN Routing Forwarding - Destination (VRF -DST) Overview VRF-DST is a static forwarding method, deployed in Layer 3 network topologies, where the Guard forwards the filtered traffic to the same router from which the traffic was diverted. To enable the Guard to divert the zone's traffic from the router, the zone's route is modified in the router's routing table. The Guard is listed as the best path to the zone. An endless routing loop could occur if the router's routing table is not changed. As the only entry for traffic destined to the zone in the router's routing table is the Guard, filtered traffic from the Guard would be sent back to the Guard. VRF-DST allows the creation of another routing and forwarding table (called the VRF table) besides the main routing and forwarding tables. The additional routing table is configured to route traffic that is handled by the router's interface that faces the Guard. Figure A-4 VRF DST VRF-DST Configuration Guidelines To configure VRF-DST on an inject-to router follow these guidelines: Configure two separate interfaces on the router's physical interface facing the guard: •NATIVE VLAN interface—This interface is used to divert traffic from the router to the guard. Traffic on this VLAN is forwarded according to the global routing table. The Guard sends BGP announcements to divert the traffic to the Guard on this interface. •A Second VLAN interface—This interface is used to divert the returned traffic from the Guard to the router. A VRF table is configured on this interface. The VRF table contains a static route to forward all zone traffic to a specified next-hop router. Note The Juniper's equivalent to VRF is called 'routing instance'. It supports multiple routing and forwarding tables in a router. This feature also facilitates the dynamic diversion. Hence, on Juniper routers we recommend using the routing instance diversion method in place of the VRF-DST diversion method. See the "Juniper Routers Routing Instance" section in this chapter for further details. Note The VRF-DST method is applicable only when the next-hop router is static per zone VRF-DST Configuration The configuration in the following example refers to the network in Figure A-4. Guard VRF-DST Configuration Native Interface Statements Configure the In-Band interface: admin@GUARD-conf# interface giga1 admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0 Interface VLAN Statements Configure VLAN 5 on the In-Band interface: admin@GUARD-conf# interface giga1.5 admin@GUARD-conf-if-giga1.5# ip address 192.168.5.8 255.255.255.0 BGP Statements Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter. Injection Configuration The next-hop router in the example is R2. To configure traffic injection from the Guard to the zone, add a static route to the next-hop router. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.5.1: ip route 192.168.240.0 255.255.255.0 192.168.5.1 Note VRF is supported from IOS version 12.0(17) S/ST. Creating a VRF Table Create a VRF table on the inject-to router: ip vrf Guard-vrf rd 1680:1 route-target export 1680:1 route-target import 1680:1 Interface Native VLAN Statements Configure the Native VLAN on the divert-from router: interface fastEthernet1/0.1 encapsulation dot1Q 1 native description << VLAN TO GUARD-DIVERSION >> ip address 192.168.8.1 255.255.255.0 no ip directed-broadcast Interface VLAN - 5 Statements Configure the VLAN 5 interface on the inject-to router: interface fastEthernet 1/0.5 encapsulation dot1Q 5 description << VLAN TO GUARD-INJECTION >> ip vrf forwarding Guard-vrf ip address 192.168.5.1 255.255.255.0 Interface to Zone Statements Configure the router interface to the zone: interface fastEthernet 2/0 description << LINK TO ZONE >> ip address 192.168.250.1 255.255.255.0 BGP Statements Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter. Static VRF-DST Statements Configure Static VRF on the inject-to router. The static VRF specifies the route to the zone. The parameter global indicates that the route to the next-hop is learnt from the global routing table. ip route vrf Guard-vrf 192.168.240.2 255.255.255.0 192.168.250.2 global Policy Based Routing VLAN (PBR -VLAN) Overview This method is used when there is more than one possible next-hop router. Multiple VLAN (Virtual LAN, 802.1Q) trunks are configured between the Guard and router R1 (the divert-from and inject-to router). Each VLAN in the trunk is associated with a different next-hop router. In addition, PBR is configured on each of the VLAN logical interfaces to forward the traffic on the VLAN to its corresponding next-hop router. The Guard forwards packets to a particular next-hop router by transmitting the packets over the appropriate VLAN. This allows the Guard to change the next-hop router of a zone by changing the VLAN on which the packets are forwarded. The native VLAN is used for traffic diversion. On this interface the Guard sends the BGP announcements to the router. Figure A-5 PBR-VLAN PBR-VLAN Configuration The configuration in the following example refers to the network in Figure A-5. PBR VLAN is applied on R1's interface facing the Guard. Zone traffic on VLAN5 is forwarded to R2. Zone traffic on VLAN6 is forwarded to R3. Guard PBR-VLAN Configuration Native Interface Statements Configure the In-Band interface: admin@GUARD-conf# interface giga1 admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0 Interface VLAN 5 Statements Configure VLAN 5 on the In-Band interface: admin@GUARD-conf# interface giga1.5 admin@GUARD-conf-if-giga1.5# ip address 192.168.5.8 255.255.255.0 Interface VLAN 6 statements Configure VLAN 6 on the In-Band interface: admin@GUARD-conf# interface giga1.6 admin@GUARD-conf-if-giga1.5# ip address 192.168.6.8 255.255.255.0 BGP Statements Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter. Injection Configuration to R2 To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R2. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.5.1: ip route 192.168.240.0 255.255.255.0 192.168.5.1 Injection Configuration to R3 To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R3. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.6.1: ip route 192.168.240.0 255.255.255.0 192.168.6.1 CISCO Router PBR-VLAN Configuration Interface Native VLAN Statements interface fastEthernet 1/0 description << NATIVE VLAN TO GUARD-DIVERSION >> ip address 192.168.8.1 255.255.255.0 no ip directed-broadcast VLAN-5 Creation Create VLAN-5 on router R1: interface fastEthernet 1/0.1 encapsulation dot1Q 5 description << VLAN-5 TO GUARD-INJECTION >> ip address 192.168.5.1 255.255.255.0 ip policy route-map next-hop_R2 no ip directed-broadcast VLAN-6 Creation Create VLAN-5 on router R1: interface fastEthernet 1/0.2 encapsulation dot1Q 6 description << VLAN-6 TO GUARD-INJECTION >> ip address 192.168.6.1 255.255.255.0 ip policy route-map next-hop_R3 no ip directed-broadcast Next-Hop Interface Configuration Configure the interfaces to the next-hop routers: interface fastEthernet 2/0 ip address 192.168.250.1 255.255.255.0 Description << LINK TO NEXT-HOP R2 >> exit interface fastEthernet 3/0 ip address 192.168.230.1 255.255.255.0 description << LINK TO NEXT-HOP R3 >> BGP Statements Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter. Route-Map Statements (PBR) Configure PBR for the next-hop routers: route-map next-hop_R2 permit 10 set ip next-hop 192.168.250.2 route-map next-hop_R3 permit 10 set ip next-hop 192.168.230.2 VPN Routing Forwarding VLAN (VRF-VLAN) Overview This method is similar to PBR-VLAN. A VRF table is associated with each VLAN on the inject-to router rather then a PBR table. Each VRF table directs the traffic on the VLAN to the corresponding next-hop router. The Guard forwards packets to a particular next-hop router by transmitting the packets over the appropriate VLAN. This allows the Guard to change the next-hop router to the zone by changing the VLAN on which packets are forwarded. The native VLAN is used for traffic diversion. On this interface the Guard sends the BGP announcements to the router. Figure A-6 VRF-VLAN VRF-VLAN Configuration The configuration in the following example refers to the network in Figure A-6. VRF-VLAN is applied on R1's interface facing the Guard. Traffic on VLAN5 is forwarded to R2. Traffic on VLAN6 is forwarded to R3. GUARD VRF-VLAN Configuration Native Interface Statements Configure the In-Band interface: admin@GUARD-conf# interface giga1 admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0 Interface VLAN 5 statements Configure VLAN 5 on the In-Band interface: admin@GUARD-conf# interface giga1.5 admin@GUARD-conf-if-giga1.5# ip address 192.168.5.8 255.255.255.0 Interface VLAN 6 statements Configure VLAN 6 on the In-Band interface: admin@GUARD-conf# interface giga1.6 admin@GUARD-conf-if-giga1.5# ip address 192.168.6.8 255.255.255.0 BGP Statements Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter. Set the neighbor IP address to 192.168.8.1. Injection Configuration to R2 To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R2. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.5.1: ip route 192.168.240.0 255.255.255.0 192.168.5.1 Injection Configuration to R3 To configure traffic injection from the Guard to the zone, add a static route to the next-hop router R3. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the VLAN interface on R1 192.168.6.1: ip route 192.168.240.0 255.255.255.0 192.168.6.1 Cisco Router VRF-VLAN Configuration First VRF Table Production Create the VRF table associated with router R2: ip vrf next-hop_R2 rd 1680:1 route-target export 1680:1 route-target import 1680:1 Second VRF Table Production Create the VRF table associated with router R3: ip vrf next-hop_R3 rd 1680:1 route-target export 1680:1 route-target import 1680:1 Native VLAN Production Configure the Native VLAN on router R1: interface fastEthernet 1/0 description <<NATIVE VLAN TO GUARD-DIVERSION>> ip address 192.168.8.1 255.255.255.0 no ip directed-broadcast VLAN-5 Creation Create VLAN-5 on router R1: interface fastEthernet 1/0.1 encapsulation dot1Q 5 description << VLAN-5 TO GUARD-INJECTION >> ip address 192.168.5.1 255.255.255.0 ip vrf forwarding next-hop_R2 no ip directed-broadcast VLAN-6 Creation Create VLAN-6 on router R1 with the second VRF association: interface fastEthernet 1/0.2 encapsulation dot1Q 6 description << VLAN-6 TO GUARD-INJECTION >> ip address 192.168.6.1 255.255.255.0 ip vrf forwarding next-hop_R3 no ip directed-broadcast Next Hop Interfaces Configure the interfaces to the next-hop routers: interface fastEthernet 2/0 ip address 192.168.250.1 255.255.255.0 Description << LINK TO NEXT-HOP R2 >> ! interface fastEthernet 3/0 ip address 192.168.230.1 255.255.255.0 description << LINK TO NEXT-HOP R3 >> BGP Statements Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter. Static VRF Routes Configure Static VRF on the inject-to router. The static VRF specifies the route to the zone. The parameter global indicates that the route to the next-hop is learnt from the global routing table. R7200(config)# ip route vrf next-hop_R3 192.168.240.2 255.255.255.255 192.168.230.2 global R7200(config)# ip route vrf next-hop_R2 192.168.240.2 255.255.255.255 192.168.250.2 global Juniper Routers Routing Instance The Juniper's equivalent to VRF is called routing instance. It supports multiple routing and forwarding tables in a router. This feature also facilitates the dynamic diversion. Hence, on Juniper routers we recommend using the routing instance diversion method in place of the VRF-DST diversion method. Figure A-7 Juniper Routers Routing Instance Juniper Router Routing Instance Configuration The router configuration of routing instances involves the following steps: Filter Configuration—The filter specifies the packet filtering criteria. Configure a filter, on the router interface facing the Guard, to match all packets and route them according to the Guard-interface-routing-table. Routing instance configuration (guard-interface-routing-table)—The Guard-interface-routing-table specifies zone traffic routing. The table is built from global routing table (called inet.0 in Juniper) excluding the BGP announcement sent by the Guard (identified by the Guard community string). Filter Configuration To configure the filter, perform the following: 1. Create a filter on the interface to the Guard. The filter in the following example is called 'guard-filter'. 2. Configure the filter to specify that all the traffic on the interface be routed according to the guard-interface-routing table. Interface to the Guard Configure the router interface facing the Guard: interfaces { ge-0/0/0 { unit 0 { family inet { filter { input guard-filter; } address 192.168.8.16/24; } } } } Interface to the Next-hop Configure the router interfacing facing the next-hop router - R2. interfaces { fe-0/0/0 { unit 0 { family inet { address 192.168.250.1/24: Interface to the Next-hop Configure the router interfacing facing the next-hop router - R3. interfaces { fe-0/0/1 { unit 0 { family inet { address 192.168.230.1/24: Configure the Filter Configure the filter such that packets destined to port 179 are accepted. The rest of the packets, destined to the zones, are handled by the Guard-interface-routing-table: filter guard-filter { term 10 { from { destination-port 179; } then accept; } term 20 { then routing-instance guard-interface-routing-table; } } Routing Instance Configuration (guard-interface-routing-table) To configure the routing instance, guard-interface-routing-table, perform the following: Add a subsection named Guard-interface-routing-table to the routing-instances section. The routing-options definition of instance-import, defines how the routing table is populated. The auto-export rule defined implies no export outbound policy is defined for the routing instance. The routing tables to export routes from and import routes to are defined by examining the existing policy configuration. The policy section without-guard-announcement will be defined in the next section. routing-instances { Guard-interface-routing-table instance-type forwarding; routing-options { instance-import without-guard-announcement; auto-export; } } Define the policy statement, named without-guard-announcement, so that all routes from the global routing table are populated, apart from global routing table routes, with the BGP riverhead community. The instance master command specifies the global routing table. policy-options { policy-statement without-guard-announcement { term 10 { from { instance master; protocol bgp; community riverhead; } then reject; } term 20 { then accept; } } } Output Example The example below displays the global routing table, inet.0, and the guard-interface-routing-table. Note that the BGP announcement from the Guard appears in the global routing table, but not in the guard-interface-routing-table. qa@ww-jnpr-1> run show route table inet.0 192.168.240.0/24 [Static/5] 1d 05:28:07 > to 192.168.250.2 via fe-0/0/0.0 192.168.240.0/25 [BGP/170] 00:00:05, MED 0, localpref 100 AS path: 64555 ? > to 192.168.8.8 via ge-0/0/0.0 192.168.240.128/25 [BGP/170] 00:00:05, MED 0, localpref 100 AS path: 64555 ? to 192.168.8.8 via ge-0/0/0.0 qa@ww-jnpr-1# run show route table guard-interface-routing--table 192.168.240.0/24 [Static/5] 1d 02:26:37 to 192.168.250.2 via fe-0/0/0.0 Tunnel Diversion Overview In this method a tunnel (GRE or IPIP) is created between the Guard and each of the next hop routers. The Guard sends the traffic destined to the zone traffic over the tunnel to the appropriate next-hop router. This allows the Guard to change the next-hop router to a specified zone by changing the tunnel that the packets are forwarded on. Since the clean traffic from the Guard to the zone is encapsulated in the tunnel, the inject-to router performs a routing decision on the tunnel interface end point, and not on the zone's address. Figure A-8 Tunnel Diversion Tunnel Diversion Configuration The configuration in the following example refers to the network in Figure A-8. Guard Tunnel Diversion Configuration Native Interface Statements Configure the In-Band interface: admin@GUARD-conf# interface giga1 admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0 Tunnel Interface statements Configure the Tunnel. GRE Tunnel admin@GUARD-conf#interface gre1 admin@GUARD-conf-if-gre1# ip address 192.168.121.1 255.255.255.0 admin@GUARD-conf-if-gre1# tunnel source 192.168.8.8 admin@GUARD-conf-if-gre1# tunnel destination 192.168.250.2 IPIP Tunnel admin@GUARD-conf# interface ipip1 admin@GUARD-conf-if-ipip1# ip address 192.168.121.1 255.255.255.0 admin@GUARD-conf-if-ipip1# tunnel source 192.168.8.8 admin@GUARD-conf-if-ipip1# tunnel destination 192.168.250.2 BGP Statements Enter the Guard router BGP configuration as explained in the "Guard BGP Configuration" section in this chapter. Set the Neighbor IP address to 192.168.8.1. Injection Configuration The next-hop router in the example is R2. To configure traffic injection from the Guard to the zone, add a static route to the next-hop router. The static route should be configured in the Guard's router configuration level. In the following example, a static route is entered for the zone's network (192.168.240.0/24) via the tunnel interface on R1 192.168.121.2: router# configure terminal router(config)# ip route 192.168.240.0 255.255.255.0 192.168.121.2 Cisco Router Tunnel Diversion Configuration Note that the tunnel forwarding technique requires configuration of the router at the end of the tunnel (R2 in the example above). The diversion process requires configuration of the divert-from router (R1 in the example above). R1 Diversion Configuration: BGP Statements Enter the router, R1, BGP configuration as explained in the "Cisco Router BGP Configuration" section in this chapter. R2 Forwarding Configuration: Tunnel Interface on R2 Configure the tunnel on router R2: interface tunnel 1 description << GRE tunnel to Guard >> ip address 192.168.121.2 255.255.255.252 load-interval 30 tunnel source 192.168.250.2 tunnel destination 192.168.8.8 Long Diversion Overview Unlike standard diversion techniques where the Cisco Guard diverts traffic only from an adjacent directly connected router, the "long diversion" method diverts traffic from remotely located peering routers that may reside several hops away from the Guard. The configuration example used in this section includes the following network elements: •Peering router (R4) •Guard's adjacent router (R1) •zone's edge router (R6) •Cisco Guard Figure A-9 Long Diversion Configuration Packet Flow Example Traffic flows to the zone's IP addresses (based on the loop back address that holds the LSP). Once an attack is identified, the network operator activates the Guard to protect the attacked zone. The following steps automatically take place: 1. The Guard informs the peering routers (R2, R3, R4) on a new route to the zone. The next-hop is defined as the Guard's loop back interface. 2. The zone's traffic is routed by the peering routers over the Diversion LSP to the zone. 3. The Guard forwards the clean traffic to R1. 4. R1 performs IP lookup and routes the packets, on the appropriate LSP, to the zone. Long Diversion Configuration The configuration in the following example refers to the network in Figure A-9. Guard Long Diversion Configuration Guard CLI Loop back Configuration Add a Loopback interface to the Guard: admin@GUARD# configure admin@GUARD-conf# interface lo:2 admin@GUARD-conf-if-lo:2# ip address 1.1.1.1 255.255.255.255 admin@GUARD-conf-if-lo:2# no shutdown admin@GUARD-conf-if-lo:2# exit For changes to take effect you need to reload the software. Type 'yes' to reload now, or any other key to reload manually later yes reloading... Zebra CLI Loopback Configuration Add a Loopback interface to the routing configuration. The routing configuration is performed using the Zebra application. router(config)# router bgp 1680 router(config-router)# redistribute Guard router(config-router)# bgp router-id 192.168.8.16 router(config-router)# neighbor 192.168.8.1 remote-as 1680 router(config-router)# neighbor 192.168.8.1 description << iBGP session to peering Router >> router(config-router)# neighbor 192.168.8.1 soft-reconfiguration inbound router(config-router)# neighbor 192.168.8.1 route-map _new_next-hop out router(config-router)# exit router(config)# route-map _new_next-hop permit 10 router(config-route-map)# set ip next-hop 1.1.1.1 router(config)# ip route 0.0.0.0 0.0.0.0 192.168.7.1 Cisco Router Long Diversion Configuration The configuration is relevant to the Peering routers - R2, R3 and R4. MPLS Global Configuration Configure MPLS on the peering routers: mpls ip ip cef Interface Loopback 0 Configuration Configure the Loopback 0 interface. This interface will be used to build the LSP via IS-IS. interface Loopback 0 ip address 3.3.3.3 255.255.255.255 no ip directed-broadcast load-interval 30 Connectivity Interface Configuration Configure the network connectivity interfaces: interface fastEthernet 5/0 ip address 192.168.11.2 255.255.255.0 no ip directed-broadcast load-interval 30 tag-switching ip (enable MPLS) no cdp enable IS-IS Configuration Configure IS-IS: router isis redistribute static ip net 49.0001.0000.0000.0003.00 BGP Configuration Configure BGP. Configure iBGP to the Guard: router(config)# router bgp 1680 R7200(config-router)# no synchronization R7200(config-router)# bgp log-neighbor-changes R7200(config-router)# neighbor 192.168.8.16 remote-as 1680 R7200(config-router)# neighbor 192.168.8.16 description << iBGP to the Guard >> R7200(config-router)# neighbor 192.168.8.16 soft-reconfiguration inbound Adjacent Router Configuration (R1) This section displays only the commands relevant to Long Diversion configuration. Interface Loopback 0 Configuration Configure the Loopback 0 interface. This interface will be used to build the LSP via IS-IS. interface Loopback 0 ip address 2.2.2.2 255.255.255.255 no ip directed-broadcast Interface To Network Configuration Configure the network connectivity interfaces: interface fastEthernet 5/0 ip address 192.168.10.2 255.255.255.0 no ip directed-broadcast load-interval 30 tag-switching ip (enable MPLS) no cdp enable Interface To Guard Configuration Configure the interface to the Guard. Note Note that MPLS is not configured on this interface. interface FastEthernet1/0 ip address 192.168.7.1 255.255.255.0 no ip directed-broadcast Interface To Zone Configuration Configure the interface to the Guard. Note Note that MPLS is configured on this interface. interface fastEthernet 0/1/1 ip address 192.168.230.1 255.255.255.0 tag-switching ip (enable MPLS) no cdp enable IS-IS Configuration Configure IS-IS: router isis redistribute static ip net 49.0001.0000.0000.0002.00 Static Route Configuration The IP address 1.1.1.1 is the loopback address configured on the Guard. Configure a static route, on the Egress Proxy-LSR, to the Guard loopback IP address: ip classless ip route 1.1.1.1 255.255.255.255 192.168.7.2
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.