Cisco Guard Configuration Guide (Software Version 3.08)
Diversion Troubleshooting

Table Of Contents

Diversion Troubleshooting

GRM and Divert-from Router Configuration Verification

The GRM BGP Configuration

The Cisco Divert-from Router Configuration

The Juniper Divert-from Router Configuration

GRM to Divert-from Router BGP Session Configuration Verification

GRM Routing Table Records and Advertising Verification

Divert-from Router Records Verification


Diversion Troubleshooting


This appendix describes troubleshooting procedures for overcoming diversion problems related to the Guard divert-from routers (Cisco and Juniper). These procedures consist of the following:


Note This appendix refers to the Guard diverting daemons and routing-related mechanisms collectively as the Guard Routing Module (GRM).


GRM and Divert-from Router Configuration Verification

GRM to Divert-from Router BGP Session Configuration Verification

GRM Routing Table Records and Advertising Verification

Divert-from Router Records Verification

GRM and Divert-from Router Configuration Verification

The following shows how the GRM BGP (Border Gateway Protocol) peering should be configured. The route-map filter-out tags every route the Guard advertises with the well-known no-advertise and no-export communities, so the diverted route cannot propagate beyond the divert-from router:

The GRM BGP Configuration

From the Global command group level, type the following:

router(config)# router bgp 7000
router(config-router)# redistribute guard
router(config-router)# bgp router-id 192.168.3.12
router(config-router)# neighbor 192.168.3.1 remote-as 5000
router(config-router)# neighbor 192.168.3.1 description C2948
router(config-router)# neighbor 192.168.3.1 soft-reconfiguration inbound
router(config-router)# neighbor 192.168.3.1 route-map filter-out out
router(config-router)# exit
router(config)# route-map filter-out permit 10
router(config-route-map)# set community no-advertise no-export

The Cisco Divert-from Router Configuration

The matching configuration on the Cisco divert-from router. The inbound route-map Riverhead-in accepts from the Guard only routes that carry exactly the no-export and no-advertise communities set by the GRM:

hostname 7513
router bgp 5000
 bgp log-neighbor-changes
 neighbor 192.168.3.12 remote-as 7000
 neighbor 192.168.3.12 description "Guard R2"
 neighbor 192.168.3.12 soft-reconfiguration inbound
 neighbor 192.168.3.12 route-map Riverhead-in in
!
ip classless
ip route 192.168.4.0 255.255.255.0 192.168.3.2
ip bgp-community new-format
ip community-list 10 permit no-export no-advertise
route-map Riverhead-in permit 10
 match community 10 exact-match

The Juniper Divert-from Router Configuration

The matching configuration on the Juniper divert-from router:

protocols {
  bgp {
        log-updown;
        local-as 5000;

  group BGP-Diversion {
            type external;
            description "### Diversion ###";
            passive;
            import bgp-in;
            peer-as 7000;
            neighbor 192.168.3.12;
     }
  }
}
policy-options {
    policy-statement bgp-in {
        term 10 {
            from {
                protocol bgp;
                community 5000:7000;
            }
        }
    }
}

As shown, term 10 has no then action. In JunOS a term without an action falls through to the next term and finally to the default BGP import policy, which accepts, so this policy does not by itself reject routes that lack the expected community. To restrict the session to routes tagged by the Guard, add then accept to term 10 and a final term with then reject.

GRM to Divert-from Router BGP Session Configuration Verification

This procedure checks the status of the BGP session between its two end nodes: the Guard and its neighboring router (the divert-from router). Using the show ip bgp summary command, the user scans for unusual problem indications and confirms that the BGP session is Established.

To check the Guard to divert-from router BGP session status, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# router 

2. Press ENTER. The system enters the Zebra application.

3. The router> prompt appears, indicating that the system is in Zebra non-privileged mode.

At each command level of the Zebra application, press the question mark (?) key to display the list of commands available at that level.

4. Type enable and press ENTER to switch to privileged mode. The router# prompt appears.

5. Type the following (show ip bgp summary is an exec-level command, available from both the router> and router# prompts; it does not require configuration mode):

router# show ip bgp summary

6. Press ENTER. The following sample screen appears:

router> show ip bgp summary

BGP router identifier 192.168.3.12, local AS number 7000
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.3.1     4  5000       9      12        0    0    0 00:05:32        0

Total number of neighbors 1
router>

In the sample screen the State/PfxRcd column shows a number (the count of prefixes received from the neighbor), which means the session is Established and no problem is indicated on the Guard-to-router path. A value of 0 is acceptable on the Guard side: diversion only requires that the Guard advertise the route to the router, not the reverse.


Note A word rather than a number (Idle, Active, Connect) in the State/PfxRcd column indicates a BGP session problem: the session is not Established.


To check the BGP session on the Cisco router-to-Guard path, perform the following:

1. From the Cisco divert-from router prompt, type the following:

7513# show ip bgp summary

2. Press ENTER. The following sample screen appears:

7513# show ip bgp summary
BGP router identifier 192.168.77.1, local AS number 5000
BGP table version is 81, main routing table version 81
5 network entries and 5 paths using 605 bytes of memory
2 BGP path attribute entries using 244 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP route-map cache entries using 16 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 51/46 prefixes, 67/62 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.3.3     4  6000    6030    5961       81    0    0 2d03h           0
192.168.3.12    4  7000   30030   30002       81    0    0 6d03h           1
192.168.3.21    4  8000   11829   11834       81    0    0 1w1d            0
192.168.3.88    4  9000       0       0        0    0    0 never    Active
192.168.3.99    4 64555       0       0        0    0    0 never    Active
... ... ...

The 1 in the State/PfxRcd column for neighbor 192.168.3.12 shows that the session with the Guard is Established and that one prefix (the diverted zone's route) has been received from it.


Note A 0 or a state word such as Active in the State/PfxRcd column of the Guard neighbor indicates a BGP session problem. Active (or Idle, Connect) means the session is not Established. 0 for the Guard neighbor while a zone is being diverted means the session is up but no route has been received from the Guard, so either the Guard is not advertising it or the router's inbound route-map is dropping it.

The neighbor address shown on the router's side (192.168.3.12 in the sample screen) must match the Guard's BGP address configured in the GRM (bgp router-id 192.168.3.12 in the GRM configuration above).


To check the BGP session on the Juniper Router-to-Guard path, perform the following:

1. From the Juniper divert-from router prompt, type the following:

jun@axl# run show bgp summary

2. Press ENTER. The following sample screen appears:

jun@axl# run show bgp summary 
Groups: 10 Peers: 10 Down peers: 5
Peer             AS   InPkt  OutPkt  OutQ  Flaps Last Up/Dwn State|#Active/Received/Damped...
192.168.3.12  64555      10      10     0      0     2w6d14h 0/1/0

On a Juniper router the last column shows a state word (Active, Connect, Idle) while the session is not Established, and the Active/Received/Damped prefix counts once it is. In the sample the session with 192.168.3.12 is Established and one prefix has been received from it; the first count shows how many of the received prefixes are active in the routing table, so a received count with zero active is worth following up in the routing table records check below.
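The checks described above for the Guard/Cisco (State/PfxRcd) and Juniper (State|#Active/Received/Damped) summary layouts, as an added example that is not part of the original guide: a small Python parser that reads pasted show ip bgp summary / show bgp summary output and reports the findings the text describes for the diversion peer. The sample outputs below are constructed from the page's screens, not live captures, and the function and parameter names are the example's own.

```python
import ipaddress
import re

# Constructed samples, abbreviated from the page's screens (not live captures).
GUARD_SUMMARY = """\
BGP router identifier 192.168.3.12, local AS number 7000
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.3.1     4  5000       9      12        0    0    0 00:05:32        0
"""

CISCO_SUMMARY = """\
BGP router identifier 192.168.77.1, local AS number 5000
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.3.3     4  6000    6030    5961       81    0    0 2d03h           0
192.168.3.12    4  7000   30030   30002       81    0    0 6d03h           1
192.168.3.88    4  9000       0       0        0    0    0 never    Active
"""

JUNIPER_SUMMARY = """\
Groups: 10 Peers: 10 Down peers: 5
Peer             AS   InPkt  OutPkt  OutQ  Flaps Last Up/Dwn State|#Active/Received/Damped...
192.168.3.12   7000      10      10     0      0     2w6d14h 0/1/0
192.168.3.99  64555       0       0     0      0       never Active
"""

_JUNOS_COUNTS = re.compile(r"^(\d+)/(\d+)/(\d+)")   # Active/Received/Damped (Accepted may follow)


def parse_bgp_summary(text):
    """Map peer IP -> {as, established, state, active, received}.

    IOS and the Guard's Zebra share the 'State/PfxRcd' layout (Neighbor V AS ...);
    JunOS uses 'State|#Active/Received/Damped' (Peer AS ...). In both, a word in the
    last column means the session is not Established; a number (or an a/b/c triple)
    means it is. Single-RIB JunOS layout is assumed (one line per peer).
    """
    if "State/PfxRcd" in text:
        as_index = 2
    elif "State|#Active/Received" in text:
        as_index = 1
    else:
        raise ValueError("unrecognised BGP summary output")
    peers = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue                      # banner or header line, not a peer row
        last = tokens[-1]
        counts = _JUNOS_COUNTS.match(last)
        if last.isdigit():                # IOS/Zebra: Established, PfxRcd prefixes
            established, active, received = True, int(last), int(last)
        elif counts:                      # JunOS: Established, active/received counts
            established = True
            active, received = int(counts.group(1)), int(counts.group(2))
        else:                             # Idle / Connect / Active / OpenSent ...
            established, active, received = False, 0, 0
        peers[tokens[0]] = {
            "as": int(tokens[as_index]),
            "established": established,
            "state": "Established" if established else last,
            "active": active,
            "received": received,
        }
    return peers


def diversion_session_problems(text, peer_ip, expect_prefix=True):
    """Findings for the peer carrying the diversion session; an empty list means healthy.

    On the divert-from router call it with peer_ip = the Guard and expect_prefix=True
    while a zone is diverted. On the Guard call it with peer_ip = the router and
    expect_prefix=False: the Guard receives nothing from the router, so 0 is normal there.
    """
    peers = parse_bgp_summary(text)
    if peer_ip not in peers:
        return [f"{peer_ip}: not listed; neighbor not configured or wrong device"]
    p = peers[peer_ip]
    if not p["established"]:
        return [f"{peer_ip}: session not established (state {p['state']})"]
    problems = []
    if expect_prefix and p["received"] == 0:
        problems.append(f"{peer_ip}: session up but no prefix received from the Guard; "
                        "check that the zone is diverted and the inbound route-map/policy")
    if p["received"] and p["active"] == 0:
        problems.append(f"{peer_ip}: {p['received']} prefix received but none active; "
                        "check the import policy and 'show route hidden'")
    return problems


if __name__ == "__main__":
    for label, text, peer, expect in (("guard", GUARD_SUMMARY, "192.168.3.1", False),
                                      ("cisco", CISCO_SUMMARY, "192.168.3.12", True),
                                      ("juniper", JUNIPER_SUMMARY, "192.168.3.12", True)):
        print(label, diversion_session_problems(text, peer, expect) or "OK")
```

On the router side the Guard neighbor is expected to deliver a prefix while a zone is diverted, so a 0 there is reported; on the Guard side the same 0 is normal and is suppressed with expect_prefix=False. On JunOS a received-but-not-active count (0/1/0 in the page's sample) is reported as well, so that the operator confirms with show route that the diverted route is actually in use.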


GRM Routing Table Records and Advertising Verification

This procedure checks that the zone's IP address and mask have been inserted into the GRM routing table (a /32 host route in the sample below) and that, consequently, the Guard properly advertises that route to the divert-from router.

To verify the route to the divert-from router, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# router 

2. Press ENTER. The system enters the Zebra application.

3. The router> prompt appears, indicating that the system is in Zebra non-privileged mode.

4. Type enable and press ENTER to switch to privileged mode. The following prompt appears:

router#

5. Type the following:

router# show ip route

6. Press ENTER. The following sample screen appears:

C>* 10.0.0.0/8 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, l0
C>* 192.168.3.0/24 is directly connected, giga1
C>* 192.168.3.13/32 is directly connected, giga1
C>* 192.168.3.14/32 is directly connected, giga1
G>* 192.168.4.2/32 is directly connected, l0
S>* 192.168.4.2/32 [1/0] via 192.168.3.2, giga1
router#

The line marked G> shows that the Guard has inserted the zone's /32 host route into the Zebra routing table (G is the code for a Guard-injected route; the S> entry below it is the Guard's static route toward the zone via 192.168.3.2).

To verify that the Guard has advertised the route to the Cisco divert-from router:

1. From the Guard's Zebra router prompt, type the following:

router> show ip bgp neighbors 192.168.3.1 advertised-routes

2. Press ENTER. The following sample screen appears:

router> show ip bgp neighbors 192.168.3.1 advertised-routes
BGP table version is 4, local router ID is 192.168.3.12
Status codes: s suppressed, d damped, h history, * valid, > best, 
i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop       Metric LocPrf Weight Path
*> 192.168.4.2/32   192.168.3.12     0           32768  ?
Total number of prefixes 1
router>

The *> marker (valid, best) confirms that the Guard advertised 192.168.4.2/32 to the neighboring router 192.168.3.1, with itself (192.168.3.12) as the next hop.

Divert-from Router Records Verification

This procedure checks that the advertised route has been properly inserted into the divert-from router's routing table. The user should verify that:

The Guard's route is present in the divert-from router's routing table

The route has a longer (more specific) prefix than the existing route to the zone, so it wins the longest-match lookup

The route was received via a BGP update from the Guard

To verify that the route was properly inserted into the Cisco divert-from router, perform the following:

1. From the Cisco divert-from router prompt, type the following:

7513# show ip route

2. Press ENTER. The following sample screen appears:

7513# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

  192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.4.0/24 [1/0] via 192.168.3.2
B 192.168.4.2/32 [20/0] via 192.168.3.12, 00:00:00
C 10.0.0.0/8 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet5/0
... ... ...

This sample screen shows that the Guard's route is in the divert-from router's routing table, that it was received via a BGP update (code B, next hop 192.168.3.12, the Guard), and that its /32 prefix is longer than the static 192.168.4.0/24 route for the zone's network, so the longest-match lookup sends traffic for 192.168.4.2 to the Guard.
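The three routing-table checks listed above, applied both to the Guard's own Zebra table (the G> entry) and to the Cisco divert-from router's table, as an added example that is not part of the original guide: a Python parser for show ip route output that reports whether the Guard's route is present, was learned from the expected source, and is the route the longest-match lookup actually selects. The sample outputs are constructed from the page's screens plus one constructed failure case (a static /32 shadowing the BGP route); function and parameter names are the example's own.

```python
import ipaddress
import re

# Constructed samples based on the page's screens (not live captures).
IOS_ROUTES = """\
Gateway of last resort is not set

  192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.4.0/24 [1/0] via 192.168.3.2
B 192.168.4.2/32 [20/0] via 192.168.3.12, 00:00:00
C 10.0.0.0/8 is directly connected, FastEthernet0/1
"""

# Constructed failure mode: an operator has added a static /32 for the zone host.
# IOS installs only the lowest administrative distance for a prefix, so the Guard's
# BGP /32 (AD 20) never reaches the routing table and traffic is not diverted.
IOS_ROUTES_SHADOWED = """\
S 192.168.4.0/24 [1/0] via 192.168.3.2
S 192.168.4.2/32 [1/0] via 192.168.3.2
"""

ZEBRA_ROUTES = """\
C>* 192.168.3.0/24 is directly connected, giga1
G>* 192.168.4.2/32 is directly connected, lo
S>* 192.168.4.2/32 [1/0] via 192.168.3.2, giga1
"""

_ROUTE = re.compile(
    r"^(?P<code>[A-Z]\S*(?:\s+[A-Z][A-Z0-9]{1,2})?)\s+"          # B, S*, O E2, G>* ...
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"                     # [AD/metric]; absent on C and G
    r"\s+(?:via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})"
    r"|is directly connected,\s+(?P<iface>\S+))"
)


def parse_routes(text):
    """Parse IOS or Zebra 'show ip route' lines; headers and summary lines are skipped."""
    zebra = re.search(r"^[A-Z]>", text, re.M) is not None   # Zebra marks selected routes with '>'
    routes = []
    for line in text.splitlines():
        m = _ROUTE.match(line)
        if not m:
            continue
        code = m["code"]
        routes.append({
            "proto": code[0],                        # B, S, C, O ... or G for a Guard-injected route
            "selected": (">" in code) if zebra else True,
            "net": ipaddress.ip_network(m["net"], strict=False),
            "ad": int(m["ad"]) if m["ad"] else 0,    # connected and Guard routes carry no [AD/metric]
            "nexthop": m["nexthop"],
            "iface": m["iface"],
        })
    return routes


def verify_diversion_route(text, zone_ip, want_proto, want_nexthop=None):
    """Apply the page's three checks for one zone address.

    want_proto is 'B' on the divert-from router (route learned via BGP from the Guard)
    and 'G' on the Guard's own Zebra table. want_nexthop is the Guard's peering address
    when checking the router. Returns {"ok", "problems", "winner"}; winner is the route
    the longest-match lookup (ties broken by lowest AD) actually picks for zone_ip.
    """
    zone = ipaddress.ip_address(zone_ip)
    covering = [r for r in parse_routes(text) if r["selected"] and zone in r["net"]]
    if not covering:
        return {"ok": False, "problems": [f"no route covers {zone_ip}"], "winner": None}
    winner = min(covering, key=lambda r: (-r["net"].prefixlen, r["ad"]))
    guard = [r for r in covering if r["proto"] == want_proto]
    problems = []
    if not guard:
        problems.append(f"no {want_proto} route for {zone_ip}; current best is "
                        f"{winner['proto']} {winner['net']} via {winner['nexthop'] or winner['iface']}")
    else:
        g = max(guard, key=lambda r: r["net"].prefixlen)
        if g["net"].prefixlen != 32:
            problems.append(f"Guard route {g['net']} is not a /32 host route")
        if winner is not g:
            problems.append(f"Guard route {g['net']} is not the preferred match; "
                            f"{winner['proto']} {winner['net']} [AD {winner['ad']}] wins")
        if want_nexthop and g["nexthop"] != want_nexthop:
            problems.append(f"Guard route next hop is {g['nexthop']}, expected {want_nexthop}")
    return {"ok": not problems, "problems": problems, "winner": winner}


if __name__ == "__main__":
    print(verify_diversion_route(IOS_ROUTES, "192.168.4.2", "B", "192.168.3.12"))
    print(verify_diversion_route(IOS_ROUTES_SHADOWED, "192.168.4.2", "B", "192.168.3.12"))
    print(verify_diversion_route(ZEBRA_ROUTES, "192.168.4.2", "G"))
```

The shadowed case is the one the page's checklist would otherwise miss: the BGP route is still visible in show ip bgp, but the routing table shows a static /32 with a lower administrative distance, so the check reports which route currently wins for the zone address rather than only that the Guard's route is absent.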

To verify that the route was properly inserted into the Juniper divert-from router, perform the following:

1. From the Juniper divert-from router prompt, type the following:

jun@axl# run show route receive-protocol bgp 192.168.3.12 extensive

2. Press ENTER. The following sample screen appears:

jun@axl# run show route receive-protocol bgp 192.168.3.12 extensive
inet.0: 1 destinations, 1 routes (31 active, 0 holddown, 0 hidden)
192.168.4.2/32 (2 entries, 1 announced)
     Nexthop:  192.168.3.12
     MED: 0
     Localpref: 100
     AS path: ?

This sample screen shows that 192.168.4.2/32 was received over BGP from the Guard (192.168.3.12) with the Guard as next hop. Because show route receive-protocol lists what was received rather than what is in use, confirm with show route 192.168.4.2 that this /32 is the active route for the zone.