-
Cisco Guard Configuration Guide (Software Version 3.1(0))
-
Index
-
Preface
-
Introduction
-
Initializing the Guard
-
Configuring the Guard
-
Zone Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Interactive Recommendations Mode
-
Attack Reports
-
Guard Diagnostics and Maintenance
-
Analyzing Guard Mitigation
-
Diversion Configuration
-
Diversion Troubleshooting
-
Glossary
-
Table Of Contents
GRM and Divert-from Router Configuration Verification
The Cisco Divert-from Router Configuration
The Juniper Divert-from Router Configuration
GRM to Divert-from Router BGP Session Configuration Verification
GRM Routing Table Records and Advertising Verification
Divert-from Router Records Verification
Diversion Troubleshooting
This appendix describes troubleshooting procedures designed to overcome diversion problems related to the Guard divert-from routers (Cisco and Juniper). These procedures consists of the following:
Note
This appendix relates to the Guard diverting daemons and routing-related mechanisms as the Guard routing Module (GRM).
•
•
•
GRM and Divert-from Router Configuration Verification
The following demonstrates the way you should configure the GRM BGP (Border Gateway Protocol):
The GRM BGP Configuration
From the Global command group level, type the following:
router(config)# router bgp 7000router(config-router)# redistribute guardrouter(config-router)# bgp router-id 192.168.3.12router(config-router)# neighbor 192.168.3.1 remote-as 5000router(config-router)# neighbor 192.168.3.1 description C2948router(config-router)# neighbor 192.168.3.1 soft-reconfiguration inboundrouter(config-router)# neighbor 192.168.3.1 route-map filter-out outrouter(config-router)# exitrouter(config)# route-map filter-out permit 10router(config-route-map)# set community no-advertise no-exportThe Cisco Divert-from Router Configuration
From the Cisco divert-from router prompt line, type the following:
hostname 7513router bgp 5000bgp log-neighbor-changesneighbor 192.168.3.12 remote-as 7000neighbor 192.168.3.12 description "Guard R2"neighbor 192.168.3.12 soft-reconfiguration inboundneighbor 192.168.3.12 route-map Riverhead-in in!ip classlessip route 192.168.4.0 255.255.255.0 192.168.3.2ip bgp-community new-formatip community-list 10 permit no-export no-advertiseroute-map Riverhead-in permit 10match community 10 exact-matchThe Juniper Divert-from Router Configuration
From the Juniper divert-from router, type the following:
protocols {bgp {log-updown;local-as 5000;group BGP-Diversion {type external;description ### Diversion ###;passive;import bgp-in;peer-as 7000;neighbor 192.168.3.12;}}}policy-options {policy-statement bgp-in {term 10 {from {protocol bgp;community 5000:7000;}}}from {protocol bgp;community 5000:7000;GRM to Divert-from Router BGP Session Configuration Verification
This procedure is aimed at checking the status of the BGP session as established between its two end nodes: the Guard and its neighboring router (the divert-from router). In this procedure you scan, via the show ip bgp summary command, for unusual problem indications messages and checks that the BGP connection is alive.
To check the Guard to divert-from router BGP session status, perform the following:
1.
admin@GUARD-conf# routerThe system enters the Zebra application.
2.
At each command level of the Zebra application, press the question mark (?) key to display the list of commands available at this mode.
3.
4.
router# config terminalThe router(config)# prompt appears.
5.
router(config)# router bgp <AS number>The following prompt appears:
router(config)# show ip bgp summaryThe following sample screen appears:
router> show ip bgp summaryBGP router identifier 192.168.3.12, local AS number 70000 BGP AS-PATH entries0 BGP community entries
4
5000
9
12
0
0
0
00:05:32
0
Total number of neighbors 1router>The sample screen indicates that there is a digit signifying the State/PfxRcd column. This points out that no problem is indicated at the Guard to Router path.
Note
To check the BGP session on the Cisco Router-to-Guard path, perform the following:
6.
7513# show ip bgp summaryFor example:
7513(config)#>show ip bgp summaryBGP router identifier 192.168.77.1, local AS number 5000BGP table version is 81, main routing table version 815 network entries and 5 paths using 605 bytes of memory2 BGP path attribute entries using 244 bytes of memory1 BGP AS-PATH entries using 24 bytes of memory1 BGP route-map cache entries using 16 bytes of memory0 BGP filter-list cache entries using 0 bytes of memoryBGP activity 51/46 prefixes, 67/62 paths, scan interval 60 secsNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd192.168.3.3 4 6000 6030 5961 81 0 0 2d03h 0192.168.3.12 4 7000 30030 30002 81 0 0 6d03h 1192.168.3.21 4 8000 11829 11834 81 0 0 1w1d 0192.168.3.88 4 9000 0 0 0 0 0 never Active192.168.3.99 4 64555 0 0 0 0 0 never Active... ... ...The zero (Ø) and Active indicators in the State/PfxRcd column indicate a BGP session problem.
Note
There should be a correlation between the Guard BGP router IP address and the IP address indicated at the Router's end (192.168.3.12 I the sample screen). See the above sample screen.
To check the BGP session on the Juniper Router-to-Guard path, type the following From the Juniper divert-from router prompt line:
jun@axl# run show bgp summaryFor example:
jun@axl # run show bgp summary Groups: 10 Peers: 10 Down peers: 5
AS
InPkt
OutPkt
OutQ
Flaps
Last Up/Dwn
State|#Active/Received/Damped.
64555
10
10
0
0
2w6d14h
0/1/0
GRM Routing Table Records and Advertising Verification
This procedure is aimed at checking that the zone IP mask is correctly inserted in the GRM routing tables and that consequently the Guard properly advertises the route to the divert-from router.
To verify the route to the divert-from router, perform the following:
1.
admin@GUARD-conf# routerThe system enters the Zebra application.
The router> prompt appears indicating that the system is in the Zebra non- privileged mode.
2.
router#3.
router# show ip routeThe following sample screen appears:
C>* 10.0.0.0/8 is directly connected, eth0C>* 127.0.0.0/8 is directly connected, l0C>* 192.168.3.0/24 is directly connected, giga1C>* 192.168.3.13/32 is directly connected, giga1C>* 192.168.3.14/32 is directly connected, giga1G>* 192.168.4.2/32 is directly connected, l0S>* 192.168.4.2/32 [1/0] via 192.168.3.2, giga1router#This sample screen indicates that the Guard has inserted a line (marked with G>) into the Zebra routing tables stating zone IP mask.
To verify that the Guard has advertised the route to the Cisco divert-from router, type the following From the Guard's router configuration level:
router> show ip bgp neighbors 192.168.3.1 advertised-routesFor example:
router> show ip bgp neighbors 192.168.3.1 advertised-routesBGP table version is 4, local router ID is 192.168.3.12Status codes: s suppressed, d damped, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 192.168.4.2/32 192.168.3.12 0 32768 ?Total number of prefixes 1router>The sample screen verifies that the Guard advertised the route to the neighboring router (marked in *>).
Divert-from Router Records Verification
This procedure is aimed at checking that the advertised route has been properly inserted into the divert-from router's routing table. You should verify that:
•
•
•
To verify that the route was properly inserted into the Cisco divert-from router, type the following from the Cisco divert-from router prompt line:
7513(config)# show ip routeFor example:
7513(config)#show ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area* - candidate default, U - per-user static route, o - ODRGateway of last resort is not set192.168.4.0/24 is variably subnetted, 2 subnets, 2 masksS 192.168.4.0/24 [1/0] via 192.168.3.2B 192.168.4.2/32 [20/0] via 192.168.3.12, 00:00:00C 10.0.0.0/8 is directly connected, FastEthernet0/1C 192.168.1.0/24 is directly connected, FastEthernet5/0... ... ...This sample screen indicates that the Guard has inserted the route into the divert-from router's routing table, it has a longer prefix (.../32), and was received via a BGP update.
To verify that the route was properly inserted into the Juniper divert-from router, type the following from the Juniper divert-from router prompt line:
jun@axl# run show route receive-protocol bgp 192.168.3.12 extensiveFor example:
jun@axl# run show route receive-protocol bgp 192.168.3.12 extensiveinet.0: 1 destinations, 1 routes (31 active, 0 holddown, 0 hidden)192.168.4.2/32 (2 entries, 1 announced)Nexthop: 192.168.3.12MED: 0Localpref: 100AS path: ?
