-
Cisco Guard Configuration Guide (Software Version 6.0)
-
Index
-
Preface
-
Product Overview
-
Initializing the Guard
-
Configuring the Guard
-
Configuring Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Learning the Zone Traffic Characteristics
-
Protecting Zones
-
Using Interactive Protect Mode
-
Using Attack Reports
-
Using Guard Diagnostics Tools
-
Performing Maintenance Tasks
-
Analyzing Guard Mitigation
-
Understanding Zone Traffic Diversion
-
Troubleshooting Diversion
-
Feedback
Table Of Contents
Configuring a BGP Session on the Guard and the Divert-From Router
Configuring a BGP Session on the Guard
Configuring a BGP Session on the Cisco Divert-from Router
Verifying the Guard to Divert-From Router BGP Session Configuration
Verifying the Guard Routing Table Records and Advertising
Verifying the Divert-From Router Records
Troubleshooting Diversion
This appendix describes troubleshooting procedures designed to overcome traffic diversion problems related to the Guard divert-from routers.
This chapter contains the following topics:
•
Configuring a BGP Session on the Guard and the Divert-From Router
•
•
Configuring a BGP Session on the Guard and the Divert-From Router
This section describes how to configure Border Gateway Protocol (BGP) on the Guard and the Cisco divert-from router.
This section contains the following topics:
•
•
Configuring a BGP Session on the Guard
This section describes how to configure BGP on the Guard.
Switch to the Zebra application and configure BGP from the global command group level by entering the following commands:
admin@GUARD-conf# routerrouter> enablerouter# config terminalrouter(config)# router bgp 7000router(config-router)# redistribute guardrouter(config-router)# bgp router-id 192.168.3.12router(config-router)# neighbor 192.168.3.1 remote-as 5000router(config-router)# neighbor 192.168.3.1 description C2948router(config-router)# neighbor 192.168.3.1 soft-reconfiguration inboundrouter(config-router)# neighbor 192.168.3.1 route-map filter-out outrouter(config-router)# exitrouter(config)# route-map filter-out permit 10router(config-route-map)# set community no-advertise no-exportConfiguring a BGP Session on the Cisco Divert-from Router
From the Cisco divert-from router prompt line, enter the following commands:
router bgp 5000bgp log-neighbor-changesneighbor 192.168.3.12 remote-as 7000neighbor 192.168.3.12 description "Guard"neighbor 192.168.3.12 soft-reconfiguration inboundneighbor 192.168.3.12 route-map Guard-in in!ip classlessip route 192.168.4.0 255.255.255.0 192.168.3.2ip bgp-community new-formatip community-list 10 permit no-export no-advertiseroute-map Guard-in permit 10match community 10 exact-matchVerifying the Guard to Divert-From Router BGP Session Configuration
This procedure describes how to check the status of the BGP session as established between the Guard and the Guard's neighboring router (the divert-from router). In this procedure, entering the show ip bgp summary command from the Guard and from the divert-from router allows you to scan the summary reports for indications of a problem and check that the BGP connection is alive.
To check the Guard to divert-from router BGP session status, perform the following steps:
Step 1
admin@GUARD-conf# routerThe system enters the Zebra application. The router> prompt appears, indicating that the system is in the Zebra non- privileged mode. At each command level of the Zebra application, press the question mark (?) key to display the list of commands available at this mode.
Step 2
router> show ip bgp summaryThe following example shows that there is no problem indicated on the Guard to router path. The State/PfxRcd column contains a digit (0), indicating that no problems exist with the BGP session.
Note
router> show ip bgp summaryBGP router identifier 192.168.3.12, local AS number 70000 BGP AS-PATH entries0 BGP community entries
4
5000
9
12
0
0
0
00:05:32
0
Total number of neighbors 1router>Step 3
7513# show ip bgp summaryIn the following example, the zero (Ø) and Active indicators in the State/PfxRcd column indicate a BGP session problem.
Note
A correlation should exist between the Guard BGP router IP address and the IP address indicated at the router's end (192.168.3.12 in the sample screen). See the above sample screen.
7513# show ip bgp summaryBGP router identifier 192.168.77.1, local AS number 5000BGP table version is 81, main routing table version 815 network entries and 5 paths using 605 bytes of memory2 BGP path attribute entries using 244 bytes of memory1 BGP AS-PATH entries using 24 bytes of memory1 BGP route-map cache entries using 16 bytes of memory0 BGP filter-list cache entries using 0 bytes of memoryBGP activity 51/46 prefixes, 67/62 paths, scan interval 60 secsNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd192.168.3.3 4 6000 6030 5961 81 0 0 2d03h 0192.168.3.12 4 7000 30030 30002 81 0 0 6d03h 1192.168.3.21 4 8000 11829 11834 81 0 0 1w1d 0192.168.3.88 4 9000 0 0 0 0 0 never Active192.168.3.99 4 64555 0 0 0 0 0 never Active... ... ...
Verifying the Guard Routing Table Records and Advertising
This procedure describes how to check that the zone IP mask is correctly inserted in the Guard routing tables and that the Guard properly advertises the route to the divert-from router.
To verify the route to the divert-from router, perform the following steps:
Step 1
admin@GUARD-conf# routerThe system enters the Zebra application. The router> prompt appears indicating that the system is in the Zebra non- privileged mode.
Step 2
router#Step 3
router# show ip routeThe following example indicates that the Guard has inserted a line (marked with G>) into the Zebra routing tables that contains the zone IP mask:
router# show ip routeC>* 10.0.0.0/8 is directly connected, eth0C>* 127.0.0.0/8 is directly connected, l0C>* 192.168.3.0/24 is directly connected, giga1C>* 192.168.3.13/32 is directly connected, giga1C>* 192.168.3.14/32 is directly connected, giga1G>* 192.168.4.2/32 is directly connected, l0S>* 192.168.4.2/32 [1/0] via 192.168.3.2, giga1router#Step 4
router> show ip bgp neighbors 192.168.3.1 advertised-routesThe following example verifies that the Guard advertised the route to the neighboring router (marked in *>) :
router> show ip bgp neighbors 192.168.3.1 advertised-routesBGP table version is 4, local router ID is 192.168.3.12Status codes: s suppressed, d damped, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 192.168.4.2/32 192.168.3.12 0 32768 ?Total number of prefixes 1router>
Verifying the Divert-From Router Records
You can verify the following divert-from router information:
•
•
•
Verify the divert-from router information by typing the following from the Cisco divert-from router prompt line:
7513(config)# show ip routeThe following example shows that the Guard has inserted the route into the divert-from router's routing table. The route has a longer prefix (.../32) and it was received through a BGP update.
7513(config)# show ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area* - candidate default, U - per-user static route, o - ODRGateway of last resort is not set192.168.4.0/24 is variably subnetted, 2 subnets, 2 masksS 192.168.4.0/24 [1/0] via 192.168.3.2B 192.168.4.2/32 [20/0] via 192.168.3.12, 00:00:00C 10.0.0.0/8 is directly connected, FastEthernet0/1C 192.168.1.0/24 is directly connected, FastEthernet5/0... ... ...
