Table Of Contents
Troubleshooting Diversion
Configuring a BGP Session on the Guard and the Divert-From Router
Configuring a BGP Session on the Guard
Configuring a BGP Session on the Cisco Divert-from Router
Verifying the Guard to Divert-From Router BGP Session Configuration
Verifying the Guard Routing Table Records and Advertising
Verifying the Divert-From Router Records
Troubleshooting Diversion
This appendix describes troubleshooting procedures designed to overcome traffic diversion problems related to the Guard divert-from routers.
This appendix contains the following topics:
• Configuring a BGP Session on the Guard and the Divert-From Router
• Verifying the Guard to Divert-From Router BGP Session Configuration
• Verifying the Divert-From Router Records
Configuring a BGP Session on the Guard and the Divert-From Router
This section describes how to configure Border Gateway Protocol (BGP) on the Guard and the Cisco divert-from router.
This section contains the following topics:
• Configuring a BGP Session on the Guard
• Configuring a BGP Session on the Cisco Divert-from Router
Configuring a BGP Session on the Guard
This section describes how to configure BGP on the Guard.
Switch to the Zebra application and configure BGP from the global command group level by entering the following commands:
router(config)# router bgp 7000
router(config-router)# redistribute guard
router(config-router)# bgp router-id 192.168.3.12
router(config-router)# neighbor 192.168.3.1 remote-as 5000
router(config-router)# neighbor 192.168.3.1 description C2948
router(config-router)# neighbor 192.168.3.1 soft-reconfiguration inbound
router(config-router)# neighbor 192.168.3.1 route-map filter-out out
router(config-router)# exit
router(config)# route-map filter-out permit 10
router(config-route-map)# set community no-advertise no-export
Configuring a BGP Session on the Cisco Divert-from Router
From the Cisco divert-from router prompt line, enter the following commands:
neighbor 192.168.3.12 remote-as 7000
neighbor 192.168.3.12 description "Guard"
neighbor 192.168.3.12 soft-reconfiguration inbound
neighbor 192.168.3.12 route-map Guard-in in
ip route 192.168.4.0 255.255.255.0 192.168.3.2
ip bgp-community new-format
ip community-list 10 permit no-export no-advertise
route-map Guard-in permit 10
match community 10 exact-match
Verifying the Guard to Divert-From Router BGP Session Configuration
This procedure describes how to check the status of the BGP session as established between the Guard and the Guard's neighboring router (the divert-from router). In this procedure, entering the show ip bgp summary command from the Guard and from the divert-from router allows you to scan the summary reports for indications of a problem and check that the BGP connection is alive.
To check the Guard to divert-from router BGP session status, perform the following steps:
Step 1 Switch to the Zebra application by entering the following command from the configuration command group level:
The system enters the Zebra application. The router> prompt appears, indicating that the system is in the Zebra non-privileged mode. At each command level of the Zebra application, press the question mark (?) key to display the list of commands available at that level.
Step 2 Display the BGP summary report by entering the following command:
router> show ip bgp summary
The following example shows that there is no problem indicated on the Guard to router path. The State/PfxRcd column contains a digit (0), indicating that no problems exist with the BGP session.
Note A nondigit signifier (such as idle, active, or connect) at the State/PfxRcd column indicates a BGP session problem.
router> show ip bgp summary
BGP router identifier 192.168.3.12, local AS number 7000
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.3.1     4  5000       9      12        0    0    0 00:05:32        0
Total number of neighbors 1
Step 3 Verify the BGP session on the Cisco Router-to-Guard path by entering the following command from the Cisco divert-from router prompt line:
7513# show ip bgp summary
In the following example, the zero (0) and Active indicators in the State/PfxRcd column indicate a BGP session problem.
Note A zero (0) or Active state displayed in the State/PfxRcd column indicates a BGP session problem. A zero (0) is expected only when the Guard uses the BGP session for hijacking traffic only (not for injecting traffic).
The Guard's BGP router identifier (192.168.3.12 in the Guard sample screen above) must match the neighbor IP address listed at the router's end (192.168.3.12 in the following sample screen).
7513# show ip bgp summary
BGP router identifier 192.168.77.1, local AS number 5000
BGP table version is 81, main routing table version 81
5 network entries and 5 paths using 605 bytes of memory
2 BGP path attribute entries using 244 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP route-map cache entries using 16 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 51/46 prefixes, 67/62 paths, scan interval 60 secs
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.3.3     4  6000    6030    5961       81    0    0 2d03h           0
192.168.3.12    4  7000   30030   30002       81    0    0 6d03h           1
192.168.3.21    4  8000   11829   11834       81    0    0 1w1d            0
192.168.3.88    4  9000       0       0        0    0    0 never    Active
192.168.3.99    4 64555       0       0        0    0    0 never    Active
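To apply the State/PfxRcd rules from the notes above without reading the screen by hand, here is an added example (not part of the Cisco Guard documentation or software) that parses the summary table both Zebra and IOS print. The sample output is constructed from the router screen on this page; the Guard address 192.168.3.12 and AS 7000 are the values from the configuration section.

```python
"""Check 'show ip bgp summary' output for the Guard to divert-from router session.
Added example, not Cisco Guard code. It parses the summary table that both the
Guard's Zebra shell and IOS print and flags what the notes above describe: a
non-numeric State/PfxRcd (Idle, Active, Connect) or a session with no prefix.
"""
import re

# Constructed from the divert-from router screen on this page.
SAMPLE = """\
7513# show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.3.3 4 6000 6030 5961 81 0 0 2d03h 0
192.168.3.12 4 7000 30030 30002 81 0 0 6d03h 1
192.168.3.88 4 9000 0 0 0 0 0 never Active
"""

def parse_bgp_summary(text):
    """Map neighbor address -> (remote AS, state, prefixes received). A digit in
    State/PfxRcd means Established with that many prefixes; anything else is the
    BGP FSM state the router shows (Idle, Active, Connect, ...)."""
    peers, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        cols = line.split()
        if not in_table or len(cols) < 10 or not re.match(r"\d+(\.\d+){3}$", cols[0]):
            continue
        state = cols[9]
        if state.isdigit():
            peers[cols[0]] = (int(cols[2]), "Established", int(state))
        else:
            peers[cols[0]] = (int(cols[2]), state, 0)
    return peers

def check_guard_session(text, guard_ip, guard_as, hijack_only=False):
    """Return problems with the Guard session; empty list means healthy. hijack_only
    accepts a zero prefix count, which the note above treats as normal then."""
    guard = parse_bgp_summary(text).get(guard_ip)
    if guard is None:
        return [f"no BGP neighbor {guard_ip} on this router"]
    remote_as, state, prefixes = guard
    problems = []
    if remote_as != guard_as:
        problems.append(f"{guard_ip} is AS {remote_as}, expected AS {guard_as}")
    if state != "Established":
        problems.append(f"session to {guard_ip} is {state}, not Established")
    elif prefixes == 0 and not hijack_only:
        problems.append(f"session to {guard_ip} is up but no prefix has been received")
    return problems
```

Run it on the Guard's own `show ip bgp summary` output with the router's address (192.168.3.1, AS 5000) to check the other end of the session the same way.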
Verifying the Guard Routing Table Records and Advertising
This procedure describes how to check that the zone IP mask is correctly inserted in the Guard routing tables and that the Guard properly advertises the route to the divert-from router.
To verify the route to the divert-from router, perform the following steps:
Step 1 Switch to the Zebra application by entering the following command from the configuration command group level:
The system enters the Zebra application. The router> prompt appears, indicating that the system is in the Zebra non-privileged mode.
Step 2 Switch to the privilege mode by entering the enable command. The following prompt appears:
Step 3 Verify that the Guard has inserted the IP mask information into the routing table by entering the following command:
The following example indicates that the Guard has inserted a line (marked with G>) into the Zebra routing tables that contains the zone IP mask:
C>* 10.0.0.0/8 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, l0
C>* 192.168.3.0/24 is directly connected, giga1
C>* 192.168.3.13/32 is directly connected, giga1
C>* 192.168.3.14/32 is directly connected, giga1
G>* 192.168.4.2/32 is directly connected, l0
S>* 192.168.4.2/32 [1/0] via 192.168.3.2, giga1
Step 4 Verify that the Guard has advertised the route to the Cisco divert-from router by entering the following command from the Guard's router configuration level:
router> show ip bgp neighbors 192.168.3.1 advertised-routes
The following example verifies that the Guard advertised the route to the neighboring router (marked with *>):
router> show ip bgp neighbors 192.168.3.1 advertised-routes
BGP table version is 4, local router ID is 192.168.3.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.4.2/32 192.168.3.12 0 32768 ?
Total number of prefixes 1
Verifying the Divert-From Router Records
You can verify the following divert-from router information:
• The Guard has inserted the advertised route into the divert-from router's routing table.
• The route was inserted with a longer prefix.
• The route was received through a BGP update.
Verify the divert-from router information by typing the following from the Cisco divert-from router prompt line:
7513(config)# show ip route
The following example shows that the Guard has inserted the route into the divert-from router's routing table. The route has a longer prefix (.../32) and it was received through a BGP update.
7513(config)# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is not set
192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.4.0/24 [1/0] via 192.168.3.2
B 192.168.4.2/32 [20/0] via 192.168.3.12, 00:00:00
C 10.0.0.0/8 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet5/0
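The three conditions listed above can be checked programmatically against a captured `show ip route` screen. The following is an added example, not part of the Guard documentation or product; its sample table is constructed from the routing table shown above, and it assumes the zone address 192.168.4.2 and the Guard neighbor 192.168.3.12 used throughout this appendix.

```python
"""Verify the divert-from router's routing table after diversion.
Added example, not Cisco Guard code. It parses IOS 'show ip route' output and
checks the three conditions listed above for one zone address: a BGP-learned (B)
route exists, its next hop is the Guard, and it is longer than any other route.
"""
import ipaddress
import re

# Constructed from the divert-from router routing table on this page.
SAMPLE_ROUTE = """\
     192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
S       192.168.4.0/24 [1/0] via 192.168.3.2
B       192.168.4.2/32 [20/0] via 192.168.3.12, 00:00:00
C       10.0.0.0/8 is directly connected, FastEthernet0/1
C       192.168.1.0/24 is directly connected, FastEthernet5/0
"""

# One IOS route line: code, prefix, then "[AD/metric] via next-hop" or "is directly connected".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\*?(?: [A-Z]{2})?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nexthop>\d+(?:\.\d+){3})|is directly connected)")

def parse_ip_route(text):
    """Return (code, network, next_hop) tuples; next_hop is None for connected routes."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m["prefix"], strict=False)
            routes.append((m["code"], net, m["nexthop"]))
    return routes

def diversion_route_problems(text, zone_ip, guard_ip):
    """Return problems with the divert route for zone_ip; an empty list means OK."""
    addr = ipaddress.ip_address(zone_ip)
    covering = [r for r in parse_ip_route(text) if addr in r[1]]
    if not covering:
        return [f"no route covers {zone_ip}"]
    # Forwarding follows the longest match, so that is the route diversion relies on.
    best = max(covering, key=lambda r: r[1].prefixlen)
    code, net, nh = best
    problems = []
    if code != "B":
        problems.append(f"longest match {net} is code {code}, not a BGP route")
    if nh != guard_ip:
        problems.append(f"longest match {net} goes via {nh}, not the Guard {guard_ip}")
    if any(r[1].prefixlen == net.prefixlen for r in covering if r is not best):
        problems.append(f"{net} ties with another route instead of being more specific")
    return problems
```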