Download presentation
Presentation is loading. Please wait.
Published byRoberta Lamb Modified over 8 years ago
1
R1R1 GD ERER ISP 1 R2R2 R3R3 R4R4 ISP 2 Normal Data Traffic AS100 AS600AS700 AS65535 AS200 Normal Operation: R1 peer to IPS1 with EBGP, and R2 peer to ISP2 with EBGP and R1,R2,R3,R4 is all IBGP session. the GD is cisco anomaly guard module which is activated when ddos attack from internet IF the ddos attack starts, we advertises 32 bit host route to ISP1, and then the attack goes to ER router like numbering diversion to ER when Attack start
2
R1R1 GD ERER ISP 1 R2R2 R3R3 R4R4 ISP 2 Normal Data Traffic AS100 AS600AS700 AS65535 AS200 I would like to configure GD, R1, ER bgp configuration like below, first, the GD generates 32 bit host route and announce to R1 with community set 100:20 and then R1 is accept only community 100:20 route update from GD, and advertise to ER only 100:20 route which is received from GD, and then ER advertises finally ISP1 host ip address. My question is that I don’t know how configure R1 like above scenario. please check the configuration following next sheet. diversion to ER when Attack start
3
! define guard’s RHI route like static access-list 10 permit 203.254.217.68 access-list 10 permit 203.254.217.66 access-list 10 permit 203.254.217.67 ! accept only match 10 and all deny route-map adm-redip permit 10 match ip next-hop 10 route-map adm-redip deny 20 ! set community tag when outgoing to R1 route-map bgp permit 10 match ip next-hop 10 set community 100:10 router bgp 200 neighbor x.x.x.x remote-as 100 neighbor x.x.x.x send-community neighbor x.x.x.x soft-reconfiguration inbound neighbor x.x.x.x next-hop-self neighbor x.x.x.x route-map bgp out redistribute static route-map adm-redip GD ! ip community-list 1 permit 100:10 ! route-map filter-a permit 10 match community 1 ! router bgp 100 neighbor x.x.x.x remote-as 200 neighbor x.x.x.x send-community neighbor x.x.x.x soft-reconfiguration inbound neighbor x.x.x.x route-map filter-a in neighbor x.x.x.x remote-as 65535 neighbor x.x.x.x send-community neighbor x.x.x.x soft-reconfiguration inbound neighbor x.x.x.x route-map filter-a out R1 ! ip community-list 1 permit 100:10 ! route-map filter-a permit 10 match community 1 ! router bgp 65535 neighbor x.x.x.x remote-as 100 neighbor x.x.x.x send-community neighbor x.x.x.x soft-reconfiguration inbound neighbor x.x.x.x route-map filter-a in neighbor x.x.x.x remote-as 600 neighbor x.x.x.x send-community neighbor x.x.x.x soft-reconfiguration inbound neighbor x.x.x.x route-map bgp out ! route-map bgp permit 10 match ip community 1 set community no-advertise ! ER the Guard generates 32bit host routing update to MSFC, and redistributed to BGP and then update R1 community tagged 100:10 the R1 received the 32bit host routing from GD tagged 100:10, if the community-tag is 100:10 then accept routing, and update ER tagged 100:10 ER received routing update from R1 tagged 100:10 32bit host route and update ISP1 to set no advertise finally the 32bit host routing goes into ER router
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.