WANGUARD 5.2 User Manual & Administrator's Guide
After BGP diversion is established, the router's routing tables point to the Filter server as the best route to
the attacked addresses and the router forwards all traffic destined to those addresses to the Filter server.
BGP Configuration Guidelines
This section provides general guidelines for BGP configuration on the Filter server and on a divert-from
router.
The guidelines provided in this section apply to the BGP configuration on any router from which the Filter
system diverts the traffic. The following examples are provided using common External Border Gateway Protocol v4
(eBGP). You should consider the network configuration and determine whether eBGP or iBGP should be
implemented in your network.
Follow these guidelines when the Filter system and adjacent routers operate using common eBGP:
1. Configure bgpd with an easily recognizable Autonomous System number.
The bgpd sends routing information only when it diverts traffic. This route appears in the router's routing
tables. Using a recognizable value allows you to easily identify the Filter system in the router's routing
tables.
2. To ensure that the bgpd routing information is not redistributed to other internal and external BGP
neighboring devices, perform the following:
● Configure the bgpd not to send routing information and to drop incoming BGP routing information
● Set the bgpd BGP community attribute values to no-export and no-advertise.
A match in the community attributes enables bgpd to filter BGP announcements on the router and
enforce this policy.
3. Enter the soft-reconfiguration inbound command during the setup procedures. This command is useful
for troubleshooting and allows you to restore a routing table without reconnecting to the neighboring
device.
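The following check is an added example, not part of the WANGUARD manual or its software: it audits a Quagga-style bgpd.conf against guidelines 2 and 3 above, reporting any neighbor that lacks an inbound deny-all filter, an outbound route-map setting no-export and no-advertise, or soft-reconfiguration inbound. The sample configuration, its AS numbers, addresses and list names are constructed placeholders.

```python
import re

# Constructed sample bgpd.conf: AS numbers, addresses and list names are placeholders.
SAMPLE = """\
router bgp 65000
 bgp router-id 192.0.2.100
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 soft-reconfiguration inbound
 neighbor 192.0.2.1 distribute-list nothing-in in
 neighbor 192.0.2.1 route-map filter-out out
!
access-list nothing-in deny any
!
route-map filter-out permit 10
 set community no-export no-advertise
"""

def audit(conf):
    """Return guideline violations, one string per finding, for a bgpd.conf text."""
    lines = [l.strip() for l in conf.splitlines()]
    # Route-maps with a permit clause that sets both well-known communities.
    tagged, current = set(), None
    for l in lines:
        m = re.match(r"route-map (\S+) permit \d+$", l)
        if m:
            current = m.group(1)
        elif l.startswith("set community ") and current:
            if {"no-export", "no-advertise"} <= set(l.split()[2:]):
                tagged.add(current)
        elif not l.startswith(("set ", "match ")):
            current = None  # left the route-map clause
    # Access lists with a "deny any" entry (simplification: other entries are not examined).
    deny_all = {l.split()[1] for l in lines
                if re.match(r"access-list \S+ deny any$", l)}
    peers = sorted({l.split()[1] for l in lines
                    if re.match(r"neighbor \S+ remote-as \d+$", l)})
    findings = []
    for p in peers:
        opts = [l.split()[2:] for l in lines if l.startswith(f"neighbor {p} ")]
        if ["soft-reconfiguration", "inbound"] not in opts:
            findings.append(f"{p}: soft-reconfiguration inbound missing")
        if not any(o == ["distribute-list", n, "in"] for o in opts for n in deny_all):
            findings.append(f"{p}: incoming routes are not dropped")
        if not any(o == ["route-map", n, "out"] for o in opts for n in tagged):
            findings.append(f"{p}: announcements lack no-export/no-advertise")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "all guideline checks passed")
```

An empty result means every neighbor in the file meets the three checks; the recognizable AS number from guideline 1 is a naming choice and is not checked.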
Filter System BGP Configuration
You must configure BGP using the Zebra software (http://www.zebra.org) or the Quagga software
(http://www.quagga.net). Quagga is a fork of Zebra and the differences are minimal. Quagga keeps its configuration
files in /etc/quagga while Zebra keeps its configuration files in /etc/zebra.
After installing Quagga or Zebra, you will have to create some basic configuration files so that both the zebra and
bgp daemons can start. Setting the passwords for the two daemons is enough to get them started. You should
replace “zebrapass” and “bgppass” with your own passwords.
[root@localhost ~]# echo 'password zebrapass' > /etc/quagga/zebra.conf
[root@localhost ~]# echo 'password bgppass' > /etc/quagga/bgpd.conf
[root@localhost ~]# /etc/init.d/zebra start
[root@localhost ~]# /etc/init.d/bgpd start
It is a good idea to tighten the security in the zebra daemon. You must connect to the zebra daemon with
telnet on localhost port 2601 (default zebra port) with the previously defined password (“zebrapass”) and issue the