Login
- Table of Contents
-
- 12-Layer 3—IP Routing Configuration Guide
- 00-Preface
- 01-Basic IP routing configuration
- 02-Static routing configuration
- 03-RIP configuration
- 04-OSPF configuration
- 05-IS-IS configuration
- 06-BGP configuration
- 07-Policy-based routing configuration
- 08-IPv6 static routing configuration
- 09-IPv6 policy-based routing configuration
- 10-RIPng configuration
- 11-OSPFv3 configuration
- 12-Routing policy configuration
- 13-Guard route configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 13-Guard route configuration | 92.96 KB |
Restrictions and guidelines: guard route configuration
Restrictions: Hardware compatibility with guard routes
Display and maintenance commands for guard routes
Configuring guard routes
About guard routes
A guard route directs traffic to the guard device for filtering and cleaning. You can manually configure a guard route on the guard device, or use a script to automatically configure a guard route upon receipt of a notification.
Guard route characteristics
Guard routes use Null 0 as the outgoing interface.
Guard routes are inactive routes and will not be installed into the FIB.
You must configure a routing protocol, such as BGP, OSPF, or OSPFv3, to redistribute and advertise guard routes for directing traffic to the guard device.
Guard route mechanism
Figure 1 Guard route network diagram
As shown in Figure 1, Device B uses port mirroring to mirror traffic destined for the application servers to the detector for monitoring. It uses a routing protocol to redistribute guard routes from the guard device.
When no abnormal traffic is detected, Device B forwards traffic without the participation of the guard device.
When abnormal traffic is detected, the detector performs one of the following tasks:
· Sends a notification to the guard device. The guard device then automatically generates a guard route.
· Generates an alarm to notify the network administrator. The administrator then manually configures a guard route on the guard device.
The destination address of the guard route is the address to which the abnormal traffic is destined.
After the guard route is configured, the guard device advertises the route to Device B. Device B directs all traffic destined to the destination address of the guard route to the guard device. The guard device filters and cleans the traffic and then sends the normal traffic back to Device B.
Restrictions and guidelines: guard route configuration
A guard device is typically used for traffic filtering and cleaning. To avoid system consumption, configure a routing policy on the guard device or its connected device to disable receiving and advertising non-guard routes. For more information about routing policies, see "Configuring routing policies."
Restrictions: Hardware compatibility with guard routes
|
Hardware platform |
Module type |
Guard route compatibility |
|
M9006 M9010 M9014 |
Blade III firewall module |
No |
|
Blade IV firewall module |
No |
|
|
Blade V firewall module |
No |
|
|
NAT module |
No |
|
|
Application delivery engine (ADE) module |
No |
|
|
Anomaly flow cleaner (AFC) module |
Yes |
|
|
M9010-GM |
Encryption module |
No |
|
M9016-V |
Blade V firewall module |
No |
|
M9008-S M9012-S |
Blade IV firewall module |
No |
|
Application delivery engine (ADE) module |
No |
|
|
Intrusion prevention service (IPS) module |
No |
|
|
Video network gateway module |
No |
|
|
Anomaly flow cleaner (AFC) module |
Yes |
|
|
M9008-S-6GW |
IPv6 module |
No |
|
M9008-S-V |
Blade IV firewall module |
No |
|
M9000-AI-E8 |
Blade V firewall module |
No |
|
Application delivery engine (ADE) module |
No |
|
|
M9000-AI-E16 |
Blade V firewall module |
No |
Configuring a guard route
1. Enter system view.
system-view
2. Configure a guard route.
IPv4:
ip route-guard ip-address { mask-length | mask }
By default, no IPv4 guard routes exist.
IPv6:
ipv6 route-guard ipv6-address prefix-length
By default, no IPv6 guard routes exist.
Display and maintenance commands for guard routes
Execute display commands in any view.
|
Task |
Commands |
|
Display IPv4 guard route information. |
display ip routing-table protocol guard [ inactive | verbose ] |
|
Display IPv6 guard route information. |
display ipv6 routing-table protocol guard [ inactive | verbose ] |