Configuring a guard route, Displaying and maintaining guard routes, Guard route configuration example – H3C Technologies H3C S12500 Series Switches User Manual


If Detector detects no anomalies, Router B will forward the traffic.

Upon detecting any abnormal traffic destined for an address, Detector notifies the Guard
device, which then generates a Guard route (or the administrator configures a Guard route
accordingly). The configured Guard route has the same destination address as that of the abnormal
traffic, and the Guard device advertises the Guard route to its BGP peer Router B.

After learning the Guard route, Router B forwards the non-conforming traffic to the Guard device.

The Guard device drops malicious packets, and conforming packets are sent back to their
destinations through policy-based routing configured on Router B and the Guard device.

Configuring a Guard route

Guard routes are neither installed into the FIB nor used to forward IP packets. They work together with
BGP. You can enable BGP to redistribute Guard routes. For the configuration of Guard route
redistribution into BGP, see "Configuring BGP."

To configure a Guard route:

Step                          Command                          Remarks
1. Enter system view.         system-view                      N/A
2. Configure a Guard route.   ip route-guard ip-address mask   By default, no Guard route is configured.

Displaying and maintaining Guard routes

Task:     Display Guard route information.
Command:  display ip routing-table protocol guard [ inactive | verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks:  Available in any view.

Guard route configuration example

Network requirements

Switch B communicates with the Web server, name server, and E-commerce application server through
Switch A.

Configure Switch A to mirror the traffic (from Switch A) destined for the Web server, name server, and
E-commerce application server to Detector.

The traffic destined for 1.1.1.1 has been found abnormal through Detector. Configure the Guard device
and Switch A to divert the traffic destined for 1.1.1.1 to the Guard device.
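
The diversion these requirements describe can be modelled in Python to show why only the flagged destination is redirected while the Guard route stays out of the Guard device's own FIB. This is an added illustration, not H3C code: the Device class, the 1.1.1.0/24 server subnet, the 1.1.1.2 address, and the 255.255.255.255 host mask are assumptions.

```python
import ipaddress

class Device:
    """Toy model (hypothetical): a FIB plus a separate Guard route table."""
    def __init__(self, name):
        self.name = name
        self.fib = {}              # ip_network -> next hop, used for forwarding
        self.guard_routes = set()  # Guard routes, never installed into the FIB

    def add_guard_route(self, ip, mask):
        # Models `ip route-guard ip-address mask` on the Guard device.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.guard_routes.add(net)
        return net

    def advertise_guard_routes(self, peer):
        # Models BGP redistribution: the peer learns each Guard route
        # with this device as the next hop.
        for net in self.guard_routes:
            peer.fib[net] = self.name

    def lookup(self, dst):
        # Longest-prefix match over the FIB; None means no route.
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.fib if addr in net]
        if not matches:
            return None
        return self.fib[max(matches, key=lambda net: net.prefixlen)]

def build_example():
    switch_a, guard = Device("SwitchA"), Device("Guard")
    # Constructed: the servers sit behind Switch A in 1.1.1.0/24.
    switch_a.fib[ipaddress.ip_network("1.1.1.0/24")] = "ServerLAN"
    # Assumed host mask so that only 1.1.1.1 is diverted.
    guard.add_guard_route("1.1.1.1", "255.255.255.255")
    return switch_a, guard

if __name__ == "__main__":
    switch_a, guard = build_example()
    print("before:", switch_a.lookup("1.1.1.1"))
    guard.advertise_guard_routes(switch_a)
    for dst in ("1.1.1.1", "1.1.1.2"):
        print("after:", dst, "->", switch_a.lookup(dst))
    print("Guard FIB lookup:", guard.lookup("1.1.1.1"))
```

The model leaves out the return path: conforming packets still need policy-based routing to get from the Guard device back to 1.1.1.1, otherwise the learned host route would send them to the Guard device again.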
