H3C Technologies H3C S12500 Series Switches User Manual
Page 298
282
4.
On the Guard device, enable BGP, configure a routing policy, and configure BGP to redistribute
Guard routes:
# Create ACL 2000 that denies all routes.
<Guard> system-view
[Guard] acl number 2000
[Guard-acl-basic-2000] rule 0 deny
[Guard-acl-basic-2000] quit
# Configure routing policy guard-out so that the received routes matching community 1:1 are not
advertised to any peer or outside of the AS.
[Guard] route-policy guard-out permit node 0
[Guard-route-policy] apply community 1:1 no-export no-advertise
[Guard-route-policy] quit
# Enable BGP, establish a neighbor relationship with Switch A, and redistribute Guard routes.
[Guard] bgp 200
[Guard-bgp] peer 5.5.5.5 as-number 100
[Guard-bgp] import-route guard
# Apply ACL 2000 to filter the routes received from peer 5.5.5.5, namely, to deny all those routes.
[Guard-bgp] peer 5.5.5.5 filter-policy 2000 import
# Apply routing policy guard-out to filter the routes advertised to peer 5.5.5.5 and advertise the
community attribute.
[Guard-bgp] peer 5.5.5.5 route-policy guard-out export
[Guard-bgp] peer 5.5.5.5 advertise-community
[Guard-bgp] quit
NOTE:
The Guard device is used mainly for filtering out abnormal traffic but not for routing packets.
Therefore, a routing policy needs to be configured on the Guard device so that it handles only Guard
routes to reduce resource consumption. For routing policy configuration, see "Configuring routing
policies."
5.
Configure a Guard route on the Guard device when the packets destined for 1.1.1.1 has been
found abnormal through Detector.
[Guard] ip route-guard 1.1.1.1 255.255.255.255
6.
Verify the configuration:
# Display the Guard route configured on the Guard device.
[Guard] display ip routing-table protocol guard
Public Routing Table : Guard
Summary Count : 1
Guard Routing table Status : < Active>
Summary Count : 1
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Guard 40 0 0.0.0.0 NULL0
Guard Routing table Status : < Inactive>
Summary Count : 0