Config Wanguard, anti-DDoS system

Hello,

Please help me with this problem:

1. Filter sends a BGP redirect announcement of a /32 prefix route to the Divert-from router.
At this time Quagga will have added:
!
router bgp 65000
network 103.206.218.28/32
…..
!

>>> In this step, I can't ping the victim IP, and tracert stops at the Filter (Quagga) hop.


2. The Divert-from router will send all traffic for that victim IP to the Filter.

3. The Filter cleans the traffic and sends the cleaned traffic back to the network via the Inject-to/Next-hop router.



Cisco config:
ip vrf Inside
rd 63735:200
import map VRF-Inside-Import
route-target export 63735:200
route-target import 63735:100
route-target import 63735:200
!
ip vrf Outside
rd 63735:100
route-target export 63735:100
route-target import 63735:100
route-target import 63735:200
!

interface GigabitEthernet1/25
description To_WanGuard
no switchport
ip vrf forwarding Inside
ip address 192.168.20.1 255.255.255.252
!
interface TenGigabitEthernet1/49
description To_IDC
no switchport
ip vrf forwarding Outside
ip address 125.212.208.114 255.255.255.252
!
interface TenGigabitEthernet1/50
description Filter on-ramp
no switchport
ip vrf forwarding Inside
ip address 192.168.10.1 255.255.255.252
!
interface TenGigabitEthernet1/52
description Filter off-ramp
no switchport
ip vrf forwarding Outside
ip address 192.168.30.1 255.255.255.252
!
interface Vlan2
description 103.206.218.0/24
ip vrf forwarding Outside
ip address 103.206.218.254 255.255.255.0
!

router bgp 63735
bgp router-id 192.168.1.1
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
address-family ipv4 vrf Inside
redistribute connected
exit-address-family
!
address-family ipv4 vrf Outside
network 103.206.218.0 mask 255.255.255.0
redistribute connected
neighbor 115.84.180.65 remote-as 38731
neighbor 115.84.180.65 ebgp-multihop 5
neighbor 115.84.180.65 update-source TenGigabitEthernet1/49
neighbor 115.84.180.65 activate
neighbor 115.84.180.66 remote-as 38731
neighbor 115.84.180.66 ebgp-multihop 5
neighbor 115.84.180.66 update-source TenGigabitEthernet1/49
neighbor 115.84.180.66 activate
neighbor 192.168.30.2 remote-as 65000
neighbor 192.168.30.2 description Filter appliance
neighbor 192.168.30.2 activate
neighbor 192.168.30.2 soft-reconfiguration inbound
neighbor 192.168.30.2 route-map Wanguard-Filter-in in
neighbor 192.168.30.2 route-map Wanguard-Filter-out out
exit-address-family
!

!
ip extcommunity-list standard VRF-Inside permit rt 63735:200
ip bgp-community new-format
ip community-list expanded Wanguard-Filter permit no-advertise
ip community-list expanded Wanguard-Filter permit 65000:99
ip route vrf Outside 0.0.0.0 0.0.0.0 125.212.208.113
ip route vrf Outside 103.206.218.0 255.255.255.0 Null0
ip route vrf Outside 115.84.180.65 255.255.255.255 125.212.208.113
ip route vrf Outside 115.84.180.66 255.255.255.255 125.212.208.113
ip ssh version 2
!
!
route-map Wanguard-Filter-in permit 10
match community Wanguard-Filter exact-match
!
route-map VRF-Inside-Import deny 10
match community Wanguard-Filter
!
route-map VRF-Inside-Import permit 20
!
route-map Wanguard-Filter-out deny 10
!


Quagga Filter config:


!
interface enp3s0
ip address 192.168.20.2/30
!
interface enp4s0f1
ip address 192.168.10.2/30
!
interface enp6s0
ip address 192.168.30.2/30
!
router bgp 65000
bgp router-id 192.168.30.2
network 103.206.218.28/32
neighbor 192.168.30.1 remote-as 63735
neighbor 192.168.30.1 description divert-from router
neighbor 192.168.30.1 soft-reconfiguration inbound
neighbor 192.168.30.1 route-map Wanguard-Filter-in in
neighbor 192.168.30.1 route-map Wanguard-Filter-out out
!
route-map Wanguard-Filter-in deny 10
!
route-map Wanguard-Filter-out permit 10
set community 65000:99 no-advertise

Setup guide:
The router device has all 3 roles: Divert-from, Inject-to, and Next-hop.
• use VRF-Lite by defining two VRFs:
  ◦ one for "outside", where the Divert-from router is (and also its BGP peering with upstream providers and the Filter)
  ◦ another one for "inside", where the Inject-to/Next-hop router is
• Filter must have two Layer 3 interfaces/sub-interfaces:
  ◦ one in VRF-outside
  ◦ one in VRF-inside
• like in the Layer 2 Forwarding Method, static routes have to be defined on the Filter towards the destination subnets
• in order to assure normal routing between these two VRFs, MP-BGP has to be activated on "the router"; no MP-BGP neighbor has to be defined ***
• on the VRF definitions, special policies for import/export Route-Targets (RT) have to be defined in the following manner:
  ▪ e.g. mark outside routes with RT 65000:100 and inside routes with RT 65000:200
  ▪ on VRF-outside:
    • import the routes having the outside-RT (e.g. 65000:100) and also the inside-RT (e.g. 65000:200)
    • export routes with the outside-RT, excepting the redirect/diversion routes
  ▪ on VRF-inside:
    • import the routes having the inside-RT and specific routes having the outside-RT: the default route and/or all other outside routes, excepting the routes for diversion learned from the Filter
    • export routes with the inside-RT
In this way, the inside routing table will not know about the /32 redirect prefix and will forward/route traffic normally.

my network draw:
https://imageshack.com/a/img924/7126/HovfSt.jpg



Thanks.
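Added example (not part of the original post, and not Wanguard, Cisco or Quagga code): a small Python model of the diversion path described above, with a Divert-from router holding an Outside and an Inside VRF and a Quagga Filter between them. It uses the addresses, AS numbers, route-targets and the 65000:99 community from the post; the route-target import with an "import map" deny clause, the longest-prefix-match lookups and the hop-by-hop trace are a simplified model of router behaviour, written for illustration only. It shows two things the setup guide states: the import map keeps the /32 out of the Inside VRF, and the Filter needs a route towards the protected subnet via the Inside hop, otherwise the cleaned traffic stops at the Filter.

```python
"""Model of the Outside/Inside VRF diversion path (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass, field

DIVERT_COMMUNITY = "65000:99"  # set by the Filter's Wanguard-Filter-out route-map (from the post)
RT_OUTSIDE = "63735:100"       # route-target exported by VRF Outside (from the post)
RT_INSIDE = "63735:200"        # route-target exported by VRF Inside (from the post)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                                  # "connected" or a next-hop IP
    rts: set = field(default_factory=set)          # route-targets carried on export
    communities: set = field(default_factory=set)  # standard BGP communities


class Rib:
    """A routing table (per VRF or per device) with longest-prefix-match lookup."""

    def __init__(self, name):
        self.name, self.routes = name, []

    def add(self, route):
        self.routes.append(route)

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def import_routes(target, source, wanted_rts, deny_communities=()):
    """Route-target import into `target` from `source`, with an import map that
    denies routes carrying any of `deny_communities` (the VRF-Inside-Import role)."""
    for r in source.routes:
        if not (r.rts & set(wanted_rts)):
            continue
        if r.communities & set(deny_communities):
            continue  # import map deny clause: the diversion /32 stops here
        target.add(r)


def build_topology(filter_has_static_to_subnet=True):
    """Assumed topology: protected /24 in VRF Outside, Filter on 192.168.30.2 / 192.168.20.2."""
    outside, inside, filt = Rib("Outside"), Rib("Inside"), Rib("Filter")
    net = ipaddress.ip_network
    # VRF Outside: connected /24 (Vlan2), default route, and the /32 learned from the Filter.
    outside.add(Route(net("103.206.218.0/24"), "connected", {RT_OUTSIDE}))
    outside.add(Route(net("0.0.0.0/0"), "125.212.208.113", {RT_OUTSIDE}))
    outside.add(Route(net("103.206.218.28/32"), "192.168.30.2", {RT_OUTSIDE},
                      {DIVERT_COMMUNITY, "no-advertise"}))
    # VRF Inside: its own link to the Filter plus imported outside routes minus the /32.
    inside.add(Route(net("192.168.20.0/30"), "connected", {RT_INSIDE}))
    import_routes(inside, outside, {RT_OUTSIDE}, deny_communities=[DIVERT_COMMUNITY])
    # Filter: two links, and optionally the static route towards the /24 via the Inside hop.
    filt.add(Route(net("192.168.30.0/30"), "connected"))
    filt.add(Route(net("192.168.20.0/30"), "connected"))
    if filter_has_static_to_subnet:
        filt.add(Route(net("103.206.218.0/24"), "192.168.20.1"))
    return outside, inside, filt


def trace(dst, filter_has_static_to_subnet=True):
    """Follow a packet for `dst` arriving in VRF Outside; returns the hops taken,
    ending in 'delivered', 'forwarded-upstream', a loop marker or 'dropped@<hop>'."""
    outside, inside, filt = build_topology(filter_has_static_to_subnet)
    hops = []
    r = outside.lookup(dst)  # the /32 wins longest-prefix match for the victim
    hops.append(f"Outside:{r.prefix}->{r.next_hop}")
    if r.next_hop == "connected":
        return hops + ["delivered"]
    if r.next_hop != "192.168.30.2":
        return hops + ["forwarded-upstream"]
    r = filt.lookup(dst)  # Filter scrubs, then must route back via the Inside hop
    if r is None or r.next_hop == "connected":
        return hops + ["dropped@Filter"]
    hops.append(f"Filter:{r.prefix}->{r.next_hop}")
    r = inside.lookup(dst)  # Inside must only see the imported /24, never the /32
    if r is None:
        return hops + ["dropped@Inside"]
    hops.append(f"Inside:{r.prefix}->{r.next_hop}")
    if r.next_hop == "192.168.30.2":
        return hops + ["loop-back-to-Filter"]
    return hops + ["delivered"]


if __name__ == "__main__":
    print(trace("103.206.218.28"))
    print(trace("103.206.218.28", filter_has_static_to_subnet=False))
```

Running it with the static route present gives Outside (/32) -> Filter (/24 via 192.168.20.1) -> Inside (/24 connected) -> delivered; without the Filter's static route towards the subnet the trace ends at the Filter, which is the hop where the post's traceroute stops. A non-victim host in the same /24 never leaves VRF Outside, because only the /32 carries the diversion next-hop.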
