Configuring guard routes, Overview – H3C Technologies H3C S12500 Series Switches User Manual

Page 295

279

Configuring Guard routes

Overview

A Guard device is used to filter abnormal traffic.
To achieve this, Guard routes are configured on the Guard device to divert abnormal traffic to the Guard
device. A Guard route can be manually configured. In most cases, however, a Guard route is

automatically configured upon receipt of a notification.
Guard routes use Null 0 as the outbound interface and work together with BGP. They are neither installed

into the FIB nor used to forward IP packets. You can enable BGP to redistribute Guard routes to advertise
them to a BGP peer. In this way, traffic that is received by the BGP peer and destined for destinations of

Guard routes is diverted to the Guard device, which then filters and cleans the traffic.

Figure 98 Typical Guard route application

In the figure above, the Guard device is configured with a Guard route and the Detector device detects

network anomalies.

•

Router A communicates with the Web server, name server, and E-commerce application server
through Router B.

•

Router B and the Guard device run BGP and have formed a peer relationship. The import-route
guard command is used in BGP view on the Guard device to enable Guard route redistribution into

BGP.

•

Router B is configured to mirror the traffic (from Router A) destined for the Web server, name server,
and E-commerce application server to Detector.

This manual is related to the following products:

H3C S9500E Series Switches H3C MSR 5600 H3C MSR 50 H3C MSR 3600 H3C MSR 30 H3C MSR 2600 H3C MSR 20-2X[40] H3C MSR 20-1X H3C MSR 930 H3C MSR 900 H3C SecPath F5020 H3C SecPath F5040 H3C VMSG VFW1000