[rbak-nsp] Next-hop or equivalent (trying to use Wanguard Filter with REDBACK)

Łukasz Kopiszka lukasz at alfa-system.pl
Tue Jan 8 05:33:36 EST 2019


Continuing my previous thread. We are trying to adapt WANGUARD Filter to 
work with REDBACK. Use cases for Wanguard Filter: 
https://www.andrisoft.com/support/portal/kb/article/use-cases-for-the-filter 


1)
My lab config:

context BGP

  interface p2p-wanguard-filter intercontext p2p 1
   ip address 10.10.1.1/30

  community-list ExaRedirect
   seq 10 permit 65000:667

  route-map wanguard-in permit 200
   match community-list ExaRedirect
   set ip next-hop 10.10.1.2

  route-map wanguard-out deny 10

  router bgp 123456
   neighbor 192.168.12.184 external
     remote-as 65000
     send community
     no enforce first-as
     address-family ipv4 unicast
       route-map wanguard-in in
       route-map wanguard-out out


   ip route 192.168.99.89/32 context FILTER


context WANGUARD-FILTER
  interface p2p-bgp intercontext p2p 1
   ip address 10.10.1.2/30

  interface wanguard
   description to Wanguard FilterIN eth0
   ip address 192.168.99.89/30

  ip route 0.0.0.0/0 192.168.99.90 description Server with WANGUARD Filter


2)
DOCS: Wanguard Filter Deployment Scenario
Side-filtering - Wanguard Filter sends a BGP routing update to a border router (or route reflector) that
sets its server as the next hop for the suspect traffic. The cleaned traffic is routed back into the network
using static or dynamic routing.


In WANGUARD I set community 6500:667 for testing IP A.B.C.D


BGP#show bgp route A.B.C.D/32
BGP ipv4 unicast routing table entry: A.B.C.D/32, version 0
Paths: total 1, best path count 0, best peer 0.0.0.0
Not downloaded to RIB (no bestpath)
Not advertised to any peer

65000
   Nexthop 10.10.1.2 (0), peer 192.168.12.184 (192.168.12.184), AS 65000
   Origin IGP, localpref 100, med 0, weight 100, external
   Community: 65000:667

3)
But WANGUARD Filter server interface FilterIN with IP 192.168.99.90/30 does not receive any packets from WANGUARD-FILTER context.



QUESTION:

Is it possible on the SE600 to make that scenario work with next-hop in my lab config, or should I do it another way?

Thank you in advance for any help or suggestions.


  
PS: Link to Wanguard docs: https://www.andrisoft.com/support/portal/download?id=2&id_version=36

-- 
Best regards,
Łukasz Kopiszka
http://alfa-system.pl
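
As an added illustration (not part of the original post, and not Redback or Andrisoft code), the Python check below cross-references the names and next-hops in a pasted diversion config of this shape. The `lint` function, the trimmed `LAB_CONFIG` text and the reading of `ip route <prefix> context <name>` as a reference to a defined context are assumptions made for the example; it does not model SmartEdge forwarding or BGP best-path selection.

```python
import ipaddress
# Constructed input: the reference-bearing lines of the lab config in the post.
LAB_CONFIG = """\
context BGP
 interface p2p-wanguard-filter intercontext p2p 1
  ip address 10.10.1.1/30
 community-list ExaRedirect
 route-map wanguard-in permit 200
  match community-list ExaRedirect
  set ip next-hop 10.10.1.2
 route-map wanguard-out deny 10
 neighbor 192.168.12.184 external
  route-map wanguard-in in
  route-map wanguard-out out
 ip route 192.168.99.89/32 context FILTER
context WANGUARD-FILTER
 interface p2p-bgp intercontext p2p 1
  ip address 10.10.1.2/30
 interface wanguard
  ip address 192.168.99.89/30
 ip route 0.0.0.0/0 192.168.99.90
"""

def lint(config):
    """Report names and next-hops that do not resolve inside the given text."""
    ctx, defined, refs, hops, nets = None, set(), [], [], {}
    for w in filter(None, map(str.split, config.splitlines())):
        if w[0] == "context":
            ctx = w[1]
            nets[ctx] = []
        elif w[:2] == ["ip", "address"]:
            nets[ctx].append(ipaddress.ip_interface(w[2]).network)
        elif w[0] == "community-list":
            defined.add((ctx, "community-list", w[1]))
        elif w[:2] == ["match", "community-list"]:
            refs.append((ctx, "community-list", w[2]))
        elif w[0] == "route-map":  # permit/deny defines it; in/out applies it
            (defined.add if w[2] in ("permit", "deny") else refs.append)((ctx, "route-map", w[1]))
        elif w[:3] == ["set", "ip", "next-hop"]:
            hops.append((ctx, w[3]))
        elif w[:2] == ["ip", "route"] and w[3] == "context":
            refs.append((None, "context", w[4]))  # assumed: names a target context
        elif w[:2] == ["ip", "route"]:
            hops.append((ctx, w[3]))
    defined |= {(None, "context", c) for c in nets}
    out = [f"{k} {n} is referenced but not defined" for s, k, n in refs if (s, k, n) not in defined]
    out += [f"next-hop {h} in context {c} is not on a connected subnet"
            for c, h in hops if not any(ipaddress.ip_address(h) in net for net in nets[c])]
    return out
```

Run over the lab config as pasted, it flags the `FILTER` context name, which has no matching `context` line in the post; both next-hops fall inside a subnet configured in their own context.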
