<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<pre>Continuing my previous thread. We are trying to adapt WANGUARD Filter to work with REDBACK.
Use cases for Wanguard Filter: <a class="moz-txt-link-freetext" href="https://www.andrisoft.com/support/portal/kb/article/use-cases-for-the-filter">https://www.andrisoft.com/support/portal/kb/article/use-cases-for-the-filter</a>
1)
My lab config:

context BGP
 interface p2p-wanguard-filter intercontext p2p 1
  ip address 10.10.1.1/30
 community-list ExaRedirect
  seq 10 permit 65000:667
 route-map wanguard-in permit 200
  match community-list ExaRedirect
  set ip next-hop 10.10.1.2
 route-map wanguard-out deny 10
 router bgp 123456
  neighbor 192.168.12.184 external
   remote-as 65000
   send community
   no enforce first-as
   address-family ipv4 unicast
    route-map wanguard-in in
    route-map wanguard-out out
 ip route 192.168.99.89/32 context FILTER

context WANGUARD-FILTER
 interface p2p-bgp intercontext p2p 1
  ip address 10.10.1.2/30
 interface wanguard
  description to Wanguard FilterIN eth0
  ip address 192.168.99.89/30
 ip route 0.0.0.0/0 192.168.99.90 description Server with WANGUARD Filter

2)
DOCS: Wanguard Filter Deployment Scenario
Side-filtering - Wanguard Filter sends a BGP routing update to a border router (or route reflector) that
sets its server as the next hop for the suspect traffic. The cleaned traffic is routed back into the network
using static or dynamic routing.
In WANGUARD I set community 6500:667 for testing IP A.B.C.D
BGP#show bgp route A.B.C.D/32
BGP ipv4 unicast routing table entry: A.B.C.D/32, version 0
Paths: total 1, best path count 0, best peer 0.0.0.0
Not downloaded to RIB (no bestpath)
Not advertised to any peer
65000
Nexthop 10.10.1.2 (0), peer 192.168.12.184 (192.168.12.184), AS 65000
Origin IGP, localpref 100, med 0, weight 100, external
Community: 65000:667
3)
But the WANGUARD Filter server interface FilterIN with IP 192.168.99.90/30 does not receive any packets from the WANGUARD-FILTER context.
QUESTION:
Is it possible on the SE600 to make that scenario work with the next-hop in my lab config, or should I do it another way?
Thank you in advance for any help or suggestions.
PS: Link to Wanguard docs: <a class="moz-txt-link-freetext" href="https://www.andrisoft.com/support/portal/download?id=2&id_version=36">https://www.andrisoft.com/support/portal/download?id=2&id_version=36</a>
</pre>
<pre class="moz-signature" cols="72">--
Best regards,
Łukasz Kopiszka
<a class="moz-txt-link-freetext" href="http://alfa-system.pl">http://alfa-system.pl</a>
</pre>
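<p>An added example, not part of the original message: a Python check that parses the <code>show bgp route</code> output pasted above and lists the reasons the prefix is not being diverted to the filter. On the posted output it finds the redirect community and the rewritten next-hop 10.10.1.2 in place, but the path was not selected as best and so was never installed in the RIB. The field labels are assumed to match the pasted output, and the function names are illustrative.</p>

```python
import re

# Output pasted in the message above (prefix placeholder A.B.C.D kept as posted).
SHOW_BGP_ROUTE = """\
BGP ipv4 unicast routing table entry: A.B.C.D/32, version 0
Paths: total 1, best path count 0, best peer 0.0.0.0
Not downloaded to RIB (no bestpath)
Not advertised to any peer
65000
Nexthop 10.10.1.2 (0), peer 192.168.12.184 (192.168.12.184), AS 65000
Origin IGP, localpref 100, med 0, weight 100, external
Community: 65000:667
"""


def parse_bgp_entry(text):
    """Extract the fields that decide whether a diversion route is in use."""
    def first(pattern, default=None):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else default

    return {
        "prefix": first(r"routing table entry: (\S+),"),
        "paths": int(first(r"^Paths: total (\d+)", "0")),
        "best_paths": int(first(r"best path count (\d+)", "0")),
        "in_rib": "Not downloaded to RIB" not in text,
        "nexthop": first(r"^Nexthop (\S+)"),
        "communities": (first(r"^Community: (.+)$", "") or "").split(),
    }


def diversion_problems(entry, want_nexthop, want_community):
    """Return a list of reasons the prefix is not being diverted (empty = OK)."""
    problems = []
    if entry["paths"] == 0:
        problems.append("no BGP path received for the prefix")
    if want_community not in entry["communities"]:
        problems.append("redirect community missing, route-map will not match")
    if entry["nexthop"] != want_nexthop:
        problems.append("next-hop was not rewritten to the filter context")
    if entry["best_paths"] == 0 or not entry["in_rib"]:
        problems.append("path not selected as best, so not installed in RIB")
    return problems


if __name__ == "__main__":
    entry = parse_bgp_entry(SHOW_BGP_ROUTE)
    for line in diversion_problems(entry, "10.10.1.2", "65000:667"):
        print(f"{entry['prefix']}: {line}")
```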
</body>
</html>