
ISP 1

Description: PowerPoint PPT presentation, 3 pages. Diagram labels: ISP1, ISP2, R1, R2, R3, R4, GD, ER, AS100, AS200, AS600, AS700, AS65535, "Normal Data Traffic", "diversion to ER when attack starts". Normal operation: R1 peers to ISP1 with EBGP and R2 peers to ISP2 with EBGP; R1, R2, R3, R4 are all IBGP sessions.


Page 1: ISP 1

[Diagram: routers R1, R2, R3, R4, GD and ER; upstreams ISP1 and ISP2; autonomous systems AS100, AS200, AS600, AS700 and AS65535; arrow labelled "Normal Data Traffic".]

Normal Operation: R1 peers to ISP1 with EBGP, and R2 peers to ISP2 with EBGP; R1, R2, R3, R4 are all IBGP sessions.

The GD is a Cisco Anomaly Guard module, which is activated when a DDoS attack comes from the Internet. If the DDoS attack starts, we advertise a 32-bit host route to ISP1, and then the attack traffic goes to the ER router, as numbered in the diagram.

[Diagram arrow: diversion to ER when the attack starts.]

Page 2: ISP 1

[Diagram (same as page 1): routers R1, R2, R3, R4, GD and ER; upstreams ISP1 and ISP2; autonomous systems AS100, AS200, AS600, AS700 and AS65535; arrow labelled "Normal Data Traffic".]

I would like to configure the GD, R1 and ER BGP configuration as below:

First, the GD generates a 32-bit host route and announces it to R1 with the community set to 100:20. Then R1 accepts only route updates tagged with community 100:20 from GD, and advertises to ER only the 100:20 routes received from GD. Finally, ER advertises the host IP address to ISP1.

My question is that I don't know how to configure R1 for the above scenario. Please check the configuration on the next sheet.

[Diagram arrow: diversion to ER when the attack starts.]

Page 3: ISP 1

GD (Guard module MSFC, AS200):

! define guard's RHI route like static
! (these addresses are the next hops of the RHI-injected static routes,
!  matched by "match ip next-hop 10" below)
access-list 10 permit 203.254.217.68
access-list 10 permit 203.254.217.66
access-list 10 permit 203.254.217.67
!
! accept only match 10 and all deny
route-map adm-redip permit 10
 match ip next-hop 10
route-map adm-redip deny 20
!
! set community tag when outgoing to R1
route-map bgp permit 10
 match ip next-hop 10
 set community 100:10
!
router bgp 200
 neighbor x.x.x.x remote-as 100
 neighbor x.x.x.x send-community
 neighbor x.x.x.x soft-reconfiguration inbound
 neighbor x.x.x.x next-hop-self
 neighbor x.x.x.x route-map bgp out
 redistribute static route-map adm-redip

R1 (AS100):

! accept from GD only routes tagged 100:10, and pass only those on to ER
! (the implicit deny at the end of route-map filter-a drops everything else)
ip community-list 1 permit 100:10
!
route-map filter-a permit 10
 match community 1
!
router bgp 100
 neighbor x.x.x.x remote-as 200
 neighbor x.x.x.x send-community
 neighbor x.x.x.x soft-reconfiguration inbound
 neighbor x.x.x.x route-map filter-a in
 neighbor x.x.x.x remote-as 65535
 neighbor x.x.x.x send-community
 neighbor x.x.x.x soft-reconfiguration inbound
 neighbor x.x.x.x route-map filter-a out

ER (AS65535):

! accept from R1 only routes tagged 100:10
ip community-list 1 permit 100:10
!
route-map filter-a permit 10
 match community 1
!
router bgp 65535
 neighbor x.x.x.x remote-as 100
 neighbor x.x.x.x send-community
 neighbor x.x.x.x soft-reconfiguration inbound
 neighbor x.x.x.x route-map filter-a in
 neighbor x.x.x.x remote-as 600
 neighbor x.x.x.x send-community
 neighbor x.x.x.x soft-reconfiguration inbound
 neighbor x.x.x.x route-map bgp out
!
! toward ISP1: advertise the tagged host route marked no-advertise, so ISP1
! keeps it to itself; the IOS syntax is "match community", not "match ip community"
route-map bgp permit 10
 match community 1
 set community no-advertise

The Guard generates a 32-bit host routing update to the MSFC, which is redistributed into BGP and then advertised to R1 tagged with community 100:10.

R1 receives the 32-bit host route from GD tagged 100:10; if the community tag is 100:10 it accepts the route and advertises it to ER tagged 100:10.

ER receives the 32-bit host route from R1 tagged 100:10 and advertises it to ISP1 with the community set to no-advertise.

Finally, the 32-bit host route brings the traffic into the ER router.
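The R1 filter on the previous sheet accepts any prefix from GD as long as it carries the community tag, so a mis-injected route wider than a /32 would be diverted just the same. The following is an added hardening example for R1, not the presenter's own configuration: it keeps the slides' neighbours (GD in AS200, ER in AS65535) and the community 100:10 used on sheet 3 (sheet 2 says 100:20; the example follows the configuration), and adds a prefix-list so that only host routes are ever accepted and forwarded, plus a maximum-prefix cap on the GD session. The addresses 192.0.2.1 (GD) and 192.0.2.2 (ER), the cap of 50 prefixes, and the names DIVERT-HOST-ONLY, FROM-GD and TO-ER are assumptions.

```cisco
! Added example for R1 (AS100); not part of the presentation's configuration.
! Assumed: GD = 192.0.2.1 (AS200), ER = 192.0.2.2 (AS65535), tag 100:10.
!
! The Guard should only ever inject host routes, so permit nothing but /32s.
ip prefix-list DIVERT-HOST-ONLY seq 5 permit 0.0.0.0/0 ge 32
!
ip community-list 1 permit 100:10
!
! Inbound from GD: a route must carry 100:10 AND be a /32 (both match
! clauses must succeed); anything else, including a wider prefix that would
! black-hole a whole subnet, is dropped by the implicit deny at the end.
route-map FROM-GD permit 10
 match community 1
 match ip address prefix-list DIVERT-HOST-ONLY
!
! Outbound to ER: forward only the tagged host routes and nothing else.
route-map TO-ER permit 10
 match community 1
 match ip address prefix-list DIVERT-HOST-ONLY
!
router bgp 100
 neighbor 192.0.2.1 remote-as 200
 neighbor 192.0.2.1 description Guard (GD)
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 soft-reconfiguration inbound
 neighbor 192.0.2.1 route-map FROM-GD in
 ! bound the number of diversion routes GD can inject: warn at 80 % and
 ! shut the session if more than 50 prefixes are received (assumed cap)
 neighbor 192.0.2.1 maximum-prefix 50 80
 neighbor 192.0.2.2 remote-as 65535
 neighbor 192.0.2.2 description ER
 neighbor 192.0.2.2 send-community
 neighbor 192.0.2.2 route-map TO-ER out
```

Because soft-reconfiguration inbound is enabled, what GD actually sent can be compared with what the filter admitted using "show ip bgp neighbors 192.0.2.1 received-routes" against "show ip bgp neighbors 192.0.2.1 routes", and the diverted host routes currently in the table can be listed with "show ip bgp community 100:10".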