NTA BGP Configuration Example

March 1, 2024 | NSFOCUS

NTA must establish an iBGP neighborship with a router to implement null-route or BGP diversion. Only then can NTA advertise route updates that divert attack traffic to a third-party device for cleaning. The BGP Configuration module allows you to configure the parameters for establishing a BGP session. The procedure is as follows:

1. Configure on NTA

Choose Configuration > Global Divert Settings > BGP Configuration. Click Add in the upper-right corner. After completing the configuration, click Save.

Parameter: Description

Name: Specifies a string that identifies the entry.
Local AS: Specifies the local AS number, which must be the same as that of the BGP neighbor; otherwise, the neighborship cannot be established.
Local Port: Specifies the source port for data exchange with BGP neighbors. Generally, it is port 179.
Bind IP: Specifies the local IP address used by NTA to establish the BGP neighborship. When two NTA devices form a master/backup pair for HA and the local device is the master, you must select a virtual IP address.
Management Port: Specifies the management port of the local route analysis module. The default value is recommended.
Keep Alive: Specifies the interval for sending keepalive messages to a BGP neighbor to confirm that the link with the neighbor is operating. The default value is 60 seconds.
Hold Time: Specifies the maximum time BGP waits between successive messages before closing the connection. Generally, it is 180 seconds.
Maximum Routing Entries: Specifies the maximum number of routing entries that NTA can send in a session based on this BGP entry. Setting a maximum prevents router performance from deteriorating because NTA sends too many BGP messages.
Community: Specifies how the BGP-speaking router treats this route. In the text box to the right of Community, you can enter communities other than no-advertise and no-export, one per line, in the format xxx:xxx; a maximum of five communities are allowed.
– no-advertise: If set to YES, this route is not advertised to any BGP peer.
– no-export: If set to YES, this route is not advertised to other ASs.
Null Route IP: Specifies the destination IP address for null-route diversion. Traffic reaching the null route IP address will be dropped. This parameter is required only when a BGP session is used for null-route diversion.
– If traffic triggers null-route diversion, NTA uses BGP to set the next hop of the traffic to the null route IP address, sends a BGP Update message to the neighbor router, and diverts the traffic to the BGP neighbor router.
– Since a static route is configured on the router to direct all traffic destined for the null route IP address to null, all traffic destined for the null route IP address will be dropped by the router.
Route Neighbor: Specifies a BGP neighbor, which can be added and deleted. To add a BGP neighbor, configure the following parameters:
– Name: name of the router that establishes the BGP neighborship with NTA.
– Neighbor IP: IP address of the router that establishes the BGP neighborship with NTA.
– Remote AS: remote autonomous system number of the router that establishes the BGP neighborship with NTA.
– Last-Hop IP: IP address of the router that is the last hop of the route from the router to NTA.
– Encryption: controls whether to encrypt BGP connections. Selecting this option means that communication between NTA and the BGP neighbor is encrypted, and you must enter a password in the adjacent text box.
Third-party Protection Device: Specifies a third-party device for traffic cleaning. For how to configure a third-party protection device, see user guide section 5.4.3 Protection Device Configuration. This parameter is required only when a BGP session is used for BGP diversion.
– If traffic triggers BGP diversion, NTA uses BGP to set the next hop of the traffic to the third-party protection device, sends a BGP Update message to the neighbor router, and diverts the traffic to the BGP neighbor router.
– Since a static route destined for the third-party device is configured on the router, traffic reaching the neighboring router is diverted to the third-party device.

2. Configure on router

1) View the BGP peer and interface information on the router before configuring.

2) Configure the BGP peer. Note that the interface used to establish the BGP session between NTA and the router must be reachable over the network.

3) Trigger an alert and check on the router side whether the diversion route has been received.

You can also start a manual diversion on NTA under Monitor > Routing Table > Manual Traffic Diversion to check whether the diversion reaches the router.
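The router side of the three steps above, as an added example that is not part of the NSFOCUS documentation or any vendor's published configuration. Cisco IOS-style syntax is an assumption; the AS number 65000, the NTA Bind IP 10.1.1.2, the Null Route IP 192.0.2.1, the protection device 172.16.10.2, the attacked host 203.0.113.5, the interface names, the community 65000:666 and the password are all constructed placeholders and must match the values entered in the NTA BGP entry. Beyond what the page states, the example adds an inbound route-map and a prefix limit so that the router accepts from the diversion session only host routes (/32) carrying the agreed community, and advertises nothing back to NTA; this bounds what a misconfigured or compromised diversion peer could inject into the routing table.

```ios
! Added example (not NSFOCUS's or any vendor's published configuration).
! Assumptions: Cisco IOS-style syntax; AS 65000, all addresses, interface
! names, the community 65000:666 and the password are constructed
! placeholders that must match the corresponding NTA BGP entry.

! --- Step 1: record BGP and interface state before changing anything ---
show ip bgp summary
show ip interface brief

! --- Step 2: iBGP peer towards NTA (NTA Bind IP 10.1.1.2, shared AS 65000) ---
ip bgp-community new-format
!
! Accept from NTA only host routes (/32) that carry the community configured
! under "Community" on NTA; anything else the session tries to inject is dropped.
ip prefix-list HOST-ONLY seq 5 permit 0.0.0.0/0 ge 32
ip community-list standard NTA-DIVERT permit 65000:666
route-map FROM-NTA permit 10
 match ip address prefix-list HOST-ONLY
 match community NTA-DIVERT
 set local-preference 200
route-map FROM-NTA deny 20
!
! Advertise nothing back to NTA; the session only receives diversion routes.
route-map TO-NTA deny 10
!
router bgp 65000
 neighbor 10.1.1.2 remote-as 65000
 neighbor 10.1.1.2 description NTA diversion peer
 ! source the session from the interface that is reachable from the NTA Bind IP
 neighbor 10.1.1.2 update-source GigabitEthernet0/0
 ! TCP MD5 password; must equal the password entered under "Encryption" on NTA
 neighbor 10.1.1.2 password NTA-SHARED-SECRET
 ! keepalive / hold time, the same 60 / 180 seconds as the NTA entry
 neighbor 10.1.1.2 timers 60 180
 address-family ipv4
  neighbor 10.1.1.2 activate
  neighbor 10.1.1.2 route-map FROM-NTA in
  neighbor 10.1.1.2 route-map TO-NTA out
  ! upper bound on injected routes, mirroring "Maximum Routing Entries" on NTA
  neighbor 10.1.1.2 maximum-prefix 100
 exit-address-family
!
! Null-route diversion: NTA sets the next hop to the Null Route IP (192.0.2.1);
! this static route makes the router discard everything resolved through it.
ip route 192.0.2.1 255.255.255.255 Null0
!
! BGP diversion: NTA sets the next hop to the third-party protection device
! (172.16.10.2); this static route makes that next hop reachable via 10.2.2.2.
ip route 172.16.10.2 255.255.255.255 10.2.2.2

! --- Step 3: after triggering an alert (or a manual diversion on NTA) ---
! State/PfxRcd for 10.1.1.2 should show a prefix count, not Idle or Active
show ip bgp summary
! the /32 for the attacked host, carrying community 65000:666
show ip bgp neighbors 10.1.1.2 routes
! next hop 192.0.2.1 (resolving to Null0) or 172.16.10.2, depending on the diversion type
show ip route 203.0.113.5
```

The well-known no-export and no-advertise communities need no handling on the router: a BGP speaker applies them automatically when it decides whether to re-advertise the route. If NTA is deployed as an HA pair, the `neighbor` address above must be the virtual IP selected under Bind IP, since the router peers with whichever device currently holds it.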