CLI-based Configuration Guide - IP Unicast Routing

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes the concepts and configuration procedures of IP Service features on the device, and provides the configuration examples.
Example for Configuring BGP GTSM

Networking Requirements

As shown in Figure 9-39, Router A belongs to AS 10, and Router B, Router C, and Router D belong to AS 20. BGP runs on the network, and Router B must be protected against CPU-utilization attacks.

Figure 9-39 Networking diagram for configuring BGP GTSM

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF on Router B, Router C, and Router D to implement interworking in AS 20.
  2. Set up an EBGP connection between Router A and Router B, and set up IBGP connections between Router B, Router C, and Router D through loopback interfaces.
  3. Configure GTSM on Router A, Router B, Router C, and Router D to protect Router B against CPU-utilization attacks.

Procedure

  1. Configure an IP address for each interface.

    # Configure IP addresses for all interfaces of RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit

    The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.

  2. Configure OSPF.

    # Configure RouterB.

    [RouterB] ospf
    [RouterB-ospf-1] area 0
    [RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
    [RouterB-ospf-1-area-0.0.0.0] quit
    [RouterB-ospf-1] quit

    # Configure RouterC.

    [RouterC] ospf
    [RouterC-ospf-1] area 0
    [RouterC-ospf-1-area-0.0.0.0] network 20.1.2.0 0.0.0.255
    [RouterC-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
    [RouterC-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
    [RouterC-ospf-1-area-0.0.0.0] quit
    [RouterC-ospf-1] quit

    # Configure RouterD.

    [RouterD] ospf
    [RouterD-ospf-1] area 0
    [RouterD-ospf-1-area-0.0.0.0] network 20.1.2.0 0.0.0.255
    [RouterD-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0
    [RouterD-ospf-1-area-0.0.0.0] quit
    [RouterD-ospf-1] quit

  3. Configure an IBGP connection.

    # Configure Router B.

    [RouterB] bgp 20
    [RouterB-bgp] router-id 2.2.2.9
    [RouterB-bgp] peer 3.3.3.9 as-number 20
    [RouterB-bgp] peer 3.3.3.9 connect-interface LoopBack0
    [RouterB-bgp] peer 3.3.3.9 next-hop-local
    [RouterB-bgp] peer 4.4.4.9 as-number 20
    [RouterB-bgp] peer 4.4.4.9 connect-interface LoopBack0
    [RouterB-bgp] peer 4.4.4.9 next-hop-local

    # Configure Router C.

    [RouterC] bgp 20
    [RouterC-bgp] router-id 3.3.3.9
    [RouterC-bgp] peer 2.2.2.9 as-number 20
    [RouterC-bgp] peer 2.2.2.9 connect-interface LoopBack0
    [RouterC-bgp] peer 4.4.4.9 as-number 20
    [RouterC-bgp] peer 4.4.4.9 connect-interface LoopBack0

    # Configure Router D.

    [RouterD] bgp 20
    [RouterD-bgp] router-id 4.4.4.9
    [RouterD-bgp] peer 2.2.2.9 as-number 20
    [RouterD-bgp] peer 2.2.2.9 connect-interface LoopBack0
    [RouterD-bgp] peer 3.3.3.9 as-number 20
    [RouterD-bgp] peer 3.3.3.9 connect-interface LoopBack0

  4. Configure an EBGP connection.

    # Configure Router A.

    [RouterA] bgp 10
    [RouterA-bgp] router-id 1.1.1.9
    [RouterA-bgp] peer 10.1.1.2 as-number 20

    # Configure Router B.

    [RouterB-bgp] peer 10.1.1.1 as-number 10

    # Display the connection status of the BGP peers.

    [RouterB-bgp] display bgp peer
     BGP local router ID : 2.2.2.9
     Local AS number : 20
     Total number of peers : 3                 Peers in established state : 3
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      3.3.3.9         4    20        8        7     0 00:05:06 Established       0
      4.4.4.9         4    20        8       10     0 00:05:33 Established       0
      10.1.1.1        4    10        7        7     0 00:04:09 Established       0

    The output shows that Router B has set up BGP connections with the other routers.

  5. Configure GTSM on Router A and Router B. Router A and Router B are directly connected, so the range of the TTL value between the two routers is [255, 255]. The value of valid-ttl-hops is 1.

    # Configure GTSM on Router A.

    [RouterA-bgp] peer 10.1.1.2 valid-ttl-hops 1

    # Configure GTSM of the EBGP connection on Router B.

    [RouterB-bgp] peer 10.1.1.1 valid-ttl-hops 1

    # Check the GTSM configuration.

    [RouterB-bgp] display bgp peer 10.1.1.1 verbose
             BGP Peer is 10.1.1.1,  remote AS 10
             Type: EBGP link
             BGP version 4, Remote router ID 1.1.1.9
    
             Update-group ID : 2
             BGP current state: Established, Up for 00h49m35s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 52876
             Configured: Connect-retry Time: 32 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 59 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             57
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 79 messages
                      Update messages                5
                      Open messages                  2
                      KeepAlive messages             71
                      Notification messages          1
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:41:19                                   
     Last keepalive sent    : 2011/09/25 16:41:22                                   
     Last update    received: 2011/09/25 16:11:28
     Last update    sent    : 2011/09/25 16:11:32
     Minimum route advertisement interval is 30 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the Established state.

  6. Configure GTSM on Router B and Router C. Router B and Router C are directly connected, so the range of the TTL value between the two routers is [255, 255]. The value of valid-ttl-hops is 1.

    # Configure GTSM on Router B.

    [RouterB-bgp] peer 3.3.3.9 valid-ttl-hops 1

    # Configure GTSM of the IBGP connection on Router C.

    [RouterC-bgp] peer 2.2.2.9 valid-ttl-hops 1

    # View the GTSM configuration.

    [RouterB-bgp] display bgp peer 3.3.3.9 verbose
             BGP Peer is 3.3.3.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 3.3.3.9
    
             Update-group ID : 0
             BGP current state: Established, Up for 00h54m36s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 54998    Remote - 179
             Configured: Connect-retry Time: 32 sec 
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 69 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             58
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:46:19                                   
     Last keepalive sent    : 2011/09/25 16:46:21                                   
     Last update    received: 2011/09/25 16:11:28
     Last update    sent    : 2011/09/25 16:11:32
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the Established state.

  7. Configure GTSM on Router C and Router D. Router C and Router D are directly connected, so the range of the TTL value between the two routers is [255, 255]. The value of valid-ttl-hops is 1.

    # Configure GTSM of the IBGP connection on Router C.

    [RouterC-bgp] peer 4.4.4.9 valid-ttl-hops 1

    # Configure GTSM of the IBGP connection on Router D.

    [RouterD-bgp] peer 3.3.3.9 valid-ttl-hops 1

    # Check the GTSM configuration.

    [RouterC-bgp] display bgp peer 4.4.4.9 verbose
             BGP Peer is 4.4.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 4.4.4.9
    
             Update-group ID : 1
             BGP current state: Established, Up for 00h56m06s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 53758
             Configured: Connect-retry Time: 32 sec 
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 63 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             61
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:47:19                                   
     Last keepalive sent    : 2011/09/25 16:47:21                                   
     Last update    received: 2011/09/25 16:11:28 
     Last update    sent    : 2011/09/25 16:11:32 
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the Established state.

  8. Configure GTSM on Router B and Router D. Router B and Router D are connected by Router C, so the range of the TTL value between the two routers is [254, 255]. The value of valid-ttl-hops is 2.

    # Configure GTSM of the IBGP connection on Router B.

    [RouterB-bgp] peer 4.4.4.9 valid-ttl-hops 2

    # Configure GTSM on Router D.

    [RouterD-bgp] peer 2.2.2.9 valid-ttl-hops 2

    # Check the GTSM configuration.

    [RouterB-bgp] display bgp peer 4.4.4.9 verbose
             BGP Peer is 4.4.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 4.4.4.9
    
             Update-group ID : 0
             BGP current state: Established, Up for 00h57m48s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 53714    Remote - 179
             Configured: Connect-retry Time: 32 sec 
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 72 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 82 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2011/09/25 16:47:19                                   
     Last keepalive sent    : 2011/09/25 16:47:21                                   
     Last update    received: 2011/09/25 16:11:28
     Last update    sent    : 2011/09/25 16:11:32
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 2
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is configured, the valid hop count is 2, and the BGP connection is in the Established state.

    NOTE:
    • In this example, if the value of valid-ttl-hops of either Router B or Router D is smaller than 2, the IBGP connection cannot be set up.

    • GTSM must be configured on the two ends of the BGP connection.

  9. Verify the configuration.

    # Run the display gtsm statistics all command on Router B to check its GTSM statistics. By default, Router B does not discard any packets when all packets match the GTSM policy.

    [RouterB-bgp] display gtsm statistics all
    GTSM Statistics Table
    ----------------------------------------------------------------
    SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
    ----------------------------------------------------------------
     0      BGP       17              0              17
     0      BGPv6     0               0              0
     0      OSPF      0               0              0
     0      LDP       0               0              0
     1      BGP       0               0              0
     1      BGPv6     0               0              0
     1      OSPF      0               0              0
     1      LDP       0               0              0
     2      BGP       0               0              0
     2      BGPv6     0               0              0
     2      OSPF      0               0              0
     2      LDP       0               0              0
     3      BGP       0               0              0
     3      BGPv6     0               0              0
     3      OSPF      0               0              0
     3      LDP       0               0              0
     4      BGP       32              0              32
     4      BGPv6     0               0              0
     4      OSPF      0               0              0
     4      LDP       0               0              0
     5      BGP       0               0              0
     5      BGPv6     0               0              0
     5      OSPF      0               0              0
     5      LDP       0               0              0
     7      BGP       0               0              0
     7      BGPv6     0               0              0
     7      OSPF      0               0              0
     7      LDP       0               0              0
    ----------------------------------------------------------------

    If a host forges the BGP packets of Router A to attack Router B, the packets are discarded because their TTL value is not 255 when they reach Router B. In the GTSM statistics of Router B, the number of dropped packets increases accordingly.
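The drop counter described above can be turned into a monitoring check. The following is an added example, not part of the Huawei guide: it parses two snapshots of the display gtsm statistics all output and reports the slot and protocol pairs whose Drop Counters grew. The baseline rows are taken from the output above; the later snapshot is constructed, and the function names are assumptions.

```python
import re

# Data rows of "display gtsm statistics all": SlotId Protocol Total Drop Pass
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Rows for slots 0 and 4 as shown in the output above.
BASELINE = """
SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
----------------------------------------------------------------
 0      BGP       17              0              17
 0      BGPv6     0               0              0
 4      BGP       32              0              32
 4      OSPF      0               0              0
"""

# Constructed later snapshot: 25 BGP packets failed the TTL check on slot 0.
LATER = """
 0      BGP       42              25             17
 0      BGPv6     0               0              0
 4      BGP       40              0              40
 4      OSPF      0               0              0
"""

def parse_gtsm_stats(text):
    """Return {(slot, protocol): {"total": n, "drop": n, "pass": n}}."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            slot, proto, total, drop, passed = m.groups()
            stats[(int(slot), proto)] = {
                "total": int(total), "drop": int(drop), "pass": int(passed)}
    return stats

def new_drops(before, after):
    """Return [(slot, protocol, dropped_since_before)] for counters that grew."""
    findings = []
    for key in sorted(after):
        prev = before.get(key, {"drop": 0})["drop"]
        now = after[key]["drop"]
        # A counter that went backwards was cleared in between: count from zero.
        delta = now - prev if now >= prev else now
        if delta > 0:
            findings.append((key[0], key[1], delta))
    return findings

def inconsistent_rows(stats):
    """Rows where Drop + Pass does not add up to Total (truncated or garbled capture)."""
    return [k for k, v in sorted(stats.items()) if v["drop"] + v["pass"] != v["total"]]

if __name__ == "__main__":
    for slot, proto, n in new_drops(parse_gtsm_stats(BASELINE), parse_gtsm_stats(LATER)):
        print(f"slot {slot} {proto}: {n} packets dropped by GTSM since baseline")
```

A rising BGP drop counter on an otherwise stable session means packets are arriving at Router B outside the accepted TTL range.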

Configuration Files

  • Configuration file of Router A

    #
     sysname RouterA
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    bgp 10
     router-id 1.1.1.9
     peer 10.1.1.2 as-number 20
     peer 10.1.1.2 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.2 enable
    #
    return

  • Configuration file of Router B

    #
     sysname RouterB
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 20.1.1.1 255.255.255.0
    #
    interface LoopBack0
     ip address 2.2.2.9 255.255.255.255
    #
    bgp 20
     router-id 2.2.2.9
     peer 3.3.3.9 as-number 20
     peer 3.3.3.9 valid-ttl-hops 1
     peer 3.3.3.9 connect-interface LoopBack0
     peer 4.4.4.9 as-number 20
     peer 4.4.4.9 valid-ttl-hops 2
     peer 4.4.4.9 connect-interface LoopBack0
     peer 10.1.1.1 as-number 10
     peer 10.1.1.1 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
      peer 3.3.3.9 next-hop-local
      peer 4.4.4.9 enable
      peer 4.4.4.9 next-hop-local
      peer 10.1.1.1 enable
    #
    ospf 1
     area 0.0.0.0
      network 20.1.1.0 0.0.0.255
      network 2.2.2.9 0.0.0.0
    #
    return

  • Configuration file of Router C

    #
     sysname RouterC
    #
    interface GigabitEthernet1/0/0
     ip address 20.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 20.1.2.1 255.255.255.0
    #
    interface LoopBack0
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 20
     router-id 3.3.3.9
     peer 2.2.2.9 as-number 20
     peer 2.2.2.9 valid-ttl-hops 1
     peer 2.2.2.9 connect-interface LoopBack0
     peer 4.4.4.9 as-number 20
     peer 4.4.4.9 valid-ttl-hops 1
     peer 4.4.4.9 connect-interface LoopBack0
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 4.4.4.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 20.1.2.0 0.0.0.255
      network 20.1.1.0 0.0.0.255
      network 3.3.3.9 0.0.0.0
    #
    return

  • Configuration file of Router D

    #
     sysname RouterD
    #
    interface GigabitEthernet1/0/0
     ip address 20.1.2.2 255.255.255.0
    #
    interface LoopBack0
     ip address 4.4.4.9 255.255.255.255
    #
    bgp 20
     router-id 4.4.4.9
     peer 2.2.2.9 as-number 20
     peer 2.2.2.9 valid-ttl-hops 2
     peer 2.2.2.9 connect-interface LoopBack0
     peer 3.3.3.9 as-number 20
     peer 3.3.3.9 valid-ttl-hops 1
     peer 3.3.3.9 connect-interface LoopBack0
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 3.3.3.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 20.1.2.0 0.0.0.255
      network 4.4.4.9 0.0.0.0
    #
    return
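The NOTE in step 8 requires GTSM on both ends of every BGP connection. The following is an added example, not part of the Huawei guide: it audits the four configuration files for that requirement and reports the TTL window each session accepts. The function names are assumptions, and `ttl_range` generalizes the two cases the page states (1 hop gives [255, 255], 2 hops gives [254, 255]).

```python
# Relevant lines copied from the four configuration files above (other lines omitted).
CONFIGS = """\
sysname RouterA
 ip address 10.1.1.1 255.255.255.0
 peer 10.1.1.2 as-number 20
 peer 10.1.1.2 valid-ttl-hops 1
sysname RouterB
 ip address 10.1.1.2 255.255.255.0
 ip address 20.1.1.1 255.255.255.0
 ip address 2.2.2.9 255.255.255.255
 peer 3.3.3.9 as-number 20
 peer 3.3.3.9 valid-ttl-hops 1
 peer 4.4.4.9 as-number 20
 peer 4.4.4.9 valid-ttl-hops 2
 peer 10.1.1.1 as-number 10
 peer 10.1.1.1 valid-ttl-hops 1
sysname RouterC
 ip address 20.1.1.2 255.255.255.0
 ip address 20.1.2.1 255.255.255.0
 ip address 3.3.3.9 255.255.255.255
 peer 2.2.2.9 as-number 20
 peer 2.2.2.9 valid-ttl-hops 1
 peer 4.4.4.9 as-number 20
 peer 4.4.4.9 valid-ttl-hops 1
sysname RouterD
 ip address 20.1.2.2 255.255.255.0
 ip address 4.4.4.9 255.255.255.255
 peer 2.2.2.9 as-number 20
 peer 2.2.2.9 valid-ttl-hops 2
 peer 3.3.3.9 as-number 20
 peer 3.3.3.9 valid-ttl-hops 1
"""

def ttl_range(hops):
    """Accepted TTL window; the page's cases are 1 -> (255, 255) and 2 -> (254, 255)."""
    return (255 - hops + 1, 255)

def parse(text):
    """Return {router: {"addrs": own IPs, "peers": {peer_ip: hops or None}}}."""
    routers, cur = {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["sysname"]:
            cur = routers.setdefault(w[1], {"addrs": set(), "peers": {}})
        elif cur and w[:2] == ["ip", "address"]:
            cur["addrs"].add(w[2])
        elif cur and w[:1] == ["peer"] and w[2:3] == ["as-number"]:
            cur["peers"].setdefault(w[1], None)   # peer exists, GTSM not seen yet
        elif cur and w[:1] == ["peer"] and w[2:3] == ["valid-ttl-hops"]:
            cur["peers"][w[1]] = int(w[3])
    return routers

def audit(routers):
    """Return {(router_a, router_b): finding} for every BGP session in the configs."""
    owner = {ip: name for name, r in routers.items() for ip in r["addrs"]}
    result = {}
    for name, r in routers.items():
        for peer_ip, hops in r["peers"].items():
            remote = owner.get(peer_ip)
            if remote is None:
                continue  # peer is outside the audited set of configs
            far = next((h for ip, h in routers[remote]["peers"].items() if ip in r["addrs"]), None)
            pair = tuple(sorted((name, remote)))
            if hops is None or far is None:
                result[pair] = "GTSM missing on at least one end"
            elif hops != far:  # not fatal by itself, but one end accepts a wider window
                result[pair] = f"asymmetric valid-ttl-hops ({min(hops, far)} and {max(hops, far)})"
            else:
                result[pair] = f"ok, TTL window {ttl_range(hops)}"
    return result
```

Calling `audit(parse(CONFIGS))` returns four sessions, all "ok", with the Router B to Router D session showing the (254, 255) window.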
Updated: 2019-05-20

Document ID: EDOC1100034072
