NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Dynamic BGP Flow Specification

In dynamic BGP Flow Specification, the BGP Flow Specification routes are generated by a traffic analysis server rather than configured manually on the device.

Usage Scenario

When deploying dynamic BGP Flow Specification, a BGP Flow Specification peer relationship needs to be established between the traffic analysis server and each ingress of the network to transmit BGP Flow Specification routes.

In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be deployed to reduce the number of BGP Flow Specification peer relationships and save CPU resources.

If you want to filter traffic based on an address prefix but the BGP Flow Specification route carrying the filtering rule cannot pass validation, disable validation (authentication) of the BGP Flow Specification routes received from that specific peer.

Pre-configuration Tasks

Before configuring dynamic BGP Flow Specification, configure a BGP peer.

Procedure

  1. Establish a BGP Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address enable

      A BGP Flow Specification peer relationship is established.

      After the BGP Flow Specification peer relationship is established in the BGP-Flow address family view, the BGP Flow Specification route generated by the traffic analysis server is imported to the BGP routing table and then sent to the peer.

    5. Run commit

      The configuration is committed.

  2. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP Flow Specification peer relationship between the Flow RR and the traffic analysis server, and between the Flow RR and every ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address reflect-client

      A Flow RR and its client are configured.

      The router on which the peer reflect-client command is run functions as the Flow RR, and its peers function as clients.

    5. (Optional) Run undo reflect between-clients

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR have established full-mesh connections with each other, run the undo reflect between-clients command to disable route reflection between these clients through the RR. This can reduce the link cost.

    6. (Optional) Run reflector cluster-id cluster-id

      A cluster ID is configured for the Flow RR.

      If there are multiple Flow RRs in a cluster, use this command to set the same cluster ID for these Flow RRs.

      NOTE:

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  3. (Optional) Add the AS_Path attribute as a check item to BGP Flow Specification route verification rules.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run route validation-mode include-as

      The AS_Path attribute is added as a check item to BGP Flow Specification route verification rules.

      BGP Flow Specification routes are verified as follows:
      • Mode 1: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route according to Figure 11-1. The route is considered valid only if the verification succeeds.
      • Mode 2: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route by checking whether the AS_Path attribute of the route carries the AS_Set or AS_Sequence field. The route is considered valid only if its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
      If the route validation-mode include-as command is run on a device, the device first uses mode 2 to verify BGP Flow Specification routes.
      • If the verification using mode 2 succeeds, the BGP Flow Specification route is considered valid, and the device no longer verifies the routes using mode 1.
      • If the verification using mode 2 fails, the device verifies the routes using mode 1.
      If the route validation-mode include-as command is not run on a device, the device uses mode 1 to verify BGP Flow Specification routes.
      Figure 11-1 BGP Flow Specification route verification rules

    5. Run commit

      The configuration is committed.

  4. (Optional) Disable BGP Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address validation-disable

      The device is disabled from authenticating BGP Flow Specification routes received from a specified peer.

    5. Run commit

      The configuration is committed.

  5. (Optional) Disable the device from validating the routes that carry a redirection extended community attribute and are received from a specified EBGP peer.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address redirect ip validation-disable

      The device is disabled from validating the routes that carry a redirection extended community attribute and are received from a specified EBGP peer.

    5. Run commit

      The configuration is committed.

  6. (Optional) Set the redirection next-hop attribute ID for BGP Flow Specification routes.

    The redirection next-hop attribute ID can be 0x010C (ID defined in a relevant RFC) or 0x0800 (ID defined in a relevant draft). If a Huawei device needs to communicate with a non-Huawei device that does not support the redirection next-hop attribute ID of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP Flow Specification routes as required.

    • Set the redirection next-hop attribute ID to 0x010C (ID defined in a relevant RFC) for BGP Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-family flow

        The BGP-Flow address family view is displayed.

      4. Run peer ipv4-address redirect ip rfc-compatible

        The redirection next-hop attribute ID is set to 0x010C (ID defined in a relevant RFC) for BGP Flow Specification routes.

      5. Run commit

        The configuration is committed.

    • Set the redirection next-hop attribute ID to 0x0800 (ID defined in a relevant draft) for BGP Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-family flow

        The BGP-Flow address family view is displayed.

      4. Run peer ipv4-address redirect ip draft-compatible

        The redirection next-hop attribute ID is set to 0x0800 (ID defined in a relevant draft) for BGP Flow Specification routes.

      5. Run commit

        The configuration is committed.

  7. (Optional) Configure an interface as the inbound interface for dynamic BGP Flow Specification, so that traffic received on that interface and matching FlowSpec rules is not redirected again.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec refluence

      The interface role is configured as an inbound interface.

      NOTE:

      This command can be configured only on the main interface and cannot be configured on sub-interfaces or Eth-Trunk member interfaces. When the command is configured on a main interface, the command configuration also takes effect on its sub-interfaces.

    4. Run commit

      The configuration is committed.

  8. (Optional) Disable BGP Flow Specification on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      NOTE:

      This command can be configured only on the main interface and cannot be configured on sub-interfaces or Eth-Trunk member interfaces. When the command is configured on a main interface, the command configuration also takes effect on its sub-interfaces.

    4. Run commit

      The configuration is committed.

  9. (Optional) Enable the device to preferentially iterate the received routes that carry a redirection extended community attribute to LDP LSPs or TE tunnels.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run redirect ip recursive-lookup tunnel [ tunnel-selector tunnel-selector-name ]

      The device is enabled to preferentially iterate the received routes that carry a redirection extended community attribute to LDP LSPs or TE tunnels.

    5. Run commit

      The configuration is committed.

  10. (Optional) Configure IP-information-based BGP flow specification for outgoing packets on the public network.
    1. Run flowspec match-ip-layer mpls-pop

      IP-information-based BGP flow specification is configured for outgoing packets on the public network.

    2. Run commit

      The configuration is committed.

  11. (Optional) Enable the CAR statistics and packet loss statistics function for BGP flow specification.
    1. Run flowspec statistic enable

      The CAR statistics and packet loss statistics function is enabled for BGP flow specification.

    2. Run commit

      The configuration is committed.

  12. (Optional) Enable BGP Flowspec for packets that have entered the VXLAN tunnel.
    1. Run flowspec match vxlan-packet enable

      BGP Flowspec is enabled for packets that have entered the VXLAN tunnel.

    2. Run commit

      The configuration is committed.
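The verification order described under step 3 (route validation-mode include-as: mode 2 first, then mode 1 only if mode 2 fails) is easy to misread, so here is an added model of it in Python. This is example code, not part of the Huawei guide: mode 2 is implemented exactly as the guide states (no AS_Set or AS_Sequence segment in AS_Path), while mode 1 uses the RFC 5575 originator check as a stand-in because Figure 11-1 is not reproduced on this page; the FlowRoute type and the unicast_table mapping are assumptions of the example.

```python
# Added example (not from the Huawei guide): models the verification order that
# "route validation-mode include-as" applies to a received BGP Flow Specification route.
import ipaddress
from dataclasses import dataclass

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment type codes (RFC 4271)


def parse_as_path(attr: bytes, as_width: int = 4) -> list:
    """Split a raw AS_PATH attribute value into (segment_type, [ASN, ...]) tuples.
    as_width is 4 on a session with 4-octet ASNs (RFC 6793), else 2; truncation raises."""
    segments, i = [], 0
    while i < len(attr):
        if i + 2 > len(attr):
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = attr[i], attr[i + 1]
        body = attr[i + 2:i + 2 + count * as_width]
        if len(body) != count * as_width:
            raise ValueError("truncated AS_PATH segment body")
        asns = [int.from_bytes(body[k:k + as_width], "big") for k in range(0, len(body), as_width)]
        segments.append((seg_type, asns))
        i += 2 + len(body)
    return segments


@dataclass
class FlowRoute:
    dest_prefix: str  # destination address/prefix carried as the filtering rule
    originator: str   # BGP speaker the Flow Specification route was received from
    as_path: bytes    # raw AS_PATH attribute value


def mode2_valid(route: FlowRoute) -> bool:
    """Mode 2: valid only if AS_PATH carries neither an AS_SET nor an AS_SEQUENCE segment."""
    return not any(t in (AS_SET, AS_SEQUENCE) for t, _ in parse_as_path(route.as_path))


def mode1_valid(route: FlowRoute, unicast_table: dict) -> bool:
    """Mode 1 stand-in (assumption; Figure 11-1 is not on this page): RFC 5575 rule that
    the originator must match that of the best-match unicast route for the destination."""
    dest = ipaddress.ip_network(route.dest_prefix, strict=False)
    table = {ipaddress.ip_network(p): o for p, o in unicast_table.items()}
    covering = [p for p in table if dest.network_address in p and p.prefixlen <= dest.prefixlen]
    if not covering:
        return False  # no unicast route covers the prefix, so nothing can vouch for it
    return table[max(covering, key=lambda p: p.prefixlen)] == route.originator


def validate(route: FlowRoute, unicast_table: dict, include_as: bool) -> bool:
    """Guide's order: with include-as, mode 2 first and mode 1 only if it fails; else mode 1."""
    if include_as and mode2_valid(route):
        return True
    return mode1_valid(route, unicast_table)
```

With include-as, a route carrying an empty AS_Path (originated inside the local AS, as the traffic analysis server's routes are) is accepted without the mode 1 lookup, while a route that crossed an AS boundary still has to pass mode 1.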

Checking the Configurations

When the preceding configuration is complete, you can run the following commands to verify the configurations.

  • Run the display bgp flow peer [ [ ipv4-address ] verbose ] command to check information about BGP Flow Specification peers.

  • Run the display bgp flow routing-table command to check BGP Flow Specification routes.

  • Run the display bgp flow routing-table [ peer ipv4-address ] [ advertised-routes | received-routes [ active ] ] statistics command to check statistics about BGP Flow Specification routes.

  • Run the display flowspec statistics reindex command to check traffic statistics about BGP flow specification.

# Run the display bgp flow peer command to check whether the BGP Flow Specification peer relationship is successfully established. For example:

<HUAWEI> display bgp flow peer
 BGP Local router ID : 1.2.3.4
 local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer        V    AS  MsgRcvd  MsgSent  OutQ  Up/Down          State  PrefRcv
  1.2.5.6     4   200       32       35     0 00:17:49    Established        0

# Run the display bgp flow routing-table command to check BGP Flow Specification routes and the cluster of the Flow RR. For example:

<HUAWEI> display bgp flow routing-table 33
 BGP local router ID : 1.1.1.1
 Local AS number : 100
 ReIndex : 33
 Order   : 2147483647
 Dissemination Rules :
   Port           : eq 100
   FragmentType   : match non-fragment

 BGP flow-ipv4 routing table entry information of 33:
 Match action :
   apply traffic-rate 9600
 From: 3.3.3.3 (3.3.3.3)
 Route Duration: 0d00h16m31s
 AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
 Originator: 20.1.1.2
 Cluster list: 1.1.1.1
 Not advertised to any peer yet

# Run the display bgp flow routing-table peer ipv4-address received-routes statistics command on a remote peer closest to the attack source to check statistics about BGP Flow Specification routes. For example:

<HUAWEI> display bgp flow routing-table peer 1.1.1.1 received-routes statistics
 Received routes total: 4

# Run the display flowspec statistics reindex command to check traffic statistics about BGP flow specification. For example:

<HUAWEI> display flowspec statistics 1
ReIndex: 1
Rule number: 0

------------------------------------------------------------------------
Item                              Packets                          Bytes
------------------------------------------------------------------------
Matched                                 0                              0
------------------------------------------------------------------------
Last 30 seconds rate
------------------------------------------------------------------------
Item                                  pps                            bps
------------------------------------------------------------------------
Matched                                 0                              0
------------------------------------------------------------------------
------------------------------------------------------------------------
Item                              Packets                          Bytes
------------------------------------------------------------------------
Pass                                    0                              0
Drop                                    0                              0
------------------------------------------------------------------------
Last 30 seconds rate
------------------------------------------------------------------------
Item                                  pps                            bps
------------------------------------------------------------------------
Pass                                    0                              0
Drop                                    0                              0
------------------------------------------------------------------------
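When a FlowSpec rule has been pushed to mitigate an attack, the Matched, Pass and Drop counters above are what confirm it is actually taking effect. The following added Python example, which is not part of the Huawei guide, parses this display flowspec statistics output layout into counters and 30-second rates; the sample output it embeds is constructed, with shortened dash rulers.

```python
# Added example (not from the Huawei guide): parses "display flowspec statistics"
# output so the effect of a FlowSpec rule can be checked by a script, not by eye.
import re

ROW = re.compile(r"^(Matched|Pass|Drop)\s+(\d+)\s+(\d+)$")


def parse_flowspec_statistics(text: str) -> dict:
    """Return {"reindex": int, "counters": {item: (packets, bytes)},
    "rates": {item: (pps, bps)}}. A row belongs to the counters or the rates
    table depending on the most recent 'Item ...' header seen above it."""
    stats = {"reindex": None, "counters": {}, "rates": {}}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ReIndex:"):
            stats["reindex"] = int(line.split(":", 1)[1])
        elif line.startswith("Item"):
            table = "rates" if "pps" in line else "counters"
        else:
            m = ROW.match(line)
            if m and table:
                stats[table][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def rule_effective(stats: dict) -> bool:
    """True when the rule has matched traffic; Pass/Drop then show what the action did."""
    return stats["counters"].get("Matched", (0, 0))[0] > 0


# Constructed sample in the guide's output layout (dash rulers shortened), for a
# rule that is dropping everything it matches.
SAMPLE = """\
ReIndex: 7
Rule number: 1
--------------------------------------------------
Item                              Packets                          Bytes
Matched                             12040                        7705600
Last 30 seconds rate
Item                                  pps                            bps
Matched                               400                         204800
--------------------------------------------------
Item                              Packets                          Bytes
Pass                                    0                              0
Drop                                12040                        7705600
Last 30 seconds rate
Item                                  pps                            bps
Pass                                    0                              0
Drop                                  400                         204800
"""
```

A rule whose Matched counter stays at zero, like the one in the output above, is either not being hit or not installed on the interface that actually carries the traffic.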
Updated: 2019-01-02

Document ID: EDOC1100055397