NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Dynamic BGP IPv6 Flow Specification

Dynamic BGP IPv6 Flow Specification uses a traffic analysis server to generate BGP IPv6 Flow Specification routes to control traffic.

Usage Scenario

Before deploying dynamic BGP IPv6 Flow Specification, you need to establish a BGP IPv6 Flow Specification peer relationship between the traffic analysis server and each ingress of the network to transmit BGP IPv6 Flow Specification routes.

In an AS with multiple ingresses, a BGP IPv6 Flow route reflector (Flow RR) can be deployed to reduce the number of BGP IPv6 Flow Specification peer relationships and save CPU resources.

If traffic needs to be filtered based on an address prefix but the BGP IPv6 Flow Specification route carrying the filtering rule fails authentication, you can disable authentication of BGP IPv6 Flow Specification routes received from the specified peer. Flow routes from that peer are then accepted without this check, so limit the setting to the peers that need it.

Pre-configuration Tasks

Before configuring the dynamic BGP IPv6 Flow Specification function, complete the following task:

  • Configuring a BGP4+ Peer or Configuring a BGP Peer

Procedure

  1. Establish a BGP IPv6 Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } enable

      A BGP IPv6 Flow Specification peer relationship is established.

      After a BGP IPv6 Flow Specification peer relationship is established in the BGP-Flow-IPv6 address family view, the BGP IPv6 Flow Specification routes created on the traffic analysis server are automatically imported into the BGP routing table and sent to the BGP IPv6 Flow Specification peer.

    5. Run commit

      The configuration is committed.

  2. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP IPv6 Flow Specification peer relationship between the Flow RR and traffic analysis server and between the Flow RR and every network ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } reflect-client

      An IPv6 Flow RR and its clients are configured.

      The router on which the peer reflect-client command is configured functions as the Flow RR, and the network ingresses and traffic analysis server are configured as the clients.

    5. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      If the clients of an RR have established full-mesh connections with each other, you can run the undo reflect between-clients command to disable route reflection among these clients through the RR to reduce the link cost.

    6. (Optional) Run reflector cluster-id cluster-id

      A cluster ID is configured for the RR.

      If a cluster has multiple RRs, you can use this command to set the same cluster ID for these RRs to prevent routing loops.

      NOTE:

      The reflector cluster-id command applies only to RRs.

    7. Run commit

      The configuration is committed.

  3. (Optional) Disable BGP IPv6 Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } validation-disable

      The authentication of BGP IPv6 Flow Specification routes received from a specified peer is disabled.

    5. Run commit

      The configuration is committed.

  4. (Optional) Enable the CAR statistics and packet loss statistics function for BGP flow specification.
    1. Run flowspec statistic enable

      The CAR statistics and packet loss statistics function is enabled for BGP flow specification.

    2. Run commit

      The configuration is committed.

  5. (Optional) Disable BGP Flow Specification on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      NOTE:

      This command can be configured only on the main interface and cannot be configured on sub-interfaces or Eth-Trunk member interfaces. When the command is configured on a main interface, the command configuration also takes effect on its sub-interfaces.

    4. Run commit

      The configuration is committed.
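
An added example (not part of the Huawei guide): a Python audit that scans a saved configuration for the two optional settings in this procedure that switch off a check or enforcement, `peer ... validation-disable` in the BGP-Flow-IPv6 address family (step 3) and `flowspec disable` on an interface (step 5). The configuration layout (one space of indentation per nested view, `#` separator lines), the addresses and the interface names in the sample are constructed assumptions.

```python
import re

# Constructed sample; layout, addresses and interface names are assumptions.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/1/0
 ipv6 enable
 flowspec disable ipv6
#
interface GigabitEthernet0/1/1
 ipv6 enable
#
bgp 200
 peer 2001:db8::1 as-number 200
 peer 2001:db8::2 as-number 200
 #
 ipv6-family flow
  peer 2001:db8::1 enable
  peer 2001:db8::1 validation-disable
  peer 2001:db8::2 enable
  peer 2001:db8::2 reflect-client
#
"""

def audit_flowspec(config):
    """List peers with flow-route authentication off and interfaces with flowspec off."""
    findings = {"validation_disabled": [], "flowspec_disabled": []}
    top, in_flow6 = "", False          # current top-level view / inside ipv6-family flow
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":    # separators carry no settings
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                # a new top-level view starts
            top, in_flow6 = line, False
        elif indent == 1 and top.startswith("bgp "):
            in_flow6 = (line == "ipv6-family flow")
        elif indent == 1 and top.startswith("interface "):
            m = re.fullmatch(r"flowspec disable(?: (ipv4|ipv6))?", line)
            if m:                      # no keyword given: record as unspecified
                findings["flowspec_disabled"].append(
                    (top.split()[1], m.group(1) or "unspecified"))
        elif in_flow6:                 # lines nested under ipv6-family flow
            m = re.fullmatch(r"peer (\S+) validation-disable", line)
            if m:
                findings["validation_disabled"].append(m.group(1))
    return findings
```

Each peer and interface it reports should correspond to a documented exception.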

Checking the Configurations

After configuring the dynamic BGP IPv6 Flow Specification function, check the configurations.

  • Run the display bgp flow ipv6 peer command to check information about BGP IPv6 Flow Specification peers.

  • Run the display bgp flow ipv6 routing-table command to check information about BGP IPv6 Flow Specification routes.

  • Run the display bgp flow ipv6 routing-table statistics command to check statistics about BGP IPv6 Flow Specification routes.

# Run the display bgp flow ipv6 peer command. The command output shows whether the BGP IPv6 Flow Specification peer relationships are successfully established. For example:

<HUAWEI> display bgp flow ipv6 peer
 BGP local router ID : 1.1.1.2
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 1
  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  19::1           4         200        5        5     0 00:00:00 Established    1
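
An added example (not part of the Huawei guide): a Python check that parses the `display bgp flow ipv6 peer` output shown above, reports any peer whose session is not Established, and cross-checks the parsed rows against the summary counts so that truncated output is noticed. The sample is the output from this page; the function name and the problem messages are this example's own.

```python
import re

# Output copied from the example on this page.
SAMPLE_OUTPUT = """\
 BGP local router ID : 1.1.1.2
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 1
  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  19::1           4         200        5        5     0 00:00:00 Established    1
"""

def check_flow_peers(output):
    """Parse 'display bgp flow ipv6 peer' output; return (peers, problems)."""
    lines = output.splitlines()
    counts = re.search(r"Total number of peers\s*:\s*(\d+)\s+"
                       r"Peers in established state\s*:\s*(\d+)", output)
    start = next((i for i, l in enumerate(lines)
                  if l.split()[:2] == ["Peer", "V"]), None)
    if counts is None or start is None:
        return [], ["unrecognised output, cannot verify peers"]
    peers = []
    for l in lines[start + 1:]:
        f = l.split()
        if len(f) < 9 or not f[-1].isdigit():
            continue  # blank or wrapped line
        # Columns: Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv.
        # The state is taken from the middle in case it contains a space.
        peers.append({"peer": f[0], "as": f[2],
                      "state": " ".join(f[7:-1]), "pref_rcv": int(f[-1])})
    problems = [f"{p['peer']} is {p['state']}, flow routes are not exchanged"
                for p in peers if p["state"] != "Established"]
    total, established = int(counts.group(1)), int(counts.group(2))
    up = sum(p["state"] == "Established" for p in peers)
    if len(peers) != total or up != established:
        problems.append(f"parsed {len(peers)} peers ({up} established), "
                        f"header says {total} ({established} established)")
    return peers, problems
```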

# Run the display bgp flow ipv6 routing-table command. The command output shows the BGP IPv6 Flow Specification route information and cluster information of the RR. For example:

<HUAWEI> display bgp flow ipv6 routing-table 66
BGP Local router ID is 10.1.2.1
 Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 RPKI validation codes: V - valid, I - invalid, N - not-found

 Total Number of Routes: 1
 *    ReIndex : 66
      Dissemination Rules:
       Protocol       : eq 8
       Dest. Port     : lt 65535
       Src. Port      : gt 65535
       ICMP Type      : lt 254
       ICMP Code      : gt 200
       MED      : 0                   PrefVal  : 0                   
       LocalPref: 100                       
       Path/Ogn : 200 300 100i

# Run the display bgp flow ipv6 routing-table peer { ipv4-address | ipv6-address } received-routes statistics command on a network ingress. The command output shows statistics about BGP IPv6 Flow Specification routes received from the specified peer. For example:

<HUAWEI> display bgp flow ipv6 routing-table peer 1.1.1.1 received-routes statistics
Received active routes total: 4
Updated: 2019-01-02

Document ID: EDOC1100055397
