NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Example for Configuring dynamic BGP Flow Specification with a BGP Flow RR

Flow Specification with a Flow RR avoids setup of unnecessary BGP Flow Specification peer relationships.

Networking Requirements

BGP Flow Specification is used to guard against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. Usually, the characteristics of attack traffic are not known in advance, so dynamic BGP Flow Specification needs to be deployed. In an AS with multiple ingresses, a Flow route reflector (Flow RR) can be configured to avoid unnecessary full-mesh connections between the ingresses and the traffic analysis server. The ingresses and the traffic analysis server function as clients, and the Flow RR reflects the BGP Flow Specification routes generated by the traffic analysis server to the ingresses.

As shown in Figure 11-9, AS 100 communicates with other ASs through Device A and Device B. When DoS or DDoS attack traffic enters AS 100 through Device A and Device B, AS 100 becomes congested, so BGP Flow Specification needs to be deployed. This example uses dynamic BGP Flow Specification. A BGP Flow RR is also deployed to reduce the number of BGP Flow Specification peer relationships maintained on the traffic analysis server and to save its CPU resources. Configure a Flow RR in AS 100 to reflect the BGP Flow Specification routes generated by the traffic analysis server to Device A and Device B so that attack traffic can be controlled at the ingresses.

Figure 11-9 Configuring BGP Flow Specification with a Flow RR
NOTE:

Interfaces 1 through 3 in this example are GE 0/1/0, GE 0/2/0, GE 0/3/0, respectively.



Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Connect Flow RR to Device A, Device B, and Server using OSPF.

  2. Establish BGP Flow Specification peer relationships between Flow RR and Device A, Flow RR and Device B, and Flow RR and Server.

    NOTE:

    A traffic analysis server is a third-party device, and it must function as a BGP Flow Specification peer.

  3. Configure the device named Flow RR as a route reflector and configure Device A, Device B, and Server as its clients, so that Flow RR reflects the BGP Flow Specification routes generated by Server to Device A and Device B.

Data Preparation

To complete the configuration, you need the following data:
  • Router ID of Device A (1.1.1.1), router ID of Device B (2.2.2.2), and router ID of Flow RR (3.3.3.3)

  • AS numbers of Device A, Device B, Flow RR, and Server: 100

  • ID of the cluster to which Flow RR belongs: 1

Procedure

  1. Configure an IP address for each interface.

    For detailed configurations, see the configuration files in this example.

  2. Configure OSPF.

    For detailed configurations, see the configuration files in this example.

  3. Configure BGP Flow Specification peer relationships.

    # Configure Device A.

    [~DeviceA] bgp 100
    [*DeviceA-bgp] router-id 1.1.1.1
    [*DeviceA-bgp] peer 3.3.3.3 as-number 100
    [*DeviceA-bgp] peer 3.3.3.3 connect-interface LoopBack1
    [*DeviceA-bgp] ipv4-family flow
    [*DeviceA-bgp-af-ipv4-flow] peer 3.3.3.3 enable
    [*DeviceA-bgp-af-ipv4-flow] commit
    [~DeviceA-bgp-af-ipv4-flow] quit
    [~DeviceA-bgp] quit

    # Configure Device B.

    [~DeviceB] bgp 100
    [*DeviceB-bgp] router-id 2.2.2.2
    [*DeviceB-bgp] peer 3.3.3.3 as-number 100
    [*DeviceB-bgp] peer 3.3.3.3 connect-interface LoopBack1
    [*DeviceB-bgp] ipv4-family flow
    [*DeviceB-bgp-af-ipv4-flow] peer 3.3.3.3 enable
    [*DeviceB-bgp-af-ipv4-flow] commit
    [~DeviceB-bgp-af-ipv4-flow] quit
    [~DeviceB-bgp] quit

    # Configure Flow RR.

    [Flow RR] bgp 100
    [Flow RR-bgp] router-id 3.3.3.3
    [Flow RR-bgp] peer 1.1.1.1 as-number 100
    [Flow RR-bgp] peer 1.1.1.1 connect-interface LoopBack1
    [Flow RR-bgp] peer 2.2.2.2 as-number 100
    [Flow RR-bgp] peer 2.2.2.2 connect-interface LoopBack1
    [Flow RR-bgp] peer 20.1.1.2 as-number 100
    [Flow RR-bgp] ipv4-family flow
    [Flow RR-bgp-af-ipv4-flow] peer 1.1.1.1 enable
    [Flow RR-bgp-af-ipv4-flow] peer 2.2.2.2 enable
    [Flow RR-bgp-af-ipv4-flow] peer 20.1.1.2 enable
    [Flow RR-bgp-af-ipv4-flow] peer 20.1.1.2 validation-disable
    [Flow RR-bgp-af-ipv4-flow] commit
    [Flow RR-bgp-af-ipv4-flow] quit
    [Flow RR-bgp] quit

  4. Configure a Flow RR.

    # Configure Flow RR.

    [Flow RR] bgp 100
    [Flow RR-bgp] ipv4-family flow
    [Flow RR-bgp-af-ipv4-flow] reflector cluster-id 1
    [Flow RR-bgp-af-ipv4-flow] peer 1.1.1.1 reflect-client
    [Flow RR-bgp-af-ipv4-flow] peer 2.2.2.2 reflect-client
    [Flow RR-bgp-af-ipv4-flow] peer 20.1.1.2 reflect-client
    [Flow RR-bgp-af-ipv4-flow] commit
    [Flow RR-bgp-af-ipv4-flow] quit
    [Flow RR-bgp] quit

  5. Verify the configuration.

    # Check BGP Flow Specification routes received by Device A.

    <DeviceA> display bgp flow routing-table
     BGP Local router ID is 1.1.1.1
     Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
     RPKI validation codes: V - valid, I - invalid, N - not-found
    
     Total Number of Routes: 1
    
     * >  ReIndex : 33
          Dissemination Rules:
           Port           : eq 100
           FragmentType   : match non-fragment
    
           MED      : 0                   PrefVal  : 0
           LocalPref: 100
           Path/Ogn :  i

    # Check the traffic policy in each BGP Flow Specification route based on the ReIndex shown in the preceding output.

    <DeviceA> display bgp flow routing-table 33
     BGP local router ID : 1.1.1.1
     Local AS number : 100
     ReIndex : 33
     Order   : 2147483647
     Dissemination Rules :
       Port           : eq 100
       FragmentType   : match non-fragment
    
     BGP flow-ipv4 routing table entry information of 33:
     Match action :
       apply traffic-rate 9600
     From: 3.3.3.3 (3.3.3.3)
     Route Duration: 0d00h16m31s
     AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
     Originator: 20.1.1.2
     Cluster list: 0.0.0.1
     Not advertised to any peer yet

    The command output shows that Device A has learned, from Flow RR, a route that was originated by Server: the From field is the Flow RR (3.3.3.3), the Originator is Server (20.1.1.2), and the Cluster list carries the Flow RR cluster ID (0.0.0.1). The route is marked valid and best, so the traffic-rate action is applied to traffic matching the dissemination rules.
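    The following parser is an added example, not part of the Huawei guide: it reads the per-ReIndex output shown above for Device A and checks the attributes that prove the route was reflected by Flow RR and originated by Server. The sample output is constructed from this example's values, and the checker assumes the field names exactly as printed by `display bgp flow routing-table 33`.

```python
# Constructed sample: the key lines of "display bgp flow routing-table 33" on Device A.
SAMPLE = """\
 Dissemination Rules :
   Port           : eq 100
   FragmentType   : match non-fragment

 Match action :
   apply traffic-rate 9600
 From: 3.3.3.3 (3.3.3.3)
 AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
 Originator: 20.1.1.2
 Cluster list: 0.0.0.1
"""


def parse_flow_route(text):
    """Extract match rules, actions and reflection attributes from the CLI output."""
    route = {"rules": {}, "actions": [], "flags": [], "cluster_list": []}
    in_rules = False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Dissemination Rules"):
            in_rules = True
        elif not s:
            in_rules = False  # a blank line ends the rules block
        elif in_rules and ":" in s:
            key, val = (p.strip() for p in s.split(":", 1))
            route["rules"][key] = val
        elif s.startswith("apply "):
            route["actions"].append(s)  # traffic policy carried by the route
        elif s.startswith("From:"):
            route["from"] = s.split()[1]  # peer the route was learned from
        elif s.startswith("Originator:"):
            route["originator"] = s.split(":", 1)[1].strip()
        elif s.startswith("Cluster list:"):
            route["cluster_list"] = s.split(":", 1)[1].split()
        elif s.startswith("AS-path"):
            route["flags"] = [f.strip() for f in s.split(",")]
    return route


def check_reflection(route, rr_id, server_ip, cluster_id):
    """Return the problems found; an empty list means the route arrived as this example expects."""
    dotted = ".".join(str((cluster_id >> n) & 0xFF) for n in (24, 16, 8, 0))  # 1 -> 0.0.0.1
    problems = []
    if route.get("from") != rr_id:
        problems.append(f"learned from {route.get('from')}, expected Flow RR {rr_id}")
    if route.get("originator") != server_ip:
        problems.append(f"originator {route.get('originator')} is not Server {server_ip}")
    if dotted not in route["cluster_list"]:
        problems.append(f"cluster list {route['cluster_list']} lacks cluster ID {dotted}")
    for flag in ("valid", "best"):
        if flag not in route["flags"]:
            problems.append(f"route is not {flag}; its traffic policy will not take effect")
    if not route["actions"]:
        problems.append("no match action: the route carries no traffic policy")
    return problems
```

    Run `check_reflection(parse_flow_route(SAMPLE), "3.3.3.3", "20.1.1.2", 1)` after pasting the real output into `SAMPLE`; any non-empty result points at a peer, client or cluster-id setting that does not match the roadmap.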

Configuration Files

  • Device A configuration file

    #
    sysname DeviceA
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 30.1.1.2 255.255.255.0
    #
    interface LoopBack1
     ip address 1.1.1.1 255.255.255.255
    #
    bgp 100
     router-id 1.1.1.1
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.3 enable
     #
     ipv4-family flow
      peer 3.3.3.3 enable
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.1 0.0.0.0
      network 30.1.1.0 0.0.0.255
    #
    return
  • Device B configuration file

    #
    sysname DeviceB
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.1.1.2 255.255.255.0
    #
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    bgp 100
     router-id 2.2.2.2
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.3 enable
     #
     ipv4-family flow
      peer 3.3.3.3 enable
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 10.1.1.0 0.0.0.255
    #
    return
  • Configuration file of Flow RR

    #
    sysname Flow RR
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 30.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 20.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/3/0
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
    #
    bgp 100
     router-id 3.3.3.3
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack1
     peer 20.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
      peer 2.2.2.2 enable
      peer 20.1.1.2 enable
     #
     ipv4-family flow
      reflector cluster-id 1
      peer 1.1.1.1 enable
      peer 1.1.1.1 reflect-client
      peer 2.2.2.2 enable
      peer 2.2.2.2 reflect-client
      peer 20.1.1.2 enable
      peer 20.1.1.2 reflect-client
      peer 20.1.1.2 validation-disable
    #
    ospf 1
     area 0.0.0.0
      network 3.3.3.3 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 20.1.1.0 0.0.0.255
      network 30.1.1.0 0.0.0.255
    #
    return
Updated: 2019-01-02

Document ID: EDOC1100055397
