NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Static BGP IPv6 VPN Flow Specification

In static BGP IPv6 VPN Flow Specification, BGP IPv6 VPN Flow Specification routes are generated manually to control traffic in IPv6 VPNs.

Usage Scenario

When static BGP IPv6 VPN Flow Specification is deployed, a BGP IPv6 VPN Flow Specification route is generated manually on one device, and a BGP IPv6 VPN Flow Specification peer relationship is established between that device and each ingress in the network so that the BGP IPv6 VPN Flow Specification routes can be transmitted.

In an AS with multiple ingresses, a BGP IPv6 VPN Flow route reflector (Flow RR) can be deployed to reduce the number of BGP IPv6 VPN Flow Specification peer relationships and save CPU resources.

If traffic must be filtered based on an address prefix but the BGP IPv6 VPN Flow Specification route carrying that filtering rule fails authentication, disable authentication of BGP IPv6 VPN Flow Specification routes received from the specified peer.

Pre-configuration Tasks

Before configuring static BGP IPv6 VPN Flow Specification, configure a VPN instance and bind interfaces to a VPN instance.

Procedure

  1. Generate a BGP IPv6 VPN Flow Specification route manually.
    1. Run system-view

      The system view is displayed.

    2. Run flow-route flowroute-name ipv6 vpn-instance vpn-instance-name

      A static BGP IPv6 VPN Flow Specification route is created, and the Flow-Route IPv6 VPN instance view is displayed.

      One BGP IPv6 VPN Flow Specification route can include multiple if-match and apply clauses. The if-match clauses define filtering rules, and the apply clauses specify actions. The relationships between if-match clauses and between apply clauses are as follows:
      • The relationship between if-match clauses of different types is "AND".

      • If you configure the same if-match clause multiple times, the latest configuration overrides the previous ones.

      • The relationship between apply clauses is "AND".

      All traffic that matches the if-match filtering rules is processed using the actions specified by the apply clauses.

    3. Based on the characteristics of the traffic to be controlled, choose one or multiple if-match clauses as the filtering rule.

      • To configure a filtering rule based on the destination address, run the if-match destination ipv6-address { mask | mask-length } command.

        NOTE:

        If the BGP IPv6 VPN Flow Specification route carrying a filtering rule specified by the if-match destination command fails to be authenticated by the remote BGP IPv6 VPN Flow Specification peer, run the peer validation-disable command to cancel the authentication.

        By default, 0.0.0.0/0 is used as the prefix of each BGP IPv6 VPN Flow Specification route that matches the export or import policy of a peer. To enable a device to change the prefix of each BGP IPv6 VPN Flow Specification route that matches the export or import policy of a peer to the destination IP address specified in the if-match destination command, run the route match-destination command.

      • To configure a filtering rule based on the source address, run the if-match source ipv6-address { mask | mask-length } command.

      • To configure a filtering rule based on the port number, run the if-match port operator port command.

      • To configure a filtering rule based on the source port number, run the if-match source-port operator port command.

      • To configure a filtering rule based on the destination port number, run the if-match destination-port operator port command.

        NOTE:

        The if-match port command is mutually exclusive with the if-match destination-port and if-match source-port commands.

      • To configure a filtering rule based on the protocol that bears the traffic, run the if-match protocol operator protocol command.

      • To configure a filtering rule based on the service type, run the if-match dscp operator dscp command.

      • To configure a filtering rule based on the TCP flag, run the if-match tcp-flags { match | not } tcp-flags command.

        Network attackers may send a large number of invalid TCP packets to attack network devices. To control invalid TCP packets and ensure communication security, configure a filtering rule based on the TCP flag for the BGP IPv6 VPN Flow Specification route using the if-match tcp-flags command. Traffic matching the TCP flag is filtered or controlled using the actions specified in the apply clauses.

      • To configure a filtering rule based on the fragment type, run the if-match fragment-type { match | not } fragment-type-name command.

      • To configure a filtering rule based on the code of an ICMP packet, run the if-match icmp-code operator icmp-code command.

      • To configure a filtering rule based on the type of an ICMP packet, run the if-match icmp-type { greater-than | less-than | equal } icmp-type command.

      • To configure a filtering rule based on the packet-length, run the if-match packet-length { greater-than | less-than | equal } packet-length-value command.

    4. Run the following command as required to configure actions for apply clauses:

      • To discard the traffic, run the apply deny command.

      • To redirect the traffic, run the apply redirect { vpn-target vpn-target-import } command.

      • To redefine the service type, run the apply remark-dscp command.

      • To limit the traffic rate, run the apply traffic-rate command.

      • To implement sampling for the matching traffic, run the apply traffic-action sample command.

        After the apply traffic-action sample command is configured in a BGP IPv6 VPN Flow Specification route, matching packets are sampled. The sampled packets are then inspected to identify and filter out abnormal packets. This protects devices against attacks and enhances network security.

      NOTE:

      The apply deny and apply traffic-rate commands are mutually exclusive.

      If the configured BGP IPv6 VPN Flow Specification route attribute does not need to take effect locally, run the routing-table rib-only [ route-policy route-policy-name | route-filter route-filter-name ] command to disable the device from delivering the BGP IPv6 VPN Flow Specification route to the FES forwarding table.

    5. Run commit

      The configuration is committed.

  2. Establish a BGP IPv6 VPN Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run vpn-instance vpn-instance-name

      A BGP-VPN instance is created, and its view is displayed.

    4. Run peer { ipv4-address | ipv6-address } as-number as-number

      An IP address and AS number are specified for the peer.

    5. Run quit

      Return to the previous view.

    6. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family is enabled, and its view is displayed.

    7. Run peer { ipv4-address | ipv6-address } enable

      A BGP IPv6 VPN Flow Specification peer is specified.

      After the BGP IPv6 VPN Flow Specification peer relationship is established in the BGP-Flow VPN instance IPv6 address family view, the manually generated BGP IPv6 VPN Flow Specification route is imported to the BGP routing table and then sent to each peer.

    8. Run commit

      The configuration is committed.

  3. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP IPv6 VPN Flow Specification peer relationship between the Flow RR and the device that generates the BGP IPv6 VPN Flow Specification route, and between the Flow RR and every ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } reflect-client

      A Flow RR and its client are configured.

      The router on which the peer reflect-client command is run functions as the Flow RR, and its peers function as clients.

    5. (Optional) Run undo reflect between-clients

      Route reflection is disabled between clients through the RR.

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR have established full-mesh connections with each other, run the undo reflect between-clients command to disable route reflection between these clients through the RR. This can reduce the link cost.

    6. (Optional) Run reflector cluster-id cluster-id

      A cluster ID is configured for the Flow RR.

      If there are multiple Flow RRs in a cluster, use this command to set the same cluster ID for these Flow RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  4. (Optional) Add the AS_Path attribute as a check item to BGP IPv6 VPN Flow Specification route verification rules.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family view is displayed.

    4. Run route validation-mode include-as

      The AS_Path attribute is added as a check item to BGP IPv6 VPN Flow Specification route verification rules.

      BGP Flow Specification routes are verified as follows:
      • Mode 1: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route according to Figure 11-6. The route is considered valid only if the verification succeeds.
      • Mode 2: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route by checking whether the AS_Path attribute of the route carries the AS_Set or AS_Sequence field. The route is considered valid only if its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
      If the route validation-mode include-as command is run on a device, the device first uses mode 2 to verify BGP Flow Specification routes.
      • If the verification using mode 2 succeeds, the BGP Flow Specification route is considered valid, and the device no longer verifies the routes using mode 1.
      • If the verification using mode 2 fails, the device verifies the routes using mode 1.
      If the route validation-mode include-as command is not run on a device, the device uses mode 1 to verify BGP Flow Specification routes.
      Figure 11-6 BGP Flow Specification route verification rules

    5. Run commit

      The configuration is committed.

  5. (Optional) Disable BGP IPv6 VPN Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } validation-disable

      The device is disabled from authenticating BGP IPv6 VPN Flow Specification routes received from a specified peer.

    5. Run commit

      The configuration is committed.
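The procedure above assembled into one configuration for two devices, as an added example that is not taken from this guide. The AS number 200, VPN instance vpna and peer address 2001:DB8:1::1 are taken from the command output on this page; the route name, the generating device's address 2001:DB8:1::2, the protected host prefix, the protocol and port values and the rate value are constructed, and the lines beginning with # are commentary, not commands.

```text
# Device A (2001:DB8:1::2): generates the static BGP IPv6 VPN Flow Specification route.
system-view
 flow-route fs-limit-dns ipv6 vpn-instance vpna
  # if-match clauses of different types are ANDed: destination AND protocol AND port.
  if-match destination 2001:DB8:100::1 128
  if-match protocol equal 17
  # if-match destination-port must not be combined with if-match port.
  if-match destination-port equal 53
  # apply traffic-rate and apply deny are mutually exclusive; the rate value is assumed.
  apply traffic-rate 1000
  quit
 bgp 200
  vpn-instance vpna
   peer 2001:DB8:1::1 as-number 200
   quit
  ipv6-flow vpn-instance vpna
   # Once the peer is enabled here, the manual route enters the BGP table and is sent to the peer.
   peer 2001:DB8:1::1 enable
   commit
   quit
  quit

# Device B (network ingress, 2001:DB8:1::1): receives and installs the route.
system-view
 bgp 200
  vpn-instance vpna
   peer 2001:DB8:1::2 as-number 200
   quit
  ipv6-flow vpn-instance vpna
   peer 2001:DB8:1::2 enable
   # Mode 2 (AS_Path check) is tried first, mode 1 only if mode 2 fails.
   route validation-mode include-as
   # Only if the destination-prefix route from Device A cannot be authenticated:
   # peer 2001:DB8:1::2 validation-disable
   commit
   quit
  quit
```

On Device B, display bgp flow vpnv6 vpn-instance vpna routing-table peer 2001:DB8:1::2 received-routes active statistics should then report the received route once the peer relationship reaches the Established state.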

Checking the Configurations

When the preceding configuration is complete, you can run the following commands to verify the configurations.

  • Run the display bgp flow vpnv6 vpn-instance vpn-instance-name peer [ [ ipv4-address | ipv6-address ] verbose ] command to check information about BGP IPv6 VPN Flow Specification peers.

  • Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-table command to check information about BGP IPv6 VPN Flow Specification routes.

  • Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-table [ peer { ipv4-address | ipv6-address } { advertised-routes | received-routes [ active ] } ] statistics command to check statistics about BGP IPv6 VPN Flow Specification routes.

# Run the display bgp flow vpnv6 vpn-instance vpn-instance-name peer [ [ ipv4-address | ipv6-address ] verbose ] command. The command output shows that BGP IPv6 VPN Flow Specification peer relationships are established.

<HUAWEI> display bgp flow vpnv6 vpn-instance vpna peer
 
 BGP local router ID : 0.0.0.0
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 0

  VPN-Instance vpna, Router ID 0.0.0.0:
  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  2001:DB8:1::1   4         200        0        0     0 00:06:15        Idle        0

# Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-table command. The command output shows information about BGP IPv6 VPN Flow Specification routes.

<HUAWEI> display bgp flow vpnv6 vpn-instance vpna routing-table
 
 BGP Local router ID is 0.0.0.0
 Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 RPKI validation codes: V - valid, I - invalid, N - not-found

    
 VPN-Instance vpna, Router ID 0.0.0.0:

 Total Number of Routes: 1
 * >  ReIndex : 1
      Dissemination Rules:
       Src. Port      : eq 159
       MED      : 0                   PrefVal  : 0                   
       LocalPref:                           
       Path/Ogn :  i

# Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-table [ peer { ipv4-address | ipv6-address } { advertised-routes | received-routes [ active ] } ] statistics command on the network ingress. The command output shows statistics about the BGP IPv6 VPN Flow Specification routes received from the specified BGP IPv6 VPN Flow Specification peer.

<HUAWEI> display bgp flow vpnv6 vpn-instance vpna routing-table peer 2001:db8:1::2 received-routes active statistics
 Received active routes total: 0
Updated: 2019-01-02

Document ID: EDOC1100055397
