NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Static BGP VPNv6 Flow Specification

Static BGP VPNv6 Flow Specification allows BGP VPNv6 Flow Specification routes to be transmitted and traffic filtering policies to be generated. The policies improve security of devices in VPNs.

Usage Scenario

To deploy static BGP VPNv6 Flow Specification, create a BGP VPN IPv6 Flow Specification route first, and then establish a BGP VPNv6 Flow Specification peer relationship between the device on which the BGP VPN IPv6 Flow Specification route is created and the network ingress to transmit the BGP VPNv6 Flow Specification route.

In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be deployed to reduce the number of BGP VPNv6 Flow Specification peer relationships and save CPU resources.

If you want to filter traffic based on an address prefix and the BGP VPNv6 Flow Specification route carrying the filtering rule fails to be authenticated, disable the authentication of the BGP VPNv6 Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring static BGP VPNv6 Flow Specification, configure a VPN instance and bind an interface to the VPN instance.

Procedure

  1. Create a BGP VPN IPv6 Flow Specification route.
    1. Run system-view

      The system view is displayed.

    2. Run flow-route flowroute-name ipv6 vpn-instance vpn-instance-name

      A BGP VPN IPv6 Flow Specification route is created, and the Flow-Route IPv6 VPN instance view is displayed.

      A BGP VPN IPv6 Flow Specification route can contain multiple if-match and apply clauses. If-match clauses define traffic filtering rules, and apply clauses define traffic behaviors. The relationship between clauses is as follows:
      • The relationship among if-match clauses of different types is "AND."

      • If multiple if-match clauses of the same type are configured, the last configuration overrides the previous one.

      • The relationship among the traffic behaviors defined by apply clauses is "AND."

      The traffic behaviors defined by apply clauses apply to all traffic matching the filtering rules of if-match clauses.

    3. Configure one or more if-match clauses to define traffic filtering rules based on the characteristics of the traffic to be controlled. Detailed configurations are as follows:

      • To set a traffic filtering rule that is based on a destination IPv6 address, run the if-match destination ipv6-address ipv6-mask-length command.

        NOTE:

        If you want to control the traffic destined for a specified IPv6 address and the BGP VPN IPv6 Flow Specification route carrying the filtering rule configured using the if-match destination command fails to be authenticated, run the peer validation-disable command to disable the authentication of BGP VPN IPv6 Flow Specification routes.

        By default, 0.0.0.0/0 is used as the prefix in the peer import or export policy against which BGP VPN IPv6 Flow Specification routes are matched. To use a peer import or export policy to match BGP VPN IPv6 Flow Specification routes against the destination IPv6 address specified in the if-match destination command, run the route match-destination command.

      • To set a traffic filtering rule that is based on a source IPv6 address, run the if-match source ipv6-address ipv6-mask-length command.

      • To set a traffic filtering rule that is based on a port number, run the if-match port operator port command.

      • To set a traffic filtering rule that is based on a source port number, run the if-match source-port operator port command.

      • To set a traffic filtering rule that is based on a destination port number, run the if-match destination-port operator port command.

        NOTE:

        The if-match port command is mutually exclusive with the if-match destination-port or if-match source-port command.

      • To set a traffic filtering rule that is based on the protocol used to carry traffic, run the if-match protocol operator protocol command.

      • To set a traffic filtering rule that is based on a service type, run the if-match dscp operator dscp command.

      • To set a traffic filtering rule that is based on a TCP flag value, run the if-match tcp-flags { match | not } tcp-flags command.

        Network attackers may send a large number of invalid TCP packets to attack network devices. To control the unidirectional traffic of TCP packets for the sake of communication security, you can run the if-match tcp-flags command to match BGP VPN IPv6 Flow Specification routes against a specified TCP flag value. The traffic behavior specified in the apply clause applies to the traffic that matches the TCP flag value.

      • To set a traffic filtering rule that is based on a packet fragmentation type, run the if-match fragment-type { match | not } fragment-type-name command.

      • To set a traffic filtering rule that is based on an ICMP packet code, run the if-match icmp-code operator icmp-code command.

      • To set a traffic filtering rule that is based on an ICMP packet type, run the if-match icmp-type { greater-than | less-than | equal } icmp-type command.

      • To set a traffic filtering rule that is based on the length of the message carrying the BGP VPN IPv6 Flow Specification route, run the if-match packet-length { greater-than | less-than | equal } packet-length-value command.

    4. Configure apply clauses to define traffic behaviors as required. Detailed configurations are as follows:

      • To discard the traffic that matches the specified filtering rules, run the apply deny command.

      • To redirect the attack traffic that matches the specified filtering rules to a traffic cleaning device or black hole, run the apply redirect vpn-target vpn-target-import command.

      • To redefine the service type for the traffic that matches the specified filtering rules, run the apply remark-dscp command.

      • To limit the rate of the traffic that matches the specified filtering rules, run the apply traffic-rate command.

      • To sample the traffic that matches the specified filtering rules, run the apply traffic-action sample command.

        You can run the apply traffic-action sample command for a BGP VPN IPv6 Flow Specification route to sample the traffic that matches the specified filtering rules. Through sampling, abnormal traffic can be identified and filtered out, which protects the attacked device and improves network security.

      NOTE:

      The apply deny and apply traffic-rate commands are mutually exclusive.

      If a configured BGP VPN IPv6 Flow Specification route does not need to take effect locally, you can run the routing-table rib-only [ route-policy route-policy-name | route-filter route-filter-name ] command to prevent it from being delivered to the FES forwarding table.

    5. Run commit

      The configuration is committed.

  2. Establish a BGP VPNv6 Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run vpn-instance vpn-instance-name

      A BGP-VPN instance is created, and its view is displayed.

    4. Run peer { ipv4-address | ipv6-address } as-number as-number

      An IP address and AS number are specified for the peer.

    5. Run quit

      Return to the previous view.

    6. Run ipv6-flow vpnv6

      The BGP-Flow VPNv6 address family is enabled, and its view is displayed.

    7. Run peer { ipv4-address | ipv6-address } enable

      A BGP VPNv6 Flow Specification peer relationship is established.

      After the peer relationship is established in the BGP-Flow VPNv6 address family view, the BGP VPN IPv6 Flow Specification route created on the traffic analysis server is automatically imported to the BGP routing table and sent to the BGP VPNv6 Flow Specification peer.

    8. Run commit

      The configuration is committed.

  3. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP VPNv6 Flow Specification peer relationship between the Flow RR and the device on which the BGP VPN IPv6 Flow Specification route is created, and between the Flow RR and the network ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-flow vpnv6

      The BGP-Flow VPNv6 address family is enabled, and its view is displayed.

    4. Run peer { ipv4-address | ipv6-address } reflect-client

      The device is configured as a flow RR, and the specified peer is configured as a client.

      The router on which the peer reflect-client command is run functions as a flow RR, and the specified peer functions as a client.

    5. (Optional) Run undo reflect between-clients

      Route reflection between clients through the flow RR is disabled.

      By default, route reflection among clients through the RR is enabled.

      If the clients of a flow RR have established full-mesh connections with each other, you can run the undo reflect between-clients command on the flow RR to disable route reflection between clients through the RR to reduce the cost.

    6. (Optional) Run reflector cluster-id cluster-id

      A cluster ID is configured for the flow RR.

      If a cluster has multiple flow RRs, you need to run this command to set the same cluster ID for these RRs.

      The reflector cluster-id command is applicable only to flow RRs.

    7. Run commit

      The configuration is committed.
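The three steps above carried out end to end on constructed values, as an added example that is not part of the original guide. Assumptions: the VPN instance vpn1 (RD 200:1, RT 111:1 as in the output in the next section) already exists and has an interface bound to it as a pre-configuration task; the flow-route name fr1, AS 200, the peer addresses, the cluster ID and the equal operator for if-match source-port are chosen for illustration; the view names in the prompts are illustrative, with * marking uncommitted changes and ~ a committed view.

```text
# --- Device that creates the route (local router ID 10.2.1.2, AS 200) ---
# Step 1: create the BGP VPN IPv6 Flow Specification route
<HUAWEI> system-view
[~HUAWEI] flow-route fr1 ipv6 vpn-instance vpn1
# Filtering rule: source port 159 (if-match source-port excludes if-match port)
[*HUAWEI-flow-route-fr1] if-match source-port equal 159
# Traffic behavior: drop matching traffic (apply deny excludes apply traffic-rate)
[*HUAWEI-flow-route-fr1] apply deny
[*HUAWEI-flow-route-fr1] commit
[~HUAWEI-flow-route-fr1] quit

# Step 2: BGP VPNv6 Flow Specification peer relationship with the network
# ingress 10.2.1.1 (in a Flow RR deployment, the RR is the peer instead)
[~HUAWEI] bgp 200
[*HUAWEI-bgp] vpn-instance vpn1
[*HUAWEI-bgp-vpn1] peer 10.2.1.1 as-number 200
[*HUAWEI-bgp-vpn1] quit
[*HUAWEI-bgp] ipv6-flow vpnv6
# Enabling the peer here also imports fr1 into the BGP routing table and
# advertises it to 10.2.1.1
[*HUAWEI-bgp-af-flow-vpnv6] peer 10.2.1.1 enable
[*HUAWEI-bgp-af-flow-vpnv6] commit
[~HUAWEI-bgp-af-flow-vpnv6] quit
[~HUAWEI-bgp] quit

# --- Step 3 (optional), on a separate Flow RR in AS 200 ---
# Prerequisite: the route-creating device (10.2.1.2) and the ingress
# (10.2.1.1) are already peers of this RR, configured as in step 2.
<HUAWEI> system-view
[~HUAWEI] bgp 200
[*HUAWEI-bgp] ipv6-flow vpnv6
[*HUAWEI-bgp-af-flow-vpnv6] peer 10.2.1.2 reflect-client
[*HUAWEI-bgp-af-flow-vpnv6] peer 10.2.1.1 reflect-client
# Same cluster ID on every flow RR of the cluster; the clients are not
# full-mesh here, so reflection between clients keeps its default (enabled)
[*HUAWEI-bgp-af-flow-vpnv6] reflector cluster-id 1
[*HUAWEI-bgp-af-flow-vpnv6] commit
```

After the commits, display bgp flow vpnv6 all peer should list 10.2.1.1 in the Established state, and display bgp flow vpnv6 all routing-table should show the fr1 entry with apply deny advertised to that peer, as in the outputs in the next section.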

Checking the Configurations

Run the following commands to verify the configuration.

  • Run the display bgp flow vpnv6 all peer [ [ ipv4-address ] verbose ] command to check information about all BGP VPNv6 Flow Specification peers.

  • Run the display bgp flow vpnv6 { all | route-distinguisher route-distinguisher } routing-table [ reindex ] command to check information about all BGP VPNv6 Flow Specification routes or about the BGP VPNv6 Flow Specification routes with a specified RD.

  • Run the display bgp flow vpnv6 { all | route-distinguisher route-distinguisher } routing-table statistics command to check statistics about all BGP VPNv6 Flow Specification routes or about the BGP VPNv6 Flow Specification routes with a specified RD.

# Run the display bgp flow vpnv6 all peer [ [ ipv4-address ] verbose ] command to check whether the BGP VPNv6 Flow Specification peer relationship is established.

<HUAWEI> display bgp flow vpnv6 all peer
 
 BGP local router ID : 10.2.1.2
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.2.1.1        4         200     1042     1051     0 15:07:49 Established        0

# Run the display bgp flow vpnv6 { all | route-distinguisher route-distinguisher } routing-table [ reindex ] command to check information about BGP VPNv6 Flow Specification routes.

<HUAWEI> display bgp flow vpnv6 all routing-table 536870913
 
 BGP local router ID : 10.2.1.2
 Local AS number : 200
 ReIndex : 536870913
 Order   : 0
 Dissemination Rules :
   Src. Port      : eq 159
 
 BGP flow-vpnv6 routing table entry information of 536870913:
 Route Distinguisher: 200:1
 Match action :
   apply deny
 From: 0.0.0.0 (0.0.0.0) 
 Route Duration: 0d00h02m53s
 Ext-Community: RT <111 : 1>
 AS-path Nil, origin igp, MED 0, pref-val 0, valid, local, best, pre 255
 Advertised to such 1 peers:
    10.2.1.1

# Run the display bgp flow vpnv6 { all | route-distinguisher route-distinguisher } routing-table statistics command on the network ingress to check statistics about the BGP VPNv6 Flow Specification routes received from the specified BGP VPNv6 Flow Specification peer.

<HUAWEI> display bgp flow vpnv6 route-distinguisher 200:1 routing-table statistics
 Route Distinguisher: 200:1
 
 Total Number of Routes: 1

Updated: 2019-01-02

Document ID: EDOC1100055397