
NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Static BGP IPv6 Flow Specification

Static BGP IPv6 Flow Specification allows BGP IPv6 Flow Specification routes to be manually created to control traffic.

Usage Scenario

Before deploying static BGP IPv6 Flow Specification, manually create a BGP IPv6 Flow Specification route on one device and establish a BGP IPv6 Flow Specification peer relationship between that device and each ingress on the network, so that the BGP IPv6 Flow Specification routes can be transmitted to the ingresses.

In an AS with multiple ingresses, a BGP IPv6 Flow route reflector (Flow RR) can be deployed to reduce the number of BGP IPv6 Flow Specification peer relationships and save CPU resources.

If you want to filter traffic based on the address prefix but the BGP IPv6 Flow Specification route carrying the filtering rule fails the authentication, disable the authentication of BGP IPv6 Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring the static BGP IPv6 Flow Specification function, complete the following task:

  • Configuring a BGP4+ Peer or Configuring a BGP Peer

Procedure

  1. Generate a BGP IPv6 Flow Specification route manually.
    1. Run system-view

      The system view is displayed.

    2. Run flow-route flowroute-name ipv6

      A static BGP IPv6 Flow Specification route is created, and the Flow-Route-IPv6 view is displayed.

      A BGP IPv6 Flow Specification route can contain multiple if-match and apply clauses. The if-match clauses define filtering rules, and the apply clauses specify actions. The relationships between clauses are as follows:
      • The if-match clauses of different types are in an AND relationship.

      • If if-match clauses of the same type are configured repeatedly, only the latest configuration takes effect.

      • Multiple apply clauses are in an AND relationship.

      The traffic behavior defined in an apply clause must be applied to all traffic matching the if-match clause.

    3. Based on the characteristics of the traffic to be controlled, choose one or more of the following If-match clauses to filter traffic:

      • To filter traffic based on the destination IPv6 address, run the if-match destination ipv6-address ipv6-mask-length command.

        NOTE:

        If traffic must be filtered based on a destination IP address but the BGP IPv6 Flow Specification route carrying the rule defined by the if-match destination command fails the authentication, run the peer validation-disable command to disable the authentication of BGP IPv6 Flow Specification routes received from that peer.

        By default, 0::0/0 is used as the prefix of each BGP IPv6 Flow Specification route that matches the export or import policy of a peer. To enable a device to change the prefix of each BGP FlowSpec route that matches the export or import policy of a peer to the destination IP address specified in the if-match destination command, run the route match-destination command.

      • To filter traffic based on the source IPv6 address, run the if-match source ipv6-address ipv6-mask-length command.

      • To filter traffic based on the port number, run the if-match port operator port command.

      • To filter traffic based on the source port number, run the if-match source-port operator port command.

      • To filter traffic based on the destination port number, run the if-match destination-port operator port command.

        NOTE:

        The if-match port command is mutually exclusive with the if-match destination-port and if-match source-port commands.

      • To filter traffic based on the traffic protocol, run the if-match protocol operator protocol command.

      • To filter traffic based on the service class, run the if-match dscp operator dscp command.

      • To filter traffic based on the TCP flag value, run the if-match tcp-flags { match | not } tcp-flags command.

        Network attackers may send a large number of invalid TCP packets to attack network devices. To control invalid TCP packets to ensure communication security, configure a filtering rule based on the TCP flag for the BGP FlowSpec route using the if-match tcp-flags command. Traffic matching the TCP flag is filtered or controlled using the actions specified in the apply clauses.

      • To filter traffic based on the packet fragment type, run the if-match fragment-type { match | not } fragment-type-name command.

      • To filter traffic based on the ICMP code, run the if-match icmp-code operator icmp-code command.

      • To filter traffic based on the ICMP packet type, run the if-match icmp-type operator icmp-code command.

      • To filter traffic based on the packet length, run the if-match packet-length { greater-than | less-than | equal } packet-length-value command.

      NOTE:

      After the flow-route flowroute-name ipv6 command is configured, the if-match dscp, if-match tcp-flags, if-match fragment-type, and if-match packet-length commands cannot be configured manually in this view; an attempt to do so returns a prompt message. If these commands are delivered dynamically, they are accepted, but they do not take effect.

    4. Run the following command as required to configure actions for apply clauses:

      • To discard the matching traffic, run the apply deny command.

      • To redirect the matching traffic, run the apply redirect vpn-target vpn-target-import command.

      • To re-mark the service class of matching traffic, run the apply remark-dscp command.

      • To implement rate limiting for the matching traffic, run the apply traffic-rate command.

      • To implement sampling for the matching traffic, run the apply traffic-action sample command.

        After the apply traffic-action sample command is configured in a BGP IPv6 Flow Specification route, matching packets are sampled. The sampled packets are then inspected to identify and filter out abnormal packets, which protects devices against attacks and enhances network security.

      NOTE:

      The apply deny and apply traffic-rate commands are mutually exclusive.

      If the configured BGP IPv6 Flow Specification route attribute does not need to take effect locally, run the routing-table rib-only [ route-policy route-policy-name | route-filter route-filter-name ] command to disable the device from delivering the BGP IPv6 Flow Specification route to the FES forwarding table.

    5. Run commit

      The configuration is committed.

  2. Establish a BGP IPv6 Flow Specification peer relationship.

    BGP IPv6 Flow Specification peer relationships must be established between each network ingress and the device on which the BGP IPv6 Flow Specification route is manually created.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } enable

      A BGP IPv6 Flow Specification peer relationship is established.

      After a BGP IPv6 Flow Specification peer relationship is established in the BGP-Flow-IPv6 address family view, the manually created BGP IPv6 Flow Specification routes are automatically imported into the BGP routing table and sent to the BGP IPv6 Flow Specification peer.

    5. Run commit

      The configuration is committed.

  3. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP IPv6 Flow Specification peer relationship between the Flow RR and the device on which the BGP IPv6 Flow Specification route is generated, and between the Flow RR and every network ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } reflect-client

      A Flow RR and its clients are configured.

      The router where the peer reflect-client command is run functions as the RR, and the specified peers function as clients.

    5. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      If the clients of an RR have established full-mesh connections with each other, you can run the undo reflect between-clients command to disable route reflection among these clients through the RR to reduce the link cost.

    6. (Optional) Run reflector cluster-id cluster-id

      A cluster ID is configured for the RR.

      If a cluster has multiple RRs, you can use this command to set the same cluster ID for these RRs to prevent routing loops.

      The reflector cluster-id command applies only to RRs.

    7. Run commit

      The configuration is committed.

  4. (Optional) Disable BGP IPv6 Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer ipv6-address validation-disable

      The authentication of BGP IPv6 Flow Specification routes received from a specified peer is disabled.

    5. Run commit

      The configuration is committed.

  5. (Optional) Enable the CAR statistics and packet loss statistics function for BGP Flow Specification.
    1. Run flowspec statistic enable

      The CAR statistics and packet loss statistics function is enabled for BGP Flow Specification.

    2. Run commit

      The configuration is committed.

  6. (Optional) Disable BGP Flow Specification on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      NOTE:

      This command can be configured only on the main interface and cannot be configured on sub-interfaces or Eth-Trunk member interfaces. When the command is configured on a main interface, the command configuration also takes effect on its sub-interfaces.

    4. Run commit

      The configuration is committed.
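The following is a complete worked configuration for the procedure above, added here as an editorial example; it is not taken from the Huawei guide. It assumes a constructed topology in AS 200: a controller (2001:db8::1) that generates the static route, a Flow RR (2001:db8::3), and a network ingress (2001:db8::2) that enforces the rule. The route name, all addresses and prefixes, the interface name, the cluster ID, and the operator keyword equal (assumed to follow the greater-than | less-than | equal form shown for if-match packet-length) are assumptions, as is running flowspec statistic enable from the system view. Lines beginning with # are annotations for the reader, not VRP commands.

```text
# Added example, not the guide's own configuration. All names/addresses constructed.
# Topology (assumed): controller 2001:db8::1, Flow RR 2001:db8::3, ingress 2001:db8::2, AS 200.
# The peer ... as-number lines belong to the pre-configuration task (BGP4+ peer).

# ---- controller: create the route (step 1) and peer with the RR (step 2)
system-view
flow-route block-ssh-probe ipv6
 if-match destination 2001:db8:100:: 64
 if-match source 2001:db8:200:: 48
 if-match protocol equal 6
 if-match destination-port equal 22
 apply deny
 quit
bgp 200
 peer 2001:db8::3 as-number 200
 ipv6-family flow
  peer 2001:db8::3 enable
  quit
 quit
commit

# ---- Flow RR: reflect routes between the controller and the ingress (step 3)
system-view
bgp 200
 peer 2001:db8::1 as-number 200
 peer 2001:db8::2 as-number 200
 ipv6-family flow
  peer 2001:db8::1 enable
  peer 2001:db8::2 enable
  peer 2001:db8::1 reflect-client
  peer 2001:db8::2 reflect-client
  reflector cluster-id 1
  quit
 quit
commit

# ---- ingress: accept the route without validation (step 4), enable statistics
# ---- (step 5) and exempt one main interface from Flow Specification (step 6)
system-view
bgp 200
 peer 2001:db8::3 as-number 200
 ipv6-family flow
  peer 2001:db8::3 enable
  peer 2001:db8::3 validation-disable
  quit
 quit
flowspec statistic enable
interface GigabitEthernet0/1/0
 flowspec disable ipv6
 quit
commit

# ---- verification on the ingress (see Checking the Configurations)
display bgp flow ipv6 peer
display bgp flow ipv6 routing-table
display bgp flow ipv6 routing-table peer 2001:db8::3 received-routes statistics
```

The four if-match clauses on the controller are of different types, so they are ANDed: only TCP traffic from 2001:db8:200::/48 to 2001:db8:100::/64 with destination port 22 is dropped. Entering a second if-match destination in the same flow-route view would replace the first rather than add a second prefix, adding if-match port alongside if-match destination-port would be rejected, and apply traffic-rate cannot be combined with apply deny. The validation-disable command is limited to the one peer the ingress expects Flow Specification routes from; on the ingress, display bgp flow ipv6 peer should list 2001:db8::3 in the Established state with PrefRcv 1 once the route has been reflected.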

Checking the Configurations

After configuring the static BGP IPv6 Flow Specification function, check the configurations.

  • Run the display bgp flow ipv6 peer command to check information about the BGP IPv6 Flow Specification peer.

  • Run the display bgp flow ipv6 routing-table command to check information about BGP IPv6 Flow Specification routes.

  • Run the display bgp flow ipv6 routing-table statistics command to check statistics about BGP IPv6 Flow Specification routes.

# Run the display bgp flow ipv6 peer command. The command output shows whether the BGP IPv6 Flow Specification peer relationships are successfully established. For example:

<HUAWEI> display bgp flow ipv6 peer
 BGP local router ID : 1.1.1.2
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 1
  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  19::1           4         200        5        5     0 00:00:00 Established    1

# Run the display bgp flow ipv6 routing-table command. The command output shows the BGP IPv6 Flow Specification route information and cluster information of the RR. For example:

<HUAWEI> display bgp flow ipv6 routing-table 66
BGP Local router ID is 10.1.2.1
 Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP,   - incomplete
 RPKI validation codes: V - valid, I - invalid, N - not-found

 Total Number of Routes: 1
 *    ReIndex : 66
      Dissemination Rules:
       Protocol       : eq 8
       Dest. Port     : lt 65535
       Src. Port      : gt 65535
       ICMP Type      : lt 254
       ICMP Code      : gt 200
       MED      : 0                   PrefVal  : 0
       LocalPref: 100
       Path/Ogn : 200 300 100i

# Run the display bgp flow ipv6 routing-table peer { ipv4-address | ipv6-address } received-routes statistics command on a network ingress. The command output shows statistics about BGP IPv6 Flow Specification routes received from the specified peer. For example:

<HUAWEI> display bgp flow ipv6 routing-table peer 1.1.1.1 received-routes statistics
Received active routes total: 4
Updated: 2019-01-02

Document ID: EDOC1100055397