apply redirect (Flow-Route VPN instance view)

Function

The apply redirect command enables a device to redirect the traffic matching a filtering rule.

The undo apply redirect command cancels the configuration.

By default, no traffic is redirected.

Format

apply redirect { vpn-target vpn-target-import | ip redirect-ip-rt }

undo apply redirect

undo apply redirect ip [ redirect-ip-rt ]

Parameters

Parameter Description Value
vpn-target vpn-target-import

Specifies the name of a target VPN to which attack traffic is redirected.

The value is in one of the following formats:

  • AS number (in the range from 0 to 65535):user-defined number (in the range from 0 to 4294967295)
  • ipv4-address:AS number (in the range from 0 to 65535)
  • AS number (in the range from 0 to 65535).AS number (in the range from 0 to 65535):AS number (in the range from 0 to 65535)
  • user-defined number (in the range from 65536 to 4294967295):AS number (in the range from 0 to 65535)

The AS number and user-defined number cannot both be 0s. Specifically, a VPN target cannot be 0:0 or 0.0:0.

ip redirect-ip-rt

Specifies a redirected IP address.

  • In the scenario where the controller delivers BGP Flow Specification rules, redirect-ip-rt can recurse to a tunnel or direct route based on the community 0x90000002 attribute carried in BGP Flow Specification packets.
  • In the scenario where BGP Flow Specification routes are converted from the BGP Flow Specification rules delivered by the controller, redirect-ip-rt can recurse to a tunnel or direct route based on the community 0x90000001 attribute carried in BGP Flow Specification packets.

The value is in the format of ipv4-address:0 or ipv4-address:1. ipv4-address is in dotted decimal notation.

The value 0 indicates that traffic can be forwarded only through redirection. The value 1 indicates that the original forwarded traffic is not affected and traffic is copied and then redirected. Currently, traffic can be forwarded only through redirection regardless of whether the value is in the format of ipv4-address:0 or ipv4-address:1.

Views

Flow-Route VPN instance view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
flow-route write

Usage Guidelines

Usage Scenario

The apply redirect command is used to redirect the traffic matching a filtering rule to a specified VPN instance or next-hop IP address to protect the target device from attacks.

Prerequisites

A BGP Flow Specification route or BGP VPN Flow Specification route has been configured using the flow-route command in the system view.

Configuration Impact

If the apply redirect command is run multiple times for the same BGP Flow Specification route or BGP VPN Flow Specification route, only the latest configuration takes effect.

Precautions

The BGP IPv6 Flow Specification action does not support redirection to a next-hop IPv6 address.

If the BGP Flow Specification route received from a peer carries the redirection next hop attribute configured using the apply redirect ip command, the device can process this attribute only after the peer redirect ip command is run.

Example

# Configure a filtering action for static BGP VPN Flow Specification route Rule 1 to redirect the traffic matching a filtering rule.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpna
[*HUAWEI-vpn-instance-vpna] quit
[*HUAWEI] flow-route Rule1 vpn-instance vpna
[*HUAWEI-flow-route-vpna] if-match port equal 24
[*HUAWEI-flow-route-vpna] apply redirect vpn-target 4:4
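
An added example, not code from the original page or from Huawei: an offline pre-check for apply redirect lines that applies the value formats from the parameter table and the rule under Configuration Impact that only the latest configuration takes effect. The function names, the prompt-stripping pattern and the SAMPLE session are assumptions constructed for illustration.

```python
import re

U16, U32 = 0xFFFF, 0xFFFFFFFF  # 65535, 4294967295

def _num(s):  # int for plain ASCII digits, else None
    return int(s) if re.fullmatch(r"[0-9]+", s) else None

def _is_ipv4(s):  # dotted decimal, four octets 0-255
    p = s.split(".")
    return len(p) == 4 and all(_num(x) is not None and int(x) <= 255 for x in p)

def valid_vpn_target(value):
    """Check a value against the four vpn-target formats in the parameter table."""
    left, sep, right = value.rpartition(":")
    l, r = _num(left), _num(right)
    if not sep or r is None:
        return False
    if l is not None:  # AS number:user-defined number, or number >= 65536:AS number
        return (l, r) != (0, 0) and (r <= U32 if l <= U16 else l <= U32 and r <= U16)
    halves = [_num(p) for p in left.split(".")]
    if len(halves) == 2 and None not in halves:  # AS number.AS number:AS number
        return max(*halves, r) <= U16 and halves + [r] != [0, 0, 0]
    return r <= U16 and _is_ipv4(left)  # ipv4-address:AS number

def valid_redirect_ip_rt(value):  # ipv4-address:0 or ipv4-address:1
    addr, sep, flag = value.rpartition(":")
    return bool(sep) and flag in ("0", "1") and _is_ipv4(addr)

CHECKS = {"vpn-target": valid_vpn_target, "ip": valid_redirect_ip_rt}  # illustrative helpers
SAMPLE = [  # constructed session lines, not device output
    "[*HUAWEI] flow-route Rule1 vpn-instance vpna",
    "[*HUAWEI-flow-route-vpna] apply redirect vpn-target 0:0",
    "[*HUAWEI-flow-route-vpna] apply redirect vpn-target 4:4",
    "[*HUAWEI-flow-route-vpna] apply redirect ip 192.0.2.1:0",
]

def audit(lines):  # returns ({flow-route: effective redirect}, [rejected lines])
    effective, rejected, route = {}, [], None
    for raw in lines:
        cmd = re.sub(r"^\s*(<[^>]*>|\[[^\]]*\])\s*", "", raw).split()  # drop CLI prompt
        if cmd[:1] == ["flow-route"] and len(cmd) > 1:
            route = cmd[1]
        elif cmd[:3] == ["undo", "apply", "redirect"]:  # any undo form clears the action
            effective.pop(route, None)
        elif cmd[:2] == ["apply", "redirect"]:
            if len(cmd) == 4 and cmd[2] in CHECKS and CHECKS[cmd[2]](cmd[3]):
                effective[route] = (cmd[2], cmd[3])  # a later apply overwrites an earlier one
            else:
                rejected.append(raw)
    return effective, rejected
```

Running audit(SAMPLE) reports the ip redirect as the only effective action for Rule1 and flags the 0:0 line as rejected.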
Copyright © Huawei Technologies Co., Ltd.