The apply redirect command enables a device to redirect the traffic matching a filtering rule.
The undo apply redirect command cancels the configuration.
By default, no traffic is redirected.
| Parameter | Description | Value |
|---|---|---|
| vpn-target vpn-target-import |
Specifies the name of a target VPN to which attack traffic is redirected. |
The value is in the format of AS number (in the range from 0 to 65535):user-defined number (in the range from 0 to 4294967295), ipv4-address:AS number (in the range from 0 to 65535), AS number (in the range from 0 to 65535).AS number (in the range from 0 to 65535):AS number (in the range from 0 to 65535), or user-defined number (in the range from 65536 to 4294967295):AS number (in the range from 0 to 65535). The AS number and user-defined number cannot both be 0s. Specifically, a VPN target cannot be 0:0 or 0.0:0. |
| ip redirect-ip-rt |
Specifies a redirected IP address. |
The value is in the format of ipv4-address:0 or ipv4-address:1. ipv4-address is in dotted decimal notation. The value 0 indicates that traffic can be forwarded only through redirection. The value 1 indicates that the original forwarded traffic is not affected and traffic is copied and then redirected. Currently, traffic can be forwarded only through redirection regardless of whether the value is in the format of ipv4-address:0 or ipv4-address:1. |
| color colorvalue |
Sets a value of the color attribute to redirect traffic to an SR-MPLS TE Policy tunnel. Currently, this parameter can be configured only in the Flow-Route view. |
The value of the color attribute is in the format of color flag:4-byte user-defined number. For example, the value can be set to 0:100. Currently, the color flag value is fixed at 0, and the 4-byte user-defined number is an integer ranging from 0 to 4294967295. |
Usage Scenario
The apply redirect command is used to redirect the traffic matching a filtering rule to a specified VPN instance or next-hop IP address to protect the target device from attacks.
To accurately redirect matching traffic to a specified SR-MPLS TE Policy tunnel, specify redirect-ip-rt and colorvalue in the command. Traffic can be redirected to the SR-MPLS TE Policy tunnel only if the tunnel matches the configured traffic policy and redirect-ip-rt and colorvalue.Prerequisites
A BGP Flow Specification route or BGP VPN Flow Specification route has been configured using the flow-route command in the system view.
Configuration Impact
If the apply redirect command is run multiple times for the same BGP Flow Specification route or BGP VPN Flow Specification route, only the latest configuration takes effect.
If a BGP FlowSpec route received from a peer carries the redirection next-hop attribute specified using the apply redirect ip command, the device can process this attribute only after the peer redirect ip command is run on the device.<HUAWEI> system-view [~HUAWEI] tunnel-policy fl [*HUAWEI-tunnel-policy-fl] tunnel select-seq srte-policy load-balance-number 1 unmix [*HUAWEI-tunnel-policy-fl] quit [*HUAWEI] tunnel-selector fl permit node 10 [*HUAWEI-tunnel-selector] apply tunnel-policy fl [*HUAWEI-tunnel-selector] quit [*HUAWEI] bgp 100 [*HUAWEI-bgp] peer 10.1.1.1 as-number 200 [*HUAWEI-bgp] ipv4-family flow [*HUAWEI-bgp-af-ipv4-flow] peer 10.1.1.1 enable [*HUAWEI-bgp-af-ipv4-flow] peer 10.1.1.1 redirect ip [*HUAWEI-bgp-af-ipv4-flow] redirect ip recursive-lookup tunnel tunnel-selector fl [*HUAWEI-bgp-af-ipv4-flow] quit [*HUAWEI-bgp] quit [*HUAWEI] flow-route Rule1 [*HUAWEI-flow-route] if-match port equal 24 [*HUAWEI-flow-route] apply redirect ip 1.1.1.1:0 color 0:6
<HUAWEI> system-view [~HUAWEI] flow-route Rule1 [*HUAWEI-flow-route] if-match port equal 24 [*HUAWEI-flow-route] apply redirect vpn-target 4:4