flowspec refluence

Function

The flowspec refluence command configures an interface, in BGP FlowSpec, as the interface that injects cleaned traffic back into the device, so that traffic received on this interface that matches FlowSpec rules is not redirected again.

The undo flowspec refluence command cancels the configuration.

By default, an interface is not configured as the one that injects the cleaned traffic back to the device.

Format

flowspec refluence

undo flowspec refluence

Parameters

None

Views

100GE interface view, 10G LAN interface view, 400GE interface view, 40GE interface view, 50GE interface view, Eth-Trunk interface view, GE optical interface view, GE electrical interface view, Sub-interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name     Operations
cpu-defend    write

Usage Guidelines

Usage Scenario

You can redirect attack traffic to a traffic cleaning device to protect valid services against DoS/DDoS attacks. The traffic cleaning function is applied to IP forwarding scenarios.

To prevent returned traffic from matching the FlowSpec rules again and returning to the traffic cleaning device, specify an interface that injects the cleaned traffic back to the device and run the flowspec refluence command on the interface.

Configuration Impact

After the flowspec refluence command is configured on a main interface, the traffic cleaning function is propagated to all sub-interfaces on the main interface, and the traffic cleaning function is mutually exclusive with the traffic policy function configured using the traffic-policy (interface view) command.

Precautions

  • The flowspec refluence and capture-packet commands are mutually exclusive.
  • The flowspec disable [ ipv4 | ipv6 ] and flowspec refluence commands are mutually exclusive.
  • This command is used to prevent returned traffic from matching the FlowSpec rules again and to simply forward the returned traffic to the public network. For example, if the interface that receives returned traffic is bound to a VPN and configured with traffic cleaning, the returned traffic is not processed based on the default VPN configuration and is simply forwarded to the public network.
  • After the flowspec refluence command is configured on a main interface, this command takes effect on all sub-interfaces of the main interface. To be specific, VPN traffic on all sub-interfaces of the main interface is redirected to the public network.
  • The flowspec refluence command can redirect packets only to the public network. You are advised to implement this function by configuring the flowspec disable command together with the redirection function. However, if the if-match any rule is configured for redirection, Layer 3 protocol packets are also matched. You can configure a specific rule to prevent Layer 3 protocol packets from being matched.
  • This command cannot be configured on Eth-Trunk member interfaces. When the command is configured on a main interface, the command configuration also takes effect on its sub-interfaces.

Example

# Configure the role of GE 0/1/0 as an interface that injects the cleaned traffic back to the device.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] flowspec refluence
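
The following check is an added example, not Huawei's code: it scans saved configuration text for interfaces where flowspec refluence is active (directly or inherited from the main interface) and reports the mutually exclusive commands and VPN bindings described under Configuration Impact and Precautions. Assumptions: the configuration is laid out as interface blocks separated by `#`, VPN binding appears as `ip binding vpn-instance`, the exclusions are also checked on sub-interfaces that inherit the setting, and the sample names (`p1`, `vpna`) are constructed.

```python
# Leading keywords of the commands the page lists as mutually exclusive.
CONFLICTS = ("capture-packet", "flowspec disable", "traffic-policy")
REFLUENCE = "flowspec refluence"

def parse_interfaces(config):
    """Map interface name -> list of its commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif not line or line in ("#", "return"):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def lint_refluence(config):
    """Return (interface, kind, command) findings."""
    interfaces, findings = parse_interfaces(config), []
    for name, cmds in interfaces.items():
        main = name.split(".", 1)[0]  # sub-interface "X.1" -> main "X"
        if REFLUENCE not in cmds + interfaces.get(main, []):
            continue  # refluence neither configured here nor inherited
        for cmd in cmds:
            if cmd.startswith(CONFLICTS):
                findings.append((name, "mutually-exclusive", cmd))
            elif cmd.startswith("ip binding vpn-instance"):
                findings.append((name, "vpn-sent-to-public", cmd))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
#
interface GigabitEthernet0/1/0
 flowspec refluence
 traffic-policy p1 inbound
#
interface GigabitEthernet0/1/0.1
 ip binding vpn-instance vpna
#
interface GigabitEthernet0/1/1
 flowspec disable ipv4
#
"""

if __name__ == "__main__":
    for finding in lint_refluence(SAMPLE):
        print(*finding, sep=": ")
```

GigabitEthernet0/1/1 produces no finding because flowspec disable conflicts only where flowspec refluence is also in effect.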
Copyright © Huawei Technologies Co., Ltd.