Configuring Static BGP Flow Specification

BGP Flow Specification routes are generated manually to control traffic in static BGP Flow Specification.

Usage Scenario

When static BGP Flow Specification is configured, a BGP Flow Specification route needs to be generated manually, and a BGP Flow Specification peer relationship needs to be established between the device that generates the BGP Flow Specification route and each ingress on the network to advertise BGP Flow Specification routes.

In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be deployed to reduce the number of BGP Flow Specification peer relationships to be established and save network resources.

If you want to filter traffic matching a specified address prefix but BGP Flow Specification routes matching the specified address prefix fail to be authenticated, disable the authentication of the BGP Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring static BGP Flow Specification, configure a BGP peer.

Procedure

Create a BGP Flow Specification route manually.

Run system-view
The system view is displayed.
Run flow-route flowroute-name
A static BGP Flow Specification route is created, and the Flow-Route view is displayed.
One BGP Flow Specification route can include multiple if-match and apply clauses. if-match clauses define traffic filtering rules, and apply clauses define traffic behaviors. The relationships among clauses are as follows:
- The relationship among if-match clauses of different types is "AND."
- If multiple if-match clauses of the same type are configured, some rules override each other, and the relationship among other rules is OR. For details, see the precautions for the if-match command.
- The relationship among the traffic behaviors defined by apply clauses is "AND."
The traffic behaviors defined by apply clauses must apply to all traffic matching filtering rules defined by the if-match clauses.

According to characteristics of the traffic to be controlled, you can configure one or more if-match clauses to define traffic filtering rules as needed:

To set a destination address-based traffic filtering rule, run the if-match destination ipv4-address { mask | mask-length } command.

Traffic control is performed based on a specified destination IP address specified in a rule configured using the if-match destination command, but BGP Flow Specification routes matching the rule fail to be authenticated. In this situation, run the peer validation-disable command to disable the authentication.

By default, 0.0.0.0/0 is used as the prefix of each BGP Flow Specification route that matches the export or import policy configured for a peer. To enable a device to change the prefix of each BGP Flow Specification route that matches the export or import policy configured for a peer to the destination IP address specified in the if-match destination command, run the route match-destination command.
To set a source address-based traffic filtering rule, run the if-match source ipv4-address { mask | mask-length } command.
To set a port number-based traffic filtering rule, run the if-match port { greater-than | less-than | equal } port or if-match port greater-than port less-than upper-port-value command.
To set a source port number-based traffic filtering rule, run the if-match source-port { greater-than | less-than | equal } port or if-match source-port greater-than source-port less-than upper-source-port-value command.
To set a destination port number-based traffic filtering rule, run the if-match destination-port { greater-than | less-than | equal } port or if-match destination-port greater-than port less-than upper-port-value command.

The if-match port command is mutually exclusive with the if-match destination-port and if-match source-port commands.
To set a protocol-based traffic filtering rule, run the if-match protocol { greater-than | less-than | equal } protocol or if-match protocol greater-than protocol less-than upper-protocol-value command.
To set a DSCP-based traffic filtering rule, run the if-match dscp { greater-than | less-than | equal } dscp or if-match dscp greater-than dscp less-than upper-dscp-value command.
To set a TCP-flag value-based traffic filtering rule, run the if-match tcp-flags { match | not | any-match } tcp-flags command.

Network attackers may send a large number of invalid TCP packets to attack network devices. To control invalid TCP packets to ensure communication security, configure a filtering rule based on the TCP flag for the BGP Flow Specification route using the if-match tcp-flags command. The traffic behavior specified in the apply clause applies to the traffic that matches the TCP flag value.
To set a fragment type-based traffic filtering rule, run the if-match fragment-type { match | not } fragment-type-name command.
To set an ICMP message code-based traffic filtering rule, run the if-match icmp-code { greater-than | less-than | equal } icmp-code or if-match icmp-code greater-than icmp-code less-than upper-icmp-code-value command.

To set an ICMP message type-based traffic filtering rule, run the if-match icmp-type { greater-than | less-than | equal } icmp-type or if-match icmp-type greater-than icmp-type less-than upper-icmp-type-value command.

**Table 1** *icmp-type* and *icmp-code* values corresponding to ICMP message names
icmp-name	icmp-type	icmp-code
Echo	8	0
Echo-reply	0	0
Parameter-problem	12	0
Port-unreachable	3	3
Protocol-unreachable	3	2
Reassembly-timeout	11	1
Source-quench	4	0
Source-route-failed	3	5
Timestamp-reply	14	0
Timestamp-request	13	0
Ttl-exceeded	11	0
Fragmentneed-DFset	3	4
Host-redirect	5	1
Host-tos-redirect	5	3
Host-unreachable	3	1
Information-reply	16	0
Information-request	15	0
Net-redirect	5	0
Net-tos-redirect	5	2
Net-unreachable	3	0

To set a filtering rule based on the packet length of a BGP Flow Specification route, run the if-match packet-length { greater-than | less-than | equal } packet-length-value or if-match packet-length greater-than packet-length-value less-than upper-packet-length-value command.

Run the following command as required to configure actions for apply clauses:
- To discard the matching traffic, run the apply deny command.
- To redirect the matching traffic to the traffic cleaning device or blackhole, run the apply redirect { vpn-target vpn-target-import | ip redirect-ip-rt } command.
  
  The device can process the redirection next hop attribute configured using the apply redirect ip redirect-ip-rt command received from a peer only after the peer redirect ip command is run.
- To redirect the filtered traffic to an SR-MPLS TE Policy, run the apply redirect ip redirect-ip-rt color colorvalue command.
  
  The device can process the redirection next hop attribute configured using the apply redirect ip redirect-ip-rt color colorvalue command received from a peer only after the peer redirect ip command is run.
- To redirect the filtered traffic to an SRv6 TE Policy, run the apply redirect ipv6 redirect-ipv6-rt color colorvalue [ prefix-sid prefix-sid-value ] command.
- To re-mark the service class of the matching traffic, run the apply remark-dscp command.
- To limit the rate of the matching traffic, run the apply traffic-rate command.
- To implement sampling for the matching traffic, run the apply traffic-action sample command.
  
  You can run the apply traffic-action sample command for a BGP Flow Specification route to sample the traffic that matches the specified filtering rules. Through sampling, abnormal traffic can be identified and filtered out, which protects the attacked device and improves network security.
The apply deny and apply traffic-rate commands are mutually exclusive.

If the configured BGP Flow Specification route attribute does not need to take effect locally, run the routing-table rib-only [ route-policy route-policy-name | route-filter route-filter-name ] command to disable the device from delivering the BGP Flow Specification route to the FES forwarding table.
Run commit
The configuration is committed.

Configure BGP Flow Specification peer relationships.
BGP Flow Specification peer relationships must be established between the network ingress and device on which the BGP Flow Specification route is manually created.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run ipv4-family flow
  The BGP-Flow address family view is displayed.
4. Run peer ipv4-address enable
  The BGP Flow Specification peer relationship is enabled.
  
  After the BGP Flow Specification peer relationship is established in the BGP-Flow address family view, the manually generated BGP Flow Specification route is imported to the BGP routing table and then sent to each peer.
5. Run commit
  The configuration is committed.
(Optional) Configure a Flow RR.
Before configuring a Flow RR, establish a BGP Flow Specification peer relationship between the Flow RR and the device on which the BGP Flow Specification route is generated and between the Flow RR and every network ingress.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run ipv4-family flow
  The BGP-Flow address family view is displayed.
4. Run peer ipv4-address reflect-client
  A Flow RR is configured, and a client is specified for it.
  
  The router configured with the peer reflect-client command functions as a Flow RR and the specified peer functions as a client.
5. (Optional) Run undo reflect between-clients
  Route reflection between clients through the RR is disabled.
  
  By default, route reflection among clients through the RR is enabled.
  
  If the clients of a Flow RR are fully meshed, you can run the undo reflect between-clients command on the Flow RR to disable route reflection between clients through the RR, which reduces costs.
6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }
  A cluster ID is configured for the Flow RR.
  
  If a cluster has multiple Flow RRs, run this command to set the same cluster-id for these RRs.
  
  The reflector cluster-id command is applicable only to Flow RRs.
7. Run commit
  The configuration is committed.
(Optional) Add the AS_Path attribute as a check item to BGP Flow Specification route verification rules.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run ipv4-family flow
  The BGP-Flow address family view is displayed.
4. Run route validation-mode include-as
  The authentication mode of BGP Flow Specification routes is configured to include the AS_Path attribute.
  BGP Flow Specification routes are verified as follows:
  - Mode 1: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route according to Figure 1. The route is considered valid only if the verification succeeds.
  - Mode 2: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route by checking whether the AS_Path attribute of the route carries the AS_Set or AS_Sequence field. The route is considered valid only if its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
  If the route validation-mode include-as command is run on a device, the device first uses mode 2 to verify BGP Flow Specification routes.
  - If the verification using mode 2 succeeds, the BGP Flow Specification route is considered valid, and the device no longer verifies the routes using mode 1.
  - If the verification using mode 2 fails, the device verifies the routes using mode 1.
  If the route validation-mode include-as command is not run on a device, the device uses mode 1 to verify BGP Flow Specification routes.
  Figure 1 BGP Flow Specification route verification rules
5. Run commit
  The configuration is committed.
(Optional) Disable BGP Flow Specification route authentication.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run ipv4-family flow
  The BGP-Flow address family view is displayed.
4. Run peer ipv4-address validation-disable
  The device is disabled from authenticating BGP Flow Specification routes received from a specified peer.
5. Run commit
  The configuration is committed.
(Optional) Disable an EBGP peer from validating the received routes that carry a redirection extended community attribute.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run ipv4-family flow
  The BGP-Flow address family view is displayed.
4. Run peer ipv4-address redirect ip validation-disable
  The EBGP peer is disabled from validating the received routes that carry a redirection extended community attribute and are received from a specified EBGP peer.
5. Run commit
  The configuration is committed.
(Optional) Configure the device to recurse received routes with the redirection next-hop IPv6 address, color, and prefix SID attribute to tunnels.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run ipv4-family flow
  The BGP-Flow address family view is displayed.
4. Run redirect tunnelv6 tunnel-selector tunnel-selector-name
  The device is configured to recurse received routes with the redirection next-hop IPv6 address, color, and prefix SID attributes to tunnels.
5. Run commit
  The configuration is committed.
(Optional) Configure the redirection next-hop attribute ID for BGP Flow Specification routes.
The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or 0x0800 (defined in a related draft). If a Huawei device needs to communicate with a non-Huawei device that does not support the redirection next-hop attribute ID of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP Flow Specification routes as required. Perform one of the following configurations based on the ID supported by non-Huawei devices:
- Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC) for BGP Flow Specification routes.
  1. Run system-view
    The system view is displayed.
  2. Run bgp as-number
    The BGP view is displayed.
  3. Run ipv4-family flow
    The BGP-Flow address family view is displayed.
  4. Run peer ipv4-address redirect ip rfc-compatible
    The redirection next-hop attribute ID of the BGP Flow Specification route is set to 0x010C (defined in a related RFC).
  5. Run commit
    The configuration is committed.
- Change the redirection next-hop attribute ID of BGP Flow Specification routes to 0x0800 (defined in a related draft).
  1. Run system-view
    The system view is displayed.
  2. Run bgp as-number
    The BGP view is displayed.
  3. Run ipv4-family flow
    The BGP-Flow address family view is displayed.
  4. Run peer ipv4-address redirect ip draft-compatible
    The redirection next-hop attribute ID of BGP Flow Specification routes is changed to 0x0800 (defined in a related draft).
  5. Run commit
    The configuration is committed.
(Optional) Configure the interface in the BGP Flow Specification as the traffic-injection interface of the cleaned traffic to prevent the injected traffic from matching the Flow Specification rules and being switched back to the cleaning device.
1. Run system-view
  The system view is displayed.
2. Run interface interface-type interface-number
  The interface view is displayed.
3. Run flowspec refluence
  The interface the BGP Flow Specification is configured as the traffic-injection interface for cleaning traffic.
  
  This command conflicts with MF classification. Therefore, after this command is configured on an interface, do not configure MF classification on the interface.
  
  This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.
4. Run commit
  The configuration is committed.
(Optional) Disable BGP Flow Specification on the interface.
1. Run system-view
  The system view is displayed.
2. Run interface interface-type interface-number
  The interface view is displayed.
3. Run flowspec disable [ ipv4 | ipv6 ]
  BGP Flow Specification is disabled on the interface.
  
  This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.
  
  If BGP Flow Specification does not need to be disabled on sub-interfaces, run the flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to disable BGP Flow Specification only on the main interface.
4. Run commit
  The configuration is committed.
(Optional) Configure BGP Flow Specification for packets with a specified IP address sent to the public network.
1. Run flowspec match-ip-layer mpls-pop
  The BGP Flow Specification action is performed on packets with a specified IP address sent to the public network.
2. Run commit
  The configuration is committed.
(Optional) Enable the CAR statistics and packet loss statistics function for BGP Flow Specification.
1. Run flowspec statistic enable
  The CAR and packet loss statistics collection is enabled for BGP Flow Specification.
2. Run commit
  The configuration is committed.
(Optional) Enable BGP FlowSpec for packets that have entered the VXLAN tunnel.
1. Run flowspec match vxlan-packet enable
  BGP FlowSpec is enabled for packets that have entered an IPv4 VXLAN tunnel.
2. Run commit
  The configuration is committed.
(Optional) Enable BGP FlowSpec on a GRE tunnel interface.
1. Run system-view
  The system view is displayed.
2. Run interface tunnel interface-number
  The tunnel interface view is displayed.
3. Run tunnel-protocol gre
  The tunnel is encapsulated as a GRE tunnel.
4. Run flowspec match tunnel-pop
  BGP FlowSpec is enabled on the GRE tunnel interface.
5. Run commit
  The configuration is committed.
(Optional) Disable BGP FlowSpec protection.
1. Run system-view
  The system view is displayed.
2. Run flowspec protocol-protect { ipv4 | ipv6 } disable
  BGP FlowSpec protection is disabled.
3. Run commit
  The configuration is committed.
(Optional) Enable BGP Flow Specification IPv4 fragmentation rules to comply with RFC 5575.
1. Run system-view
  The system view is displayed.
2. Run flowspec ipv4-fragment-rule switch
  BGP Flow Specification IPv4 fragmentation rules are enabled to comply with RFC 5575.
3. Run commit
  The configuration is committed.

Verifying the Configuration

After configuring static BGP Flow Specification, verify the configuration.

Run the display bgp flow peer [ [ ipv4-address ] verbose ] command to check information about BGP Flow Specification peers.
Run the display bgp flow routing-table command to check BGP Flow Specification routing information.
Run the display bgp flow routing-table [ peer ipv4-address ] [ advertised-routes | received-routes [ active ] ] statistics command to check BGP Flow Specification route statistics.
Run the display flowspec statistics reindex command to check statistics about IP packets matching a specific BGP Flow Specification route for BGP Flow Specification protocol protection on interfaces in a specified interface group.
Run the display flowspec rule reindex-value slot slot-id command to check information about combined rules in the BGP FlowSpec local rule table.
Run the display flowspec rule statistics slot slot-id command to check statistics about the rules for BGP FlowSpe routes to take effect.