Configuring Dynamic BGP FlowSpec

In dynamic BGP FlowSpec, BGP FlowSpec routes are generated by a traffic analysis server rather than configured manually on each device.

Usage Scenario

When deploying dynamic BGP FlowSpec, a BGP FlowSpec peer relationship needs to be established between the traffic analysis server and each ingress of the network to transmit BGP FlowSpec routes.

In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be deployed to reduce the number of BGP FlowSpec peer relationships and save CPU resources.

If you want to filter traffic matching a specified address prefix but BGP FlowSpec routes matching the specified address prefix fail to be authenticated, disable the authentication of the BGP FlowSpec routes received from a specified peer.

Pre-configuration Tasks

Before configuring dynamic BGP FlowSpec, configure a BGP peer.

Procedure

  1. Configure a BGP FlowSpec peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address enable

      A BGP FlowSpec peer relationship is established.

      After the BGP FlowSpec peer relationship is established in the BGP-Flow address family view, BGP FlowSpec routes generated by a traffic analysis server are automatically imported to the BGP routing table and then sent to the BGP FlowSpec peer.

    5. Run commit

      The configuration is committed.

  2. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP FlowSpec peer relationship between the Flow RR and the traffic analysis server, and between the Flow RR and every network ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address reflect-client

      A Flow RR and its client are configured.

      The router on which the peer reflect-client command is run is configured as a Flow RR, and the network ingresses and traffic analysis server are configured as clients.

    5. (Optional) Run undo reflect between-clients

      Route reflection among clients is disabled.

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR are fully meshed, you can run the undo reflect between-clients command on the Flow RR to disable the clients from reflecting routes to one another, which reduces costs.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If a cluster has multiple Flow RRs, set the same cluster-id for these RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  3. (Optional) Add the AS_Path attribute as a check item to BGP Flow Specification route verification rules.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run route validation-mode include-as

      The authentication mode of BGP Flow Specification routes is configured to include the AS_Path attribute.

      BGP Flow Specification routes are verified as follows:
      • Mode 1: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route according to Figure 1. The route is considered valid only if the verification succeeds.
      • Mode 2: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route by checking whether the AS_Path attribute of the route carries the AS_Set or AS_Sequence field. The route is considered valid only if its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
      If the route validation-mode include-as command is run on a device, the device first uses mode 2 to verify BGP Flow Specification routes.
      • If the verification using mode 2 succeeds, the BGP Flow Specification route is considered valid, and the device no longer verifies the routes using mode 1.
      • If the verification using mode 2 fails, the device verifies the routes using mode 1.
      If the route validation-mode include-as command is not run on a device, the device uses mode 1 to verify BGP Flow Specification routes.
      Figure 1 BGP Flow Specification route verification rules

    5. Run commit

      The configuration is committed.

  4. (Optional) Disable BGP FlowSpec route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address validation-disable

      The router is disabled from validating BGP FlowSpec routes received from a specified peer.

    5. Run commit

      The configuration is committed.

  5. (Optional) Disable an EBGP peer from validating the received routes that carry a redirection extended community attribute.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address redirect ip validation-disable

      The EBGP peer is disabled from validating the routes that carry a redirection extended community attribute.

    5. Run commit

      The configuration is committed.

  6. (Optional) Configure a BGP peer to process the received routes that carry the redirection next-hop IPv6 address, color, and prefix SID attributes.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run peer ipv4-address redirect tunnelv6

      The BGP peer is configured to process the received routes that carry the next-hop IPv6 address, color, and prefix SID attributes.

    5. Run commit

      The configuration is committed.

  7. (Optional) Configure the redirection next-hop attribute ID for BGP Flow Specification routes.

    The redirection next-hop attribute ID can be 0x010C (defined in a related RFC) or 0x0800 (defined in a related draft). If a Huawei device needs to communicate with a non-Huawei device that does not support the redirection next-hop attribute ID of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP Flow Specification routes as required. Perform one of the following configurations based on the ID supported by non-Huawei devices:

    • Set the redirection next-hop attribute ID to 0x010C (defined in a related RFC) for BGP Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-family flow

        The BGP-Flow address family view is displayed.

      4. Run peer ipv4-address redirect ip rfc-compatible

        The redirection next-hop attribute ID of the BGP Flow Specification route is set to 0x010C (defined in a related RFC).

      5. Run commit

        The configuration is committed.

    • Change the redirection next-hop attribute ID of BGP Flow Specification routes to 0x0800 (defined in a related draft).

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-family flow

        The BGP-Flow address family view is displayed.

      4. Run peer ipv4-address redirect ip draft-compatible

        The redirection next-hop attribute ID of BGP Flow Specification routes is changed to 0x0800 (defined in a related draft).

      5. Run commit

        The configuration is committed.

  8. (Optional) Configure the interface in the BGP Flow Specification as the traffic-injection interface of the cleaned traffic to prevent the injected traffic from matching the Flow Specification rules and being switched back to the cleaning device.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec refluence

      The interface is configured as the traffic-injection interface for cleaned traffic in BGP Flow Specification, so that traffic injected on this interface is not matched against the Flow Specification rules again.

      This command conflicts with MF classification. Therefore, after this command is configured on an interface, do not configure MF classification on the interface.

      This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.

    4. Run commit

      The configuration is committed.

  9. (Optional) Disable BGP Flow Specification on the interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.

      If BGP Flow Specification does not need to be disabled on sub-interfaces, run the flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to disable BGP Flow Specification only on the main interface.

    4. Run commit

      The configuration is committed.

  10. (Optional) Allow the device to recurse the received routes that carry a redirection extended community attribute to tunnels.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run redirect ip recursive-lookup tunnel [ tunnel-selector tunnel-selector-name ]

      The device is allowed to recurse the received routes that carry a redirection extended community attribute to tunnels.

    5. Run commit

      The configuration is committed.

  11. (Optional) Allow the device to recurse received routes with the next-hop IPv6 address, color attribute, and prefix SID attributes to tunnels.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family flow

      The BGP-Flow address family view is displayed.

    4. Run redirect tunnelv6 tunnel-selector tunnel-selector-name

      The device is allowed to recurse received routes with the next-hop IPv6 address, color, and prefix SID attributes to tunnels.

      To trigger route recursion to SRv6 TE Policies, you must run both the redirect tunnelv6 tunnel-selector tunnel-selector-name command and the peer ipv4-address redirect tunnelv6 command.

    5. Run commit

      The configuration is committed.

  12. (Optional) Configure BGP FlowSpec for packets with a specified IP address sent to the public network.
    1. Run flowspec match-ip-layer mpls-pop

      The BGP FlowSpec action is performed on packets with a specified IP address sent to the public network.

    2. Run commit

      The configuration is committed.

  13. (Optional) Enable the CAR statistics and packet loss statistics function for BGP Flow Specification.
    1. Run flowspec statistic enable

      The CAR and packet loss statistics collection is enabled for BGP FlowSpec.

    2. Run commit

      The configuration is committed.

  14. (Optional) Enable BGP FlowSpec for packets that have entered the VXLAN tunnel.
    1. Run flowspec match vxlan-packet enable

      BGP FlowSpec is enabled for packets that have entered an IPv4 VXLAN tunnel.

    2. Run commit

      The configuration is committed.

  15. (Optional) Enable BGP FlowSpec on a GRE tunnel interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface tunnel interface-number

      The tunnel interface view is displayed.

    3. Run tunnel-protocol gre

      The tunnel is encapsulated as a GRE tunnel.

    4. Run flowspec match tunnel-pop

      BGP FlowSpec is enabled on the GRE tunnel interface.

    5. Run commit

      The configuration is committed.

  16. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled.

    3. Run commit

      The configuration is committed.

  17. (Optional) Enable BGP Flow Specification IPv4 fragmentation rules to comply with RFC 5575.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec ipv4-fragment-rule switch

      BGP Flow Specification IPv4 fragmentation rules are enabled to comply with RFC 5575.

    3. Run commit

      The configuration is committed.
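Steps 1 to 4 assembled into one Huawei VRP-style configuration for a Flow RR, as an added example that is not from the original page. The AS number, peer addresses and cluster ID are constructed; the syntax of the prerequisite BGP peer command (peer ipv4-address as-number as-number) is assumed, since this page lists it only as a pre-configuration task.

```text
# Flow RR in AS 65000 (constructed) peering with the traffic analysis server
# 10.0.0.10 and two network ingresses 10.0.0.1 and 10.0.0.2 (constructed).
system-view
bgp 65000
 # Pre-configuration task: plain BGP peers (as-number syntax assumed)
 peer 10.0.0.10 as-number 65000
 peer 10.0.0.1 as-number 65000
 peer 10.0.0.2 as-number 65000
 ipv4-family flow
  # Step 1: BGP FlowSpec peer relationship with every peer
  peer 10.0.0.10 enable
  peer 10.0.0.1 enable
  peer 10.0.0.2 enable
  # Step 2: this router becomes the Flow RR; server and ingresses are clients
  peer 10.0.0.10 reflect-client
  peer 10.0.0.1 reflect-client
  peer 10.0.0.2 reflect-client
  # Step 2.6: identical cluster ID on every Flow RR of the cluster
  reflector cluster-id 100
  # Step 3: verify AS_Path (mode 2) first, fall back to mode 1
  route validation-mode include-as
  # Step 4 is intentionally not applied. If a specific peer's routes must
  # bypass validation, scope it to that single peer only, e.g.:
  #   peer 10.0.0.10 validation-disable
 commit
# Verification commands from this page: sessions up, routes received
display bgp flow peer
display bgp flow routing-table peer 10.0.0.10 received-routes statistics
```

Leave route reflection among clients enabled (the default) here, because the clients are not fully meshed; undo reflect between-clients applies only to a fully meshed client set.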

Verifying the Configuration

Run the following commands to verify the previous configuration.

  • Run the display bgp flow peer [ [ ipv4-address ] verbose ] command to check information about BGP FlowSpec peers.

  • Run the display bgp flow routing-table command to check BGP FlowSpec routing information.

  • Run the display bgp flow routing-table [ peer ipv4-address ] [ advertised-routes | received-routes [ active ] ] statistics command to check BGP FlowSpec route statistics.

  • Run the display flowspec statistics reindex command to check statistics about IP packets matching a specific BGP FlowSpec route for BGP FlowSpec protocol protection on interfaces in a specified interface group.

  • Run the display flowspec rule reindex-value slot slot-id command to check information about combined rules in the BGP FlowSpec local rule table.

  • Run the display flowspec rule statistics slot slot-id command to check statistics about the rules for BGP FlowSpec routes to take effect.
Copyright © Huawei Technologies Co., Ltd.