Configuring Dynamic BGP IPv6 Flow Specification

Dynamic BGP IPv6 Flow Specification uses a traffic analysis server to generate BGP IPv6 Flow Specification routes to control traffic.

Usage Scenario

Before deploying dynamic BGP IPv6 Flow Specification, you need to establish a BGP IPv6 Flow Specification peer relationship between the traffic analysis server and each ingress of the network to transmit BGP IPv6 Flow Specification routes.

In an AS with multiple ingresses, a BGP IPv6 Flow route reflector (Flow RR) can be deployed to reduce the number of BGP IPv6 Flow Specification peer relationships and save network resources.

If you want to filter traffic based on the address prefix but the BGP IPv6 Flow Specification route carrying the filtering rule fails the authentication, disable the authentication of BGP IPv6 Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring the dynamic BGP IPv6 Flow Specification function, complete the following task:

Procedure

  1. Establish a BGP IPv6 Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } enable

      A BGP IPv6 Flow Specification peer relationship is established.

      After the BGP IPv6 Flow Specification peer relationship is established in the BGP-Flow-IPv6 address family view, the BGP IPv6 Flow Specification route generated by the traffic analysis server is imported automatically to the BGP routing table and then sent to the peer.

    5. Run commit

      The configuration is committed.

  2. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP IPv6 Flow Specification peer relationship between the Flow RR and traffic analysis server and between the Flow RR and every network ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } reflect-client

      An IPv6 Flow RR and a client are configured.

      The router on which the peer reflect-client command is run is configured as a Flow RR, and each network ingress and traffic analysis server need to be configured as clients.

    5. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      If the clients of a Flow RR are fully meshed, you can run the undo reflect between-clients command on the Flow RR to disable route reflection between clients through the RR, which reduces costs.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If a cluster has multiple Flow RRs, run this command to set the same cluster ID for these RRs.

      The reflector cluster-id command applies only to RRs.

    7. Run commit

      The configuration is committed.

  3. (Optional) Disable BGP IPv6 Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } validation-disable

      The authentication of BGP IPv6 Flow Specification routes received from a specified peer is disabled.

    5. Run commit

      The configuration is committed.

  4. (Optional) Enable CAR and packet loss statistics collection for BGP Flow Specification.
    1. Run flowspec statistic enable

      CAR and packet loss statistics collection is enabled for BGP Flow Specification.

    2. Run commit

      The configuration is committed.

  5. (Optional) Disable BGP Flow Specification on the interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.

      If BGP Flow Specification does not need to be disabled on sub-interfaces, run the flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to disable BGP Flow Specification only on the main interface.

    4. Run commit

      The configuration is committed.

  6. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled.

    3. Run commit

      The configuration is committed.

  7. (Optional) Configure the device to redirect traffic to a specified IPv6 next hop after receiving a BGP IPv6 Flow Specification route from a peer.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } redirect ipv6 recursive-lookup ip

      The device is configured to redirect traffic to a specified IPv6 next hop after receiving a BGP IPv6 Flow Specification route from a peer.

    5. Run commit

      The configuration is committed.

  8. (Optional) Allow the device to recurse the BGP IPv6 Flow Specification routes received from a peer to a tunnel.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } redirect ipv6 recursive-lookup tunnel tunnel-selector tunnel-selector-name

      The device is allowed to recurse the BGP IPv6 Flow Specification routes received from a peer to a tunnel.

    5. Run commit

      The configuration is committed.

  9. (Optional) Disable the device from validating the redirection next-hop attribute carried in the routes that are received from an EBGP peer.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } redirect ipv6 validation-disable

      The device is disabled from validating the redirection next-hop attribute carried in the routes that are received from the specified EBGP peer.

    5. Run commit

      The configuration is committed.
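
An added example (not Huawei's code): a Python check that scans a saved configuration for the optional settings from steps 3, 5, 6 and 9 that switch off a validation or protection, so they can be reviewed after a change. The sample configuration, AS number, addresses and interface name are constructed, and the one-space indentation of nested views is an assumption about the saved-configuration layout.

```python
import re

# Commands from the procedure above that switch off a check or protection.
PEER_RULES = [
    (r"^peer \S+ redirect ipv6 validation-disable$", "redirect next-hop validation disabled"),
    (r"^peer \S+ validation-disable$", "Flow Specification route validation disabled"),
]
IFACE_RULE = r"^flowspec disable\b"
PROTECT_RULE = r"^flowspec protocol-protect (ipv4|ipv6) disable$"

# Constructed sample; the one-space-per-level indentation is an assumption.
SAMPLE = """\
flowspec protocol-protect ipv6 disable
#
interface GigabitEthernet0/1/0
 flowspec disable ipv6 sub-port-exclude
#
bgp 100
 ipv4-family flow
  peer 10.1.1.1 validation-disable
 ipv6-family flow
  peer 2001:DB8:2::2 enable
  peer 2001:DB8:2::2 validation-disable
  peer 2001:DB8:2::2 redirect ipv6 validation-disable
"""


def audit_flowspec(config_text):
    """Return (view, command, reason) for every relaxed setting found."""
    findings, top, family = [], "", ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # a new top-level view starts here
            top, family = line, ""
            if re.match(PROTECT_RULE, line):
                findings.append(("system", line, "BGP FlowSpec protection disabled"))
        elif top.startswith("bgp ") and indent == 1:
            family = line if "-family" in line else ""
        elif top.startswith("bgp ") and family == "ipv6-family flow":
            findings += [(family, line, why) for rule, why in PEER_RULES if re.match(rule, line)]
        elif top.startswith("interface ") and re.match(IFACE_RULE, line):
            findings.append((top, line, "BGP Flow Specification disabled on interface"))
    return findings

if __name__ == "__main__":
    print(*audit_flowspec(SAMPLE), sep="\n")
```

Peer settings are reported only inside the ipv6-family flow view, so the same command under another address family is not counted.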

Verifying the Configuration

After configuring the dynamic BGP IPv6 Flow Specification function, verify the configuration.

  • Run the display bgp flow ipv6 peer command to check information about BGP IPv6 Flow Specification peers.

  • Run the display bgp flow ipv6 routing-table command to check information about BGP IPv6 Flow Specification routes.

  • Run the display bgp flow ipv6 routing-table statistics command to check statistics about BGP IPv6 Flow Specification routes.

  • Run the display flowspec ipv6 rule reindex-value slot slot-id command to check information about combined rules in the BGP IPv6 Flow Specification route rule table.

  • Run the display flowspec ipv6 rule statistics slot slot-id command to check statistics about the BGP IPv6 Flow Specification route rules that have taken effect.

Copyright © Huawei Technologies Co., Ltd.