Configuring Static BGP IPv6 Flow Specification

Static BGP IPv6 Flow Specification allows BGP IPv6 Flow Specification routes to be manually created to control traffic.

Usage Scenario

Before deploying static BGP IPv6 Flow Specification, you need to manually create a BGP IPv6 Flow Specification route and establish a BGP IPv6 Flow Specification peer relationship between the device on which the BGP Flow Specification route is created and each ingress on the network to transmit BGP IPv6 Flow Specification routes.

In an AS with multiple ingresses, a BGP IPv6 Flow route reflector (Flow RR) can be deployed to reduce the number of BGP IPv6 Flow Specification peer relationships and save network resources.

If you want to filter traffic based on the address prefix but the BGP IPv6 Flow Specification route carrying the filtering rule fails the authentication, disable the authentication of BGP IPv6 Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring static BGP IPv6 Flow Specification, complete the following task:

Procedure

  1. Generate a BGP IPv6 Flow Specification route manually.
    1. Run system-view

      The system view is displayed.

    2. Run flow-route flowroute-name ipv6

      A static BGP IPv6 Flow Specification route is created, and the Flow-Route-IPv6 view is displayed.

      One BGP IPv6 Flow Specification route can include multiple if-match and apply clauses. If-match clauses define traffic filtering rules, and apply clauses define traffic behaviors. The relationships between the clauses are as follows:
      • The relationship between multiple if-match clauses of different types is AND.

      • If multiple if-match clauses of the same type are configured, some rules override each other, and the relationship among other rules is OR. For details, see the precautions for the if-match command.

      • The relationship between traffic behaviors defined by apply clauses is AND.

      The traffic behaviors defined by apply clauses apply to all traffic matching the filtering rules of if-match clauses.

    3. Based on the characteristics of the traffic to be controlled, choose one or more of the following If-match clauses to filter traffic:

      • To filter traffic based on the destination IPv6 address, run the if-match destination ipv6-address ipv6-mask-length command.

        If traffic must be filtered based on a destination IP address but the BGP IPv6 Flow Specification route carrying the rule defined by the if-match destination command fails the authentication, run the peer validation-disable command to disable the authentication of BGP IPv6 Flow Specification routes received from that peer.

        By default, 0::0/0 is used as the prefix of each BGP IPv6 Flow Specification route that matches the export or import policy of a peer. To enable a device to change the prefix of each BGP IPv6 Flow Specification route that matches the export or import policy configured for a peer to the destination IP address specified in the if-match destination command, run the route match-destination command.

      • To filter traffic based on the source IPv6 address, run the if-match source ipv6-address ipv6-mask-length command.

      • To set a port number-based traffic filtering rule, run the if-match port { greater-than | less-than | equal } port or if-match port greater-than port less-than upper-port-value command.

      • To set a source port number-based traffic filtering rule, run the if-match source-port { greater-than | less-than | equal } port or if-match source-port greater-than source-port less-than upper-source-port-value command.

      • To set a destination port number-based traffic filtering rule, run the if-match destination-port { greater-than | less-than | equal } port or if-match destination-port greater-than port less-than upper-port-value command.

      • To set a protocol-based traffic filtering rule, run the if-match protocol { greater-than | less-than | equal } protocol or if-match protocol greater-than protocol less-than upper-protocol-value command.

      • To set a DSCP-based traffic filtering rule, run the if-match dscp { greater-than | less-than | equal } dscp or if-match dscp greater-than dscp less-than upper-dscp-value command.

      • To set a TCP-flag value-based traffic filtering rule, run the if-match tcp-flags { match | not | any-match } tcp-flags command.

        Network attackers may send a large number of invalid TCP packets to attack network devices. To control invalid TCP packets to ensure communication security, configure a filtering rule based on the TCP flag for the BGP IPv6 Flow Specification route using the if-match tcp-flags command. Traffic matching the TCP flag is filtered or controlled using the actions specified in the apply clauses.

      • To filter traffic based on the packet fragment type, run the if-match fragment-type { match | not } fragment-type-name command.

      • To set an ICMP message code-based traffic filtering rule, run the if-match icmp-code { greater-than | less-than | equal } icmp-code or if-match icmp-code greater-than icmp-code less-than upper-icmp-code-value command.

      • To set an ICMP message type-based traffic filtering rule, run the if-match icmp-type { greater-than | less-than | equal } icmp-type or if-match icmp-type greater-than icmp-type less-than upper-icmp-type-value command.

      • To set a filtering rule based on the packet length of a BGP IPv6 Flow Specification route, run the if-match packet-length { greater-than | less-than | equal } packet-length-value or if-match packet-length greater-than packet-length-value less-than upper-packet-length-value command.

      After you run the flow-route flowroute-name ipv6 command, the if-match dscp and if-match packet-length commands cannot be run manually, and a prompt message is displayed if you try. If these commands are delivered dynamically, they are executed successfully but do not take effect.

    4. Run the following command as required to configure actions for apply clauses:

      • To discard the matching traffic, run the apply deny command.

      • To redirect the matching traffic to the traffic cleaning device or blackhole, run the apply redirect vpn-target vpn-target-import command.

      • To re-mark the service class of the matching traffic, run the apply remark-dscp command.

      • To limit the rate of the matching traffic, run the apply traffic-rate command.

      • To implement sampling for the matching traffic, run the apply traffic-action sample command.

        You can run the apply traffic-action sample command for a BGP IPv6 Flow Specification route to sample the traffic that matches the specified filtering rules. Through sampling, abnormal traffic can be identified and filtered out, which protects the attacked device and improves network security.

      • To redirect matched traffic to the specified next hop IPv6 address, run the apply redirect ipv6 redirectIPv6RT [ color colorValue [ prefix-sid prefix-sid-value ] ] command.

        The apply redirect ipv6 redirectIPv6RT command must be used together with the local-route redirect ipv6 recursive-lookup ip command so that matched traffic can be redirected to the specified next hop IPv6 address. The apply redirect ipv6 redirectIPv6RT color colorValue prefix-sid prefix-sid-value command must be used together with the local-route redirect ipv6 recursive-lookup tunnel tunnel-selector tunnel-selector-name command to trigger tunnel recursion.

      The apply deny and apply traffic-rate commands are mutually exclusive.

      If the configured BGP IPv6 Flow Specification route attribute does not need to take effect locally, run the routing-table rib-only [ route-policy route-policy-name | route-filter route-filter-name ] command to disable the device from delivering the BGP IPv6 Flow Specification route to the FES forwarding table.

    5. Run commit

      The configuration is committed.

  2. Establish a BGP IPv6 Flow Specification peer relationship.

    BGP IPv6 Flow Specification peer relationships must be established between the network ingress and device on which the BGP IPv6 Flow Specification route is manually created.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } enable

      A BGP IPv6 Flow Specification peer relationship is established.

      After the BGP IPv6 Flow Specification peer relationship is established in the BGP-Flow-IPv6 address family view, the manually generated BGP Flow Specification route is automatically imported to the BGP routing table and then sent to the peer.

    5. Run commit

      The configuration is committed.

  3. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP IPv6 Flow Specification peer relationship between the Flow RR and the device on which the BGP IPv6 Flow Specification route is generated and between the Flow RR and every network ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } reflect-client

      A Flow RR is configured, and a client is specified for it.

      The router configured with the peer reflect-client command functions as a Flow RR, and the specified peer functions as a client.

    5. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      If the clients of a Flow RR are fully meshed, you can run the undo reflect between-clients command on the Flow RR to disable route reflection between clients through the RR, which reduces costs.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If a cluster has multiple Flow RRs, run this command to set the same cluster-id for these RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  4. (Optional) Disable BGP IPv6 Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run peer ipv6-address validation-disable

      The device is disabled from authenticating BGP IPv6 Flow Specification routes received from a specified peer.

    5. Run commit

      The configuration is committed.

  5. (Optional) Enable CAR and packet loss statistics collection for BGP Flow Specification.
    1. Run flowspec statistic enable

      CAR and packet loss statistics collection is configured for BGP Flow Specification.

    2. Run commit

      The configuration is committed.

  6. (Optional) Disable BGP Flow Specification on the interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.

      If BGP Flow Specification does not need to be disabled on sub-interfaces, run the flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to disable BGP Flow Specification only on the main interface.

    4. Run commit

      The configuration is committed.

  7. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled.

    3. Run commit

      The configuration is committed.

  8. (Optional) Configure the device to redirect traffic to a specified IPv6 next hop based on a static BGP IPv6 Flow Specification route.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run local-route redirect ipv6 recursive-lookup ip

      The device is configured to redirect traffic to a specified IPv6 next hop based on a static BGP IPv6 Flow Specification route.

    5. Run commit

      The configuration is committed.

  9. (Optional) Allow the device to recurse static BGP IPv6 Flow Specification routes to tunnels.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family flow

      The BGP-Flow-IPv6 address family view is displayed.

    4. Run local-route redirect ipv6 recursive-lookup tunnel tunnel-selector tunnel-selector-name

      The device is allowed to recurse static BGP IPv6 Flow Specification routes to tunnels.

    5. Run commit

      The configuration is committed.
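The clause relationships stated in step 1 (AND across if-match clauses of different types, OR among clauses of the same type, AND across apply actions, and the mutual exclusion of apply deny and apply traffic-rate) decide which traffic a flow-route acts on, so it is worth checking a rule against sample packets before committing it. The following Python model is an added example, not Huawei code or device output: the names FlowRoute, Packet and matching_routes are hypothetical, the TCP flag bit values, sample rules and packets are constructed, and three behaviours are assumptions rather than statements of the page (the two-sided greater-than X less-than Y form is treated as an exclusive range, the plain port clause matches either the source or the destination port, and tcp-flags match / not / any-match are modelled as all listed flags set / none set / at least one set).

```python
# Toy model of static BGP IPv6 Flow Specification matching (constructed example,
# not Huawei code). Encodes: AND across if-match types, OR within a type,
# AND across apply actions, apply deny and apply traffic-rate mutually exclusive.
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Callable, Dict, List, Optional

# Constructed TCP flag bit values for the toy tcp-flags matcher.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


@dataclass
class Packet:
    """Header fields inspected by the if-match clauses on this page."""
    src: str
    dst: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: int = 0
    dscp: int = 0
    packet_length: int = 0


# Assumption: the plain "port" clause matches either the source or the destination port.
FIELD_GETTERS = {
    "port": lambda p: (p.src_port, p.dst_port),
    "source-port": lambda p: (p.src_port,),
    "destination-port": lambda p: (p.dst_port,),
    "protocol": lambda p: (p.protocol,),
    "dscp": lambda p: (p.dscp,),
    "packet-length": lambda p: (p.packet_length,),
}


def _numeric_pred(op: str, value: int, upper: Optional[int]) -> Callable[[int], bool]:
    """Predicate for the numeric if-match forms (one-sided, or greater-than X less-than Y).
    Assumption: both bounds of the two-sided form are exclusive, like the one-sided forms."""
    if upper is not None:
        return lambda v: value < v < upper
    return {"greater-than": lambda v: v > value,
            "less-than": lambda v: v < value,
            "equal": lambda v: v == value}[op]


@dataclass
class FlowRoute:
    """One flow-route: if-match predicates grouped by clause type, plus apply actions."""
    name: str
    clauses: Dict[str, List[Callable[[Packet], bool]]] = field(default_factory=dict)
    actions: Dict[str, object] = field(default_factory=dict)

    def if_match(self, kind: str, op: Optional[str], value, upper: Optional[int] = None):
        if kind in ("source", "destination"):
            net = IPv6Network(value, strict=False)
            attr = "src" if kind == "source" else "dst"
            pred = lambda p: IPv6Address(getattr(p, attr)) in net
        elif kind == "tcp-flags":
            # Assumption: match = all listed flags set, not = none set, any-match = any set.
            mask = sum(TCP_FLAGS[f] for f in value)
            pred = {"match": lambda p: p.tcp_flags & mask == mask,
                    "not": lambda p: p.tcp_flags & mask == 0,
                    "any-match": lambda p: p.tcp_flags & mask != 0}[op]
        else:
            num, get = _numeric_pred(op, value, upper), FIELD_GETTERS[kind]
            pred = lambda p: any(num(v) for v in get(p))
        self.clauses.setdefault(kind, []).append(pred)   # same type: OR
        return self

    def apply(self, action: str, value=True):
        # The page states that apply deny and apply traffic-rate are mutually exclusive.
        if {action, *self.actions} >= {"deny", "traffic-rate"}:
            raise ValueError(f"{self.name}: apply deny and apply traffic-rate are mutually exclusive")
        self.actions[action] = value
        return self

    def matches(self, pkt: Packet) -> bool:
        # OR among clauses of one type, AND across different types.
        return all(any(pred(pkt) for pred in preds) for preds in self.clauses.values())


def matching_routes(routes: List[FlowRoute], pkt: Packet) -> List[str]:
    """Names of the flow-routes whose if-match clauses all match the packet."""
    return [r.name for r in routes if r.matches(pkt)]


# Constructed rules: rate-limit TCP SYNs to a web prefix on port 80 or 443, and
# drop oversized UDP replies from port 53 (a DNS amplification signature).
SYN_LIMIT = (FlowRoute("syn-limit")
             .if_match("destination", None, "2001:db8:10::/64")
             .if_match("protocol", "equal", 6)
             .if_match("destination-port", "equal", 80)
             .if_match("destination-port", "equal", 443)   # same type as above: OR
             .if_match("tcp-flags", "match", ["syn"])
             .apply("traffic-rate", 1000000))              # constructed rate value
DNS_AMP = (FlowRoute("dns-amp-drop")
           .if_match("protocol", "equal", 17)
           .if_match("source-port", "equal", 53)
           .if_match("packet-length", "greater-than", 512, upper=1500)
           .apply("deny"))
ROUTES = [SYN_LIMIT, DNS_AMP]
```

A SYN to 2001:db8:10::80 port 443 matches syn-limit (the two destination-port clauses are ORed, the other types are ANDed), a SYN to port 22 matches nothing, and a 1200-byte UDP datagram from port 53 matches dns-amp-drop but not syn-limit because its protocol clause fails. Trying to add apply traffic-rate to a flow-route that already has apply deny raises ValueError, mirroring the mutual exclusion stated in step 1.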

Verifying the Configuration

After configuring static BGP IPv6 Flow Specification, verify the configuration.

  • Run the display bgp flow ipv6 peer command to check information about the BGP IPv6 Flow Specification peer.

  • Run the display bgp flow ipv6 routing-table command to check information about BGP IPv6 Flow Specification routes.

  • Run the display bgp flow ipv6 routing-table statistics command to check statistics about BGP IPv6 Flow Specification routes.

  • Run the display flowspec ipv6 statistics reIndex command to check statistics about traffic matching a filtering rule in a BGP IPv6 Flow Specification route.

  • Run the display flowspec ipv6 rule reindex-value slot slot-id command to check information about combined rules in the BGP IPv6 Flow Specification route rule table.

  • Run the display flowspec ipv6 rule statistics slot slot-id command to check statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
Copyright © Huawei Technologies Co., Ltd.