Configuring Dynamic BGP VPN Flow Specification

In VPNs, BGP Flow Specification routes are generated by a traffic analysis server in dynamic BGP VPN Flow Specification.

Usage Scenario

When deploying dynamic BGP VPN Flow Specification, a BGP VPN Flow Specification peer relationship needs to be established between the traffic analysis server and each ingress of the network to transmit BGP VPN Flow Specification routes.

In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be deployed to reduce the number of BGP VPN Flow Specification peer relationships and save CPU resources.

If you want to filter traffic based on the address prefix but the BGP VPN Flow Specification route carrying the filtering rule cannot be authenticated, disable the authentication of BGP VPN Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring dynamic BGP VPN Flow Specification, configure a VPN instance and bind interfaces to a VPN instance.

Procedure

  1. Establish a BGP VPN Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run vpn-instance vpn-instance-name

      A BGP-VPN instance is created, and its view is displayed.

    4. Run peer ipv4-address as-number as-number

      An IP address and AS number are specified for the peer.

    5. Run quit

      Return to the previous view.

    6. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family is enabled, and its view is displayed.

    7. Run peer ipv4-address enable

      A BGP VPN Flow Specification peer relationship is established.

      After the BGP VPN Flow Specification peer relationship is established BGP-Flow VPN instance IPv4 address family view, the BGP VPN Flow Specification route generated by the traffic analysis server is imported to the BGP routing table and then sent to the peer.

    8. Run commit

      The configuration is committed.

  2. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP VPN Flow Specification peer relationship between the Flow RR with the traffic analysis server and every ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run peer ipv4-address reflect-client

      A Flow RR and its client are configured.

      The router on which the peer reflect-client command is run functions as the Flow RR, and its peers function as clients.

    5. (Optional) Run undo reflect between-clients

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR have established full-mesh connections with each other, run the undo reflect between-clients command to disable route reflection between these clients through the RR. This can reduce the link cost.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If there are multiple Flow RRs in a cluster, use this command to set the same cluster ID for these Flow RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  3. (Optional) Add the AS_Path attribute as a check item to BGP VPN Flow Specification route verification rules.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run route validation-mode include-as

      The AS_Path attribute is added as a check item to BGP VPN Flow Specification route verification rules.

      BGP Flow Specification routes are verified as follows:
      • Mode 1: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route according to Figure 1. The route is considered valid only if the verification succeeds.
      • Mode 2: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route by checking whether the AS_Path attribute of the route carries the AS_Set or AS_Sequence field. The route is considered valid only if its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
      If the route validation-mode include-as command is run on a device, the device first uses mode 2 to verify BGP Flow Specification routes.
      • If the verification using mode 2 succeeds, the BGP Flow Specification route is considered valid, and the device no longer verifies the routes using mode 1.
      • If the verification using mode 2 fails, the device verifies the routes using mode 1.
      If the route validation-mode include-as command is not run on a device, the device uses mode 1 to verify BGP Flow Specification routes.
      Figure 1 BGP Flow Specification route verification rules

    5. Run commit

      The configuration is committed.

  4. (Optional) Disable BGP VPN Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run peer ipv4-address validation-disable

      The device is disabled from authenticating BGP VPN Flow Specification routes received from a specified peer.

    5. Run commit

      The configuration is committed.

  5. (Optional) Disable the device from validating the routes that carry a redirection extended community attribute and are received from a specified EBGP peer.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run peer ipv4-address redirect ip validation-disable

      The device is disabled from validating the routes that carry a redirection extended community attribute and are received from a specified EBGP peer.

    5. Run commit

      The configuration is committed.

  6. (Optional) Set the redirection next-hop attribute ID for BGP VPN Flow Specification routes.

    The redirection next-hop attribute ID can be 0x010C (ID defined in a relevant RFC) or 0x0800 (ID defined in a relevant draft). If a Huawei device needs to communicate with a non-Huawei device that does not support the redirection next-hop attribute ID of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP VPN Flow Specification routes as required.

    • Set the redirection next-hop attribute ID to 0x010C (ID defined in a relevant RFC) for BGP VPN Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpn-instance vpn-instance-name

        The BGP-Flow VPN instance IPv4 address family view is displayed.

      4. Run peer ipv4-address redirect ip rfc-compatible

        The redirection next-hop attribute ID is set to 0x010C (ID defined in a relevant RFC) for BGP VPN Flow Specification routes.

      5. Run commit

        The configuration is committed.

    • Set the redirection next-hop attribute ID to 0x0800 (ID defined in a relevant draft) for BGP VPN Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpn-instance vpn-instance-name

        The BGP-Flow VPN instance IPv4 address family view is displayed.

      4. Run peer ipv4-address redirect ip draft-compatible

        The redirection next-hop attribute ID is set to 0x0800 (ID defined in a relevant draft) for BGP VPN Flow Specification routes.

      5. Run commit

        The configuration is committed.

  7. (Optional) Enable the CAR statistics and packet loss statistics function for BGP Flow Specification.
    1. Run flowspec statistic enable

      Enable the CAR statistics and packet loss statistics function for BGP Flow Specification.

    2. Run commit

      The configuration is committed.

  8. (Optional) Disable BGP Flow Specification on the interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.

      If BGP Flow Specification does not need to be disabled on sub-interfaces, run the flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to disable BGP Flow Specification only on the main interface.

    4. Run commit

      The configuration is committed.

  9. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled.

    3. Run commit

      The configuration is committed.

  10. (Optional) Enable BGP Flow Specification IPv4 fragmentation rules to comply with RFC 5575.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec ipv4-fragment-rule switch

      BGP Flow Specification IPv4 fragmentation rules are enabled to comply with RFC 5575.

    3. Run commit

      The configuration is committed.

Checking the Configurations

When the preceding configuration is complete, you can run the following commands to verify the configurations.

  • Run the display bgp flow vpnv4 vpn-instance vpn-instance-name peer [ [ ipv4-address ] verbose ] command to check information about BGP VPN Flow Specification peers.

  • Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-table command to check information about BGP VPN Flow Specification routes.

  • Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-table [ peer ipv4-address { advertised-routes | received-routes [ active ] } ] statistics command to check statistics about BGP VPN Flow Specification routes.

  • Run the display flowspec rule reindex-value slot slot-id command to check information about combined rules in the BGP FlowSpec local rule table.
  • Run the display flowspec rule statistics slot slot-id command to check statistics about the rules for BGP FlowSpe routes to take effect.
Parent Topic: BGP Flow Specification Configuration
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >