Configuring Static BGP VPN Flow Specification

In static BGP VPN Flow Specification, BGP VPN Flow Specification routes are generated manually to control traffic within a VPN.

Usage Scenario

When deploying static BGP VPN Flow Specification, a BGP VPN Flow Specification route must be generated manually, and a BGP VPN Flow Specification peer relationship must be established between the device that generates the route and each ingress in the network so that the route can be transmitted to the ingresses.

In an AS with multiple ingresses, a BGP VPN Flow route reflector (Flow RR) can be deployed to reduce the number of BGP VPN Flow Specification peer relationships and save network resources.

If you want to filter traffic based on the address prefix but the BGP VPN Flow Specification route carrying the filtering rule cannot be authenticated, disable the authentication of BGP VPN Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring static BGP VPN Flow Specification, configure a VPN instance and bind interfaces to a VPN instance.

Procedure

  1. Generate a BGP VPN Flow Specification route manually.
    1. Run system-view

      The system view is displayed.

    2. Run flow-route flowroute-name vpn-instance vpn-instance-name

      A static BGP VPN Flow Specification route is created, and the Flow-Route VPN instance view is displayed.

      One BGP VPN Flow Specification route can include multiple if-match and apply clauses. if-match clauses define traffic filtering rules, and apply clauses define traffic behaviors. The relationships among clauses are as follows:
      • The relationship among if-match clauses of different types is "AND."

      • If multiple if-match clauses of the same type are configured, some rules override each other, and the relationship among other rules is OR. For details, see the precautions for the if-match command.

      • The relationship among the traffic behaviors defined by apply clauses is "AND."

      The traffic behaviors defined by apply clauses apply to all traffic matching the filtering rules of if-match clauses.

    3. Based on the characteristics of the traffic to be controlled, choose one or more if-match clauses as the filtering rule.

      • To set a destination address-based traffic filtering rule, run the if-match destination ipv4-address { mask | mask-length } command.

        If the BGP VPN Flow Specification route carrying a filtering rule specified by the if-match destination command fails to be authenticated by the remote BGP VPN Flow Specification peer, run the peer validation-disable command to cancel the authentication.

        By default, 0.0.0.0/0 is used as the prefix of each BGP VPN Flow Specification route that matches the export or import policy of a peer. To enable a device to change the prefix of each BGP VPN Flow Specification route that matches the export or import policy of a peer to the destination IP address specified in the if-match destination command, run the route match-destination command.

      • To configure a filtering rule based on the source address, run the if-match source ipv4-address { mask | mask-length } command.
      • To set a port number-based traffic filtering rule, run the if-match port { greater-than | less-than | equal } port or if-match port greater-than port less-than upper-port-value command.
      • To set a source port number-based traffic filtering rule, run the if-match source-port { greater-than | less-than | equal } port or if-match source-port greater-than source-port less-than upper-source-port-value command.
      • To set a destination port number-based traffic filtering rule, run the if-match destination-port { greater-than | less-than | equal } port or if-match destination-port greater-than port less-than upper-port-value command.
      • To set a protocol-based traffic filtering rule, run the if-match protocol { greater-than | less-than | equal } protocol or if-match protocol greater-than protocol less-than upper-protocol-value command.

      • To set a DSCP-based traffic filtering rule, run the if-match dscp { greater-than | less-than | equal } dscp or if-match dscp greater-than dscp less-than upper-dscp-value command.

      • To set a TCP-flag value-based traffic filtering rule, run the if-match tcp-flags { match | not | any-match } tcp-flags command.

        Network attackers may send a large number of invalid TCP packets to attack network devices. To control such packets and ensure communication security, configure a TCP flag-based filtering rule for the BGP VPN Flow Specification route using the if-match tcp-flags command. Traffic matching the TCP flag is then filtered or controlled using the actions specified in the apply clauses.

      • To configure a filtering rule based on the fragment type, run the if-match fragment-type { match | not } fragment-type-name command.

      • To set an ICMP message code-based traffic filtering rule, run the if-match icmp-code { greater-than | less-than | equal } icmp-code or if-match icmp-code greater-than icmp-code less-than upper-icmp-code-value command.

      • To set an ICMP message type-based traffic filtering rule, run the if-match icmp-type { greater-than | less-than | equal } icmp-type or if-match icmp-type greater-than icmp-type less-than upper-icmp-type-value command.

      • To set a filtering rule based on the packet length of a BGP VPN Flow Specification route, run the if-match packet-length { greater-than | less-than | equal } packet-length-value or if-match packet-length greater-than packet-length-value less-than upper-packet-length-value command.

    4. Run the following command as required to configure actions for apply clauses:

      • To discard the matching traffic, run the apply deny command.

      • To redirect the matching traffic to a traffic cleaning device or a black hole, run the apply redirect { vpn-target vpn-target-import | ip redirect-ip-rt } command.

        The device can process the redirection next-hop attribute, which is configured using the apply redirect ip redirect-ip-rt command and received from a peer, only after the peer redirect ip command is run.

      • To re-mark the service class of the matching traffic, run the apply remark-dscp command.

      • To limit the rate of the matching traffic, run the apply traffic-rate command.

      • To implement sampling for the matching traffic, run the apply traffic-action sample command.

        You can run the apply traffic-action sample command for a BGP VPN Flow Specification route to sample the traffic that matches the specified filtering rules. Through sampling, abnormal traffic can be identified and filtered out, which protects the attacked device and improves network security.

      The apply deny and apply traffic-rate commands are mutually exclusive.

      If the configured BGP VPN Flow Specification route attribute does not need to take effect locally, run the routing-table rib-only [ route-policy route-policy-name | route-filter route-filter-name ] command to disable the device from delivering the BGP VPN Flow Specification route to the FES forwarding table.

    5. Run commit

      The configuration is committed.

  2. Establish a BGP VPN Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run vpn-instance vpn-instance-name

      A BGP-VPN instance is created, and its view is displayed.

    4. Run peer ipv4-address as-number as-number

      An IP address and AS number are specified for the peer.

    5. Run quit

      Return to the previous view.

    6. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family is enabled, and its view is displayed.

    7. Run peer ipv4-address enable

      A BGP VPN Flow Specification peer is specified.

      After the BGP VPN Flow Specification peer relationship is established in the BGP-Flow VPN instance IPv4 address family view, the BGP VPN Flow Specification route generated by the traffic analysis server is imported automatically to the BGP routing table and then sent to the peer.

    8. Run commit

      The configuration is committed.
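The following is an added example, constructed for this page rather than taken from Huawei's own sample configurations, that puts steps 1 and 2 together on the device that generates the routes. It creates two static BGP VPN Flow Specification routes in VPN instance vpna (one rate-limiting TCP SYN segments sent to a web server, one discarding fragments sent to the server subnet) and then establishes the BGP VPN Flow Specification peer relationship with one network ingress. The device addresses, AS number 100, the VPN instance name vpna, the flow-route names, the traffic-rate value and the keyword spellings syn and is-fragment are assumptions; confirm them against the command reference for your software version. The # lines are annotations, not commands.

```text
# Constructed example: route-generating device in AS 100, VPN instance vpna.
# All names, addresses and values are assumed; '#' lines are annotations, not commands.
system-view

# Step 1, route 1: rate-limit TCP SYN segments to web server 10.1.1.10.
# if-match clauses of different types are ANDed, so all four conditions must hold.
flow-route limit-syn vpn-instance vpna
 if-match destination 10.1.1.10 32
 if-match protocol equal 6
 if-match destination-port equal 80
 if-match tcp-flags match syn
 apply traffic-rate 1000
 commit
 quit

# Step 1, route 2: discard every fragment destined for the 10.1.1.0/24 server subnet.
# apply deny and apply traffic-rate are mutually exclusive, so this is a separate flow-route.
flow-route drop-fragments vpn-instance vpna
 if-match destination 10.1.1.0 24
 if-match fragment-type match is-fragment
 apply deny
 commit
 quit

# Step 2: IBGP peer 10.0.0.2 (an ingress) in the BGP-VPN instance, then enable it in the
# BGP-Flow VPN instance IPv4 address family so the two routes above are advertised to it.
bgp 100
 vpn-instance vpna
  peer 10.0.0.2 as-number 100
  quit
 ipv4-flow vpn-instance vpna
  peer 10.0.0.2 enable
  commit
  quit
 quit

# Confirm what was advertised to the ingress.
display bgp flow vpnv4 vpn-instance vpna routing-table peer 10.0.0.2 advertised-routes statistics
```

If the ingress rejects the if-match destination routes because they fail validation (under the RFC 5575 rule, the peer advertising a Flow Specification route must also be the originator of the best unicast route for that destination prefix), the optional "Disable BGP VPN Flow Specification route authentication" step applies peer validation-disable on the ingress for the generating peer. Scope it to that one trusted peer only: it removes the check that stops any other peer from injecting filters for prefixes it does not own.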

  3. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP VPN Flow Specification peer relationship between the Flow RR and the device on which the BGP VPN Flow Specification route is generated, and between the Flow RR and every network ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run peer ipv4-address reflect-client

      A Flow RR is configured, and a client is specified for it.

      The router configured with the peer reflect-client command functions as a Flow RR and the specified peer functions as a client.

    5. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR are fully meshed, you can run the undo reflect between-clients command on the Flow RR to disable route reflection between clients through the RR, which reduces costs.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If a cluster has multiple Flow RRs, run this command to set the same cluster ID for these RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.
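The Flow RR side of step 3, as an added example constructed for this page (not a Huawei sample configuration): the RR in AS 100 peers with the route-generating device 10.0.0.1 and two network ingresses 10.0.0.3 and 10.0.0.4 in VPN instance vpna, enables all three in the BGP-Flow VPN instance IPv4 address family, declares them as clients, and sets a cluster ID. The addresses, the AS number, the VPN instance name and the cluster ID value are assumptions; the # lines are annotations, not commands.

```text
# Constructed example: Flow RR in AS 100 for VPN instance vpna (names and addresses assumed).
# Clients: 10.0.0.1 (route-generating device), 10.0.0.3 and 10.0.0.4 (network ingresses).
system-view
bgp 100
 vpn-instance vpna
  peer 10.0.0.1 as-number 100
  peer 10.0.0.3 as-number 100
  peer 10.0.0.4 as-number 100
  quit
 ipv4-flow vpn-instance vpna
  # Establish the BGP VPN Flow Specification peer relationships first.
  peer 10.0.0.1 enable
  peer 10.0.0.3 enable
  peer 10.0.0.4 enable
  # Make every peer a client: routes learned from 10.0.0.1 are reflected to the ingresses,
  # so each ingress needs only one session (to the RR) instead of one per generating device.
  peer 10.0.0.1 reflect-client
  peer 10.0.0.3 reflect-client
  peer 10.0.0.4 reflect-client
  # Same cluster ID on every Flow RR in this cluster (value assumed).
  reflector cluster-id 1.1.1.1
  commit
  quit
 quit

# All three peers should be listed.
display bgp flow vpnv4 vpn-instance vpna peer
```

undo reflect between-clients is deliberately not applied here: the ingresses depend on the RR to receive routes that client 10.0.0.1 originates, so reflection between clients must stay enabled. Use it only when the clients are fully meshed with one another, as the optional sub-step above states.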

  4. (Optional) Add the AS_Path attribute as a check item to BGP VPN Flow Specification route verification rules.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run route validation-mode include-as

      The AS_Path attribute is added as a check item to BGP VPN Flow Specification route verification rules.

      BGP Flow Specification routes are verified as follows:

      • Mode 1: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route according to Figure 1. The route is considered valid only if the verification succeeds.

      • Mode 2: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route by checking whether the AS_Path attribute of the route carries the AS_Set or AS_Sequence field. The route is considered valid only if its AS_Path attribute does not carry the AS_Set or AS_Sequence field.

      If the route validation-mode include-as command is run on a device, the device first uses mode 2 to verify BGP Flow Specification routes.

      • If the verification using mode 2 succeeds, the BGP Flow Specification route is considered valid, and the device no longer verifies the route using mode 1.

      • If the verification using mode 2 fails, the device verifies the route using mode 1.

      If the route validation-mode include-as command is not run on a device, the device uses mode 1 to verify BGP Flow Specification routes.

      Figure 1 BGP Flow Specification route verification rules

    5. Run commit

      The configuration is committed.

  5. (Optional) Disable BGP VPN Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run peer ipv4-address validation-disable

      The device is disabled from authenticating BGP VPN Flow Specification routes received from a specified peer.

    5. Run commit

      The configuration is committed.

  6. (Optional) Disable the device from validating the routes that carry a redirection extended community attribute and are received from a specified EBGP peer.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv4 address family view is displayed.

    4. Run peer ipv4-address redirect ip validation-disable

      The device is disabled from validating the routes that carry a redirection extended community attribute and are received from a specified EBGP peer.

    5. Run commit

      The configuration is committed.

  7. (Optional) Set the redirection next-hop attribute ID for BGP VPN Flow Specification routes.

    The redirection next-hop attribute ID can be 0x010C (ID defined in a relevant RFC) or 0x0800 (ID defined in a relevant draft). If a Huawei device needs to communicate with a non-Huawei device that does not support the redirection next-hop attribute ID of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP VPN Flow Specification routes as required.

    • Set the redirection next-hop attribute ID to 0x010C (ID defined in a relevant RFC) for BGP VPN Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpn-instance vpn-instance-name

        The BGP-Flow VPN instance IPv4 address family view is displayed.

      4. Run peer ipv4-address redirect ip rfc-compatible

        The redirection next-hop attribute ID is set to 0x010C (ID defined in a relevant RFC) for BGP VPN Flow Specification routes.

      5. Run commit

        The configuration is committed.

    • Set the redirection next-hop attribute ID to 0x0800 (ID defined in a relevant draft) for BGP VPN Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpn-instance vpn-instance-name

        The BGP-Flow VPN instance IPv4 address family view is displayed.

      4. Run peer ipv4-address redirect ip draft-compatible

        The redirection next-hop attribute ID is set to 0x0800 (ID defined in a relevant draft) for BGP VPN Flow Specification routes.

      5. Run commit

        The configuration is committed.

  8. (Optional) Enable the CAR statistics and packet loss statistics function for BGP Flow Specification.
    1. Run flowspec statistic enable

      The CAR statistics and packet loss statistics function is enabled for BGP Flow Specification.

    2. Run commit

      The configuration is committed.

  9. (Optional) Disable BGP Flow Specification on the interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run flowspec disable [ ipv4 | ipv6 ]

      BGP Flow Specification is disabled on the interface.

      This command cannot be run on Eth-Trunk member interfaces. If the command is run on a main interface, the configuration also takes effect on sub-interfaces.

      If BGP Flow Specification does not need to be disabled on sub-interfaces, run the flowspec disable [ ipv4 | ipv6 ] sub-port-exclude command on the main interface to disable BGP Flow Specification only on the main interface.

    4. Run commit

      The configuration is committed.

  10. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled.

    3. Run commit

      The configuration is committed.

  11. (Optional) Enable BGP Flow Specification IPv4 fragmentation rules to comply with RFC 5575.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec ipv4-fragment-rule switch

      BGP Flow Specification IPv4 fragmentation rules are enabled to comply with RFC 5575.

    3. Run commit

      The configuration is committed.

Verifying the Configuration

After configuring static BGP VPN Flow Specification, verify the configuration.

  • Run the display bgp flow vpnv4 vpn-instance vpn-instance-name peer [ [ ipv4-address ] verbose ] command to check information about BGP VPN Flow Specification peers.

  • Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-table command to check information about BGP VPN Flow Specification routes.

  • Run the display bgp flow vpnv4 vpn-instance vpn-instance-name routing-table [ peer ipv4-address { advertised-routes | received-routes [ active ] } ] statistics command to check statistics about BGP VPN Flow Specification routes.

  • Run the display flowspec rule reindex-value slot slot-id command to check information about combined rules in the BGP FlowSpec local rule table.

  • Run the display flowspec rule statistics slot slot-id command to check statistics about the rules that allow BGP FlowSpec routes to take effect.
Copyright © Huawei Technologies Co., Ltd.