Example for Configuring Static BGP Flow Specification

If the characteristics of DoS or DDoS attack traffic are known, you can use static BGP Flow Specification: configure BGP Flow Specification routes manually so that the matching traffic is discarded or rate-limited, protecting the network.

Networking Requirements

As shown in Figure 1, Device A belongs to AS 100, while Device B, Device C, and Device D belong to AS 200. Device B is an ingress of AS 200. AS 200 communicates with AS 100 through Device B.

Attack traffic originating in AS 100 may enter AS 200 through Device B, severely affecting the network performance of AS 200.

In this situation, configure static BGP Flow Specification to address the problem. The procedure is as follows: manually configure a BGP Flow Specification route on Device C and on Device D, and establish BGP Flow Specification peer relationships between Device C and Device B and between Device D and Device B. The routes are then sent to Device B, which discards the attack traffic or limits its rate.

Figure 1 Configuring static BGP Flow Specification

Interfaces 1 through 3 in this example represent GE 0/1/0, GE 0/1/8, and GE 0/1/16, respectively.


Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF on Device B, Device C, and Device D in AS 200 to enable them to communicate with each other.

  2. Configure a BGP Flow Specification route FlowSpec1 manually on Device C to discard attack traffic whose source port is 159.

  3. Configure a BGP Flow Specification route FlowSpec2 manually on Device D to limit the rate of attack traffic whose source port is 170.

  4. Establish BGP Flow Specification peer relationships between the Loopback interfaces of Device B and Device C, and of Device B and Device D, so that the BGP Flow Specification routes can be sent to Device B, where they are turned into a traffic policy.

Data Preparation

To complete the configuration, you need the following data:

  • Router ID of Device A (1.1.1.1), router ID of Device B (2.2.2.2), router ID of Device C (3.3.3.3), and router ID of Device D (4.4.4.4)

  • AS number of Device A (100) and AS number of Device B, Device C, and Device D (200)

Procedure

  1. Configure an IP address for each interface.

    For detailed configurations, see the configuration files in this example.

  2. Configure OSPF.

    For detailed configurations, see the configuration files in this example.

  3. Configure BGP connections.

    # Configure Device A.

    [~DeviceA] bgp 100
    [*DeviceA-bgp] router-id 1.1.1.1
    [*DeviceA-bgp] peer 10.10.1.2 as-number 200
    [*DeviceA-bgp] commit
    [~DeviceA-bgp] quit

    # Configure Device B.

    [~DeviceB] bgp 200
    [*DeviceB-bgp] router-id 2.2.2.2
    [*DeviceB-bgp] peer 10.10.1.1 as-number 100
    [*DeviceB-bgp] peer 3.3.3.3 as-number 200
    [*DeviceB-bgp] peer 3.3.3.3 connect-interface LoopBack1
    [*DeviceB-bgp] peer 4.4.4.4 as-number 200
    [*DeviceB-bgp] peer 4.4.4.4 connect-interface LoopBack1
    [*DeviceB-bgp] commit
    [~DeviceB-bgp] quit

    # Configure Device C.

    [~DeviceC] bgp 200
    [*DeviceC-bgp] router-id 3.3.3.3
    [*DeviceC-bgp] peer 2.2.2.2 as-number 200
    [*DeviceC-bgp] peer 2.2.2.2 connect-interface LoopBack1
    [*DeviceC-bgp] commit
    [~DeviceC-bgp] quit

    # Configure Device D.

    [~DeviceD] bgp 200
    [*DeviceD-bgp] router-id 4.4.4.4
    [*DeviceD-bgp] peer 2.2.2.2 as-number 200
    [*DeviceD-bgp] peer 2.2.2.2 connect-interface LoopBack1
    [*DeviceD-bgp] commit
    [~DeviceD-bgp] quit

  4. Configure BGP Flow Specification routes.

    # Configure Device C.

    [~DeviceC] flow-route FlowSpec1
    [*DeviceC-flow-route] if-match source-port equal 159
    [*DeviceC-flow-route] apply deny
    [*DeviceC-flow-route] commit
    [~DeviceC-flow-route] quit

    # Configure Device D.

    [~DeviceD] flow-route FlowSpec2
    [*DeviceD-flow-route] if-match source-port equal 170
    [*DeviceD-flow-route] apply traffic-rate 10000
    [*DeviceD-flow-route] commit
    [~DeviceD-flow-route] quit

  5. Configure BGP Flow Specification peer relationships.

    # Configure Device B.

    [~DeviceB] bgp 200
    [*DeviceB-bgp] ipv4-family flow
    [*DeviceB-bgp-af-ipv4-flow] peer 3.3.3.3 enable
    [*DeviceB-bgp-af-ipv4-flow] peer 4.4.4.4 enable
    [*DeviceB-bgp-af-ipv4-flow] commit
    [~DeviceB-bgp-af-ipv4-flow] quit
    [~DeviceB-bgp] quit

    # Configure Device C.

    [~DeviceC] bgp 200
    [*DeviceC-bgp] ipv4-family flow
    [*DeviceC-bgp-af-ipv4-flow] peer 2.2.2.2 enable
    [*DeviceC-bgp-af-ipv4-flow] commit
    [~DeviceC-bgp-af-ipv4-flow] quit
    [~DeviceC-bgp] quit

    # Configure Device D.

    [~DeviceD] bgp 200
    [*DeviceD-bgp] ipv4-family flow
    [*DeviceD-bgp-af-ipv4-flow] peer 2.2.2.2 enable
    [*DeviceD-bgp-af-ipv4-flow] commit
    [~DeviceD-bgp-af-ipv4-flow] quit
    [~DeviceD-bgp] quit

  6. Verify the configuration.

    # Check the BGP Flow Specification peer connection status on Device B. The output shows that both BGP Flow Specification peer relationships are in the Established state.

    <DeviceB> display bgp flow peer
    BGP local router ID : 2.2.2.2
     Local AS number : 200
     Total number of peers : 2                 Peers in established state : 2
    
      Peer       V       AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
      3.3.3.3    4      200       17       17     0 00:00:47 Established        1
      4.4.4.4    4      200       39       38     0 00:00:03 Established        1

    # Check BGP Flow Specification routes received by Device B.

    <DeviceB> display bgp flow routing-table
     BGP Local router ID is 2.2.2.2
     Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
     RPKI validation codes: V - valid, I - invalid, N - not-found
    
     Total Number of Routes: 2
    
     * >  ReIndex : 33
          Dissemination Rules:
           Src. Port      : eq 159
           MED      : 0                   PrefVal  : 0
           LocalPref: 100
           Path/Ogn :  i
     * >  ReIndex : 34
          Dissemination Rules:
           Src. Port      : eq 170
           MED      : 0                   PrefVal  : 0
           LocalPref: 100
           Path/Ogn :  i

    # Check the traffic policy in each BGP Flow Specification route based on the ReIndex shown in the preceding output.

    <DeviceB> display bgp flow routing-table 33
     BGP local router ID : 2.2.2.2
     Local AS number : 200
     ReIndex : 33
     Order   : 1610612735
     Dissemination Rules :
       Src. Port      : eq 159
    
     BGP flow-ipv4 routing table entry information of 33:
     Match action :
       apply deny
     From: 3.3.3.3 (10.2.1.2)
     Route Duration: 0d00h01m52s
     AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
     Not advertised to any peers yet
    <DeviceB> display bgp flow routing-table 34
     BGP local router ID : 2.2.2.2
     Local AS number : 200
     ReIndex : 34
     Order   : 2952790015
     Dissemination Rules :
       Src. Port      : eq 170
    
     BGP flow-ipv4 routing table entry information of 34:
     Match action :
       apply traffic-rate 10000 KBps
     From: 4.4.4.4 (10.1.1.2)
     Route Duration: 0d00h11m01s
     AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
     Not advertised to any peers yet
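The two routes displayed above travel in BGP as Flow Specification NLRI (RFC 8955): each match is a component type (source port is type 6) followed by operator/value pairs, and the action is carried as an extended community, with a traffic-rate of 0 meaning discard. The following Python is an added example, not Huawei code: it encodes and decodes that NLRI for the source-port matches above and for a port range, and builds the traffic-rate community; the AS number and byte rates it uses are constructed, and no conversion to the unit shown in the router output is attempted.

```python
# BGP Flow Specification NLRI (RFC 8955) encoder/decoder for the source-port
# matches in this example and the traffic-rate action (rate 0 = discard).
# Added example, not Huawei code: it only builds and parses bytes.
import struct

SRC_PORT = 6                                   # component type 6: source port
TRAFFIC_RATE = 0x8006                          # ext. community 0x80 / sub 0x06
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01   # numeric operator bits
FLAGS = AND | LT | GT | EQ                     # operator bits kept on decode

def numeric_op(value, flags, last):
    """One operator/value pair; the 2-bit width field is derived from value."""
    size = next(s for s in (1, 2, 4, 8) if value < 1 << (8 * s))
    op = flags | ((size.bit_length() - 1) << 4) | (END if last else 0)
    return bytes([op]) + value.to_bytes(size, "big")

def encode_nlri(rules):
    """rules: [(component_type, [(flags, value), ...]), ...] -> NLRI bytes."""
    body = b""
    for ctype, ops in rules:
        body += bytes([ctype])
        for i, (flags, value) in enumerate(ops):
            body += numeric_op(value, flags, i == len(ops) - 1)
    if len(body) >= 240:                       # long form: 0xFnnn length
        return struct.pack("!H", 0xF000 | len(body)) + body
    return bytes([len(body)]) + body

def decode_nlri(data):
    """Inverse of encode_nlri: [(component_type, [(flags, value), ...])]."""
    length, pos = data[0], 1
    if length >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    end, rules = pos + length, []
    while pos < end:
        ctype, ops, pos = data[pos], [], pos + 1
        while True:                            # operator list ends at END bit
            op, size = data[pos], 1 << ((data[pos] >> 4) & 0x3)
            value = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            ops.append((op & FLAGS, value))
            pos += 1 + size
            if op & END:
                break
        rules.append((ctype, ops))
    return rules

def traffic_rate(as_number, bytes_per_sec):
    """traffic-rate extended community: 2-byte AS + IEEE-754 float rate."""
    return struct.pack("!HHf", TRAFFIC_RATE, as_number, bytes_per_sec)

def describe_action(community):
    kind, _asn, rate = struct.unpack("!HHf", community)   # render like the CLI
    if kind != TRAFFIC_RATE:
        return "unknown action"
    return "apply deny" if rate == 0 else f"apply traffic-rate {rate:.0f} B/s"
```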

Configuration Files

  • Device A configuration file

    #
    sysname DeviceA
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.10.1.1 255.255.255.0
    #
    interface LoopBack1
     ip address 1.1.1.1 255.255.255.255
    #
    bgp 100
     router-id 1.1.1.1
     peer 10.10.1.2 as-number 200
     #
     ipv4-family unicast
      undo synchronization 
      peer 10.10.1.2 enable
    #
    return
  • Device B configuration file

    #
    sysname DeviceB
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.10.1.2 255.255.255.0
    #
    interface GigabitEthernet0/1/8
     undo shutdown
     ip address 10.2.1.1 255.255.255.0
    #
    interface GigabitEthernet0/1/16
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    bgp 200
     router-id 2.2.2.2
     peer 3.3.3.3 as-number 200
     peer 3.3.3.3 connect-interface LoopBack1
     peer 4.4.4.4 as-number 200
     peer 4.4.4.4 connect-interface LoopBack1
     peer 10.10.1.1 as-number 100
     #
     ipv4-family unicast
      undo synchronization 
      peer 3.3.3.3 enable
      peer 4.4.4.4 enable
      peer 10.10.1.1 enable
     #
     ipv4-family flow
      peer 3.3.3.3 enable
      peer 4.4.4.4 enable
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 10.2.1.0 0.0.0.255
    #
    return
  • Device C configuration file

    #
    sysname DeviceC
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.2.1.2 255.255.255.0
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
    #
    bgp 200
     router-id 3.3.3.3
     peer 2.2.2.2 as-number 200
     peer 2.2.2.2 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization 
      import-route direct
      peer 2.2.2.2 enable
     #
     ipv4-family flow
      peer 2.2.2.2 enable
    #
    ospf 1
     area 0.0.0.0
      network 3.3.3.3 0.0.0.0
      network 10.2.1.0 0.0.0.255
    #
    flow-route FlowSpec1
     if-match source-port equal 159
     apply deny
    #
    return
  • Device D configuration file

    #
    sysname DeviceD
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.1.1.2 255.255.255.0
    #
    interface LoopBack1
     ip address 4.4.4.4 255.255.255.255
    #
    bgp 200
     router-id 4.4.4.4
     peer 2.2.2.2 as-number 200
     peer 2.2.2.2 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization 
      peer 2.2.2.2 enable
     #
     ipv4-family flow
      peer 2.2.2.2 enable
    #
    ospf 1
     area 0.0.0.0
      network 4.4.4.4 0.0.0.0
      network 10.1.1.0 0.0.0.255
    #
    flow-route FlowSpec2
     if-match source-port equal 170
     apply traffic-rate 10000
    #
    return
Copyright © Huawei Technologies Co., Ltd.