Configuring Dynamic BGP VPNv4 Flow Specification

Dynamic BGP VPNv4 Flow Specification allows BGP VPNv4 Flow Specification routes to be transmitted and traffic filtering policies to be generated. The policies improve security of devices in VPNs.

Usage Scenario

When deploying dynamic BGP VPNv4 Flow Specification, a BGP VPNv4 Flow Specification peer relationship needs to be established between the traffic analysis server and each ingress of the network to transmit BGP VPN Flow Specification routes.

In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be deployed to reduce the number of BGP VPNv4 Flow Specification peer relationships and save CPU resources.

Pre-configuration Tasks

Before configuring dynamic BGP VPNv4 Flow Specification, complete the following tasks:

Procedure

  1. Establish a BGP VPNv4 Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer ipv4-address as-number as-number

      An IP address and AS number are specified for the peer.

    4. Run ipv4-flow vpnv4

      The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

    5. Run peer ipv4-address enable

      A BGP VPNv4 Flow Specification peer relationship is established.

    6. Run commit

      The configuration is committed.

  2. (Optional) Configure a Flow RR.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpnv4

      The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

    4. Run peer ipv4-address reflect-client

      A Flow RR and its client are configured.

      The router on which the peer reflect-client command is run functions as the Flow RR, and its peers function as clients.

    5. (Optional) Run undo reflect between-clients

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR have established full-mesh connections with each other, run the undo reflect between-clients command to disable route reflection between these clients through the RR. This avoids redundant route advertisements between the RR and its clients and reduces link overhead.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If there are multiple Flow RRs in a cluster, use this command to set the same cluster ID for these Flow RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  3. (Optional) Set the redirection next-hop attribute ID for BGP VPNv4 Flow Specification routes.

    The redirection next-hop attribute ID can be 0x010C (ID defined in a relevant RFC) or 0x0800 (ID defined in a relevant draft). If a Huawei device needs to interwork with a non-Huawei device that supports only one of these two IDs, set the redirection next-hop attribute ID of BGP VPNv4 Flow Specification routes to the value that the peer supports; otherwise the peer will not interpret the redirection next hop, and the redirection policy will not take effect.

    • Set the redirection next-hop attribute ID to 0x010C (ID defined in a relevant RFC) for BGP VPNv4 Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpnv4

        The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

      4. Run peer ipv4-address redirect ip rfc-compatible

        The redirection next-hop attribute ID is set to 0x010C (ID defined in a relevant RFC) for BGP VPNv4 Flow Specification routes.

      5. Run commit

        The configuration is committed.

    • Set the redirection next-hop attribute ID to 0x0800 (ID defined in a relevant draft) for BGP VPNv4 Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpnv4

        The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

      4. Run peer ipv4-address redirect ip draft-compatible

        The redirection next-hop attribute ID is set to 0x0800 (ID defined in a relevant draft) for BGP VPNv4 Flow Specification routes.

      5. Run commit

        The configuration is committed.

  4. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled. The protection is enabled by default; disable it only when there is a specific and documented reason to do so, because it removes a default safeguard applied to received Flow Specification rules.

    3. Run commit

      The configuration is committed.

  5. (Optional) Enable BGP Flow Specification IPv4 fragmentation rules to comply with RFC 5575.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec ipv4-fragment-rule switch

      BGP Flow Specification IPv4 fragmentation rules are enabled to comply with RFC 5575. (RFC 5575 has since been obsoleted by RFC 8955, which keeps the same fragment-matching semantics for IPv4; enable this switch when the peer interprets the Fragment component in the RFC manner.)

    3. Run commit

      The configuration is committed.
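The procedure above, consolidated into one configuration for a Flow RR, as an added example that is not from the Huawei page. The AS number (65000), router ID, peer addresses (10.0.0.2 as the traffic analysis server, assumed to be a non-Huawei device that supports only the draft-defined redirect ID 0x0800; 10.0.0.3 as an ingress PE), the cluster ID and the sample password are all assumed values chosen for illustration. Lines beginning with "#" are annotations, not commands. Step 4 (disabling BGP FlowSpec protection) is deliberately left out.

```text
#
# Added example (not from the page): Flow RR in AS 65000 with two
# BGP VPNv4 Flow Specification clients. All addresses, the AS number,
# the router ID, the cluster ID and the password are sample values.
#
system-view
#
# Step 5 (optional, system view): RFC-style IPv4 fragment matching.
#
flowspec ipv4-fragment-rule switch
#
# Step 1: BGP peers. The password lines are an assumption added here
# so that FlowSpec rules are only accepted over authenticated sessions;
# replace the sample password before use.
#
bgp 65000
 router-id 10.0.0.1
 peer 10.0.0.2 as-number 65000
 peer 10.0.0.2 password cipher FlowSpecRR-sample
 peer 10.0.0.3 as-number 65000
 peer 10.0.0.3 password cipher FlowSpecRR-sample
 #
 # Step 1 (cont.) and step 2: enable both peers in the BGP-Flow VPNv4
 # address family and make this router their Flow RR. The cluster ID
 # is only required if a second RR joins the same cluster.
 #
 ipv4-flow vpnv4
  peer 10.0.0.2 enable
  peer 10.0.0.2 reflect-client
  peer 10.0.0.3 enable
  peer 10.0.0.3 reflect-client
  reflector cluster-id 1
  #
  # Step 3 (optional): the analysis server (assumed non-Huawei) only
  # understands the draft-defined redirect next-hop attribute ID 0x0800.
  #
  peer 10.0.0.2 redirect ip draft-compatible
  quit
 commit
quit
#
# Verification (see "Checking the Configurations" below): both peers
# should be Established in the BGP-Flow VPNv4 address family, and the
# routes received from 10.0.0.2 should appear in the routing table.
#
display bgp flow vpnv4 all peer
display bgp flow vpnv4 all routing-table
```

The ingress PE at 10.0.0.3 needs the mirror-image configuration (peer 10.0.0.1, enable it under ipv4-flow vpnv4, no reflect-client) so that it receives the reflected Flow Specification routes and installs the resulting filtering policies.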

Checking the Configurations

When the preceding configuration is complete, you can run the following commands to verify the configurations.

  • Run the display bgp flow vpnv4 all peer [ [ ipv4-address ] verbose ] command to check information about all BGP VPN Flow Specification peers and BGP VPNv4 Flow Specification peers.

  • Run the display bgp flow vpnv4 { all | route-distinguisher route-distinguisher } routing-table [ reindex ] command to check information about all BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes or the BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes with a specified RD.

  • Run the display bgp flow vpnv4 { all | route-distinguisher route-distinguisher } routing-table statistics command to check statistics about all BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes or the BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes with a specified RD.

  • Run the display flowspec rule reindex-value slot slot-id command to check information about combined rules in the BGP FlowSpec local rule table.

  • Run the display flowspec rule statistics slot slot-id command to check statistics about the rules that BGP FlowSpec routes have generated and whether they have taken effect.
Copyright © Huawei Technologies Co., Ltd.