Configuring Static BGP VPNv4 Flow Specification

Static BGP VPNv4 Flow Specification allows BGP VPNv4 Flow Specification routes to be transmitted and traffic filtering policies to be generated. The policies improve security of devices in VPNs.

Usage Scenario

To deploy static BGP VPNv4 Flow Specification, a BGP VPN Flow Specification route needs to be created manually first. After the BGP-Flow VPNv4 address family is enabled, a BGP VPNv4 Flow Specification route is generated automatically. Then a BGP VPNv4 Flow Specification peer relationship needs to be established between the device on which the BGP VPN Flow Specification route is created and the network ingress device to transmit the BGP VPNv4 Flow Specification route.

In an AS with multiple ingresses, a BGP VPNv4 Flow route reflector (Flow RR) can be deployed to reduce the number of BGP VPN Flow Specification peer relationships and save network resources.

Pre-configuration Tasks

Before configuring static BGP VPNv4 Flow Specification, complete the following tasks:

Procedure

  1. Generate a BGP VPN Flow Specification route manually.
    1. Run system-view

      The system view is displayed.

    2. Run flow-route flowroute-name vpn-instance vpn-instance-name

      A static BGP VPN Flow Specification route is created, and the Flow-Route VPN instance view is displayed.

      One BGP VPN Flow Specification route can include multiple if-match and apply clauses. if-match clauses define traffic filtering rules, and apply clauses define traffic behaviors. The relationships among clauses are as follows:
      • The relationship among if-match clauses of different types is "AND."

      • If multiple if-match clauses of the same type are configured, some rules override each other, and the relationship among other rules is OR. For details, see the precautions for the if-match command.

      • The relationship among the traffic behaviors defined by apply clauses is "AND."

      The traffic behaviors defined by apply clauses apply to all traffic matching the filtering rules of if-match clauses.

    3. According to characteristics of the traffic to be controlled, you can configure one or more if-match clauses to define traffic filtering rules as needed:

      • To set a destination address-based traffic filtering rule, run the if-match destination ipv4-address { mask | mask-length } command.

        If the BGP VPN Flow Specification route carrying a filtering rule specified by the if-match destination command fails to be authenticated by the remote BGP VPN Flow Specification peer, run the peer validation-disable command to cancel the authentication.

        By default, 0.0.0.0/0 is used as the prefix of each BGP VPN Flow Specification route that matches the export or import policy of a peer. To enable a device to change the prefix of each BGP VPN Flow Specification route that matches the export or import policy of a peer to the destination IP address specified in the if-match destination command, run the route match-destination command.

      • To configure a filtering rule based on the source address, run the if-match source ipv4-address { mask | mask-length } command.

      • To set a filtering rule based on the port number, run the if-match port operator port command.

      • To configure a filtering rule based on the source port number, run the if-match source-port operator port command.

      • To configure a filtering rule based on the destination port number, run the if-match destination-port operator port command.

      • To set a traffic filtering rule that is based on the protocol used to carry traffic, run the if-match protocol operator protocol command.

      • To configure a filtering rule based on the service type, run the if-match dscp operator dscp command.

      • To configure a filtering rule based on the TCP flag, run the if-match tcp-flags { match | not } tcp-flags command.

        Network attackers may send a large number of invalid TCP packets to attack network devices. To control invalid TCP packets to ensure communication security, configure a filtering rule based on the TCP flag for the BGP VPN Flow Specification route using the if-match tcp-flags command. Traffic matching the TCP flag is filtered or controlled using the actions specified in the apply clauses.

      • To configure a filtering rule based on the fragment type, run the if-match fragment-type { match | not } fragment-type-name command.

      • To set a traffic filtering rule that is based on an ICMP packet code, run the if-match icmp-code operator icmp-code command.

      • To set a traffic filtering rule that is based on an ICMP packet type, run the if-match icmp-type { greater-than | less-than | equal } icmp-type command.

      • To configure a filtering rule based on the packet length of BGP VPN Flow Specification routes, run the if-match packet-length { greater-than | less-than | equal } packet-length-value command.

    4. Run the following command as required to configure actions for apply clauses:

      • To discard the matching traffic, run the apply deny command.

      • To redirect the matching traffic to the traffic cleaning device or blackhole, run the apply redirect { vpn-target vpn-target-import | ip redirect-ip-rt } command.

        The device can process the redirection next hop attribute configured using the apply redirect ip redirect-ip-rt command received from a peer only after the peer redirect ip command is run.

      • To re-mark the service class of the matching traffic, run the apply remark-dscp command.

      • To limit the rate of the matching traffic, run the apply traffic-rate command.

      The apply deny and apply traffic-rate commands are mutually exclusive.

      If the configured BGP VPN Flow Specification route attribute does not need to take effect locally, run the routing-table rib-only [ route-policy route-policy-name | route-filter route-filter-name ] command to disable the device from delivering the BGP VPN Flow Specification route to the FES forwarding table.

    5. Run commit

      The configuration is committed.

  2. Establish a BGP VPNv4 Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer ipv4-address as-number as-number

      An IP address and AS number are specified for the peer.

    4. Run ipv4-flow vpnv4

      The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

    5. Run peer ipv4-address enable

      A BGP VPNv4 Flow Specification peer relationship is established.

    6. Run commit

      The configuration is committed.

  3. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP VPNv4 Flow Specification peer relationship between the Flow RR and the device that generates the BGP VPN Flow Specification route, and between the Flow RR and every ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-flow vpnv4

      The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

    4. Run peer ipv4-address reflect-client

      A Flow RR is configured, and a client is specified for it.

      The router configured with the peer reflect-client command functions as a Flow RR and the specified peer functions as a client.

    5. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR are fully meshed, you can run the undo reflect between-clients command on the Flow RR to disable route reflection between clients through the RR, which reduces costs.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If a cluster has multiple Flow RRs, run this command to set the same cluster ID for these RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  4. (Optional) Set the redirection next-hop attribute ID for BGP VPNv4 Flow Specification routes.

    The redirection next-hop attribute ID can be 0x010C (ID defined in a relevant RFC) or 0x0800 (ID defined in a relevant draft). If a Huawei device needs to communicate with a non-Huawei device that does not support the redirection next-hop attribute ID of 0x010C or 0x0800, set the redirection next-hop attribute ID of BGP VPNv4 Flow Specification routes as required.

    • Set the redirection next-hop attribute ID to 0x010C (ID defined in a relevant RFC) for BGP VPNv4 Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpnv4

        The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

      4. Run peer ipv4-address redirect ip rfc-compatible

        The redirection next-hop attribute ID is set to 0x010C (ID defined in a relevant RFC) for BGP VPNv4 Flow Specification routes.

      5. Run commit

        The configuration is committed.

    • Set the redirection next-hop attribute ID to 0x0800 (ID defined in a relevant draft) for BGP VPNv4 Flow Specification routes.

      1. Run system-view

        The system view is displayed.

      2. Run bgp as-number

        The BGP view is displayed.

      3. Run ipv4-flow vpnv4

        The BGP-Flow VPNv4 address family is enabled, and its view is displayed.

      4. Run peer ipv4-address redirect ip draft-compatible

        The redirection next-hop attribute ID is set to 0x0800 (ID defined in a relevant draft) for BGP VPNv4 Flow Specification routes.

      5. Run commit

        The configuration is committed.

  5. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled.

    3. Run commit

      The configuration is committed.

  6. (Optional) Enable BGP Flow Specification IPv4 fragmentation rules to comply with RFC 5575.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec ipv4-fragment-rule switch

      BGP Flow Specification IPv4 fragmentation rules are enabled to comply with RFC 5575.

    3. Run commit

      The configuration is committed.
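The following is an added configuration example (not from the original page) that walks through steps 1 and 2 above and goes slightly beyond them by showing both ends of the peer relationship and the check from the verification section. Device names PE1 (route-originating device) and PE2 (ingress), the addresses 10.0.0.1/10.0.0.2, AS number 65000, VPN instance vpna (assumed to already exist), the server address 10.1.1.10, the rate value (assumed to be in kbit/s) and the view prompts are all assumptions; lines beginning with # are explanatory comments, not device input.

```text
# PE1: create the static BGP VPN Flow Specification route.
# if-match clauses of different types are ANDed, so the rule matches
# TCP AND destination 10.1.1.10/32 AND destination port 443 AND SYN set.
<PE1> system-view
[~PE1] flow-route syn-limit vpn-instance vpna
[*PE1-flow-route-syn-limit] if-match protocol equal 6
[*PE1-flow-route-syn-limit] if-match destination 10.1.1.10 32
[*PE1-flow-route-syn-limit] if-match destination-port equal 443
[*PE1-flow-route-syn-limit] if-match tcp-flags match syn
# apply clause: rate-limit the matching SYN traffic instead of dropping it
# (apply deny and apply traffic-rate are mutually exclusive).
[*PE1-flow-route-syn-limit] apply traffic-rate 1000
[*PE1-flow-route-syn-limit] commit
[~PE1-flow-route-syn-limit] quit

# PE1: enable the BGP-Flow VPNv4 address family (the VPNv4 Flow Specification
# route is generated automatically) and peer with the ingress PE2.
[~PE1] bgp 65000
[*PE1-bgp] peer 10.0.0.2 as-number 65000
[*PE1-bgp] ipv4-flow vpnv4
[*PE1-bgp-af-flow-vpnv4] peer 10.0.0.2 enable
[*PE1-bgp-af-flow-vpnv4] commit

# PE2 (ingress): mirror-image peer configuration.
<PE2> system-view
[~PE2] bgp 65000
[*PE2-bgp] peer 10.0.0.1 as-number 65000
[*PE2-bgp] ipv4-flow vpnv4
[*PE2-bgp-af-flow-vpnv4] peer 10.0.0.1 enable
[*PE2-bgp-af-flow-vpnv4] commit
[~PE2-bgp-af-flow-vpnv4] return

# PE2: confirm the peer is up and the route has been received.
<PE2> display bgp flow vpnv4 all peer
<PE2> display bgp flow vpnv4 all routing-table
```

If PE2 rejects the route because the prefix in the if-match destination clause fails validation, the peer validation-disable command described in step 1 applies on the receiving side.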

Verifying the Configuration

After configuring static BGP VPNv4 Flow Specification, verify the configuration.

  • Run the display bgp flow vpnv4 all peer [ [ ipv4-address ] verbose ] command to check information about all BGP VPN Flow Specification peers and BGP VPNv4 Flow Specification peers.

  • Run the display bgp flow vpnv4 { all | route-distinguisher route-distinguisher } routing-table [ reindex ] command to check information about all BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes or the BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes with a specified RD.

  • Run the display bgp flow vpnv4 { all | route-distinguisher route-distinguisher } routing-table statistics command to check statistics about all BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes or the BGP VPN Flow Specification routes and BGP VPNv4 Flow Specification routes with a specified RD.

  • Run the display flowspec rule reindex-value slot slot-id command to check information about combined rules in the BGP FlowSpec local rule table.

  • Run the display flowspec rule statistics slot slot-id command to check statistics about the rules for BGP FlowSpec routes to take effect.
Copyright © Huawei Technologies Co., Ltd.