Configuring Dynamic BGP IPv6 VPN Flow Specification

In dynamic BGP IPv6 VPN Flow Specification, the BGP IPv6 VPN Flow Specification routes used in IPv6 VPNs are generated by a traffic analysis server.

Usage Scenario

When deploying dynamic BGP IPv6 VPN Flow Specification, a BGP IPv6 VPN Flow Specification peer relationship needs to be established between the traffic analysis server and each ingress of the network to transmit BGP IPv6 VPN Flow Specification routes.

In an AS with multiple ingresses, a BGP Flow route reflector (Flow RR) can be deployed to reduce the number of BGP IPv6 VPN Flow Specification peer relationships and save CPU resources.

If you want to filter traffic based on the address prefix but the BGP IPv6 VPN Flow Specification route carrying the filtering rule cannot be authenticated, disable the authentication of BGP IPv6 VPN Flow Specification routes received from a specified peer.

Pre-configuration Tasks

Before configuring dynamic BGP IPv6 VPN Flow Specification, configure a VPN instance and bind interfaces to the VPN instance.

Procedure

  1. Establish a BGP IPv6 VPN Flow Specification peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run vpn-instance vpn-instance-name

      A BGP-VPN instance is created, and its view is displayed.

    4. Run peer { ipv4-address | ipv6-address } as-number as-number

      An IP address and AS number are specified for the peer.

    5. Run quit

      Return to the previous view.

    6. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family is enabled, and its view is displayed.

    7. Run peer { ipv4-address | ipv6-address } enable

      A BGP IPv6 VPN Flow Specification peer relationship is established.

      After the BGP IPv6 VPN Flow Specification peer relationship is established in the BGP-Flow VPN instance IPv6 address family view, the BGP IPv6 VPN Flow Specification route generated by the traffic analysis server is imported to the BGP routing table and then sent to the peer.

    8. Run commit

      The configuration is committed.

  2. (Optional) Configure a Flow RR.

    Before configuring a Flow RR, establish a BGP IPv6 VPN Flow Specification peer relationship between the Flow RR and the traffic analysis server and between the Flow RR and every ingress.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } reflect-client

      A Flow RR and its client are configured.

      The router on which the peer reflect-client command is run functions as the Flow RR, and its peers function as clients.

    5. (Optional) Run undo reflect between-clients

      By default, route reflection among clients through the RR is enabled.

      If the clients of a Flow RR have established full-mesh connections with each other, run the undo reflect between-clients command to disable route reflection between these clients through the RR. This can reduce the link cost.

    6. (Optional) Run reflector cluster-id { cluster-id-value | cluster-id-ipv4 }

      A cluster ID is configured for the Flow RR.

      If there are multiple Flow RRs in a cluster, use this command to set the same cluster ID for these Flow RRs.

      The reflector cluster-id command is applicable only to Flow RRs.

    7. Run commit

      The configuration is committed.

  3. (Optional) Add the AS_Path attribute as a check item to BGP IPv6 VPN Flow Specification route verification rules.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family view is displayed.

    4. Run route validation-mode include-as

      The AS_Path attribute is added as a check item to BGP IPv6 VPN Flow Specification route verification rules.

      BGP Flow Specification routes are verified as follows:
      • Mode 1: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route according to Figure 1. The route is considered valid only if the verification succeeds.
      • Mode 2: After receiving a BGP Flow Specification route with a destination address as the filtering rule, the device verifies the route by checking whether the AS_Path attribute of the route carries the AS_Set or AS_Sequence field. The route is considered valid only if its AS_Path attribute does not carry the AS_Set or AS_Sequence field.
      If the route validation-mode include-as command is run on a device, the device first uses mode 2 to verify BGP Flow Specification routes.
      • If the verification using mode 2 succeeds, the BGP Flow Specification route is considered valid, and the device no longer verifies the routes using mode 1.
      • If the verification using mode 2 fails, the device verifies the routes using mode 1.
      If the route validation-mode include-as command is not run on a device, the device uses mode 1 to verify BGP Flow Specification routes.
      Figure 1 BGP Flow Specification route verification rules

    5. Run commit

      The configuration is committed.

  4. (Optional) Disable BGP IPv6 VPN Flow Specification route authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-flow vpn-instance vpn-instance-name

      The BGP-Flow VPN instance IPv6 address family view is displayed.

    4. Run peer { ipv4-address | ipv6-address } validation-disable

      The device is disabled from authenticating BGP IPv6 VPN Flow Specification routes received from a specified peer.

    5. Run commit

      The configuration is committed.

  5. (Optional) Disable BGP FlowSpec protection.
    1. Run system-view

      The system view is displayed.

    2. Run flowspec protocol-protect { ipv4 | ipv6 } disable

      BGP FlowSpec protection is disabled.

    3. Run commit

      The configuration is committed.
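
Steps 3 to 5 each relax how received BGP IPv6 VPN Flow Specification routes are checked, so it is useful to know where they are in effect. The following is an added example, not part of the original page or of the vendor's tooling: a Python audit that reports these settings from a configuration text. The sample configuration, its addresses and instance names, and the assumed indentation of a saved configuration are constructed for illustration.

```python
import re

# Constructed sample. The layout (one space per view level, "#" between
# views) is an assumption about how the saved configuration is rendered.
SAMPLE_CONFIG = """\
flowspec protocol-protect ipv6 disable
#
bgp 100
 vpn-instance vpna
  peer 2001:db8::1 as-number 100
  peer 2001:db8::2 as-number 200
 #
 ipv6-flow vpn-instance vpna
  route validation-mode include-as
  peer 2001:db8::1 enable
  peer 2001:db8::2 enable
  peer 2001:db8::2 validation-disable
 #
 ipv6-flow vpn-instance vpnb
  peer 2001:db8::3 enable
#
"""

VIEW = re.compile(r"ipv6-flow vpn-instance (\S+)$")
PEER = re.compile(r"peer (\S+) (enable|validation-disable)$")
PROTECT = re.compile(r"flowspec protocol-protect (ipv4|ipv6) disable$")


def audit(config):
    """Return (findings, peers) for the FlowSpec validation settings in config."""
    findings, peers, view = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := PROTECT.match(line):
            findings.append(f"global: FlowSpec protection disabled for {m.group(1)}")
        elif m := VIEW.match(line):
            view = m.group(1)  # entered a BGP-Flow VPN instance IPv6 view
        elif line == "#" or not raw.startswith("  "):
            view = None  # left the address family view
        elif view and line == "route validation-mode include-as":
            findings.append(f"{view}: routes with no AS_Set/AS_Sequence skip mode 1")
        elif view and (m := PEER.match(line)):
            addr, action = m.groups()
            state = peers.setdefault((view, addr), {"validated": True})
            if action == "validation-disable":
                state["validated"] = False
                findings.append(f"{view}: route verification disabled for peer {addr}")
    return findings, peers
```

Calling `audit(SAMPLE_CONFIG)` returns one finding for each relaxed setting, together with a per-peer map showing which Flow Specification peers still have their routes verified.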

Checking the Configurations

When the preceding configuration is complete, you can run the following commands to verify the configurations.

  • Run the display bgp flow vpnv6 vpn-instance vpn-instance-name peer [ [ ipv4-address | ipv6-address ] verbose ] command to check information about BGP IPv6 VPN Flow Specification peers.

  • Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-table command to check information about BGP IPv6 VPN Flow Specification routes.

  • Run the display bgp flow vpnv6 vpn-instance vpn-instance-name routing-table [ peer { ipv4-address | ipv6-address } { advertised-routes | received-routes [ active ] } ] statistics command to check statistics about BGP IPv6 VPN Flow Specification routes.

  • Run the display flowspec ipv6 rule reindex-value slot slot-id command to check information about combined rules in the BGP IPv6 Flow Specification route rule table.
  • Run the display flowspec ipv6 rule statistics slot slot-id command to check statistics about the rules for BGP IPv6 Flow Specification routes to take effect.
Copyright © Huawei Technologies Co., Ltd.