In IPv6 VPNs, if the characteristics of DoS or DDoS attack traffic are unknown in advance, a traffic analysis server can be used together with BGP IPv6 VPN Flow Specification to ensure network security.
As shown in Figure 1, in an IPv6 VPN, CE1 belongs to AS 100, whereas PE1 and Server belong to AS 200. PE1 is an ingress of AS 200. AS 200 communicates with AS 100 through PE1.
Attack traffic from AS 100 may enter AS 200 through PE1, posing a threat to AS 200. In this situation, configure dynamic BGP IPv6 VPN Flow Specification to ensure network security. The operation process is as follows:
Deploy a traffic analysis server and establish a BGP IPv6 VPN Flow Specification peer relationship between the traffic analysis server and PE1.
PE1 samples traffic periodically and sends the sampled traffic to the traffic analysis server.
The traffic analysis server generates a BGP IPv6 VPN Flow Specification route based on the characteristics of the sampled attack traffic and sends the route to PE1.
PE1 converts the route into a traffic policy that filters and controls the attack traffic, so that services in AS 200 keep running properly.
The configuration roadmap is as follows:
Configure an IP address for each interface.
Create a VPN instance on PE1 and Server and bind the VPN instance to their interfaces.
Establish a BGP IPv6 VPN Flow Specification peer relationship between PE1 and Server so that the BGP IPv6 VPN Flow Specification routes generated by Server are sent to PE1, where they are converted into a traffic policy.
The traffic analysis server is a third-party device, and it must be a BGP IPv6 VPN Flow Specification peer of another device.
AS number of CE1 (100) and AS number of PE1 and Server (200)
Name of a VPN instance (vpna)
For detailed configurations, see the configuration files in this example.
# Configure PE1: create the VPN instance and bind it to the interface.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv6-family
[*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 2:2
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 2:2 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 2:2 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] commit
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet0/1/0
[~PE1-GigabitEthernet0/1/0] undo shutdown
[*PE1-GigabitEthernet0/1/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet0/1/0] ipv6 enable
[*PE1-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::2 64
[*PE1-GigabitEthernet0/1/0] commit
[~PE1-GigabitEthernet0/1/0] quit
# Configure PE1: establish the BGP IPv6 VPN Flow Specification peer relationship.
[~PE1] bgp 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] peer 2001:db8:1::1 as-number 100
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv6-flow vpn-instance vpna
[*PE1-bgp-flow-6-vpna] peer 2001:db8:1::1 enable
[*PE1-bgp-flow-6-vpna] commit
[~PE1-bgp-flow-6-vpna] quit
[~PE1-bgp] quit
# Check whether BGP IPv6 VPN Flow Specification peer relationships are established on PE1. The command output shows that BGP IPv6 VPN Flow Specification peer relationships are established.
<PE1> display bgp flow vpnv6 vpn-instance vpna peer
 BGP local router ID : 0.0.0.0
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 0
 VPN-Instance vpna, Router ID 0.0.0.0:
  Peer            V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  2001:DB8:1::1   4  200  0        0        0     00:06:15  Idle         0
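A practitioner would script this check rather than read the table by eye. The following Python is added here as an example, not anything from the Huawei documentation or device software: it parses a peer table in the layout shown above and reports every peer whose State is not Established, because a Flow Specification route can only be received over an established session, and flags an established peer that has not yet sent any route. The embedded sample is this page's own output, reflowed one row per line; the column order it assumes is the one shown above.

```python
"""Check the output of "display bgp flow vpnv6 vpn-instance <name> peer" before relying on the policy.
Added helper, not a Huawei tool: it assumes the column layout shown on this page and that a
session must be Established before any Flow Specification route can arrive over it."""
import re

# Constructed sample: the peer table from this page, reflowed one row per line.
SAMPLE_OUTPUT = """\
 BGP local router ID : 0.0.0.0
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 0
 VPN-Instance vpna, Router ID 0.0.0.0:
  Peer            V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  2001:DB8:1::1   4  200  0        0        0     00:06:15  Idle         0
"""

# One data row: peer address, BGP version, AS, message counters, OutQ, up/down timer, state, prefixes.
# Header and summary lines start with words, so they never match the address class.
PEER_ROW = re.compile(
    r"^\s*(?P<peer>[0-9A-Fa-f:.]+)\s+(?P<version>\d)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>[A-Za-z()]+)\s+(?P<prefrcv>\d+)\s*$")

def parse_peers(text):
    """Return one dict per peer row with numeric columns converted to int."""
    peers = []
    for line in text.splitlines():
        m = PEER_ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("version", "asn", "rcvd", "sent", "outq", "prefrcv"):
                row[key] = int(row[key])
            peers.append(row)
    return peers

def check_flowspec_peers(text):
    """List the reasons the filter cannot yet be in effect; an empty list means every peer looks healthy."""
    peers = parse_peers(text)
    problems = []
    if not peers:
        problems.append("no Flow Specification peer rows found")
    for p in peers:
        if p["state"] != "Established":
            problems.append(f"peer {p['peer']} is {p['state']} for {p['updown']}; no routes can be received")
        elif p["prefrcv"] == 0:
            problems.append(f"peer {p['peer']} is Established but has sent no routes yet")
    return problems

if __name__ == "__main__":
    for line in check_flowspec_peers(SAMPLE_OUTPUT) or ["all Flow Specification peers Established"]:
        print(line)
```

Feed it the raw text captured from the device; any non-empty result means the traffic policy described in this example cannot be in place yet and the session should be troubleshot first.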
# Check information about the BGP IPv6 VPN Flow Specification routes received by PE1.
<PE1> display bgp flow vpnv6 vpn-instance vpna routing-table
 BGP Local router ID is 0.0.0.0
 Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 RPKI validation codes: V - valid, I - invalid, N - not-found
 VPN-Instance vpna, Router ID 0.0.0.0:
 Total Number of Routes: 1
 * >  ReIndex : 1
      Dissemination Rules:
        Src. Port : eq 159
      MED : 0
      PrefVal : 0
      LocalPref:
      Path/Ogn : i
# Check the traffic filtering rule carried in the BGP IPv6 VPN Flow Specification route by specifying ReIndex of the route.
<PE1> display bgp flow vpnv6 vpn-instance vpna routing-table 1
 BGP local router ID : 0.0.0.0
 Local AS number : 200
 ReIndex : 1
 Order : 0
 Dissemination Rules :
   Src. Port : eq 159
 BGP flow-ipv6 routing table entry information of 1:
 Local : FlowSpec1
 Match action :
   apply deny
 Route Duration: 0d00h07m04s
 AS-path Nil, origin igp, MED 0, pref-val 0, valid, local, best, pre 0
 Not advertised to any peer yet
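The route displayed above carries a single match component, Src. Port eq 159, and a deny action. The Python below is an added example, not Huawei code or part of this configuration: it encodes that rule as a Flow Specification NLRI in the RFC 8955/8956 wire format (the IPv6 variant reuses the numeric components), decodes it back, represents the deny as the traffic-rate 0 extended community that the standard uses for discard, and evaluates constructed flow records against it. That last step is the conversion of a received route into a traffic-policy decision that the scenario description assigns to PE1. The flow-record field names (src_port, dst_port, next_header, length, dscp) and the wider source/destination-port rule used in the tests are assumptions of the example; prefix and bitmask components are out of scope and rejected.

```python
"""BGP Flow Specification (RFC 8955/8956) NLRI encode/decode and policy evaluation.
Added example, not Huawei code: it models the route PE1 receives above ("Src. Port : eq 159",
action deny) and the filter decision PE1 derives from it. Numeric-operator components only."""
import struct

# Numeric component types and the (hypothetical) flow-record field each one tests;
# type 3 is "Next Header" in the IPv6 flavour of the specification.
FIELD_OF = {3: "next_header", 5: "dst_port", 6: "src_port", 10: "length", 11: "dscp"}
DST_PORT, SRC_PORT = 5, 6
# Numeric operator byte layout: e a len len 0 lt gt eq
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
LEN_CODE = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}
TEXT_OPS = {"eq": OP_EQ, "lt": OP_LT, "gt": OP_GT, "ne": OP_LT | OP_GT,
            "le": OP_LT | OP_EQ, "ge": OP_GT | OP_EQ}
TRAFFIC_RATE = 0x8006   # extended community type; a rate of 0 means discard

def encode_component(ctype, terms):
    """terms: list of (op, value, and_with_previous); op is text ("eq") or raw lt/gt/eq bits."""
    if ctype not in FIELD_OF:
        raise ValueError(f"component type {ctype} is not a numeric-operator type")
    out = bytearray([ctype])
    for i, (op, value, and_prev) in enumerate(terms):
        n = next(k for k in (1, 2, 4, 8) if value < 1 << (8 * k))   # smallest width that fits
        byte = (TEXT_OPS[op] if isinstance(op, str) else op) | LEN_CODE[n]
        if and_prev and i > 0:          # the AND bit must be clear on the first term
            byte |= OP_AND
        if i == len(terms) - 1:         # end-of-list bit on the last term
            byte |= OP_END
        out.append(byte)
        out += value.to_bytes(n, "big")
    return bytes(out)

def encode_nlri(components):
    body = b"".join(encode_component(t, terms) for t, terms in components)
    if len(body) < 0xF0:                # one-octet length below 240 ...
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # ... else 0xF nibble + 12-bit length

def decode_nlri(data):
    length, pos = (data[0], 1) if data[0] < 0xF0 else ((data[0] & 0x0F) << 8 | data[1], 2)
    end = pos + length
    if end != len(data):
        raise ValueError("NLRI length field does not match data")
    components = []
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype not in FIELD_OF:
            raise ValueError(f"component type {ctype} not supported here")
        terms = []
        while True:
            op, pos = data[pos], pos + 1
            n = 1 << ((op & 0x30) >> 4)                   # len bits select 1/2/4/8 octets
            value, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
            terms.append((op & 0x07, value, bool(op & OP_AND)))
            if op & OP_END:
                break
        components.append((ctype, terms))
    return components

def _term_matches(bits, value, field):
    return ((bool(bits & OP_LT) and field < value) or (bool(bits & OP_GT) and field > value)
            or (bool(bits & OP_EQ) and field == value))

def component_matches(terms, field):
    """AND binds tighter than OR (RFC 8955 4.2.1.1), so evaluate an OR of AND-groups."""
    groups = []
    for bits, value, and_prev in terms:
        if and_prev and groups:
            groups[-1].append((bits, value))
        else:
            groups.append([(bits, value)])
    return any(all(_term_matches(b, v, field) for b, v in g) for g in groups)

def flow_matches(components, flow):
    # Components are ANDed: every one must match for the rule to apply.
    return all(component_matches(terms, flow[FIELD_OF[ctype]]) for ctype, terms in components)

def traffic_rate_extcomm(bytes_per_second, asn=0):
    """traffic-rate extended community: type, informational 2-octet AS, IEEE float rate."""
    return struct.pack("!HHf", TRAFFIC_RATE, asn, float(bytes_per_second))

def action_of(extcomms):
    for ec in extcomms:
        ectype, _asn, rate = struct.unpack("!HHf", ec)
        if ectype == TRAFFIC_RATE:
            return "deny" if rate == 0 else f"rate-limit {rate:g} B/s"
    return "permit"              # a rule without a traffic action only counts matching traffic

def apply_policy(nlri, extcomms, flow):
    # PE1's step in the scenario: the received route decides what happens to one flow.
    return action_of(extcomms) if flow_matches(decode_nlri(nlri), flow) else "permit"

# The rule shown in PE1's routing table above, with the deny action it carries.
PAGE_NLRI = encode_nlri([(SRC_PORT, [("eq", 159, False)])])
DENY = [traffic_rate_extcomm(0)]

if __name__ == "__main__":
    # Constructed flow records standing in for PE1's sampled traffic.
    for flow in ({"src_port": 159, "dst_port": 53, "next_header": 17},
                 {"src_port": 443, "dst_port": 53, "next_header": 6}):
        print(flow, "->", apply_policy(PAGE_NLRI, DENY, flow))
```

The NLRI for the displayed rule is four octets: a length of 3, component type 6 (source port), the operator byte 0x81 (end-of-list, one-octet value, eq) and the value 159. Each term's AND bit and the AND-over-OR precedence are what make multi-term components such as a port range evaluate correctly, which is why the evaluator groups terms rather than scanning left to right.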
CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet0/1/0
undo shutdown
ipv6 enable
ipv6 address 2001:db8:1::1/64
#
bgp 100
peer 2001:db8:1::2 as-number 200
#
ipv4-family unicast
undo synchronization
#
ipv6-family flow
peer 2001:db8:1::2 enable
#
return
PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 2:2
apply-label per-instance
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
interface GigabitEthernet0/1/0
undo shutdown
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:1::2/64
#
bgp 200
#
ipv4-family unicast
undo synchronization
#
vpn-instance vpna
peer 2001:db8:1::1 as-number 200
#
ipv6-flow vpn-instance vpna
peer 2001:db8:1::1 enable
#
return