This section provides an example for configuring static BGP VPNv6 Flow Specification to allow BGP VPNv6 Flow Specification routes to be transmitted and traffic filtering policies to be generated. The policies improve security of devices in VPNs.
In Figure 1, CE1 resides in AS 100, and PE1 and PE2 reside in AS 200. All the devices belong to the same VPN. PE1 is an ingress of the VPN in AS 200, and AS 200 can communicate with AS 100 through PE1.
If an attack source exists in AS 100, attack traffic is transmitted to AS 200 through PE1, which severely affects the VPN performance of AS 200.
In this case, static BGP VPNv6 Flow Specification must be configured to address the problem. To meet this requirement, create a static BGP VPN IPv6 Flow Specification route on PE2 and enable the BGP-Flow VPNv6 address family so that a BGP VPNv6 Flow Specification route is generated automatically. Then establish a BGP VPNv6 Flow Specification peer relationship between PE1 and PE2 so that the BGP VPNv6 Flow Specification route is advertised to PE1. PE1 uses the received route to generate a traffic filtering policy that filters and controls the attack traffic.
The configuration roadmap is as follows:
Configure an IP address for each involved interface.
Create a VPN instance on PE1 and PE2 and bind the VPN instance to PE1's interface that is connected to CE1.
On PE2, configure a BGP VPN IPv6 Flow Specification route (FlowSpec1) to discard the attack traffic whose source port number is 159.
Establish a BGP VPNv6 Flow Specification peer relationship between PE1 and PE2 so that the generated BGP VPNv6 Flow Specification route can be sent to PE1 and be used by PE1 to generate a traffic filtering policy.
To complete the configuration, you need the following data:
AS number (100) of CE1 and AS number (200) of PE1 and PE2
Name of the VPN instance (vpna)
For configuration details, see "Configuration Files" in this section.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv6-family
[*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 export-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 import-extcommunity
[*PE1-vpn-instance-vpna-af-ipv6] commit
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface GigabitEthernet0/1/0
[~PE1-GigabitEthernet0/1/0] undo shutdown
[*PE1-GigabitEthernet0/1/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet0/1/0] ip address 10.1.1.2 255.255.255.0
[*PE1-GigabitEthernet0/1/0] commit
[~PE1-GigabitEthernet0/1/0] quit
[~PE1] interface GigabitEthernet0/1/8
[~PE1-GigabitEthernet0/1/8] undo shutdown
[*PE1-GigabitEthernet0/1/8] ip address 10.2.1.1 255.255.255.0
[*PE1-GigabitEthernet0/1/8] commit
[~PE1-GigabitEthernet0/1/8] quit
# Configure PE2.
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv6-family
[*PE2-vpn-instance-vpna-af-ipv6] route-distinguisher 200:1
[*PE2-vpn-instance-vpna-af-ipv6] vpn-target 111:1 export-extcommunity
[*PE2-vpn-instance-vpna-af-ipv6] vpn-target 111:1 import-extcommunity
[*PE2-vpn-instance-vpna-af-ipv6] commit
[~PE2-vpn-instance-vpna-af-ipv6] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface GigabitEthernet0/1/0
[~PE2-GigabitEthernet0/1/0] undo shutdown
[*PE2-GigabitEthernet0/1/0] ip address 10.2.1.2 255.255.255.0
[*PE2-GigabitEthernet0/1/0] commit
[~PE2-GigabitEthernet0/1/0] quit
# Configure a static BGP VPN IPv6 Flow Specification route (FlowSpec1) on PE2 that discards traffic whose source port number is 159.
[~PE2] flow-route FlowSpec1 ipv6 vpn-instance vpna
[*PE2-flow-route-vpna] if-match source-port equal 159
[*PE2-flow-route-vpna] apply deny
[*PE2-flow-route-vpna] commit
[~PE2-flow-route-vpna] quit
# Configure PE1.
[~PE1] bgp 200
[*PE1-bgp] peer 10.2.1.2 as-number 200
[*PE1-bgp] vpn-instance vpna
[*PE1-bgp-instance-vpna] quit
[*PE1-bgp] ipv6-flow vpn-instance vpna
[*PE1-bgp-flow-vpna] quit
[*PE1-bgp] ipv6-flow vpnv6
[*PE1-bgp-af-flow-vpnv6] peer 10.2.1.2 enable
[*PE1-bgp-af-flow-vpnv6] commit
[~PE1-bgp-af-flow-vpnv6] quit
[~PE1-bgp] quit
# Configure PE2.
[~PE2] bgp 200
[*PE2-bgp] peer 10.2.1.1 as-number 200
[*PE2-bgp] vpn-instance vpna
[*PE2-bgp-instance-vpna] quit
[*PE2-bgp] ipv6-flow vpn-instance vpna
[*PE2-bgp-flow-6-vpna] quit
[*PE2-bgp] ipv6-flow vpnv6
[*PE2-bgp-af-flow-vpnv6] peer 10.2.1.1 enable
[*PE2-bgp-af-flow-vpnv6] commit
[~PE2-bgp-af-flow-vpnv6] quit
[~PE2-bgp] quit
# Check whether the BGP VPNv6 Flow Specification peer relationship is established on PE2. The command output shows that the peer relationship is established.
<PE2> display bgp flow vpnv6 all peer
 BGP local router ID : 10.2.1.2
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.2.1.1        4   200     1042     1051     0  15:07:49  Established        0
# Check information about the BGP VPNv6 Flow Specification routes received by PE1.
<PE1> display bgp flow vpnv6 route-distinguisher 200:1 routing-table
 BGP Local router ID is 10.1.1.2
 Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 RPKI validation codes: V - valid, I - invalid, N - not-found

 Route Distinguisher: 200:1
 Total Number of Routes: 1
 * >  ReIndex : 536870913
      Dissemination Rules:
      Src. Port : eq 159
      MED : 0   PrefVal : 0   LocalPref: 100
      Path/Ogn : i
# Specify ReIndex of the BGP VPNv6 Flow Specification route to check the traffic filtering rule carried in the route.
<PE1> display bgp flow vpnv6 all routing-table 536870913
 BGP local router ID : 10.1.1.2
 Local AS number : 200
 ReIndex : 536870913
 Order : 0
 Dissemination Rules :
 Src. Port : eq 159
 BGP flow-vpnv6 routing table entry information of 536870913:
 Route Distinguisher: 200:1
 Match action :
  apply deny
 From: 10.2.1.2 (10.2.1.2)
 Route Duration: 0d13h59m46s
 Ext-Community: RT <111 : 1>
 AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
 Not advertised to any peer yet
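The two display outputs above show what the BGP VPNv6 Flow Specification route actually carries: a Route Distinguisher (200:1), one matching rule (source port eq 159) and one action (apply deny). The following Python script is an added example, not Huawei code or part of this configuration guide; it encodes and decodes that route on the wire as specified in RFC 8955 (Flow Specification NLRI and traffic-rate extended community, with the 8-byte RD prefix used for the VPN address families) and RFC 8956 (IPv6 numeric components, which use the same port encoding). It assumes a type-0 RD (2-byte AS number), the standard "traffic-rate 0" encoding for the deny action, and a simplified matcher that evaluates a single component's operators as an OR list (the AND bit is parsed but not evaluated). The sample packet ports in the test are constructed.

```python
"""Encode/decode the VPN Flow Specification route from the example above:
RD 200:1, match source-port eq 159, action deny.
Constructed example following RFC 8955/8956; not Huawei code."""
import struct

# Flow Specification component type for "source port" (RFC 8955 section 4.2.7).
COMP_SOURCE_PORT = 6

# Numeric operator byte (RFC 8955 section 4.2.1.1):
#   bit 7 e (end of list), bit 6 a (AND with previous), bits 5-4 value length,
#   bit 2 lt, bit 1 gt, bit 0 eq.
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
LEN_CODE = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}


def encode_rd(asn, assigned):
    """Type-0 Route Distinguisher: 2-byte AS number, 4-byte assigned number (e.g. 200:1)."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_numeric_component(comp_type, values, op=OP_EQ):
    """Encode one numeric component such as 'source-port eq 159'.
    Several values are OR-ed (AND bit clear); the last operator carries the end bit."""
    out = bytes([comp_type])
    for i, v in enumerate(values):
        width = 1 if v < 0x100 else 2 if v < 0x10000 else 4
        opbyte = op | LEN_CODE[width] | (OP_END if i == len(values) - 1 else 0)
        out += bytes([opbyte]) + v.to_bytes(width, "big")
    return out


def encode_vpn_flowspec_nlri(rd, components):
    """VPN Flow Specification NLRI: length octet(s), then RD + components.
    The length covers the RD as well (RFC 8955 section 8)."""
    body = rd + components
    n = len(body)
    # Lengths below 240 use one octet; longer NLRIs use two, high nibble 0xF.
    length = bytes([n]) if n < 240 else struct.pack("!H", 0xF000 | n)
    return length + body


def traffic_rate_deny():
    """'apply deny' as a traffic-rate extended community (type 0x80, subtype 0x06)
    with a rate of 0 bytes/s (RFC 8955 section 7.1). The 2-octet AS field is informational."""
    return struct.pack("!BBHf", 0x80, 0x06, 0, 0.0)


def decode_vpn_flowspec_nlri(data):
    """Parse one VPN FlowSpec NLRI into ('AS:N', [(component_type, [(op_flags, value), ...])])."""
    if data[0] >= 0xF0:
        n, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    else:
        n, pos = data[0], 1
    body = data[pos:pos + n]
    rd_type, asn, assigned = struct.unpack("!HHI", body[:8])
    if rd_type != 0:
        raise ValueError("only type-0 RDs are handled in this example")
    rd = f"{asn}:{assigned}"
    i, comps = 8, []
    while i < len(body):
        ctype, i = body[i], i + 1
        ops = []
        while True:
            opbyte, i = body[i], i + 1
            width = 1 << ((opbyte >> 4) & 0x03)          # 1, 2, 4 or 8 bytes
            value = int.from_bytes(body[i:i + width], "big")
            i += width
            ops.append((opbyte & (OP_LT | OP_GT | OP_EQ), value))
            if opbyte & OP_END:
                break
        comps.append((ctype, ops))
    return rd, comps


def matches_source_port(ops, src_port):
    """Evaluate a decoded component's operators (treated as an OR list) against a packet's source port."""
    return any(bool((f & OP_EQ and src_port == v) or (f & OP_LT and src_port < v)
                    or (f & OP_GT and src_port > v)) for f, v in ops)


def flowspec1_nlri():
    """The route PE2 originates in the example: RD 200:1, source-port eq 159."""
    return encode_vpn_flowspec_nlri(encode_rd(200, 1),
                                    encode_numeric_component(COMP_SOURCE_PORT, [159]))


if __name__ == "__main__":
    nlri = flowspec1_nlri()
    print("NLRI :", nlri.hex())                 # 0b 000000c800000001 06 81 9f
    print("Route:", decode_vpn_flowspec_nlri(nlri))
    print("Action ext-community:", traffic_rate_deny().hex())
```

Reading the encoded bytes back against the display output: 0b is the NLRI length (8 bytes of RD plus 3 bytes of rule), 000000c800000001 is RD 200:1, 06 selects the source-port component, 81 is the operator byte (end-of-list bit plus eq), and 9f is port 159. The deny action travels separately, as a traffic-rate extended community with rate 0, alongside the RT 111:1 that the "Ext-Community" line of the output shows.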
CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 100
peer 10.1.1.2 as-number 200
#
ipv6-family unicast
undo synchronization
peer 10.1.1.2 enable
#
ipv6-family flow
peer 10.1.1.2 enable
#
return
PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ipv4-family
route-distinguisher 100:1
apply-label per-instance
#
interface GigabitEthernet0/1/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/1/8
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 200
peer 10.2.1.2 as-number 200
#
ipv6-family unicast
undo synchronization
peer 10.2.1.2 enable
#
vpn-instance vpna
#
ipv6-flow vpn-instance vpna
#
ipv6-flow vpnv6
policy vpn-target
peer 10.2.1.2 enable
#
return
PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
bgp 200
peer 10.2.1.1 as-number 200
#
ipv6-family unicast
undo synchronization
peer 10.2.1.1 enable
#
vpn-instance vpna
#
ipv6-flow vpn-instance vpna
#
ipv6-flow vpnv6
policy vpn-target
peer 10.2.1.1 enable
#
flow-route FlowSpec1 ipv6 vpn-instance vpna
if-match source-port equal 159
apply deny
#
return