Example for Configuring Dynamic BGP VPNv6 Flow Specification

This section provides an example for configuring dynamic BGP VPNv6 Flow Specification so that BGP VPNv6 Flow Specification routes can be transmitted and traffic filtering policies generated from them. The policies improve the security of devices in VPNs.

Networking Requirements

Figure 1 shows a VPN, where CE1 belongs to AS 100, PE1 and the server belong to AS 200, and PE1 is a network ingress of AS 200. AS 200 communicates with AS 100 through PE1.

If an attack source exists in AS 100, attack traffic is transmitted to AS 200 through PE1, posing a threat to AS 200. In this case, it is required that dynamic BGP VPNv6 Flow Specification be configured to address this problem. To meet the requirement, you need to deploy a traffic analysis server (the server in Figure 1) and establish a BGP VPNv6 Flow Specification peer relationship between the server and PE1. PE1 samples traffic periodically and sends the sampled traffic to the traffic analysis server. The traffic analysis server generates a BGP VPNv6 Flow Specification route based on the characteristics of sampled attack traffic and sends the route to PE1. PE1 then converts the route into a traffic filtering policy to filter and control attack traffic, ensuring the security of VPN services in AS 200.

Figure 1 Networking for configuring dynamic BGP VPNv6 Flow Specification

Interfaces 1 and 2 in this example represent GE 0/1/0 and GE 0/1/8, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address for each involved interface.

  2. Create a VPN instance on PE1 and the server and bind the VPN instance to PE1's interface that is connected to CE1.

  3. Establish a BGP VPNv6 Flow Specification peer relationship between PE1 and the server so that the generated BGP VPNv6 Flow Specification route can be sent to PE1 and be used by PE1 to generate a traffic filtering policy.

    The traffic analysis server is a third-party device and must have the capability of establishing a BGP VPNv6 Flow Specification peer relationship.

Data Preparation

To complete the configuration, you need the following data:
  • AS number (100) of CE1 and AS number (200) of PE1 and the server

  • Name of a VPN instance (vpna)

Procedure

  1. Assign an IP address and a mask to each interface.

    For configuration details, see "Configuration Files" in this section.

  2. Create a VPN instance and bind the VPN instance to PE1's interface that is connected to CE1.

    # Configure PE1.

    [~PE1] ip vpn-instance vpna
    [*PE1-vpn-instance-vpna] ipv6-family
    [*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
    [*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 export-extcommunity
    [*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 import-extcommunity
    [*PE1-vpn-instance-vpna-af-ipv6] commit
    [~PE1-vpn-instance-vpna-af-ipv6] quit
    [~PE1-vpn-instance-vpna] ipv4-family
    [~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [*PE1-vpn-instance-vpna-af-ipv4] commit
    [~PE1-vpn-instance-vpna-af-ipv4] quit
    [~PE1-vpn-instance-vpna] quit
    [~PE1] interface GigabitEthernet0/1/0
    [~PE1-GigabitEthernet0/1/0] undo shutdown
    [*PE1-GigabitEthernet0/1/0] ip binding vpn-instance vpna
    [*PE1-GigabitEthernet0/1/0] ipv6 enable
    [*PE1-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::2 64
    [*PE1-GigabitEthernet0/1/0] commit
    [~PE1-GigabitEthernet0/1/0] quit
    [~PE1] interface GigabitEthernet0/1/8
    [~PE1-GigabitEthernet0/1/8] undo shutdown
    [*PE1-GigabitEthernet0/1/8] ip address 10.2.1.1 255.255.255.0
    [*PE1-GigabitEthernet0/1/8] commit
    [~PE1-GigabitEthernet0/1/8] quit

  3. Establish a BGP VPNv6 Flow Specification peer relationship.

    # Configure PE1.

    [~PE1] bgp 200
    [*PE1-bgp] peer 10.2.1.2 as-number 200
    [*PE1-bgp] vpn-instance vpna
    [*PE1-bgp-instance-vpna] quit
    [*PE1-bgp] ipv6-flow vpn-instance vpna
    [*PE1-bgp-flow-vpna] quit
    [*PE1-bgp] ipv6-flow vpnv6
    [*PE1-bgp-af-flow-6-vpnv6] peer 10.2.1.2 enable
    [*PE1-bgp-af-flow-6-vpnv6] commit
    [~PE1-bgp-af-flow-6-vpnv6] quit
    [~PE1-bgp] quit

  4. Verify the configuration.

    # Check whether the BGP VPNv6 Flow Specification peer relationship with the server is established on PE1. The command output shows that the peer relationship is established. In addition, the BGP VPN IPv6 Flow Specification peer relationship is established between CE1 and PE1.

    <PE1> display bgp flow vpnv6 all peer
     
     BGP local router ID : 2001:db8:1::2
     Local AS number : 200
     Total number of peers : 2                 Peers in established state : 2
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
      10.2.1.2        4         200     1076     1067     0 15:30:19 Established        1
       
      Peer of  for vpn instance :
    
      VPN-Instance vpna, Router ID 2001:db8:1::2:
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
      2001:db8:1::1   4         100     1057     1058     0 15:19:07 Established        0

    # Check information about the BGP VPNv6 Flow Specification routes received by PE1. The command output also shows information about the received BGP VPN IPv6 Flow Specification routes.

    <PE1> display bgp flow vpnv6 all routing-table
     BGP Local router ID is 2001:db8:1::2
     Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
     RPKI validation codes: V - valid, I - invalid, N - not-found
    
     
     Total number of routes from all PE: 1
     * >  ReIndex : 536870913
          Dissemination Rules:
           Src. Port      : eq 159
           MED      : 0                   PrefVal  : 0                   
           LocalPref: 100                       
           Path/Ogn :  i
        
     VPN-Instance vpna, Router ID 2001:db8:1::2:
    
     Total Number of Routes: 1
     * >  ReIndex : 1
          Dissemination Rules:
           Src. Port      : eq 159
           MED      : 0                   PrefVal  : 0                   
           LocalPref: 100                       
           Path/Ogn :  i

    # Specify the ReIndex of the BGP VPNv6 Flow Specification route to check the traffic filtering rule carried in the route.

    <PE1> display bgp flow vpnv6 all routing-table 536870913
     
     BGP local router ID : 2001:db8:1::2
     Local AS number : 200
     ReIndex : 536870913
     Order   : 0
     Dissemination Rules :
       Src. Port      : eq 159
     
     BGP flow-vpnv6 routing table entry information of 536870913:
     Route Distinguisher: 200:1
     Match action :
       apply deny
     From: 10.2.1.2 (10.2.1.2) 
     Route Duration: 0d13h59m46s
     Ext-Community: RT <111 : 1>
     AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
     Not advertised to any peer yet
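As an added verification check (not part of the Huawei documentation or of any vendor tool), the following Python script parses the per-ReIndex output from step 4 and flags a received Flow Specification rule that did not come from the traffic analysis server (10.2.1.2), has no match component at all (it would match all traffic), or does not carry the vpna import target 111:1. The sample output is constructed from the values shown above; the trusted-peer set and expected RT are assumptions for this topology.

```python
import re

# Constructed sample: the route entry shown in step 4 above, same values.
SAMPLE_OUTPUT = """\
 ReIndex : 536870913
 Dissemination Rules :
   Src. Port      : eq 159
 Route Distinguisher: 200:1
 Match action :
   apply deny
 From: 10.2.1.2 (10.2.1.2)
 Ext-Community: RT <111 : 1>
"""

TRUSTED_PEERS = {"10.2.1.2"}   # assumption: the traffic analysis server peered with PE1
EXPECTED_RT = "111:1"          # assumption: import target of VPN instance vpna

def parse_flow_route(text):
    """Parse one 'display bgp flow vpnv6 all routing-table <ReIndex>' entry."""
    route = {"rules": {}, "actions": [], "rt": []}
    section = None
    for line in filter(str.strip, text.splitlines()):
        s = line.strip()
        indented = len(line) - len(line.lstrip()) >= 3   # items under a section header
        if indented and section == "rules":              # e.g. "Src. Port : eq 159"
            key, _, value = s.partition(":")
            route["rules"][key.strip()] = value.strip()
        elif indented and section == "actions":          # e.g. "apply deny"
            route["actions"].append(s)
        else:
            section = ("rules" if s.startswith("Dissemination Rules")
                       else "actions" if s.startswith("Match action") else None)
            if s.startswith("ReIndex"):
                route["reindex"] = int(s.split(":")[1])
            elif s.startswith("From:"):
                route["from"] = s.split()[1]
            elif s.startswith("Ext-Community"):
                route["rt"] = [m.replace(" ", "") for m in re.findall(r"RT <([^>]*)>", s)]
    return route

def audit_flow_route(route, trusted_peers=TRUSTED_PEERS, expected_rt=EXPECTED_RT):
    """Return findings for one received rule; an empty list means it is as expected."""
    findings = []
    if route.get("from") not in trusted_peers:
        findings.append(f"from unexpected peer {route.get('from')}")
    if not route["rules"]:
        findings.append("no match component, would match all traffic")
    if expected_rt not in route["rt"]:
        findings.append(f"missing RT {expected_rt}")
    return findings
```

Feed the script the output of each ReIndex listed by `display bgp flow vpnv6 all routing-table`; any non-empty findings list marks a rule worth investigating before it stays in the filtering policy.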

Configuration Files

  • CE1 configuration file

    #
    sysname CE1
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:1::1/64
    #
    bgp 100
     peer 2001:db8:1::2 as-number 200
     #
     ipv6-family unicast
      undo synchronization
      peer 2001:db8:1::2 enable
     #
     ipv6-family flow
      peer 2001:db8:1::2 enable
    #
    return
  • PE1 configuration file

    #
    sysname PE1
    #
    ip vpn-instance vpna
     ipv6-family
      route-distinguisher 100:1
      apply-label per-instance
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
     ipv4-family
      route-distinguisher 100:1
      apply-label per-instance
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip binding vpn-instance vpna
     ipv6 enable
     ipv6 address 2001:db8:1::2/64
    #
    interface GigabitEthernet0/1/8
     undo shutdown
     ip address 10.2.1.1 255.255.255.0
    #
    bgp 200
     peer 10.2.1.2 as-number 200
     #
     ipv6-family unicast
      undo synchronization
      peer 10.2.1.2 enable
     #
     vpn-instance vpna
     #
     ipv6-flow vpn-instance vpna
     #
     ipv6-flow vpnv6
      policy vpn-target
      peer 10.2.1.2 enable
    #
    return
Copyright © Huawei Technologies Co., Ltd.