H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100
AFC Business Configuration Guide
Typical Configuration Examples of AFC Bypass BGP Three - layer Return Injection
Configuration Examples of BGP Three - Layer Return Mode
Applicable Products and Versions
Feature Introduction
AFC is generally attached in parallel (bypass) to core network devices. Without affecting normal services, it filters DDoS attack traffic destined for the lower-layer network, protecting the services of the lower-layer network and of large-customer networks.
The abnormal traffic cleaning system consists of two parts: AFD and AFC.
AFD performs real-time attack detection and abnormal traffic analysis on user traffic that is replicated to it by port mirroring or optical splitting.
AFC diverts the traffic of attacked users by BGP route advertisement, filters the attack packets, and re-injects the "clean" traffic back toward the users. Routes can be advertised in two ways: static BGP routes advertised manually, or host routes of the attacked addresses advertised dynamically in coordination with AFD.
AFD and AFC can each be deployed independently. Both provide users with detailed traffic log analysis reports, attack event handling reports, and similar output.
Feature Usage
This document is not strictly mapped to specific software and hardware versions. If there are any differences between the usage process and the actual product situation, please refer to the actual device situation.
All configurations in this document are performed and verified in a laboratory environment. Before configuration, all device parameters adopt the factory default settings. If you have already configured the device, to ensure configuration effectiveness, please confirm that the existing configuration does not conflict with the configurations in the following examples.
This document assumes that you are familiar with data communication features such as VLAN, BGP, policy routing, and ACL.
Configuration Guide
System configuration comprises the basic configuration and the service-related configuration of the AFD and AFC devices, all of which is done through the web interface. The basic configuration of the switches is done through the command line. This configuration example demonstrates AFC deployment in bypass mode, with BGP traffic diversion for traffic detection and cleaning.
AFC Business Configuration Guide
· Establish a BGP neighbor relationship between the AFC and the core device. The AFC advertises 32-bit (/32) static routes for the protected IPs to the core device, which then diverts their traffic to the AFC.
· The AFC cleans the traffic the core device diverts to it and re-injects the users' cleaned, normal traffic back into the lower-layer network, from where it reaches the intended destination devices.
· When the cleaned traffic is re-injected into the lower-layer network by Layer 3 routing, two port modes are available: Single-arm Re-injection Interface and Reinjection Port.
Precautions
Different manufacturers and models of switches or routers have different configuration commands. Please follow the equipment operation manuals for configuration operations.
Typical Configuration Examples of AFC Bypass BGP Three - layer Return Injection
Introduction
This chapter describes the use of BGP routing for traffic diversion when the AFC is deployed in bypass mode, combined with a Layer 3 return mode in which policy-based routing forwards the re-injected traffic.
Usage Restrictions
The Layer 3 return mode applies to scenarios where the network devices directly connected to the core device (the device that performs route diversion with the AFC) are Layer 3 switches or routers.
Configuration Examples of BGP Three - Layer Return Mode
Applicable Products and Versions
Software version: H3C i-Ware Software, Version 7.1, ESS 6401.
Networking Requirements
To clean the traffic of the protected IP 171.0.3.21 while it is under attack, an abnormal-traffic cleaning system is deployed in bypass mode on the core switching equipment. The core switch R2 establishes a BGP neighbor relationship through its interface G1/0/18 with interface GE1/0 of the AFC device for traffic diversion and cleaning. A policy-based route applied inbound on interface G1/0/18 of core switch R2 forwards the re-injected cleaned traffic.
The networking is shown as follows.
Figure 0‑1 Configuration Networking Diagram of the AFC Bypass Deployment in the Layer 3 Re-injection Mode
Implementation Details:
· Host route advertisement: The AFC establishes a BGP neighbor relationship with the core switch R2 through its GE1/0 interface and advertises /32 routes for the protected IP addresses to R2.
· Host traffic cleaning: The core switch R2 diverts the traffic of the protected host to the AFC, which cleans the abnormal traffic out of the host traffic according to its cleaning policies.
· Traffic redirection: The core switch R2 applies policy-based routing inbound on the interface connecting R2 and the AFC, so that the cleaned, re-injected traffic is forwarded to the designated network.
Table 0‑1 VLAN Allocation List

| VLAN ID | Description | IP Address |
|---|---|---|
| 1710 | Core switch R2 establishes the BGP neighbor relationship with the AFC; the AFC returns the cleaned traffic to R2 over this VLAN | 171.0.0.1/24 |
| 1711 | Layer 3 VLAN interface of core switch R2 toward the lower-level network; Layer 3 VLAN interface of the lower-level switch toward R2 | 171.0.1.1/24, 171.0.1.2/24 |
| 1713 | VLAN where the protected hosts are located; gateway address of the protected hosts | 171.0.3.1/24 |
Table 0‑2 AFC Interface IP Assignment List

| Interface | Description | IP Address |
|---|---|---|
| GE1/0 | Core switch R2 establishes the BGP neighbor relationship with the AFC | 171.0.0.2/24 |
| GE0/0 | AFC management port | 192.168.0.1/24 |
Configuration Ideas
To configure AFC bypass deployment with BGP Layer 3 re-injection, carry out the following steps:
Basic Network Configuration on Core Switch R2
Configure interface G1/0/17 of core switch R2 to interconnect with interface G1/0/17 of the lower-level switch R3.
BGP Neighbor Configuration on Core Switch R2
Enable the BGP process separately on the AFC and core switch R2, and establish a neighbor relationship between them.
Return Injection Policy Configuration on Core Switch R2
Configure a policy-based route inbound on the interconnection port (GE1/0/18) between the core switch and the AFC device that redirects traffic destined for the user service address segment (171.0.3.0/24) to the lower-level switch R3. Without it, the return traffic from the AFC would match the /32 diversion route and be sent back into the AFC, forming a routing loop; with it, the re-injection of the cleaned traffic is complete.
Basic Network Configuration on Lower - level Switch R3
Configure interface G1/0/17 of the lower-level switch R3 to interconnect with interface G1/0/17 of core switch R2.
Business Port Configuration on AFC Device
Configure the IP address and port type of the AFC device's service port that interconnects with the port of core switch R2, so that it can communicate with R2. Set the service port type of the AFC device to Single-arm Re-injection Interface mode (traffic diversion and re-injection use the same physical port).
BGP Route Configuration on AFC Device
Configure the BGP adjacency relationship on the AFC device side to complete the mutual neighbor settings between the two parties.
Traffic Diversion and Cleaning on AFC Device
The AFC device diverts the user service addresses, cleans the user traffic according to the defense policy, and sends the cleaned traffic back to the core device.
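The loop that the re-injection policy prevents can be shown with a small model of R2's forwarding decision. This is an added illustration, not vendor code: R2's routing table, the /32 learned from the AFC and policy route p_afc_out are modelled as Python data; the 171.0.3.0/24 route via R3 is assumed, since the page implies it but does not show it.

```python
import ipaddress

# Constructed model of core switch R2 from this example (added illustration, not vendor code).
# Longest prefix match wins. The 171.0.3.0/24 route via R3 is assumed (implied by the page);
# the /32 is the host route the AFC advertises over BGP to divert the protected host.
R2_RIB = [
    ("171.0.0.0/24", "Vlan1710"),     # direct: link to AFC GE1/0
    ("171.0.1.0/24", "Vlan1711"),     # direct: link to lower-level switch R3
    ("171.0.3.0/24", "171.0.1.2"),    # assumed: protected segment reachable via R3
    ("171.0.3.21/32", "171.0.0.2"),   # BGP /32 from the AFC (AS 65534): diversion
]

# Policy route p_afc_out node 5, applied inbound on Vlan-interface1710:
# if-match acl 3003 (destination 171.0.3.0/24) -> apply ip-address next-hop 171.0.1.2
PBR_VLAN1710 = [("171.0.3.0/24", "171.0.1.2")]

AFC_IP, R3_IP = "171.0.0.2", "171.0.1.2"


def r2_next_hop(dst, ingress_vlan, pbr_enabled):
    """Next hop R2 picks for dst: ingress PBR first, then longest prefix match."""
    ip = ipaddress.ip_address(dst)
    if pbr_enabled and ingress_vlan == 1710:
        for prefix, nh in PBR_VLAN1710:
            if ip in ipaddress.ip_network(prefix):
                return nh
    best = None
    for prefix, nh in R2_RIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(dst, pbr_enabled, max_hops=6):
    """Walk a packet arriving from the uplink through R2; returns (path, looped)."""
    path, ingress_vlan = ["R2"], 0            # first arrival from the upstream side
    for _ in range(max_hops):
        nh = r2_next_hop(dst, ingress_vlan, pbr_enabled)
        if nh == AFC_IP:                      # diverted: AFC cleans, re-injects on the same arm
            path.append("AFC")
            if path.count("AFC") > 1:
                return path, True             # AFC -> R2 -> AFC again: routing loop
            path.append("R2")
            ingress_vlan = 1710               # re-injected traffic enters R2 on Vlan1710
        elif nh == R3_IP:
            path += ["R3", "host"]
            return path, False
        else:
            return path + [f"drop({nh})"], False
    return path, True
```

With the policy route disabled, the cleaned traffic for 171.0.3.21 matches the /32 again and bounces between R2 and the AFC; with it enabled, the re-injected packet leaves Vlan1710 toward R3.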
Configuration Steps
Configure Basic Network on Core Switch R2
Create VLANs 1710 and 1711. VLAN 1710 corresponds to the 171.0.0.0/24 segment and carries the directly connected link between R2 (a Layer 3 switch) and AFC GE1/0, over which the route re-injection takes place. VLAN 1711 corresponds to the 171.0.1.0/24 segment and carries the routing toward the lower layer.
# Create VLAN
[R2]vlan 1710
[R2-vlan1710]quit
[R2]vlan 1711
[R2-vlan1711]quit
# Configure the VLAN interface IP addresses
[R2]interface Vlan-interface1710
[R2-Vlan-interface1710]ip address 171.0.0.1 255.255.255.0
[R2-Vlan-interface1710]quit
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
# Configure the G1/0/17 interface.
[R2]int GigabitEthernet 1/0/17
[R2-GigabitEthernet1/0/17] port link-mode bridge
[R2-GigabitEthernet1/0/17] port access vlan 1711
# Check the configuration of interface G1/0/17
[R2-GigabitEthernet1/0/17] dis this
interface GigabitEthernet1/0/17
port link-mode bridge
port access vlan 1711
# Configure the G1/0/18 interface.
[R2]int GigabitEthernet 1/0/18
[R2-GigabitEthernet1/0/18] port link-mode bridge
[R2-GigabitEthernet1/0/18] port access vlan 1710
# Check the configuration of interface G1/0/18
[R2-GigabitEthernet1/0/18] dis this
interface GigabitEthernet1/0/18
port link-mode bridge
port access vlan 1710
Configure BGP neighbors on core switch R2
# Configure BGP with AS number 65535
[R2]bgp 65535
# Configure the router ID
[R2-bgp]router-id 171.0.0.1
[R2-bgp]undo synchronization
# Configure the peer; the peer AS number is 65534 (the peer must exist before it can be enabled in an address family)
[R2-bgp]peer 171.0.0.2 as-number 65534
# Configure the peer description; the peer is the AFC
[R2-bgp]peer 171.0.0.2 description afc
# Assign a preferred value to the routes received from the peer (used in route selection for the diverted host routes)
[R2-bgp]peer 171.0.0.2 preferred-value 1
# Keep all original routes from the peer, even those that do not pass the configured ingress policy
[R2-bgp]peer 171.0.0.2 keep-all-routes
# Enable IPv4 unicast route exchange with the peer, so that the local router exchanges IPv4 unicast routing information with it
[R2-bgp]address-family ipv4 unicast
[R2-bgp-ipv4]peer 171.0.0.2 enable
If BGP IPv6 is configured, enter the BGP IPv6 unicast address family view instead.
Configure the injection policy on core switch R2
# Configure an ACL to match the destination IP address segment
[R2]acl number 3003
[R2-acl-adv-3003]rule 1 permit ip destination 171.0.3.0 0.0.0.255
[R2-acl-adv-3003]quit
# Access control list 3003 matches traffic destined for the 171.0.3.0/24 segment.
# Create the policy route
[R2]policy-based-route p_afc_out permit node 5
[R2-pbr-p_afc_out-5]if-match acl 3003
[R2-pbr-p_afc_out-5]apply ip-address next-hop 171.0.1.2
[R2-pbr-p_afc_out-5]quit
# Policy route p_afc_out sets the next hop to 171.0.1.2, the directly connected address of the lower-level switch on the link between the upper and lower networks. Adjust it to the address actually deployed.
# Apply the policy route on the Layer 3 interface
[R2]interface Vlan-interface1710
[R2-Vlan-interface1710]ip address 171.0.0.1 255.255.255.0
[R2-Vlan-interface1710]ip policy-based-route p_afc_out
[R2-Vlan-interface1710]quit
# If the interface works in route mode, apply the policy route directly on the interface. If it works in bridge mode, apply the policy route on the Layer 3 VLAN interface that the port belongs to, as shown above.
Configure the basic network on the lower-layer switch R3
Create VLAN 1711 and VLAN 1713. VLAN 1711 corresponds to the 171.0.1.0/24 network segment, which serves as the direct route between the lower-layer switch R3 and the core switch R2 network. VLAN 1713 corresponds to the 171.0.3.0/24 network segment, which is the network segment where the lower-layer network is located.
# Create a VLAN
[R3]vlan 1711
[R3-vlan1711]quit
[R3]vlan 1713
[R3-vlan1713]quit
# Configure the VLAN interface IP addresses
[R3]int Vlan-interface 1711
[R3-Vlan-interface1711]ip address 171.0.1.2 24
[R3-Vlan-interface1711]quit
[R3]int Vlan-interface 1713
[R3-Vlan-interface1713]ip address 171.0.3.1 24
[R3-Vlan-interface1713]quit
# Configure the G1/0/17 interface.
[R3]int GigabitEthernet 1/0/17
[R3-GigabitEthernet1/0/17] port link-mode bridge
[R3-GigabitEthernet1/0/17] port access vlan 1711
# Check the configuration of G1/0/17
[R3-GigabitEthernet1/0/17] dis this
interface GigabitEthernet1/0/17
port link-mode bridge
port access vlan 1711
# Configure the G1/0/13 interface.
[R3]int GigabitEthernet 1/0/13
[R3-GigabitEthernet1/0/13] port link-mode bridge
[R3-GigabitEthernet1/0/13] port access vlan 1713
# Check the configuration of G1/0/13
[R3-GigabitEthernet1/0/13] dis this
interface GigabitEthernet1/0/13
port link-mode bridge
port access vlan 1713
AFC equipment service port configuration
To implement the BGP Layer 3 re-injection mode configuration for AFC bypass standalone deployment, follow the steps below:
Note! For the steps in the configuration that have an 【Apply Config】 button, you need to click this button to make the configuration take effect. This will not be mentioned again below.
Log in to the AFC System Page
Access and log in through a browser: https://192.168.0.1. The account is "admin" and the password is "admin".
Figure 0‑2 Log in to the AFC system page
AFC Address and Port-type Configuration
Go to [System] - [Device] - [Device Management], click [Setup] on the right-hand side of the device, select [Port Settings] in the left-hand navigation bar, and click the [Modify] button to modify the IP address, subnet mask, port binding and other settings of GE1/0. (When the device is first installed in the rack, refresh the configuration to obtain the device's current network card configuration.)
The IP address of GE1/0 is 171.0.0.2. The port type is Single-arm Re-injection Interface. The IPv4 next hop is the address of the interconnecting switch port on the inbound side (the address of G1/0/18 on the core switch), which is 171.0.0.1.
Figure 0‑3 Configure GE1/0
AFC device BGP routing configuration
After completing the address and port-type configuration, click the [Route Configure] menu at the bottom, select [Bgp Configure], check the option to enable BGP, and click [Apply Configure]. Follow the steps below for the configuration.
Local BGP Configuration:
Go to [System] - [Device Manage], click the [Setup] operation in the row of the device with the IP address 127.0.0.1, enter [Route Configure] - [Bgp Configure], and perform the following operations:
Check the [Enable BGP] option
· Local AS: 65534 // AS number of the AFC device side
· Local Port: 179 // Default port 179
Click [Save].
AFC device local BGP configuration
Figure 0‑4 Starting BGP
Peer BGP Configuration
Click the [Add] button to configure BGP peer information:
· Peer AS: 65535 // Enter the core switch's AS number when BGP is already running on the core switch
· Peer Port: 179 // Default port 179
· LocalPref/MED: 100 // Default value 100
· Peer IP: 171.0.0.1 (IPv4 next-hop address of GE1/0 interface)
Click [Save] to complete the neighbor address addition.
Figure 0‑5 AFC Neighbor BGP Configuration
Apply BGP Configuration:
Click [Apply Configure] to make the BGP configuration take effect.
Traffic Steering and Flow Cleaning of AFC Equipment
Log in to the AFC device, go to [Steer Config] - [Traffic Steering Status], click [Hand-Tow], and perform the traffic-steering operation on the test address within the user's network. In this example the steering address is 171.0.3.21. Select the steering operation "Traffic Steering" and click [Ensure] to complete the steering operation.
Figure 0‑6 Steering the User's Service Address 171.0.3.21
After the traffic has been diverted into the AFC device, the AFC can automatically apply its default policy to clean and defend against DDoS attacks.
Configuration Verification
Verify whether the cleaning service ports of the core switch R2 and the AFC device are interconnected.
Test whether the core switch R2 is routing - connected with the AFC device through ping.
[R2]ping -a 171.0.0.1 171.0.0.2
PING 171.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 171.0.0.2: bytes=56 Sequence=1 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=2 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=3 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=4 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=5 ttl=64 time=3 ms
--- 171.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
Verify whether the BGP neighbor relationship is established between the core device and the AFC device.
Log in to the core device and check the BGP establishment status via the "display BGP peer" command.
[Sysname] display bgp peer
BGP local router ID : 171.0.0.1
Local AS number : 65535
Total number of peers : 1 Peers in established state : 1
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
171.0.0.2 65534 5 3 0 0 00:01:59 Established
Verify whether the route steering between the core switch R2 and the AFC device is successful. If the steering is successful, a 32-bit route for the host should exist. Check the routing table of the core switch R2.
[R2]display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 171.0.0.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 171.0.3.21/32 171.0.0.2 0 1 65534i
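The same check can be scripted for monitoring. As an added example (not from the original document), the following parser reads the "display bgp routing-table" output shown above, embedded here as a constructed sample, and confirms that the diverted host has a valid, best /32 route whose next hop is the AFC peer and whose AS path is the AFC's AS.

```python
# Constructed sample: the "display bgp routing-table" output from this example.
SAMPLE = """Total Number of Routes: 1
BGP Local router ID is 171.0.0.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 171.0.3.21/32 171.0.0.2 0 1 65534i
"""


def parse_bgp_routes(text):
    """Parse route lines of Comware 'display bgp routing-table' output into dicts.

    A route line is recognised by its prefix token (digit-led, containing '/').
    MED and LocPrf may be blank, so the last two tokens (PrefVal and Path/Ogn)
    are read from the right; the Origin code is the final character.
    """
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if "/" in t and t[0].isdigit()), None)
        if idx is None or len(tokens) < idx + 4:
            continue
        path_ogn = tokens[-1]
        routes.append({
            "status": "".join(tokens[:idx]),      # e.g. "*>" = valid and best
            "network": tokens[idx],
            "next_hop": tokens[idx + 1],
            "pref_val": int(tokens[-2]),          # matches "peer ... preferred-value 1"
            "as_path": path_ogn[:-1],
            "origin": path_ogn[-1],
        })
    return routes


def diversion_ok(text, host, afc_peer, afc_as):
    """True if a valid best /32 for host points at the AFC peer with the AFC AS in its path."""
    for r in parse_bgp_routes(text):
        if (r["network"] == f"{host}/32" and r["next_hop"] == afc_peer
                and "*" in r["status"] and ">" in r["status"]
                and r["as_path"] == str(afc_as)):
            return True
    return False
```

Running diversion_ok against the live command output after a manual steering operation tells a NOC script whether the /32 actually reached R2, without eyeballing the table.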
Verify whether communication between the client and the traffic-steering server is normal.
Use the ping test to check whether the client can reach the service route.
[root@AFCTest_Client ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:9D:1B:7A
inet addr:184.0.0.75 Bcast:184.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257120 errors:0 dropped:0 overruns:0 frame:0
TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28882056 (27.5 MiB) TX bytes:3460908912 (3.2 GiB)
[root@AFCTest_Client ~]# ping -c 5 171.0.3.21
PING 171.0.3.21 (171.0.3.21) 56(84) bytes of data.
64 bytes from 171.0.3.21: icmp_seq=1 ttl=124 time=0.799 ms
64 bytes from 171.0.3.21: icmp_seq=2 ttl=124 time=0.736 ms
64 bytes from 171.0.3.21: icmp_seq=3 ttl=124 time=0.862 ms
64 bytes from 171.0.3.21: icmp_seq=4 ttl=124 time=1.47 ms
64 bytes from 171.0.3.21: icmp_seq=5 ttl=124 time=1.02 ms
--- 171.0.3.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms