H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100
03-BGP Auto-Diversion Deployment with Bypass and Abnormal Traffic Detection System Example
AFC Business Configuration Guide
Configuration Examples of Typical AFC Bypass Deployment, BGP Route Steering and AFD Linkage
Applicable Products and Versions
Feature Introduction
AFC is generally attached to the core network devices in bypass mode. Without affecting normal services, it filters the DDoS attack traffic that appears in the network below the core, providing transparent protection for the network services of key customers.
The solution consists of two parts: AFD and AFC.
AFD performs real-time attack detection and abnormal traffic analysis on user traffic that is replicated to it by port mirroring or optical splitting.
AFC publishes BGP routes to divert the traffic of users under attack, filters out the attack packets, and then reinjects the "cleaned" traffic back toward the users. There are two ways to publish the routes: statically, by publishing BGP routes manually, or dynamically, by publishing detailed routes for the attacked hosts in coordination with AFD.
AFD and AFC can each also be deployed independently, and both provide users with detailed traffic log analysis reports, attack event handling reports, and so on.
Feature Usage
This document does not strictly correspond to specific software and hardware versions. If the actual product differs from what is described here, refer to the behavior of the actual device.
All configurations in this document were configured and verified in a laboratory environment, with every device parameter at its factory default before configuration. If you have already configured the device, confirm that the existing configuration does not conflict with the configurations in the following examples so that they take effect as described.
This document assumes that you are already familiar with data communication features such as VLAN and BGP.
Configuration Guide
The system configuration includes the basic configuration and the service-related configuration of the AFD and AFC devices, all of which are done through the web interface. The basic configuration of the switches is done through the command-line interface. This example takes the deployment of AFC in bypass mode with BGP Layer 3 Source Port Reinjection, working in coordination with AFD to divert and clean attack traffic, as its case.
AFC Business Configuration Guide
· Configure port mirroring on the core switch to mirror the traffic of the protected host or network to the AFD device;
· Deploy AFC and AFD, and enable the cluster configuration on both. The cluster communication is what allows AFD to request the diversion (traction) of attacked IPs;
· AFC establishes a BGP neighbor relationship with the core device and publishes a /32 (32-bit) static route for the protected IP to the core device, so that the core device diverts the host's traffic to AFC.
· AFC cleans the traffic that the core device diverts to it, and at the same time reinjects the cleaned normal user traffic into the lower-layer network, from where it reaches its normal destination devices.
· When AFC reinjects the cleaned traffic into the lower-layer network through Layer 3 routing, there are two ways to do it: Source Port Reinjection, and a dedicated Reinjection Port.
· AFD continues to monitor the traffic of the protected host. After a period of time without anomalies, it notifies AFC to cancel the diversion of the host's traffic, and AFC notifies the core device through BGP to cancel the protection of the host.
Precautions
Different manufacturers and models of switches or routers have different configuration commands. Please follow the equipment operation manuals for configuration operations.
Configuration Examples of Typical AFC Bypass Deployment, BGP Route Steering and AFD Linkage
Introduction
This chapter describes the use of the BGP routing protocol for traffic diversion when the AFC is deployed in bypass mode. The cleaned traffic is then returned through Source Port Reinjection, with policy-based routing on the core device forwarding it on.
Usage Restrictions
The joint deployment of AFC and AFD meets the customer's need to divert and clean the traffic of protected hosts automatically when an attack occurs, without requiring 24-hour on-duty personnel.
Example of Linkage Configuration between AFC Bypass Deployment and AFD in BGP Layer 3 Return Mode
Applicable Products and Versions
· AFC
This configuration is applicable to H3C SecPath AFC devices.
This document provides an example on the H3C i-Ware Software, Version 7.1, ESS 6401.
· AFD
This configuration is applicable to H3C SecPath AFD devices.
The example in this document was produced on one software version; other software versions are also applicable.
Networking Requirements
To achieve automatic diversion and cleaning of the traffic of the protected host 171.0.3.21, connect an AFD in bypass mode to the core switching device and enable port mirroring, or turn on netflow/sflow detection. The traffic mirrored or detected on port G1/0/17 of the core device, which faces the lower-level network, is sent to the AFD channel port XGE1/0.
Deploy an AFC in bypass mode at the core switching device. The core switch R2 establishes a BGP neighbor relationship with the AFC device between the G1/0/18 interface of R2 and the GE1/0 interface of the AFC device.
After cleaning, the AFC sends the traffic back to the network through the Source Port Reinjection method. Configure policy-based routing and apply it in the inbound direction of the G1/0/18 interface of the core switch R2 so that the reinjected cleaned traffic is forwarded onward.
Figure 0‑1 AFC Configuration and Networking Diagram of AFC Bypass Deployment in Layer 3 Return Mode
Currently, in the networking environment, one AFC device and one AFD device are required.
The specific implementation is as follows:
· Traffic Mirroring: Configure port mirroring on the core switch R2 to mirror the bidirectional traffic of interface G1/0/17 to port Ten-G1/0/49. Port Ten-G1/0/49 of the switch is connected to port XGE1/0 of the AFD.
· BGP Neighbor Establishment between Core Equipment and AFC: The AFC establishes a BGP neighbor relationship with the core switch R2 through the GE1/0 interface.
· Host Route Advertisement: After the AFD detects an attack, it sends a host IP diversion (traction) message to the AFC. The AFC advertises the protected host IP through a BGP route. After the core switch R2 receives the route advertisement from the AFC, it forwards the host's traffic to the AFC.
· Host Traffic Cleaning: The AFC cleans the abnormal traffic in the host traffic through its cleaning policies.
· Traffic Redirection: Configure policy-based routing on the core switch R2 and apply it to the inbound direction of the interface connecting the core switch R2 to the AFC, so that the cleaned, reinjected traffic is forwarded to the specified network.
Table 0‑1 VLAN Allocation List

| VLAN ID | Description | IP Address |
|---|---|---|
| 1710 | Layer 3 VLAN interface on core switch R2 used to establish the BGP neighbor relationship with the AFC | 171.0.0.1/24 |
| 1711 | Layer 3 VLAN interface connecting core switch R2 to the lower-layer network; Layer 3 VLAN interface connecting the lower-layer switch to core switch R2 | 171.0.1.1/24 (R2); 171.0.1.2/24 (lower-layer switch) |
| 1713 | VLAN where the protected host is located; gateway address of the protected host | 171.0.3.1/24 |

Table 0‑2 AFC Interface IP Allocation List

| Interface | Description | IP Address |
|---|---|---|
| GE1/0 | Interface through which core switch R2 establishes the BGP neighbor relationship with the AFC | 171.0.0.2/24 |
| GE0/0 | AFC management port | 192.168.0.1/24 |

Table 0‑3 AFD Interface IP Allocation List

| Interface | Description | IP Address |
|---|---|---|
| GE1/0 | Receives the mirrored traffic sent by the lower-layer devices; in mirror mode no IP address is required, and if one is configured it must not conflict with any address in use on the network | (none) |
| GE0/0 | AFD management port | 192.168.0.2/24 |
Configuration Ideas
To implement the linkage between AFC in bypass deployment with BGP Layer 3 Source Port Reinjection and AFD, carry out the configuration along the following lines:
Configure Traffic Mirroring
Enable port mirroring on the core switch R2, using the port connected to the upper-layer side of the protected host or network as the mirroring port. At the same time, configure the monitor interface, which is connected to the monitor interface of the AFD.
Establish BGP Routing
Enable BGP processes on AFC and core switch R2 respectively, and establish neighbor relationships between them.
Configure Traffic Forwarding Policy on Core Switch R2
Implement traffic forwarding for the protected host by establishing policy-based routing on core switch R2, and apply the policy-based routing to the inbound direction of the interface connecting R2 and AFC.
Host Route Steering and Traffic Cleaning
Upon receiving host IP steering messages from AFD, AFC advertises the route of the protected host to core switch R2 with the next hop pointing to itself. AFC then performs traffic cleaning on the host traffic according to defense policies, and reinjects the cleaned traffic back into the lower-layer network.
Configuration Steps
Configure Basic Network on Core Switch R2
Create VLAN 1710 and VLAN 1711. VLAN 1710 corresponds to the 171.0.0.0/24 network segment and carries the directly connected link between core switch R2 and GE1/0 of the AFC, over which the diversion routes are exchanged. VLAN 1711 corresponds to the 171.0.1.0/24 network segment and is used for routing with the lower-layer devices.
# Create VLANs
[R2]vlan 1710 to 1711
# Configure the VLAN interface IP addresses
[R2]interface Vlan-interface1710
[R2-Vlan-interface1710]ip address 171.0.0.1 255.255.255.0
[R2-Vlan-interface1710]quit
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
# Add the corresponding ports to their respective VLANs: G1/0/18 to VLAN 1710 (toward the AFC) and G1/0/17 to VLAN 1711 (toward the lower-layer network).
[R2]interface GigabitEthernet1/0/17
[R2-GigabitEthernet1/0/17]port link-mode bridge
[R2-GigabitEthernet1/0/17]port access vlan 1711
[R2-GigabitEthernet1/0/17]quit
[R2]interface GigabitEthernet1/0/18
[R2-GigabitEthernet1/0/18]port link-mode bridge
[R2-GigabitEthernet1/0/18]port access vlan 1710
[R2-GigabitEthernet1/0/18]quit
# Configure the BGP process
[R2]bgp 65535
// Start BGP; the local AS number is 65535
[R2-bgp]router-id 171.0.0.1
// Configure the router ID
[R2-bgp]undo synchronization
[R2-bgp]peer 171.0.0.2 as-number 65534
// Configure the peer (the AFC); its AS number is 65534. The peer must be defined in BGP view before it can be enabled in the address family.
[R2-bgp]peer 171.0.0.2 description afc2100
// Configure a description for the peer; afc2100 is the AFC at the opposite end
[R2-bgp]address-family ipv4
[R2-bgp-ipv4]peer 171.0.0.2 enable
// Enable IPv4 unicast route exchange with the peer. H3C devices do not exchange IPv4 unicast routes with a peer by default.
[R2-bgp-ipv4]peer 171.0.0.2 preferred-value 1
// Assign a preferred value to routes received from this peer; among otherwise equal routes, the one with the larger preferred value is preferred
[R2-bgp-ipv4]peer 171.0.0.2 keep-all-routes
// Keep all raw routes received from the peer, even those that fail the configured inbound policy
[R2-bgp-ipv4]quit
[R2-bgp]quit
If BGP IPv6 protocol is configured, you need to enter BGP IPv6 unicast view.
# Check the BGP peer status (Note: BGP must also be configured on AFC to verify the BGP establishment status).
[R2] display bgp peer
BGP local router ID : 171.0.0.1
Local AS number : 65535
Total number of peers : 1 Peers in established state : 1
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
171.0.0.2 65534 5 3 0 0 00:01:59 Established
# Configure the return-traffic forwarding policy so that the cleaned normal traffic coming from the AFC is forwarded to the lower-layer network.
# Configure an ACL that matches the range of IP addresses that may be diverted.
[R2]acl number 3003
[R2-acl-adv-3003]rule 1 permit ip destination 171.0.3.0 0.0.0.255
[R2-acl-adv-3003]quit
# ACL 3003 matches packets whose destination IP address is in the 171.0.3.0/24 subnet.
# Create the policy-based routing policy.
[R2]policy-based-route p_afc_out permit node 5
[R2-pbr-p_afc_out-5]if-match acl 3003
[R2-pbr-p_afc_out-5]apply ip-address next-hop 171.0.1.2
[R2-pbr-p_afc_out-5]quit
# Policy p_afc_out sets the next hop to 171.0.1.2 (the directly connected address of the lower-layer switch). Adjust the address to your actual deployment.
# Apply the policy on the Layer 3 interface that receives the traffic from the AFC.
[R2]interface Vlan-interface1710
[R2-Vlan-interface1710]ip policy-based-route p_afc_out
[R2-Vlan-interface1710]quit
# If the interface connecting to the AFC is in route mode, apply the policy-based routing directly on that interface. If it is in bridge mode, as here, apply it on the Layer 3 VLAN interface to which the port belongs.
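The policy-based routing above is what keeps the cleaned traffic from being diverted a second time: while the AFC's /32 host route is in the routing table, a plain longest-prefix lookup for 171.0.3.21 on R2 resolves to the AFC (171.0.0.2), so a reinjected packet would go straight back to the AFC and loop. The following Python model is an added illustration of that forwarding decision (not H3C code); it uses the prefixes, next hops, ACL and policy names from this document, and assumes an upstream ingress interface named "Upstream" for the attack-side traffic:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of the forwarding decision on core switch R2 (added illustration,
# not H3C code). Prefixes, next hops, ACL/policy names and the VLAN interface come from
# this document; the upstream ingress interface name "Upstream" is an assumption.

AFC_NEXT_HOP = "171.0.0.2"   # AFC GE1/0, next hop of the BGP /32 host route
R3_NEXT_HOP = "171.0.1.2"    # lower-layer switch R3, next hop used by OSPF and by PBR


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str  # "ospf" or "bgp"


@dataclass
class PbrNode:
    """policy-based-route p_afc_out permit node 5: if-match acl 3003 / apply ip-address next-hop."""
    acl_dst: ipaddress.IPv4Network
    next_hop: str


@dataclass
class CoreSwitch:
    rib: List[Route] = field(default_factory=list)
    pbr_on_interface: Dict[str, PbrNode] = field(default_factory=dict)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.rib if ip in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def forward(self, ingress: str, dst: str) -> str:
        """Next hop for a packet to `dst` that arrived on `ingress`. PBR applied inbound
        on the interface is evaluated before the routing table, which is what makes
        Source Port Reinjection work."""
        pbr = self.pbr_on_interface.get(ingress)
        if pbr is not None and ipaddress.ip_address(dst) in pbr.acl_dst:
            return pbr.next_hop
        route = self.lookup(dst)
        return route.next_hop if route else "unreachable"


def build_r2(with_pbr: bool, host_diverted: bool = True) -> CoreSwitch:
    """R2 as configured in this document. OSPF supplies 171.0.3.0/24 via R3; while the AFD
    has requested diversion, the AFC's BGP /32 for 171.0.3.21 points at the AFC."""
    r2 = CoreSwitch()
    r2.rib.append(Route(ipaddress.ip_network("171.0.3.0/24"), R3_NEXT_HOP, "ospf"))
    if host_diverted:
        r2.rib.append(Route(ipaddress.ip_network("171.0.3.21/32"), AFC_NEXT_HOP, "bgp"))
    if with_pbr:
        # ACL 3003: rule 1 permit ip destination 171.0.3.0 0.0.0.255, applied on Vlan-interface1710
        r2.pbr_on_interface["Vlan-interface1710"] = PbrNode(
            ipaddress.ip_network("171.0.3.0/24"), R3_NEXT_HOP)
    return r2


def trace_reinjection(r2: CoreSwitch, dst: str = "171.0.3.21", max_hops: int = 4) -> List[str]:
    """Follow a cleaned packet that the AFC sends back to R2 on Vlan-interface1710.
    If R2 hands it to the AFC again, the AFC reinjects it again: a forwarding loop.
    Returns the next hops taken, ending with "LOOP" if the loop is detected."""
    hops: List[str] = []
    for _ in range(max_hops):
        nh = r2.forward("Vlan-interface1710", dst)
        hops.append(nh)
        if nh != AFC_NEXT_HOP:
            return hops
    hops.append("LOOP")
    return hops


if __name__ == "__main__":
    print("attack-side packet to 171.0.3.21:", build_r2(True).forward("Upstream", "171.0.3.21"))
    print("cleaned packet with PBR:", trace_reinjection(build_r2(True)))
    print("cleaned packet without PBR:", trace_reinjection(build_r2(False)))
```

The model also shows why the ACL matches the whole 171.0.3.0/24 range rather than the single host: any address the AFD may later divert must already be covered by the policy, otherwise the first cleaned packet for a newly diverted host loops before anyone notices.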
Configure port mirroring to mirror the bidirectional traffic of port G1/0/17 of the core switch R2 to Ten-G1/0/49. Ten-G1/0/49 is connected to the channel port of the AFD.
# Create a port mirroring group, the mirroring port, and the monitor interface.
[R2]mirroring-group 2 local
[R2]mirroring-group 2 mirroring-port GigabitEthernet 1/0/17 both
[R2]mirroring-group 2 monitor-port Ten-GigabitEthernet 1/0/49
To ensure that the upper-layer network and the lower-layer network can reach each other, a routing protocol must be configured. In this example, an OSPF process is configured directly on the core switch R2 and on the lower-layer switch to achieve this.
# Enable the OSPF process on the core switch R2 to exchange routing information with the lower-layer network.
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 171.0.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]quit
# To ensure route interconnection between the core switch R2 and the lower-level switch R3, OSPF is configured on both R2 and R3 with area ID 0. Other routing protocols can also be used to interconnect the two Layer 3 switches and the upper-level routing.
Configure the lower-level switch R3
Create VLAN 1711 and VLAN 1713. VLAN 1711 corresponds to the 171.0.1.0/24 network segment and serves as the directly connected route between the core switch R2 and the lower-level network. VLAN 1713 corresponds to the 171.0.3.0/24 network segment, which is the network segment of the lower-level network.
# Create VLAN
[R3]vlan 1711
[R3-vlan1711]quit
[R3]vlan 1713
[R3-vlan1713]quit
# Configure VLAN IP
[R3]interface Vlan-interface 1711
[R3-Vlan-interface1711]ip address 171.0.1.2 24
[R3-Vlan-interface1711]quit
[R3]interface Vlan-interface 1713
[R3-Vlan-interface1713]ip address 171.0.3.1 24
[R3-Vlan-interface1713]quit
# Add interfaces to VLAN, add G1/0/13 to VLAN 1713, and add G1/0/17 to VLAN 1711
[R3]interface GigabitEthernet1/0/13
// Connect to the protected host
[R3-GigabitEthernet1/0/13]port link-mode bridge
[R3-GigabitEthernet1/0/13]port access vlan 1713
[R3-GigabitEthernet1/0/13]quit
[R3]interface GigabitEthernet1/0/17
// Connect the upper layer three-layer switch
[R3-GigabitEthernet1/0/17]port link-mode bridge
[R3-GigabitEthernet1/0/17]port access vlan 1711
[R3-GigabitEthernet1/0/17]quit
To ensure communication between the upper-layer network and the lower-layer network, a routing protocol must be configured. In this example, an OSPF process is configured directly on the core switch R2 and on the lower-layer switch to achieve this.
# Enable the OSPF process on the lower-layer switch to exchange routing information with the lower-layer network
[R3]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 171.0.1.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 171.0.3.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]quit
# To ensure route interconnection between the core switch R2 and the lower-layer switch R3, OSPF is configured on both R2 and R3 with area ID 0. Other routing protocols can also be used to interconnect the two Layer 3 switches and the upper-layer routers.
Configure AFC
To implement the bypass BGP Layer 3 return mode configuration of the AFC, carry out the configuration according to the following steps:
Note! For steps that have an 【Apply Config】 button, you must click this button for the configuration to take effect. This is not repeated below.
Log in to the AFC System Page
Access and log in through a browser: https://192.168.0.1. The account is "admin" and the password is "admin".
Figure 0‑2 Log in to the AFC system page
AFC Address and Port - type Configuration
Enter [System]-[Device]-[Device Management], click [Setup] on the right-hand side of the device, select [Port Settings] in the left navigation bar, and click the [Modify] button to modify the IP address, subnet mask, port binding and other settings of GE1/0.
The IP of GE1/0 is 171.0.0.2, the port type is Single-arm Re-injection Interface, and the IPv4 next hop is the address of the directly connected switch port on the inbound side (i.e., the IP of port G1/0/18 of the core switch, 171.0.0.1).
Figure 0‑3 Configure GE1/0
AFC device BGP routing configuration
After completing the address and port-type configuration, click the [Route Configure] menu at the bottom, select [Bgp Configure], check the option to enable BGP, and click [Apply Configure]. The detailed steps are as follows.
Local BGP Configuration:
Enter [System] - [Device Manage], click the [Setup] operation in the row of the device with the IP address 127.0.0.1, enter [Route Configure] - [Bgp Configure], and perform the following operations:
Check the [Enable BGP] option
· Local AS: 65534 // AS number of the AFC device side
· Local Port: 179 // Default port 179
Click [Save] to complete the local BGP configuration of the AFC device.
Figure 0‑4 Starting BGP
Peer BGP Configuration
Click the [Add] button to configure BGP peer information:
· Peer AS: 65535 // Enter the core switch's AS number when BGP is already running on the core switch
· Peer Port: 179 // Default port 179
· LocalPref/MED: 100 // Default value 100
· Peer IP: 171.0.0.1 (IPv4 next-hop address of GE1/0 interface)
Click [Save] to complete the neighbor address addition.
Figure 0‑5 AFC Neighbor BGP Configuration
Apply BGP Configuration:
Click [Apply Configure] to make the BGP configuration take effect.
Figure 0‑6 Apply BGP configuration
Check the BGP Neighbor Status between AFC and R2
Log in to switch R2 and use the display bgp peer command to view the BGP establishment status.
[R2] display bgp peer
BGP local router ID : 171.0.0.1
Local AS number : 65535
Total number of peers : 1 Peers in established state : 1
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
171.0.0.2 65534 5 3 0 0 00:01:59 Established
Configure AFD
Log in to the AFD System Page
Access and log in through a browser: https://192.168.0.1. The account is "admin" and the password is "admin".
Figure 0‑7 Log in to the AFD system page
AFD Address and Port - type Configuration
Enter [System]-[Device]-[Device Management] and click the [Setup] button to enter the network interface settings. Configure GE0/0 as the Management Port, and fill in the IP address, subnet mask, and gateway. Since the AFC management address is 192.168.0.1, change the AFD management address to 192.168.0.2, and set the XGE1/0 port as the monitor interface.
Figure 0‑8 AFD Address and Port-type Configuration
Adding Monitoring IP Ranges in AFD
Log in to the AFD management page. Navigate to [System] - [Device] - [Device Management]. Select the cleaning device in the row of "127.0.0.1", click [Setup], enter the [Scan IP Range] settings page, and then click the [Add] button:
Figure 0‑9 Add detection address range
In the pop-up page, select the type as IPv4, enter the start IP 171.0.3.1 and end IP 171.0.3.255, then click [Ensure].
Figure 0‑10 Add Scan IP Range
Adding AFC Traction Equipment to AFD
Enter 【Detection Configuration】 - 【Steer Config】 - 【Steer Device】 to add a Telnet device. The IP is the cleaning device management address 192.168.0.1, the port is 16020, and the name is "AFC - Diversion" (it can be customized as you prefer).
Figure 0‑11 Traction equipment addition
Figure 0‑12 Add AFC traction equipment
Enter the [Traction Equipment Operation List] to configure the traction operation. Find the factory-preset traction operation '127.0.0.1', click the [Copy] operation to enter the traction operation edit page, and configure the traction command on that page as follows:
Figure 0‑13 Add AFC drainage traction operation
AFD configuration automatic drainage and traction rules
Enter [Detection Configuration] - [Traction] - [Traffic-Diversion Traction Rules], and add a rule that automatically diverts traffic to the AFC for cleaning when the traffic of a single IP within the address range 171.0.3.1 - 171.0.3.255 reaches 100M.
Figure 0‑14 AFD configuration automatic drainage and traction rules
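The following Python model is an added illustration (not AFD or AFC code) of the diversion rule configured above together with the withdrawal described in the feature introduction: per-destination rates are checked against the 100M threshold for addresses inside the scan range 171.0.3.1 - 171.0.3.255, a steer event is raised for the /32 host, and a withdraw event follows after a number of quiet intervals. The traffic samples, the one-second sampling interval and the three quiet intervals before withdrawal are constructed assumptions; AFD's actual timers and the steer protocol on port 16020 are not modelled:

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example, not AFD/AFC code: a model of the automatic diversion rule in this
# document (scan range 171.0.3.1-171.0.3.255, divert when a single IP exceeds 100M)
# plus withdrawal after a quiet period. The quiet-interval count and the 1-second
# sampling interval are assumptions; AFD's real timers differ.

THRESHOLD_BPS = 100_000_000  # "100M" in the AFD rule, read as bits per second


class DiversionController:
    def __init__(self, scan_ranges: List[Tuple[str, str]],
                 threshold_bps: int = THRESHOLD_BPS, quiet_intervals: int = 3):
        self.ranges = [(int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
                       for a, b in scan_ranges]
        self.threshold = threshold_bps
        self.quiet_intervals = quiet_intervals
        self.diverted: Dict[str, int] = {}  # host -> consecutive quiet intervals seen

    def in_scan_range(self, ip: str) -> bool:
        """Only addresses inside a configured scan range are ever diverted."""
        n = int(ipaddress.ip_address(ip))
        return any(lo <= n <= hi for lo, hi in self.ranges)

    def observe(self, t: int, rates_bps: Dict[str, int]) -> List[Tuple[int, str, str]]:
        """Feed one sampling interval of per-destination rates. Returns the steer/withdraw
        events the detector would send to the AFC, as (t, action, host/32)."""
        events: List[Tuple[int, str, str]] = []
        for ip, bps in rates_bps.items():
            if bps > self.threshold and self.in_scan_range(ip) and ip not in self.diverted:
                self.diverted[ip] = 0
                events.append((t, "steer", f"{ip}/32"))
        for ip in list(self.diverted):
            if rates_bps.get(ip, 0) > self.threshold:
                self.diverted[ip] = 0  # attack still ongoing: restart the quiet count
                continue
            self.diverted[ip] += 1
            if self.diverted[ip] >= self.quiet_intervals:
                del self.diverted[ip]
                events.append((t, "withdraw", f"{ip}/32"))
        return events


def mbps(m: float) -> int:
    """Convert megabits per second to bits per second."""
    return int(m * 1_000_000)


# Constructed per-second traffic samples toward hosts behind R3.
SAMPLES = [
    (0, {"171.0.3.21": mbps(16), "171.0.3.22": mbps(8)}),
    (1, {"171.0.3.21": mbps(160), "171.0.9.9": mbps(240)}),  # .21 attacked; 171.0.9.9 is outside the range
    (2, {"171.0.3.21": mbps(200)}),
    (3, {"171.0.3.21": mbps(12)}),
    (4, {"171.0.3.21": mbps(9)}),
    (5, {"171.0.3.21": mbps(7)}),
]


def run(samples=SAMPLES) -> List[Tuple[int, str, str]]:
    """Replay the samples through the controller and collect the events."""
    ctl = DiversionController([("171.0.3.1", "171.0.3.255")])
    out: List[Tuple[int, str, str]] = []
    for t, rates in samples:
        out.extend(ctl.observe(t, rates))
    return out


if __name__ == "__main__":
    for event in run():
        print(event)
```

Two behaviours are worth noting when tuning the real rule: an address outside the scan range is never diverted no matter how much traffic it receives, and the quiet counter restarts whenever the rate crosses the threshold again, so a host under an intermittent attack stays diverted until it has been quiet for the whole hold period.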
Configuration Verification
(1) Check the routing table of the core switch and confirm the environment
Log in to the core switch R2 and view its BGP routing table.
# View the BGP routing table of core switch R2
[R2]display bgp routing-table
Total Number of Routes: 0
# No host is currently being diverted
(2) Automatic diversion test
From the attack test machine, launch a DNS flood against the protected host (171.0.3.21) with attack traffic greater than 100M (greater than the traffic threshold set in the AFD automatic diversion rule).
#View BGP routing on core switch R2
[R2]display bgp routing-table
Total Number of Routes: 2
BGP Local router ID is 171.0.0.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 171.0.3.21/32 171.0.0.2 0 1 65534i
* > 171.0.4.2 0 1 65534i
R2 has received the /32 host route for 171.0.3.21 published by the AFC device, with next hop 171.0.0.2 (the diversion port address of the AFC).
The automatic traffic diversion is successful.
Service connectivity verification: ping the protected server 171.0.3.21 from the client 184.0.0.76; the ping succeeds, and the address 171.0.3.21 appears in [Protection Configuration] - [Global Status] - [Server List] on the AFC, indicating that the joint AFD/AFC cleaning is working normally.
Figure 0‑15 Traffic of the protected object passing through the AFC
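The two display outputs used in this verification can be checked mechanically. The following Python script is an added example (not H3C or AFC code): it parses the display bgp peer and display bgp routing-table output reproduced from this document, skipping any route line whose Network column is not a valid prefix, and reports whether the AFC session is Established and whether a best /32 for the protected host via the AFC is present:

```python
import re
from typing import Dict, List

# Added example, not H3C code. The sample outputs are constructed from the outputs
# shown in this document; the status strings returned by check_diversion are ours.

PEER_OUTPUT = """\
BGP local router ID : 171.0.0.1
Local AS number : 65535
Total number of peers : 1 Peers in established state : 1
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
171.0.0.2 65534 5 3 0 0 00:01:59 Established
"""

RIB_DIVERTED = """\
Total Number of Routes: 2
BGP Local router ID is 171.0.0.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 171.0.3.21/32 171.0.0.2 0 1 65534i
* > 171.0.4.2 0 1 65534i
"""

RIB_IDLE = "Total Number of Routes: 0\n"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Peer line: address, AS, MsgRcvd, MsgSent, OutQ, PrefRcv, Up/Down, State
PEER_LINE = re.compile(rf"^({IPV4})\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*$")
# Route line: status flags, Network (prefix/len), NextHop, ..., AS path ending in the origin code
ROUTE_LINE = re.compile(rf"^([*^>dhisS ]*?)\s*({IPV4}/\d{{1,2}})\s+({IPV4})\s+.*?(\d+)([ie?])\s*$")


def parse_bgp_peers(text: str) -> Dict[str, Dict[str, str]]:
    """Map peer address -> {'as', 'updown', 'state'} from display bgp peer output."""
    peers: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = PEER_LINE.match(line.strip())
        if m:
            peers[m.group(1)] = {"as": m.group(2), "updown": m.group(3), "state": m.group(4)}
    return peers


def parse_bgp_routes(text: str) -> List[Dict[str, object]]:
    """One dict per route line; lines without a parsable Network column are skipped."""
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.rstrip())
        if m:
            routes.append({"network": m.group(2), "next_hop": m.group(3),
                           "best": ">" in m.group(1), "origin_as": m.group(4)})
    return routes


def diverted_hosts(rib_text: str, afc_ip: str) -> List[str]:
    """Host (/32) routes whose next hop is the AFC: the hosts currently diverted."""
    return [str(r["network"]) for r in parse_bgp_routes(rib_text)
            if r["next_hop"] == afc_ip and str(r["network"]).endswith("/32")]


def check_diversion(peer_text: str, rib_text: str, host: str, afc_ip: str, afc_as: str) -> str:
    """'peer-down' if the AFC session is not Established (or the AS does not match),
    'diverted' if R2 holds a best /32 for `host` via the AFC, otherwise 'not-diverted'."""
    peer = parse_bgp_peers(peer_text).get(afc_ip)
    if peer is None or peer["state"] != "Established" or peer["as"] != afc_as:
        return "peer-down"
    for r in parse_bgp_routes(rib_text):
        if r["network"] == f"{host}/32" and r["next_hop"] == afc_ip and r["best"]:
            return "diverted"
    return "not-diverted"


if __name__ == "__main__":
    print("diverted hosts:", diverted_hosts(RIB_DIVERTED, "171.0.0.2"))
    print("status:", check_diversion(PEER_OUTPUT, RIB_DIVERTED, "171.0.3.21", "171.0.0.2", "65534"))
```

Checking the AS number as well as the state guards against a session that came up with an unexpected neighbour on the same address; checking that the /32 is marked best (rather than merely present) is what confirms R2 will actually forward the host's traffic to the AFC.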