H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100
Configuration Guide for Traffic Cleaning Services
Example Configuration for AFC Bypass OSPF Layer 2 Injection
Example Configuration for OSPF Layer 2 Injection Mode
Applicable Products and Versions
Feature Overview
The AFC (Abnormal Flow Cleaner) is typically deployed in bypass mode on core network devices. This deployment architecture enables it to filter DDoS attack traffic in lower-layer networks while ensuring uninterrupted normal services, thereby providing robust protection for both the underlying network infrastructure and high-priority customer services.
The abnormal traffic cleaning device uses OSPF route advertisement to redirect the traffic of users under attack to the cleaning device, where malicious packets are filtered, and then reinjects the cleaned traffic back to those users. Currently, the OSPF routes are statically configured and published manually.
The AFC can be deployed independently, providing users with detailed traffic log analysis reports and attack incident handling reports.
Feature Usage
This document is not strictly version-bound to specific software or hardware releases. If discrepancies arise between the document and the actual product behavior during use, always refer to the device's real-time status as the authoritative reference.
All configurations demonstrated in this document were performed and validated in a laboratory environment, with all device parameters initialized to factory-default settings prior to configuration. If you have already configured the device, to ensure configuration effectiveness, please verify that your existing configuration does not conflict with the examples provided below.
This document assumes that you possess prior knowledge of data communication features such as VLAN and OSPF.
Configuration Guide
The basic configuration of the AFC device and service-related configurations are performed through the WEB interface, while the switch's fundamental settings are configured via the command line. This configuration example demonstrates the abnormal traffic cleaning device deployed independently, utilizing OSPF-based traffic redirection for attack mitigation.
Configuration Guide for Traffic Cleaning Services
· The AFC establishes an OSPF neighbor relationship with core devices, advertises 32-bit static routes for protected IPs to the core devices, and redirects traffic to the AFC.
· The AFC cleanses the traffic redirected from core devices, then reinjects the sanitized user traffic back to the lower-layer network and ultimately to the intended destination devices.
· The AFC reinjects the cleaned traffic into the lower-layer network using VLAN tagging for traffic segregation.
Precautions
· Configuration commands vary across switches/routers from different vendors and models. Always refer to the device-specific operation manual for configuration procedures.
Example Configuration for AFC Bypass OSPF Layer 2 Injection
Introduction
This chapter describes the traffic forwarding method where the AFC, when deployed in bypass mode, uses the OSPF routing protocol for traffic redirection and employs a Layer 2 VLAN tagging-based injection mode to forward traffic.
Usage Limitations
The Layer 2 injection mode is applicable in scenarios where the core devices (Layer 3 switches) performing route redirection with the AFC are connected to Layer 2 managed switches in the underlying network.
Example Configuration for OSPF Layer 2 Injection Mode
Applicable Products and Versions
This configuration is applicable to H3C SecPath AFC deployed in bypass mode.
Software Version: H3C i-Ware Software, Version 7.1, ESS 6401
Network Topology Requirements
To enable traffic scrubbing for the protected IP 171.0.3.21 against attacks, deploy an abnormal traffic cleaning system (AFC) in bypass mode on the core switching device. The core switch R2 establishes an OSPF neighbor relationship with the AFC device through interface G1/0/18 (connected to the AFC's GE1/0 interface) to redirect traffic for cleaning. The AFC injects the cleaned traffic back into the downstream switch R3 via its injection port GE1/1. The network diagram is shown below.
Figure 3-1 Configuration Networking Diagram for AFC Bypass Deployment with Layer 2 Injection Mode
Detailed Implementation:
· Host Route Advertisement: The AFC establishes an OSPF neighbor relationship with core switch R2 through interface GE1/0, advertising a 32-bit static route for the protected IP to R2.
· Host Traffic Cleansing: Core switch R2 redirects traffic destined for the protected host to the AFC. The AFC applies cleansing policies to filter abnormal traffic, then reinjects the sanitized traffic with VLAN 1713 tagging as per reinjection parameters.
· Traffic Redirection: The interface G1/0/18 on downstream switch R3, which connects to the AFC's reinjection port, is configured in VLAN Trunk mode to permit traffic from the protected host's VLAN 1713. The switch then forwards traffic to the downstream network based on VLAN tagging.
Table 3-1 VLAN Allocation List

| VLAN ID | Function Description | IP Address |
|---|---|---|
| 1710 | The core switch R2 establishes an OSPF neighbor relationship with the AFC. | 171.0.0.1/24 |
| 1711 | The core switch R2's Layer 3 VLAN 1711 interface, which connects to the downstream network and serves as its gateway. | 171.0.1.1/24 |
| 1713 | The VLAN on downstream switch R3 in which the protected host resides. | 171.0.3.1/24 |
Table 3-2 AFC Interface IP Address Allocation List

| Interface | Function Description | IP Address |
|---|---|---|
| GE1/0 | The core switch R2 establishes an OSPF adjacency with the AFC (diversion port). | 171.0.0.2/24 |
| GE1/1 | The downstream switch R3 establishes a VLAN trunk link with the AFC (reinjection port, Layer 2, no IP address). | |
| GE0/0 or GE0/7 | The management interface of the AFC. | 192.168.0.1/24 |
Configuration Approach
To implement the OSPF Layer 2 Injection Mode configuration for AFC bypass deployment, follow the configuration approach below:
(1) Core Switch R2 Basic Network Configuration: configure the interconnection between Core Switch R2's interface G1/0/17 and Downstream Switch R3's interface G1/0/17 to ensure network connectivity.
(2) Core Switch R2 OSPF Neighbor Configuration: enable the OSPF process on both the AFC and Core Switch R2 and establish a neighbor relationship between them. Ensure that the route the AFC advertises for the protected host has a higher priority than the existing routes on Core Switch R2.
(3) Downstream Switch R3 Basic Network Configuration: configure the interconnection between Downstream Switch R3's interface G1/0/17 and Core Switch R2's interface G1/0/17 to establish network connectivity.
(4) AFC Device Service Interface Configuration: configure the IP address and interface type of the AFC's uplink interface connected to Core Switch R2, ensuring bidirectional communication with R2. Set the service interface mode to "diversion and reinjection" (diversion and reinjection must use separate physical ports).
(5) AFC Device OSPF Routing Configuration: configure OSPF on the AFC device to establish a neighbor relationship with the core device.
(6) AFC Device Traffic Diversion and Cleansing: advertise the protected host route with the AFC as its next hop. The core device then diverts traffic to the AFC cluster via OSPF equal-cost routing in load-sharing mode. The AFC cleanses the host traffic according to its defense policies and reinjects the sanitized traffic back into the downstream network.
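The following Python model is an added illustration, not part of the H3C document, of why steps (2) and (6) work together. On R2 the AFC's 171.0.3.21/32 host route wins longest-prefix match over the 171.0.3.0/24 route towards R3 regardless of preference, so only the protected host is diverted; the preference value of 1 matters when an AFC route has to beat an equal-length route learned by OSPF process 1 (default preference 10). The route entries, labels and the simplified selection rule are constructed from Tables 3-1 and 3-2 and are not Comware's actual route selection code.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str       # destination prefix, e.g. "171.0.3.0/24"
    next_hop: str     # next-hop address as seen from R2
    preference: int   # route preference (administrative distance): lower wins
    source: str       # constructed label for the route's origin


# Constructed from Tables 3-1/3-2: without diversion, R2 reaches the server
# VLAN 171.0.3.0/24 through R3 (171.0.1.2 on VLAN 1711).
BASE_TABLE = [
    Route("171.0.0.0/24", "171.0.0.1", 0, "direct, Vlan-interface1710"),
    Route("171.0.1.0/24", "171.0.1.1", 0, "direct, Vlan-interface1711"),
    Route("171.0.3.0/24", "171.0.1.2", 10, "OSPF process 1 via R3"),
]

# Host route the AFC advertises to R2 once the IP is diverted
# (OSPF process 2, preference 1 as configured on R2).
DIVERSION_ROUTE = Route("171.0.3.21/32", "171.0.0.2", 1, "OSPF process 2 from AFC GE1/0")


def select_route(table, dst):
    """Longest-prefix match first; among equal-length prefixes the lowest preference wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.preference))


def next_hop_for(dst, diversion_on):
    """Next hop R2 uses for dst, with or without the AFC's host route installed."""
    table = BASE_TABLE + ([DIVERSION_ROUTE] if diversion_on else [])
    route = select_route(table, dst)
    return route.next_hop if route else None


def same_prefix_contest(afc_preference):
    """Hypothetical: if the AFC advertised the whole /24 instead of a /32, only a
    preference lower than process 1's default of 10 would win the tie on R2."""
    contender = Route("171.0.3.0/24", "171.0.0.2", afc_preference, "hypothetical AFC /24")
    return select_route(BASE_TABLE + [contender], "171.0.3.22").next_hop


if __name__ == "__main__":
    for host in ("171.0.3.21", "171.0.3.22"):
        print(host, "no diversion ->", next_hop_for(host, False),
              "| diversion ->", next_hop_for(host, True))
    print("/24 contest, preference 1  :", same_prefix_contest(1))
    print("/24 contest, preference 150:", same_prefix_contest(150))
```

Running it shows that with diversion on, 171.0.3.21 is forwarded to the AFC (171.0.0.2) while 171.0.3.22 still goes directly to R3 (171.0.1.2); the same-prefix contest shows why the R2 configuration lowers the preference of process 2 rather than relying on OSPF's default external preference of 150.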
Configuration Procedures
Configure the basic network settings on the core switch R2.
Create VLANs 1710 and 1711. VLAN 1710 corresponds to the 171.0.0.0/24 subnet used for route diversion over the direct link between R2 and the AFC's GE1/0; VLAN 1711 corresponds to the 171.0.1.0/24 subnet, which places R2 in the same network segment as the downstream devices and serves as their gateway.
# Create the VLANs
[R2]vlan 1710 to 1711
# Configure the VLAN interface IP addresses
[R2]interface Vlan-interface1710
[R2-Vlan-interface1710]ip address 171.0.0.1 255.255.255.0
[R2-Vlan-interface1710]quit
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
# Assign the ports to their VLANs: G1/0/17 (to R3) to VLAN 1711 and G1/0/18 (to the AFC) to VLAN 1710.
[R2]interface GigabitEthernet1/0/17
[R2-GigabitEthernet1/0/17]port link-mode bridge
[R2-GigabitEthernet1/0/17]port access vlan 1711
[R2-GigabitEthernet1/0/17]quit
[R2]interface GigabitEthernet1/0/18
[R2-GigabitEthernet1/0/18]port link-mode bridge
[R2-GigabitEthernet1/0/18]port link-type access
[R2-GigabitEthernet1/0/18]port access vlan 1710
[R2-GigabitEthernet1/0/18]quit
Configure OSPF neighbors on the core switch R2.
# Create a new OSPF process. Process 1 is already in use on the Layer 3 switch, so process 2 is used for the adjacency with the AFC.
[R2]ospf 2
# Specify the OSPF neighbor (the address of the AFC's GE1/0).
[R2-ospf-2]peer 171.0.0.2
# Assign a preference (administrative distance) to routes learned by this process; the lower the value, the higher the priority. By default, OSPF uses preference 10 for intra-AS (internal) routes and 150 for inter-AS (external) routes, so preference 1 ensures the host route from the AFC takes precedence over routes learned by process 1.
[R2-ospf-2]preference 1
# Configure the area ID, which must match the area ID configured on the AFC (Abnormal Flow Cleaner).
[R2-ospf-2]area 0.0.0.1
# Advertise the directly connected network into OSPF.
[R2-ospf-2-area-0.0.0.1]network 171.0.0.0 0.0.0.255
If configuring OSPF for IPv6, you need to enter the OSPF IPv6 unicast routing view instead.
Configure basic network settings on the downstream switch R3.
Create VLAN 1711 and VLAN 1713. VLAN 1711 carries the 171.0.1.0/24 subnet interconnecting Layer 3 switch R2 and Layer 2 switch R3; VLAN 1713 carries the 171.0.3.0/24 subnet and serves as the server gateway. Connect the AFC's GE1/1 (Channel 1 reinjection port) to G1/0/18 on Layer 2 switch R3 so that cleaned traffic can be returned at Layer 2.
# Create VLAN
[R3]vlan 1711
[R3-vlan1711]quit
[R3]vlan 1713
[R3-vlan1713]quit
# Configure IP address for VLAN 1711
[R3]interface Vlan-interface1711
[R3-Vlan-interface1711]ip address 171.0.1.2 255.255.255.0
[R3-Vlan-interface1711]quit
# Configure IP address for VLAN 1713
[R3]interface Vlan-interface1713
[R3-Vlan-interface1713]ip address 171.0.3.1 255.255.255.0
[R3-Vlan-interface1713]quit
# Assign port G1/0/13 to VLAN 1713 and port G1/0/17 to VLAN 1711 on switch R3. Configure port G1/0/18 as a trunk port with PVID set to 1712.
[R3]interface GigabitEthernet1/0/13
[R3-GigabitEthernet1/0/13]port link-mode bridge
[R3-GigabitEthernet1/0/13]port access vlan 1713
[R3-GigabitEthernet1/0/13]quit
[R3]interface GigabitEthernet1/0/17
# Connect to the upstream Layer 3 switch R2
[R3-GigabitEthernet1/0/17]port link-mode bridge
[R3-GigabitEthernet1/0/17]port access vlan 1711
[R3-GigabitEthernet1/0/17]quit
[R3]interface GigabitEthernet1/0/18
# Connect to the AFC reinjection port to receive the reinjected (cleaned) traffic
[R3-GigabitEthernet1/0/18]port link-type trunk
[R3-GigabitEthernet1/0/18]port trunk permit vlan 1713
[R3-GigabitEthernet1/0/18]quit
AFC Device Service Interface Configuration
To implement the OSPF Layer 2 reinjection mode configuration for AFC bypass single-unit multi-channel deployment, follow the steps below:
Note: For configuration steps containing the [Apply Configuration] button, click this button to activate the configuration. This requirement will not be reiterated in subsequent steps.
· Log in to the AFC system interface
Access the login page via web browser: https://192.168.0.1/ (Username: admin, Password: admin).
Figure 3-1 Login Page of AFC System
· Configure AFC Address and Port Type
# Configure the AFC interfaces
Navigate to [System] → [Device] → [Device Management], click the Configure button on the right side of the target device, select Port Configuration from the left navigation pane, and click Modify to set GE1/0's IP to 171.0.0.2 with port type as diversion port (traffic ingress), configure its IPv4 next-hop as Core Switch G1/0/18 (IP: 171.0.0.1) in the ingress direction, and set GE1/1's port type as reinjection port (traffic egress).
Figure 3-1 Configuration of GE1/0
Figure 3-2 Configuration of GE1/1
Configure OSPF Routing for AFC Device
Access System → Device, locate the row corresponding to device 127.0.0.1, click the Setup operation button, then navigate to Route Configure → OSPF Config and perform the following operations:
· Enable OSPF and configure the OSPF parameters
Check the Enable OSPF option and set:
Area: 0.0.0.1 // Area ID, which must match the area configured on R2
Cost: 100 // Default 100
Metric: 100 // Default 100
· Apply the OSPF configuration
Click the [Apply Config] button to activate the OSPF settings.
Configure AFC Reintroduction Rules
Navigate to System → Device → Setup → Device Config → Rejection Config, then configure the protected IP and subnet mask, set the reintroduction VLAN ID (parameter "1713" indicates the VLAN ID for the underlying protection host), and select GE1/1 as the reinjection port.
Figure 3-1 Configuration of AFC Protected IP and Reintroduction Parameters
Click Save
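The Layer 2 reinjection configured in the R3 trunk settings and in the reinjection rule above depends on one value matching in two places: the VLAN ID the AFC stamps on cleaned frames (1713) and the VLAN permitted on R3's G1/0/18 trunk. The following Python is an added example, not part of the H3C document or of the AFC software: it builds and parses an 802.1Q tag and applies a simplified model of the trunk's permit list and PVID to a frame, so a mismatch between the two settings can be reasoned about offline. The MAC addresses and payload are constructed; the PVID of 1712 is taken from the R3 configuration text.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def tag_frame(untagged, vlan_id, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) after the 12-byte dst/src MAC header."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(untagged) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = (pcp & 0x7) << 13 | vlan_id          # PCP (3 bits), DEI (0), VID (12 bits)
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def vlan_of(frame):
    """Return the VLAN ID carried in the frame's 802.1Q tag, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF


def trunk_accepts(frame, permitted, pvid):
    """Simplified trunk ingress check: a tagged frame needs its VLAN in the permit
    list; an untagged frame is classified into the PVID, which must be permitted too."""
    vid = vlan_of(frame)
    if vid is None:
        vid = pvid
    return vid in permitted


# Constructed sample frame: locally administered MACs, IPv4 EtherType, dummy payload.
SAMPLE_UNTAGGED = (bytes.fromhex("02000000aa01") + bytes.fromhex("02000000bb02")
                   + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)

# R3 G1/0/18 as configured above: trunk permitting VLAN 1713, PVID 1712.
R3_G1_0_18 = {"permitted": {1713}, "pvid": 1712}


def reinjected_frame_ok(reinject_vlan):
    """Would a cleaned frame the AFC tags with reinject_vlan be accepted by R3's trunk?"""
    frame = tag_frame(SAMPLE_UNTAGGED, reinject_vlan)
    return trunk_accepts(frame, R3_G1_0_18["permitted"], R3_G1_0_18["pvid"])


if __name__ == "__main__":
    print("reinjection VLAN 1713 accepted:", reinjected_frame_ok(1713))
    print("reinjection VLAN 1711 accepted:", reinjected_frame_ok(1711))
    print("untagged frame accepted       :",
          trunk_accepts(SAMPLE_UNTAGGED, R3_G1_0_18["permitted"], R3_G1_0_18["pvid"]))
```

Only a frame tagged 1713 passes; a reinjection rule set to any other VLAN, or a trunk that permits a different VLAN, silently drops the cleaned traffic at R3, which is the first thing to check if the protected host loses connectivity right after diversion is enabled.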
Configure AFC Traffic Diversion and Cleaning
Log in to the AFC device, navigate to Steer Config → Traffic Steering Status, click the Hand Tow button to initiate traffic diversion for the user's internal test IP address. In this case, set the diversion target IP to 171.0.3.21, select the operation mode "Diversion Divert" (active traffic steering), and click Ensure to confirm the diversion operation.
Figure 3-1 Configuration of Diversion IP and Validation of Diversion Functionality
After diverting traffic to the AFC device, it can automatically invoke default policies to mitigate and defend against DDoS attacks.
Verify Configuration
Verify connectivity between the core switch R2 and the AFC diversion port.
Use the ping test to verify connectivity between the core switch R2 and the AFC routing device.
[R2]ping -a 171.0.0.1 171.0.0.2
PING 171.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 171.0.0.2: bytes=56 Sequence=1 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=2 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=3 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=4 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=5 ttl=64 time=3 ms
--- 171.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
Verify successful traffic diversion between the core switch R2 and the AFC routing device.
When the host configuration "Protection" is not enabled on the AFC device, check the OSPF routing table of R2.
[R2]display OSPF routing-table
Total Number of Routes: 1
OSPF Local router ID is 171.0.0.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 171.0.3.21/32 171.0.0.2 0 1 65534i
Verify connectivity between the client and the server.
Perform a ping test from the client to the protected server (171.0.3.21) to verify end-to-end connectivity through the diversion and reinjection path.
[root@AFCTest_Client ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:9D:1B:7A
inet addr:184.0.0.75 Bcast:184.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257120 errors:0 dropped:0 overruns:0 frame:0
TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28882056 (27.5 MiB) TX bytes:3460908912 (3.2 GiB)
[root@AFCTest_Client ~]# ping -c 5 171.0.3.21
PING 171.0.3.21 (171.0.3.21) 56(84) bytes of data.
64 bytes from 171.0.3.21: icmp_seq=1 ttl=124 time=0.799 ms
64 bytes from 171.0.3.21: icmp_seq=2 ttl=124 time=0.736 ms
64 bytes from 171.0.3.21: icmp_seq=3 ttl=124 time=0.862 ms
64 bytes from 171.0.3.21: icmp_seq=4 ttl=124 time=1.47 ms
64 bytes from 171.0.3.21: icmp_seq=5 ttl=124 time=1.02 ms
--- 171.0.1.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms
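The three checks in this section can be automated. The following Python is an added example, not part of the H3C document: it parses captured command output of the shape shown above, confirms that the exact /32 for the protected host is the best route with the AFC's diversion address as next hop, flags any other host routes still pointing at the AFC (a manual diversion left behind after a test keeps steering that host through the AFC), and reads the packet-loss figure from the ping output. The sample output strings are constructed to match the format shown above.

```python
import re

# Constructed samples modelled on the command output shown in this section.
SAMPLE_ROUTE_TABLE = """\
Total Number of Routes: 1
 Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
* > 171.0.3.21/32    171.0.0.2      0                    1       65534i
"""

SAMPLE_PING = """\
PING 171.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 171.0.0.2: bytes=56 Sequence=1 ttl=64 time=3 ms
--- 171.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
"""

# A route line flagged valid and best ("* >"), followed by prefix and next hop.
BEST_ROUTE = re.compile(r"^\*\s*>\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+\.\d+\.\d+\.\d+)")
LOSS = re.compile(r"^\s*([\d.]+)% packet loss", re.M)


def best_routes(display_output):
    """Return {prefix: next_hop} for every route line flagged as valid and best."""
    routes = {}
    for line in display_output.splitlines():
        m = BEST_ROUTE.match(line.strip())
        if m:
            routes[m.group(1)] = m.group(2)
    return routes


def diversion_active(display_output, protected_ip, afc_ip):
    """True only when the exact /32 for protected_ip is best with the AFC as next hop."""
    return best_routes(display_output).get(f"{protected_ip}/32") == afc_ip


def unexpected_diversions(display_output, expected_ips, afc_ip):
    """Host routes pointing at the AFC for addresses that are not meant to be protected."""
    expected = {f"{ip}/32" for ip in expected_ips}
    return sorted(prefix for prefix, nh in best_routes(display_output).items()
                  if nh == afc_ip and prefix.endswith("/32") and prefix not in expected)


def packet_loss_percent(ping_output):
    """Packet loss reported by the Comware-style ping summary."""
    m = LOSS.search(ping_output)
    if not m:
        raise ValueError("no packet-loss line found in ping output")
    return float(m.group(1))


def diversion_path_healthy(ping_output, display_output, protected_ip, afc_ip):
    """Both conditions the verification section checks by hand, combined."""
    return (packet_loss_percent(ping_output) == 0.0
            and diversion_active(display_output, protected_ip, afc_ip))


if __name__ == "__main__":
    print("best routes       :", best_routes(SAMPLE_ROUTE_TABLE))
    print("diversion active  :", diversion_active(SAMPLE_ROUTE_TABLE, "171.0.3.21", "171.0.0.2"))
    print("unexpected /32s   :", unexpected_diversions(SAMPLE_ROUTE_TABLE, [], "171.0.0.2"))
    print("packet loss (%)   :", packet_loss_percent(SAMPLE_PING))
```

In practice the two strings would be replaced by output collected from R2 over its management channel; the checks themselves do not change.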