H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100

Documents in this series:
- 00-Preface
- 01-Series Deployment Single-Machine Single-Channel and Multi-Channel Configuration Example
- 02-BGP Layer 3 Bypass Return Path Configuration Example
- 03-BGP Auto-Diversion Deployment with Bypass and Abnormal Traffic Detection System Example
- 04-TCP Port Protection Configuration Example
- 05-AFC Comprehensive Protection Configuration Example
- 06-Typical Configuration Examples of Traction Management
- 07-OSPF Layer 2 Reintroduction Configuration Example
- 08-Cascaded Cluster and Dual-Node Active-Standby Configuration Example
- 09-Bypass BGP Layer 2 Return Traffic Configuration Example (this document, 449.45 KB)
- 10-OSPF-Based Three-Layer Return Injection Configuration Example
- 11-BGP-Based Three-Layer Injection Configuration Example for Bypass Single-Device Multi-Channel Deployment
- 12-BGP-Based Three-Layer Injection Configuration Example for Bypass Multi-Device Cluster Deployment
- 13-Bypass GRE Layer 3 Return Injection Configuration Example
- 14-Typical Configuration for HTTPS CC Protection Example
Traffic Cleaning Service Configuration Guide

Contents:
- Typical Configuration Example: AFC Bypass Deployment with BGP and Layer 2 Traffic Re-injection
- Configuration Example: BGP-Based Layer 2 Re-injection Mode
- Applicable Products and Versions
Feature Overview
The AFC (Anti-DDoS Flow Cleaner) is typically deployed in bypass mode next to the core network devices. Without affecting normal service, it filters DDoS attack traffic before it reaches the downstream network, protecting both that network and high-value customer services.
The abnormal traffic cleaning device diverts the traffic of attacked users to itself by advertising BGP routes, drops the malicious packets, and re-injects the remaining clean traffic towards the user. Routes can be advertised in two ways: manually configured static BGP routes for the protected addresses, or dynamic advertisement of host routes for the attacked hosts, triggered by the AFD (Anti-DDoS Flow Detector).
The AFD and the AFC can each be deployed on their own; both provide detailed traffic log analysis reports and attack handling reports.
Feature Usage
This document is not tied to a specific software or hardware version. If the behaviour described here differs from the product in use, the actual behaviour of the device takes precedence.
All configurations in this document were performed and verified in a lab environment, with every device reset to factory defaults beforehand. If your device configuration has already been modified, check that the existing configuration does not conflict with the examples before applying them.
This document assumes that you already have a basic understanding of data communication features such as VLAN and BGP.
Configuration Guide
The basic configuration of the AFC and its service-related configuration are performed through the web interface; the switches are configured from the command line. This example shows an abnormal traffic cleaning device deployed in bypass mode that uses BGP-based traffic diversion for DDoS mitigation.
· The AFC establishes a BGP neighbor relationship with the core network device and advertises /32 host routes for the protected IP addresses to it, so that traffic for those addresses is diverted to the AFC.
· The AFC cleans the diverted traffic and re-injects the legitimate user traffic into the downstream network, from where it reaches the destination hosts.
· Re-injection into the downstream network uses VLAN tagging to keep the cleaned traffic separated.
Precautions
· Configuration commands vary across switches/routers from different vendors and models. Always refer to the official device operation manual for specific configuration procedures.
Typical Configuration Example: AFC Bypass Deployment with BGP and Layer 2 Traffic Re-injection
Introduction
This chapter describes how traffic is returned using Layer 2 VLAN tagging after it has been diverted to a bypass-deployed AFC by means of BGP.
Usage Limitations
The Layer 2 re-injection mode applies when the core device (a Layer 3 switch) that performs the BGP diversion with the AFC has Layer 2 managed switches connected below it.
Configuration Example: BGP-Based Layer 2 Re-injection Mode
Applicable Products and Versions
This configuration applies to the H3C SecPath AFC deployed in bypass mode.
Software version: H3C i-Ware Software, Version 7.1, ESS 6401.
Network Requirements
To clean traffic for the protected IP address 171.0.3.21, one AFC is deployed in bypass mode next to the core switch. Core switch R2 establishes a BGP neighbor relationship with the AFC over the link between R2's interface G1/0/18 and the AFC's interface GE1/0; this link carries the diverted traffic. The AFC's interface GE1/1 is connected to interface G1/0/18 of downstream switch R3 and carries the re-injected traffic. R2 and R3 are interconnected through G1/0/17 on both switches. The topology is shown in Figure 3-1.
Figure 3-1 Configuration Networking Diagram for AFC Bypass Deployment with Layer 2 Re-injection Mode
The mechanism works as follows:
· Host route advertisement: the AFC peers with core switch R2 over GE1/0 and advertises a /32 route for the protected IP to R2, with itself as next hop.
· Host traffic cleaning: because the /32 is the most specific route, R2 forwards all traffic destined for the protected host to the AFC, which drops the anomalous part of that traffic according to its cleaning policies.
· Traffic re-injection: the AFC sends the cleaned traffic out of GE1/1 tagged with the VLAN of the protected host and addressed to the MAC address it learned through Layer 2 MAC discovery on the interconnect. Downstream switch R3 forwards these frames by VLAN and MAC without involving R2's routing table, so the cleaned traffic cannot match the /32 diversion route a second time.
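As an added illustration (not part of the H3C document or product), the following Python model shows why the /32 diversion and the Layer 2 re-injection fit together: longest-prefix match on R2 sends only the protected host to the AFC, R3 delivers the re-injected frame by VLAN and MAC without consulting R2, and routing the cleaned traffic back through R2 instead would match the /32 again and loop. The addresses and VLAN ID are those of this example; the host MAC address, R3's port assignment and the pre-existing /24 route on R2 are assumptions.

```python
"""Model of BGP diversion plus Layer 2 re-injection (illustration only).

Addresses and VLAN IDs follow the configuration example; MAC address,
R3 port and the static /24 on R2 are assumed values.
"""
import ipaddress

AFC_NEXT_HOP = "171.0.0.2"     # AFC GE1/0, R2's BGP peer (Table 3-2)
R3_NEXT_HOP = "171.0.1.2"      # R3 VLAN-interface 1711, R2's normal path to 171.0.3.0/24
PROTECTED_HOST = "171.0.3.21"
HOST_VLAN = 1713               # VLAN of the protected host (Table 3-1)

# R2's routing table after the AFC has advertised the /32. The /24 is R2's
# pre-existing path towards R3 (assumed static); the /32 comes from the AFC.
R2_ROUTES = [
    (ipaddress.ip_network("171.0.3.0/24"), R3_NEXT_HOP, "static"),
    (ipaddress.ip_network(PROTECTED_HOST + "/32"), AFC_NEXT_HOP, "bgp-afc"),
]

# R3 switches by (VLAN, destination MAC); MAC and port are assumed values.
HOST_MAC = "00:1b:21:3c:4d:21"
R3_MAC_TABLE = {(HOST_VLAN, HOST_MAC): "GigabitEthernet1/0/13"}


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop, source) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh, src in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, src)
    return best


def r2_next_hop(dst, routes=R2_ROUTES):
    """Next hop R2 uses for dst, or None when no route matches."""
    hit = lookup(routes, dst)
    return hit[1] if hit else None


def r3_out_port(vlan, dst_mac):
    """R3 forwards a tagged frame by its MAC table, never by IP."""
    return R3_MAC_TABLE.get((vlan, dst_mac), "flood-in-vlan")


def trace(dst, routes=R2_ROUTES, reinject="layer2", max_hops=6):
    """Hop list for a packet entering R2 bound for dst.

    reinject="layer2": AFC re-injects a frame tagged VLAN 1713 to R3 (this example).
    reinject="via-r2": cleaned traffic is routed back through R2, which matches
    the /32 again and bounces between R2 and the AFC.
    """
    hops = ["R2"]
    if r2_next_hop(dst, routes) != AFC_NEXT_HOP:
        return hops + ["R3", "host"]          # not diverted: normal path
    hops.append("AFC")
    if reinject == "layer2":
        return hops + ["R3:" + r3_out_port(HOST_VLAN, HOST_MAC), "host"]
    while len(hops) < max_hops:
        hops.append("R2")
        if r2_next_hop(dst, routes) != AFC_NEXT_HOP:
            return hops + ["R3", "host"]
        hops.append("AFC")
    return hops + ["LOOP"]


if __name__ == "__main__":
    print(trace(PROTECTED_HOST))                       # diverted and re-injected
    print(trace("171.0.3.22"))                         # same /24, not diverted
    print(trace(PROTECTED_HOST, reinject="via-r2"))    # the loop Layer 2 return avoids
    print(trace(PROTECTED_HOST, routes=R2_ROUTES[:1])) # after the AFC withdraws the /32
```

Passing `routes=R2_ROUTES[:1]` models the AFC withdrawing the host route (diversion stopped), after which R2 falls back to the /24 and the host is reached directly; `reinject="via-r2"` is the case the Layer 3 return examples elsewhere in this series solve with a separate return path.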
Table 3-1 VLAN allocation

| VLAN ID | Function | IP address |
|---|---|---|
| 1710 | BGP peering between core switch R2 and the AFC (diversion link) | 171.0.0.1/24 |
| 1711 | Layer 3 VLAN interface of core switch R2 towards the downstream network; gateway for the downstream network | 171.0.1.1/24 |
| 1713 | VLAN of the protected host; its VLAN interface is the host's gateway | 171.0.3.1/24 |
Table 3-2 AFC interface IP address allocation

| Interface | Function | IP address |
|---|---|---|
| GE1/0 | Diversion port; BGP peering with core switch R2 | 171.0.0.2/24 |
| GE1/1 | Re-injection port; returns the cleaned traffic to downstream switch R3 | none (Layer 2 only) |
| GE0/1 or GE0/7 | Management interface of the AFC | 192.168.0.1/24 |
Configuration Concept
To implement BGP diversion with Layer 2 re-injection for a bypass-deployed AFC, proceed in the following order:
1. Core switch R2 basic network configuration: configure the link between R2's interface G1/0/17 and downstream switch R3's interface G1/0/17, plus the VLAN interfaces towards the AFC and towards R3.
2. Core switch R2 BGP neighbor configuration: enable BGP on both the AFC and R2 and establish the peering. The protected host route advertised by the AFC must take precedence over any existing route on R2 for that host (as a /32 it is the longest match; the preferred value set on the peer additionally favours it over any other BGP path).
3. Downstream switch R3 basic network configuration: configure the link to R2 (G1/0/17 on both switches), the VLAN of the protected host and the trunk port that receives the re-injected traffic from the AFC.
4. AFC service interface configuration: set the IP address and port type of the AFC interface facing R2 and verify bidirectional reachability with R2. Configure the service ports in diversion/re-injection mode, with diversion and re-injection on separate physical ports.
5. AFC BGP routing configuration: establish the BGP adjacency between the AFC and R2 so that both sides see the peer as established.
6. AFC host route diversion and traffic cleaning: advertise the protected host route with the AFC as next hop. R2 then redirects traffic for that host to the AFC (with several AFCs, BGP equal-cost multi-path spreads it across them); the AFC cleans the traffic according to its defense policies and re-injects the clean traffic into the downstream network.
Configuration Procedures
Configure the basic network settings on core switch R2.
Create VLAN 1710 and VLAN 1711. VLAN 1710 carries the 171.0.0.0/24 subnet and is the dedicated diversion channel between R2 (interface G1/0/18, VLAN-interface 1710) and the AFC's diversion port GE1/0; VLAN 1711 carries the 171.0.1.0/24 subnet and is the routed interconnection towards the downstream network (R3).
#Create VLAN
[R2]vlan 1710
[R2-vlan1710]quit
[R2]vlan 1711
[R2-vlan1711]quit
# Configure VLAN interface IP addresses
[R2]interface Vlan-interface1710
[R2-Vlan-interface1710]ip address 171.0.0.1 255.255.255.0
[R2-Vlan-interface1710]quit
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
# Configure Interface G1/0/17
[R2]int GigabitEthernet 1/0/17
[R2-GigabitEthernet1/0/17] port link-mode bridge
[R2-GigabitEthernet1/0/17] port access vlan 1711
# View Configuration of Interface G1/0/17
[R2-GigabitEthernet1/0/17] dis this
interface GigabitEthernet1/0/17
port link-mode bridge
port access vlan 1711
[R2-GigabitEthernet1/0/17]quit
# Configure Interface G1/0/18 (diversion link to AFC GE1/0)
[R2]int GigabitEthernet 1/0/18
[R2-GigabitEthernet1/0/18] port link-mode bridge
[R2-GigabitEthernet1/0/18] port access vlan 1710
# View Configuration of Interface G1/0/18
[R2-GigabitEthernet1/0/18] dis this
interface GigabitEthernet1/0/18
port link-mode bridge
port access vlan 1710
[R2-GigabitEthernet1/0/18]quit
Configure the BGP peer relationship on core switch R2
# Create the BGP process with local AS number 65535 and set the router ID
[R2]bgp 65535
[R2-bgp]router-id 171.0.0.1
# Define the AFC as an EBGP peer in AS 65534 and give it a description (the AS number must be set before the peer is enabled in an address family)
[R2-bgp]peer 171.0.0.2 as-number 65534
[R2-bgp]peer 171.0.0.2 description afc2100_01
# Enter the IPv4 unicast address family and enable route exchange with the peer
[R2-bgp]address-family ipv4 unicast
[R2-bgp-ipv4]peer 171.0.0.2 enable
# Preferred value for routes received from this peer; a higher value is preferred over other BGP paths (default 0)
[R2-bgp-ipv4]peer 171.0.0.2 preferred-value 1
# Keep all routes received from the peer, including those rejected by the inbound policy, so that a policy change does not require a session reset
[R2-bgp-ipv4]peer 171.0.0.2 keep-all-routes
[R2-bgp-ipv4]quit
[R2-bgp]quit
Older configurations may also contain undo synchronization; it is the default behaviour and is not needed. Command views differ between Comware versions: on Comware V7 the preferred-value and keep-all-routes settings are entered in the IPv4 unicast address family view as shown. If BGP IPv6 is configured, the peer must be enabled in the BGP IPv6 unicast address family view.
Note that no inbound route filter is applied to the AFC peer, so R2 accepts whatever the AFC advertises. In a production deployment, restrict the peer with an inbound IP prefix list (peer 171.0.0.2 prefix-list name import in the address family view) that permits only /32 routes within the protected ranges, so that a misconfigured or compromised AFC cannot divert an entire subnet.
Configure Basic Network on Downstream Switch R3
Create VLAN 1711 and VLAN 1713. VLAN 1711 carries the 171.0.1.0/24 subnet used for the routed link between core switch R2 and the downstream network; VLAN 1713 carries the 171.0.3.0/24 subnet and is the server VLAN, with VLAN-interface 1713 as the server gateway. Port GE1/1 of the AFC (channel 1) connects to R3's port G1/0/18, which receives the re-injected traffic tagged with VLAN 1713.
# Create VLAN
[R3]vlan 1711
[R3-vlan1711]quit
[R3]vlan 1713
[R3-vlan1713]quit
# Configure VLAN interface IP addresses
[R3]int Vlan-interface 1711
[R3-Vlan-interface1711]ip address 171.0.1.2 24
[R3-Vlan-interface1711]quit
[R3]int Vlan-interface 1713
[R3-Vlan-interface1713]ip address 171.0.3.1 24
[R3-Vlan-interface1713]quit
# Configure Interface G1/0/17
[R3]int GigabitEthernet 1/0/17
[R3-GigabitEthernet1/0/17] port link-mode bridge
[R3-GigabitEthernet1/0/17] port access vlan 1711
# View the configuration of interface G1/0/17
[R3-GigabitEthernet1/0/17] dis this
interface GigabitEthernet1/0/17
port link-mode bridge
port access vlan 1711
[R3-GigabitEthernet1/0/17]quit
# Configure Interface G1/0/18 (re-injection link from AFC GE1/1) as a trunk that accepts frames tagged with VLAN 1713
[R3]int GigabitEthernet 1/0/18
[R3-GigabitEthernet1/0/18] port link-type trunk
[R3-GigabitEthernet1/0/18] port trunk permit vlan 1713
# View the configuration of interface G1/0/18
[R3-GigabitEthernet1/0/18] dis this
interface GigabitEthernet1/0/18
port link-type trunk
port trunk permit vlan 1 1713
[R3-GigabitEthernet1/0/18]quit
# Configure Interface G1/0/13 (protected host port)
[R3]int GigabitEthernet 1/0/13
[R3-GigabitEthernet1/0/13] port link-mode bridge
[R3-GigabitEthernet1/0/13] port access vlan 1713
# View the configuration of interface G1/0/13
[R3-GigabitEthernet1/0/13] dis this
interface GigabitEthernet1/0/13
port link-mode bridge
port access vlan 1713
[R3-GigabitEthernet1/0/13]quit
Configure the AFC device service ports
To configure the AFC for BGP diversion with Layer 2 re-injection in this bypass deployment, follow the steps below.
Important note: where a step involves an [Apply Configuration] button, you must click it for the settings to take effect. This is not repeated in the steps below.
· Log in to the AFC web interface
Open a web browser and go to https://192.168.0.1/ (the management interface). Log in with the default username "admin" and password "admin". Change this default password after the first login, and keep the management interface reachable only from a dedicated management network.
Figure 3-2 AFC login page
· Configure the AFC IP address and port types
Navigate to [System] → [Device] → [Device Management] and click Configure for the target device. In the left navigation pane select Port Configuration, then click Modify for each port:
· GE1/0: IP address 171.0.0.2, port type diversion port (traffic ingress), IPv4 next hop in the ingress direction 171.0.0.1 (VLAN-interface 1710 on core switch R2, reached through G1/0/18).
· GE1/1: port type re-injection port (traffic egress), marked as the primary link and paired with diversion port GE1/0. No IP address is configured on GE1/1; it sends re-injected traffic at Layer 2 only.
Figure 3-3 Configuration of GE1/0
Figure 3-4 Configuration of GE1/1
BGP routing configuration on the AFC
After the address and port type configuration, open the [Route Config] menu at the bottom, select [BGP Config], tick Enable BGP and click [Apply Configure]. Then complete the following steps.
· Local BGP configuration
Navigate to [System] → [Device], click the [Setup] action button in the row for device 127.0.0.1 (the local device), then go to [Routing Configure] → [BGP Config]:
Tick [Enable BGP]
Local AS: 65534 // AS number of the AFC
Local Port: 179 // default BGP port
Click [Save]. See Figure 3-5.
Figure 3-5 Local BGP configuration on the AFC (enabling BGP)
· Neighbor BGP configuration
Click [Add] and enter the peer information:
Peer AS: 65535 // the AS number already configured on the core switch
Peer Port: 179 // default BGP port
LocalPref/MED: 100 // default value
Peer IP: 171.0.0.1 // the IPv4 next hop configured on GE1/0, i.e. VLAN-interface 1710 on R2
Click [Save] to complete the neighbor configuration. See Figure 3-6.
Figure 3-6 BGP peer configuration on the abnormal traffic cleaning system
· Apply the BGP configuration
Click [Save], then [Apply Configure] to activate the BGP settings. Afterwards the peer state for 171.0.0.2 on R2 should be Established.
AFC re-injection rule configuration
Go to [System] > [Device] > [Setup] > [Device Config] > [Reinjection Config] and configure the protected IP address and subnet mask, the re-injection VLAN ID (1713, the VLAN of the protected host in the downstream network), enable [2-layer MAC Discovery], enter the probe IP 171.0.3.2, and select GE1/1 as the re-injection port. The probe IP must lie within the IP range of this rule and must not be the gateway address or a server address: the AFC sources its Layer 2 MAC discovery in VLAN 1713 from this address, so it must not duplicate an address that is in use.
Figure 3-7 Configuring the AFC protected IP and re-injection parameters
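As an added example (not AFC firmware, whose framing code is not public), the Python below constructs the 802.1Q-tagged frame that re-injection on GE1/1 amounts to: an IPv4 packet for 171.0.3.21 wrapped in an Ethernet frame carrying VLAN ID 1713 and the destination MAC learned through MAC discovery, then decodes it the way R3's trunk port sees it. It also encodes the probe IP constraint from the rule above. The MAC addresses and the ICMP payload are constructed values; the VLAN, addresses and port roles are those of this example.

```python
"""802.1Q re-injection frame and probe IP check (illustration only).

Frame layout is standard IEEE 802.1Q. MAC addresses and the sample
IPv4/ICMP payload are constructed; VLAN and IP addresses follow the example.
"""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
REINJECT_VLAN = 1713                 # VLAN of the protected host (Table 3-1)
HOST_MAC = "00:1b:21:3c:4d:21"       # assumed MAC of 171.0.3.21 learned by MAC discovery
AFC_GE11_MAC = "00:e0:fc:aa:bb:01"   # assumed MAC of the AFC re-injection port GE1/1


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_header(src, dst, proto=1, payload_len=8, ttl=64):
    """Minimal 20-byte IPv4 header for a sample packet (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def tagged_frame(dst_mac, src_mac, vlan_id, payload, pcp=0, dei=0,
                 ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame with an 802.1Q tag: dst | src | 0x8100 | TCI | type | payload.
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def decode_frame(frame):
    """Parse the fields R3 switches on. An untagged frame gets vlan=None: a
    trunk port would place it in its PVID (VLAN 1 by default), not in 1713."""
    dst, src = bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "ethertype": tpid,
                "payload": frame[14:]}
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": ethertype, "payload": frame[18:]}


def valid_probe_ip(probe, rule_subnet, gateway, servers):
    """Probe IP rule from the re-injection configuration: inside the rule's
    subnet, a usable host address, and neither the gateway nor a server."""
    p = ipaddress.ip_address(probe)
    net = ipaddress.ip_network(rule_subnet, strict=False)
    if p not in net or p in (net.network_address, net.broadcast_address):
        return False
    reserved = {ipaddress.ip_address(gateway)} | {ipaddress.ip_address(s) for s in servers}
    return p not in reserved


def sample_reinjected_frame():
    """Cleaned ICMP echo request from the test client to the protected host,
    as the AFC would hand it to R3 on VLAN 1713 (constructed sample)."""
    icmp_echo = b"\x08\x00\x00\x00\x00\x01\x00\x01"   # type 8, code 0, id 1, seq 1
    pkt = ipv4_header("184.0.0.75", "171.0.3.21") + icmp_echo
    return tagged_frame(HOST_MAC, AFC_GE11_MAC, REINJECT_VLAN, pkt)


if __name__ == "__main__":
    print(decode_frame(sample_reinjected_frame()))
    print(valid_probe_ip("171.0.3.2", "171.0.3.0/24", "171.0.3.1", ["171.0.3.21"]))
```

The decoded frame is what R3 uses to forward: VLAN 1713 plus the destination MAC select the egress port, and the IP header is never consulted, which is why the re-injected traffic bypasses R2's diversion route.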
AFC route diversion and traffic cleaning
Log in to the AFC, navigate to [Steer Config] > [Traffic Steering] and click [Manual Diversion] (shown as [Hand Tow] in the interface) to start diverting the user's internal test address, here 171.0.3.21. Select the diversion type [Traffic Diversion] (shown as [Drainage Traction]) and click [OK] (shown as [Ensure]) to complete the operation. See Figure 3-8.
Figure 3-8 Diverting user service traffic for address 171.0.3.21
Once the traffic reaches the AFC, the default policies are applied automatically to mitigate and defend against DDoS attacks.
Verify the configuration
1. Verify connectivity between core switch R2 and the AFC diversion port
Ping the AFC from R2, sourced from VLAN-interface 1710, to check that the diversion link is reachable in both directions:
[R2]ping -a 171.0.0.1 171.0.0.2
PING 171.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 171.0.0.2: bytes=56 Sequence=1 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=2 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=3 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=4 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=5 ttl=64 time=3 ms
--- 171.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
2. Verify that the BGP diversion route from the AFC is installed on R2. A successful diversion shows a /32 host route for the protected host, learned from 171.0.0.2, as the best route in R2's BGP table. Also confirm that the peer state is Established, and use display ip routing-table 171.0.3.21 to check that the /32 is the active route in the IP routing table and not only present in the BGP table.
Check the BGP routing table of core switch R2:
[R2]display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 171.0.0.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 171.0.3.21/32 171.0.0.2 0 1 65534i
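The following Python helper is an added example, not from the H3C document: it parses display bgp routing-table output in the form shown above and checks the invariant this deployment depends on, namely that everything R2 learns from the AFC peer is a best /32 inside the protected range. Because R2 is configured with keep-all-routes and no inbound filter, it would accept a broader prefix from a misconfigured AFC and divert a whole subnet. The two sample outputs are constructed for the check; the AFC peer address and protected range are taken from this example.

```python
"""Check the routes R2 learns from the AFC (added verification helper).

Parses Comware-style `display bgp routing-table` text and flags anything
from the AFC peer that is not a best /32 within the protected ranges.
Sample outputs below are constructed.
"""
import ipaddress
import re

AFC_PEER = "171.0.0.2"                                  # AFC GE1/0 (Table 3-2)
PROTECTED_RANGES = [ipaddress.ip_network("171.0.3.0/24")]  # VLAN 1713 subnet

# status flags, Network, NextHop, then MED/LocPrf/PrefVal/Path-Ogn columns
ROUTE_RE = re.compile(
    r"^(?P<flags>[^0-9]*?)(?P<net>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?P<nh>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<rest>\S.*)$"
)

SAMPLE_OK = """\
 Total Number of Routes: 1

 BGP Local router ID is 171.0.0.1
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 *>  171.0.3.21/32      171.0.0.2       0                     1       65534i
"""

# A misconfigured AFC advertising a whole /24 and an unrelated /8, no /32.
SAMPLE_BAD = """\
 Total Number of Routes: 2

 BGP Local router ID is 171.0.0.1
     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 *>  171.0.3.0/24       171.0.0.2       0                     1       65534i
 *>  10.0.0.0/8         171.0.0.2       0                     1       65534i
"""


def parse_bgp_table(text):
    """Return one dict per route line; header and legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        path_ogn = m.group("rest").split()[-1]        # e.g. "65534i"
        routes.append({
            "net": ipaddress.ip_network(m.group("net")),
            "nh": m.group("nh"),
            "valid": "*" in flags,
            "best": ">" in flags,
            "as_path": path_ogn[:-1].split(),
            "origin": path_ogn[-1],
        })
    return routes


def check_diversion(routes, host, afc_peer=AFC_PEER, ranges=PROTECTED_RANGES):
    """Findings for the protected host; an empty list means diversion is healthy."""
    findings = []
    want = ipaddress.ip_network(host + "/32")
    from_afc = [r for r in routes if r["nh"] == afc_peer]
    if not any(r["net"] == want and r["best"] for r in from_afc):
        findings.append(f"no best /32 for {host} via AFC {afc_peer}: traffic not diverted")
    for r in from_afc:
        if r["net"].prefixlen != 32:
            findings.append(f"AFC advertised {r['net']}: not a host route, would divert the whole prefix")
        if not any(r["net"].subnet_of(p) for p in ranges):
            findings.append(f"AFC advertised {r['net']}: outside the protected ranges")
    return findings


if __name__ == "__main__":
    print(check_diversion(parse_bgp_table(SAMPLE_OK), "171.0.3.21"))
    print(check_diversion(parse_bgp_table(SAMPLE_BAD), "171.0.3.21"))
```

To enforce the same rule on the switch rather than in a script, apply an inbound IP prefix list to the peer (peer 171.0.0.2 prefix-list name import in the IPv4 unicast address family view, with a prefix list permitting only /32 entries within the protected ranges); the script then serves as an independent check that the filter is doing its job.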
3. Verify connectivity between the client and the protected server
From the test client (184.0.0.75, outside the protected network), ping the protected address. Replies prove that the diverted traffic is cleaned and re-injected to the server and that the server's return path works:
[root@AFCTest_Client ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:9D:1B:7A
inet addr:184.0.0.75 Bcast:184.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257120 errors:0 dropped:0 overruns:0 frame:0
TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28882056 (27.5 MiB) TX bytes:3460908912 (3.2 GiB)
[root@AFCTest_Client ~]# ping -c 5 171.0.3.21
PING 171.0.3.21 (171.0.3.21) 56(84) bytes of data.
64 bytes from 171.0.3.21: icmp_seq=1 ttl=124 time=0.799 ms
64 bytes from 171.0.3.21: icmp_seq=2 ttl=124 time=0.736 ms
64 bytes from 171.0.3.21: icmp_seq=3 ttl=124 time=0.862 ms
64 bytes from 171.0.3.21: icmp_seq=4 ttl=124 time=1.47 ms
64 bytes from 171.0.3.21: icmp_seq=5 ttl=124 time=1.02 ms
--- 171.0.3.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms