H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100

10-OSPF-Based Layer 3 Reinjection Configuration Example

Feature Introduction

The H3C SecPath abnormal traffic cleaning system is typically deployed in bypass mode alongside core network devices. Without interrupting normal services, it filters DDoS attack traffic out of the underlying network, protecting both that network and the services of high-priority customers.

The H3C SecPath consists of two main components: the H3C SecPath AFC (AFC) and the H3C SecPath AFD (AFD), which is a specialized abnormal traffic cleaning device.

The H3C SecPath AFD performs real-time attack detection and abnormal traffic analysis on user traffic that is copied to it by port mirroring or optical splitting.

The H3C SecPath AFC diverts attack traffic to itself by advertising OSPF routes, filters the attack packets, and reinjects the cleaned traffic back towards the users. Routes can be advertised in two ways: statically, by configuring the OSPF advertisements by hand, or dynamically, by advertising host routes for the attacked addresses in linkage with the H3C SecPath AFD.

The H3C SecPath AFD and H3C SecPath AFC can both be deployed independently, and both can provide users with detailed traffic log analysis reports, attack incident handling reports, and more.

Feature Usage

This document is not strictly version-specific to any particular software or hardware release. If discrepancies arise between the document and the actual product behavior during use, the device's actual status shall prevail.

All configurations presented in this document were performed and verified in a laboratory environment, with all device parameters initialized to factory default settings prior to configuration. If you have already configured the device, to ensure configuration effectiveness, please verify that your existing configuration does not conflict with the examples provided herein.

This document assumes that you have prior knowledge of data communication features including VLAN, OSPF, policy-based routing, and ACLs.

 

Configuration Guide

The SecPath AFC and SecPath AFD system consists of AFD devices, AFC devices and switching devices. The switching devices are configured from the command line interface (CLI). On the SecPath AFC, both basic and service configuration is done through the Web interface. This configuration example demonstrates traffic cleaning with a standalone SecPath AFC, using OSPF-based traffic diversion and Layer 3 reinjection.

 

Traffic Cleaning Service Configuration Guide

·     The AFC establishes an OSPF adjacency with the core devices and advertises /32 host routes for the protected IP addresses to them, so that traffic for those addresses is diverted to the AFC.

·     The AFC cleans the attack traffic diverted from the core devices and reinjects the remaining legitimate traffic into the downstream network, where it is forwarded to the original destination.

·     Cleaned traffic can be reinjected into the downstream network over Layer 3 routing in two ways: through a single-arm reinjection interface (one port carries both the diverted and the reinjected traffic) or through separate traffic diversion and traffic reinjection interfaces.

Precautions

Configuration commands vary across switches and routers from different vendors and models. Please refer to the respective device operation manuals for specific configuration procedures.

Typical Configuration Example of AFC Bypass OSPF Layer 3 Re-injection

Introduction

This chapter describes the traffic forwarding method using policy-based routing in a Layer 3 reinjection mode after traffic redirection via the OSPF routing protocol in an AFC bypass deployment scenario.

Usage Restrictions

Layer 3 reinjection mode applies when the network devices directly connected to the core devices that perform route diversion with the AFC are Layer 3 switches or routers.

Configuration Example of OSPF Layer 3 Reinjection Mode

Applicable Products and Versions

This configuration is applicable to H3C SecPath AFC.
Software version: H3C i-Ware Software, Version 7.1, ESS 6401.

 

Networking Requirements

To clean traffic targeting the protected IP 171.0.3.21, an AFC device is deployed in bypass mode on the core switch.

The core switch R2 establishes an OSPF neighbor relationship with the AFC device through interface G1/0/18 (connected to the AFC's GE1/0 interface) for traffic redirection and cleaning.

On the inbound direction of interface G1/0/18 of core switch R2, policy-based routing is configured to forward the cleaned traffic back into the network.

Figure 3-1 shows the networking.

Figure 3-1 Networking diagram for AFC deployment in Layer 3 reinjection mode

 

The specific implementation is as follows.

·     Host route advertisement: the AFC establishes an OSPF adjacency with core switch R2 through interface GE1/0 and advertises a /32 host route for the protected IP address to R2.

·     Host traffic cleaning: core switch R2 forwards traffic destined to the protected host to the AFC, which removes the abnormal traffic according to its cleaning policies.

·     Traffic reinjection: core switch R2 applies policy-based routing inbound on the interface connected to the AFC, so that the cleaned traffic returned by the AFC is forwarded to the downstream network instead of back to the AFC.

Table 3-1 VLAN allocation

VLAN ID   Function                                                                  IP address
1710      OSPF adjacency between core switch R2 and the AFC; the AFC also           171.0.0.1/24 (R2)
          reinjects cleaned traffic to R2 over this VLAN
1711      Layer 3 VLAN interface on core switch R2 facing the downstream network;   171.0.1.1/24 (R2)
          Layer 3 VLAN interface on downstream switch R3 facing core switch R2      171.0.1.2/24 (R3)
1713      VLAN of the protected host; the interface address is the host's gateway   171.0.3.1/24 (R3)

 

Table 3-2 AFC interface IP assignment

Interface   Function                                                    IP address
GE1/0       Service interface; OSPF adjacency with core switch R2      171.0.0.2/24
            (diversion and reinjection on the same single-arm port)
GE0/0       AFC management port                                         192.168.0.1/24

 

Configuration Approach

To configure AFC bypass deployment with OSPF Layer 3 reinjection, follow these steps:

Step 1 Core switch R2 basic network configuration

Configure the interconnection between interface G1/0/17 of core switch R2 and interface G1/0/17 of downstream switch R3, and the VLAN interface facing the AFC.

Step 2 OSPF neighbor configuration on core switch R2

Enable an OSPF process on both the AFC and core switch R2 so that they establish an adjacency.

Step 3 Reinjection policy configuration on core switch R2

Configure policy-based routing inbound on the port interconnecting the core switch and the AFC (G1/0/18, VLAN-interface 1710) that redirects traffic destined to the user service address segment (171.0.3.0/24) to downstream switch R3. Without this policy, cleaned traffic returned by the AFC would match the /32 host route and be sent back to the AFC, creating a routing loop.

Step 4 Downstream switch R3 basic network configuration

Configure the interconnection between interface G1/0/17 of downstream switch R3 and interface G1/0/17 of core switch R2, and the VLAN of the protected host.

Step 5 AFC service interface configuration

Configure the IP address and port type of the AFC interface connected to core switch R2 and verify connectivity to R2. Set the port type to "Single-arm Re-injection Interface" (the same physical port is used for both diversion and reinjection).

Step 6 AFC OSPF routing configuration

Configure OSPF on the AFC so that it establishes an adjacency with the core switch.

Step 7 AFC traffic diversion and cleaning

Divert the user service address on the AFC, clean the user traffic according to the defense policies, and reinject the cleaned traffic to the core switch.

Configuration Procedure

Basic Network Configuration of Core Switch R2

Create VLAN 1710 and VLAN 1711. VLAN 1710 corresponds to the 171.0.0.0/24 segment and carries the diversion and reinjection traffic between Layer 3 switch R2 and the AFC service interface GE1/0. VLAN 1711 corresponds to the 171.0.1.0/24 segment and is used for the interconnection with downstream switch R3.

# Create VLAN

[R2]vlan 1710

[R2-vlan1710]quit

[R2]vlan 1711

[R2-vlan1711]quit

# Configure VLAN IP

[R2]interface Vlan-interface1710

[R2-Vlan-interface1710]ip address 171.0.0.1 255.255.255.0

[R2-Vlan-interface1710]quit

[R2]interface Vlan-interface1711

[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0

# Configure G1/0/17 interface

[R2]int GigabitEthernet 1/0/17

[R2-GigabitEthernet1/0/17] port link-mode bridge

[R2-GigabitEthernet1/0/17] port access vlan 1711

#Check G1/0/17 interface configuration

[R2-GigabitEthernet1/0/17] dis this

interface GigabitEthernet1/0/17

 port link-mode bridge

 port access vlan 1711

# Configure G1/0/18 interface

[R2]int GigabitEthernet 1/0/18

[R2-GigabitEthernet1/0/18] port link-mode bridge

[R2-GigabitEthernet1/0/18] port access vlan 1710

#Check G1/0/18 interface configuration

[R2-GigabitEthernet1/0/18] dis this

interface GigabitEthernet1/0/18

 port link-mode bridge

 port access vlan 1710

Configure OSPF neighbor on Core Switch R2

# Configure a dedicated OSPF process for the AFC adjacency

[R2]ospf 2

# OSPF process 1 is already used by the Layer 3 switch for the downstream network, so a separate process 2 is used for the AFC.

# Configure the AFC as an OSPF neighbor

[R2-ospf-2]peer 171.0.0.2

# Set the preference of routes learned in process 2. A smaller value means a higher priority; by default OSPF intra-AS (internal) routes have preference 10 and inter-AS (ASE) routes 150. Preference 1 makes the /32 host routes advertised by the AFC win over any route for the same prefix learned from another protocol or process.

[R2-ospf-2] preference 1

# Configure the area ID, which must match the area ID configured on the AFC (0.0.0.1 in this example)

[R2-ospf-2] area 0.0.0.1

# Enable process 2 on the 171.0.0.0/24 segment (VLAN-interface 1710) so that the adjacency with the AFC can form on that interface

[R2-ospf-2-area-0.0.0.1] network 171.0.0.0 0.0.0.255

[R2-ospf-2-area-0.0.0.1] quit

# Connectivity between the upstream and downstream networks also needs a routing protocol. In this example OSPF process 1 is run directly between core switch R2 and downstream switch R3.

# Enable OSPF process 1 on core switch R2 to exchange routes with the downstream network

[R2]ospf 1

[R2-ospf-1]area 0

[R2-ospf-1-area-0.0.0.0]network 171.0.1.0 0.0.0.255

[R2-ospf-1-area-0.0.0.0]quit

# OSPF process 1 is configured on both R2 and R3 with area ID 0. Any other routing protocol can be used instead to interconnect the two Layer 3 switches and the upstream router.

 

For IPv6 protected addresses, configure OSPFv3 instead; the OSPF commands above apply only to IPv4.

 

Configure return traffic policy on Core Switch R2

# Configure an ACL matching the destination address range of the diverted traffic (the protected user service segment 171.0.3.0/24)

[R2]acl number 3003

[R2-acl-adv-3003]rule 1 permit ip destination 171.0.3.0 0.0.0.255

[R2-acl-adv-3003]quit

# Create the policy-based routing policy p_afc_out: traffic matching ACL 3003 is sent to next hop 171.0.1.2, the address of downstream switch R3 on the R2-R3 interconnection. Adjust the next hop to your actual deployment.

[R2]policy-based-route p_afc_out permit node 5

[R2-pbr-p_afc_out-5]if-match acl 3003

[R2-pbr-p_afc_out-5]apply ip-address next-hop 171.0.1.2

[R2-pbr-p_afc_out-5]quit

# Apply the policy inbound on the Layer 3 interface facing the AFC. Cleaned traffic returned by the AFC would otherwise match the /32 host route and be sent back to the AFC.

[R2]interface Vlan-interface1710

[R2-Vlan-interface1710]ip policy-based-route p_afc_out

[R2-Vlan-interface1710]quit

# If the interface connected to the AFC is in route mode, apply the PBR policy directly on that interface. If it is in bridge mode (as here), apply it on the corresponding VLAN interface.
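The reason the inbound policy on VLAN-interface 1710 is mandatory is easiest to see by tracing one packet through R2's forwarding decision. The following Python model is an added illustration, not code from the H3C page or product: it builds a simplified copy of R2's routing table after the AFC has advertised 171.0.3.21/32 (the table shown later under "display ospf 2 routing"), models policy p_afc_out as applied inbound on Vlan1710 only, and shows that with PBR disabled the cleaned packet returned by the AFC is handed straight back to the AFC. The upstream ingress interface name "upstream" and the route origins are assumptions for the model; the addresses are those of this example.

```python
"""Forwarding model of core switch R2 for the Layer 3 reinjection scenario.

Added illustration, not H3C code. Models R2's routing table with the AFC's
/32 host route present, plus PBR policy p_afc_out inbound on Vlan1710, and
shows the routing loop that occurs without the PBR.
"""
import ipaddress

AFC_IP = "171.0.0.2"      # AFC service interface GE1/0 (single-arm)
R3_IP = "171.0.1.2"       # downstream switch R3 on the R2-R3 link

# Constructed model of R2's IPv4 routing table; entries are
# (prefix, next hop or None when directly connected, egress interface, origin).
R2_ROUTES = [
    (ipaddress.ip_network("171.0.0.0/24"), None, "Vlan1710", "direct"),
    (ipaddress.ip_network("171.0.1.0/24"), None, "Vlan1711", "direct"),
    (ipaddress.ip_network("171.0.3.0/24"), R3_IP, "Vlan1711", "ospf 1 (from R3)"),
    (ipaddress.ip_network("171.0.3.21/32"), AFC_IP, "Vlan1710", "ospf 2 (from AFC)"),
]

# Model of policy p_afc_out node 5 (if-match acl 3003, next hop 171.0.1.2),
# applied inbound on VLAN-interface 1710 only.
PBR_POLICY = {
    "Vlan1710": [(ipaddress.ip_network("171.0.3.0/24"), R3_IP, "Vlan1711")],
}


def lookup_lpm(dst, routes=R2_ROUTES):
    """Longest-prefix-match lookup; returns (next hop, egress interface, origin)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface, origin in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh, iface, origin)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1:]


def forward(dst, ingress, pbr_enabled=True):
    """Decide the next hop for a packet to dst arriving on interface ingress.

    As on Comware, an inbound PBR policy is evaluated before the routing
    table, so a matching node overrides the longest-prefix match.
    """
    if pbr_enabled:
        addr = ipaddress.ip_address(dst)
        for prefix, nh, iface in PBR_POLICY.get(ingress, []):
            if addr in prefix:
                return (nh, iface, "pbr p_afc_out")
    return lookup_lpm(dst)


def path_via_r2(dst, pbr_enabled=True, max_hops=4):
    """Trace a packet to dst that enters R2 from the upstream network.

    The AFC is modelled as cleaning the packet and sending it straight back
    to R2 on the same single-arm interface (VLAN 1710). Returns the list of
    forwarding decisions and "delivered" or "loop".
    """
    hops = []
    ingress = "upstream"          # assumed name of the upstream-facing interface
    for _ in range(max_hops):
        nh, iface, why = forward(dst, ingress, pbr_enabled)
        hops.append((nh, iface, why))
        if nh != AFC_IP:
            return hops, "delivered"   # left R2 towards R3 (or a connected host)
        ingress = "Vlan1710"           # handed to the AFC; it comes back here
    return hops, "loop"


if __name__ == "__main__":
    for enabled in (True, False):
        hops, result = path_via_r2("171.0.3.21", pbr_enabled=enabled)
        print(f"PBR {'on ' if enabled else 'off'}: {result}")
        for nh, iface, why in hops:
            print(f"  -> next hop {nh} via {iface} ({why})")
```

Two properties of the model carry over to the real switch: the policy only sees packets arriving on Vlan1710, so traffic from the upstream side is unaffected and still follows the /32 to the AFC; and ACL 3003 must cover every prefix that can ever be diverted, because a diverted /32 outside 171.0.3.0/24 would miss the policy and loop exactly as the PBR-off trace does.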

Configure basic network settings on the downstream switch R3

Create VLAN 1711 and VLAN 1713. VLAN 1711 corresponds to the 171.0.1.0/24 subnet and carries the routed interconnection between downstream switch R3 and core switch R2. VLAN 1713 corresponds to the 171.0.3.0/24 subnet of the downstream (protected) network.

# Create VLAN

[R3]vlan 1711

[R3-vlan1711]quit

[R3]vlan 1713

[R3-vlan1713]quit

# Configure VLAN IP

[R3]int Vlan-interface 1711

[R3-Vlan-interface1711]ip address 171.0.1.2 24

[R3-Vlan-interface1711]quit

[R3]int Vlan-interface 1713

[R3-Vlan-interface1713]ip address 171.0.3.1 24

[R3-Vlan-interface1713]quit

# Configure G1/0/17 interface (interconnection with core switch R2)

[R3]int GigabitEthernet 1/0/17

[R3-GigabitEthernet1/0/17] port link-mode bridge

[R3-GigabitEthernet1/0/17] port access vlan 1711

#Check G1/0/17 interface configuration

[R3-GigabitEthernet1/0/17] dis this

interface GigabitEthernet1/0/17

 port link-mode bridge

 port access vlan 1711

# Configure G1/0/13 interface (access port of the protected host in VLAN 1713)

[R3]int GigabitEthernet 1/0/13

[R3-GigabitEthernet1/0/13] port link-mode bridge

[R3-GigabitEthernet1/0/13] port access vlan 1713

#Check G1/0/13 interface configuration

[R3-GigabitEthernet1/0/13] dis this

interface GigabitEthernet1/0/13

 port link-mode bridge

 port access vlan 1713

To ensure interoperability between the upper-layer and lower-layer networks, it is necessary to configure a routing protocol. In this experiment, the OSPF routing process is configured directly between the core switch R2 and the downstream switch R3 to achieve network connectivity.

# Enable the OSPF process on the downstream switch R3 to exchange routing information with the downstream network.

[R3]ospf 1

[R3-ospf-1]area 0

[R3-ospf-1-area-0.0.0.0]network 171.0.1.0 0.0.0.255

[R3-ospf-1-area-0.0.0.0]network 171.0.3.0 0.0.0.255

[R3-ospf-1-area-0.0.0.0]quit

# To ensure routing interoperability between the core switch R2 and the downstream switch R3, configure the OSPF protocol on both R2 and R3 with area ID 0. Alternatively, other routing protocols can be used to achieve interconnection between the Layer 3 switches and the upper-layer router.

Configure service ports on the AFC device

To configure OSPF Layer 3 reinjection mode for a standalone AFC in bypass deployment, perform the following steps in the AFC Web interface:

Note: For configuration steps containing the [Apply Config] button, click this button to activate the configuration. This will not be reiterated in subsequent steps.

Step 8 Log in to the AFC Web interface

Open https://192.168.0.1:16010/ in a browser (default username admin, password admin). Change the default password after the first login, and make sure the management port (GE0/0) is reachable only from the management network.

Figure 3-2 Log in to the AFC Web interface

 

Step 9 Configure the AFC service interface IP address and port type

Navigate to [System] > [Device] > [Device Management], click [Setup] to the right of the target device, select [Port Settings] in the left navigation bar, then click [Modify] to configure the IP address, subnet mask and port type of GE1/0 (on first deployment, refresh the configuration first so that the current interface settings are read from the device).

Configure GE1/0 (shown as XGE3/1 in the screenshot) with IP address 171.0.0.2/24 and set the port type to "Single-arm Re-injection Interface", so that the same physical port carries both the diverted and the reinjected traffic. For the IPv4 upstream next hop, enter the address of the interconnecting switch interface, VLAN-interface 1710 on core switch R2 (171.0.0.1, reached through G1/0/18).

Figure 3-3 Configure the service interface

 

Configure OSPF routing on the AFC device

Navigate to [System] > [Device Management], click [Setup] in the row for device 127.0.0.1, then open [Route Configuration] > [OSPF Configuration] and perform the following steps:

Step 10 Enable and configure OSPF

Check "Enable OSPF" and set:

·     Area: 0.0.0.1      // Area ID; must match area 0.0.0.1 of OSPF process 2 on core switch R2

·     Cost: 100          // Default 100

·     Metric: 100        // Default 100

Figure 3-4 Enable and configure OSPF

 

Step 11 Apply the OSPF configuration

Click [Apply Config] to activate the OSPF configuration. The AFC then forms the adjacency with core switch R2.

Configure AFC device route diversion and traffic cleaning

Log in to the AFC, navigate to [Steer Config] > [Traffic Steering Status], click [Manual Diversion] and divert the user's internal test address. In this example the diverted address is 171.0.3.21; select the "Divert" operation and click [OK] to complete the diversion. The AFC then advertises 171.0.3.21/32 to core switch R2 through OSPF.

Figure 3-5 Divert the user service address 171.0.3.21

 

After traffic is diverted to the AFC device, DDoS attack traffic can be automatically cleaned and mitigated using the default policy.

Verify the configuration

Step 12 Verify connectivity between core switch R2 and the AFC service interface

Test whether core switch R2 can communicate with the AFC device via ping.

[R2]ping -a 171.0.0.1 171.0.0.2

  PING 171.0.0.2: 56  data bytes, press CTRL_C to break

    Reply from 171.0.0.2: bytes=56 Sequence=1 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=2 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=3 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=4 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=5 ttl=64 time=3 ms

  --- 171.0.0.2 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

round-trip min/avg/max = 3/3/3 ms

Step 13 Check that the OSPF adjacency between the AFC and R2 is established

On switch R2, run display ospf 2 peer and confirm that the neighbor state with 171.0.0.2 is Full.

[R2]display ospf 2 peer

              OSPF Process 2 with Router ID 110.1.0.1

                        Neighbor Brief Information

 Area: 0.0.0.1

 Router ID       Address         Pri Dead-Time Interface       State

 171.0.0.2       171.0.0.2       1   35        Vlan1710        Full/BDR

 

Step 14 Verify that traffic for the protected host is diverted from core switch R2 to the AFC. A successful diversion shows up as a /32 host route for the target host with the AFC (171.0.0.2) as next hop.

View the routing table of core switch R2

[R2]display ospf 2 routing

     OSPF Process 2 with Router ID 110.1.0.1

          Routing Tables

 Routing for Network

 Destination        Cost     Type    NextHop         AdvRouter       Area

 171.0.0.0/24       1        Transit 171.0.0.1       171.0.0.2       0.0.0.1

 171.0.3.21/32      11       Stub    171.0.0.2       171.0.0.2       0.0.0.1

 Total Nets: 2

 Intra Area: 2  Inter Area: 0  ASE: 0  NSSA: 0
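The two display outputs above are the whole evidence that diversion is working, and they are also what an operator should watch: because process 2 accepts any host route the AFC advertises at preference 1, an unexpected /32 means traffic for an address nobody asked to protect is being pulled through the AFC. The following Python check is an added example, not part of the H3C page: it parses the text of display ospf 2 peer and display ospf 2 routing (the samples below are constructed from the outputs shown in steps 13 and 14), confirms the adjacency is Full, confirms each protected IP has a /32 route via the AFC, and flags any other /32 the AFC is injecting. The protected-address list and the output format it parses are assumptions taken from this example.

```python
"""Check the diversion state of core switch R2 from its CLI output.

Added example, not from the H3C page. Parses "display ospf 2 peer" and
"display ospf 2 routing" text and reports anything that does not match the
expected diversion of the protected addresses.
"""
import re

AFC_IP = "171.0.0.2"          # AFC service interface GE1/0
PROTECTED = ["171.0.3.21"]    # addresses that are supposed to be diverted

# Constructed from the outputs shown in steps 13 and 14 of this example.
PEER_OUTPUT = """\
              OSPF Process 2 with Router ID 110.1.0.1
                        Neighbor Brief Information
 Area: 0.0.0.1
 Router ID       Address         Pri Dead-Time Interface       State
 171.0.0.2       171.0.0.2       1   35        Vlan1710        Full/BDR
"""

ROUTING_OUTPUT = """\
     OSPF Process 2 with Router ID 110.1.0.1
          Routing Tables
 Routing for Network
 Destination        Cost     Type    NextHop         AdvRouter       Area
 171.0.0.0/24       1        Transit 171.0.0.1       171.0.0.2       0.0.0.1
 171.0.3.21/32      11       Stub    171.0.0.2       171.0.0.2       0.0.0.1
 Total Nets: 2
 Intra Area: 2  Inter Area: 0  ASE: 0  NSSA: 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Router ID, Address, Pri, Dead-Time, Interface, State
PEER_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
# Destination, Cost, Type, NextHop, AdvRouter, Area
ROUTE_RE = re.compile(rf"^\s*({IPV4}/\d{{1,2}})\s+(\d+)\s+(\S+)\s+({IPV4})\s+({IPV4})\s+(\S+)\s*$")


def parse_peers(text):
    """Map neighbor address -> (interface, state) from 'display ospf peer'."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            _rid, addr, _pri, _dead, iface, state = m.groups()
            peers[addr] = (iface, state)
    return peers


def parse_routes(text):
    """Map prefix -> (cost, type, next hop, advertising router) from 'display ospf routing'."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, cost, rtype, nexthop, advrouter, _area = m.groups()
            routes[prefix] = (int(cost), rtype, nexthop, advrouter)
    return routes


def check_diversion(peer_text, route_text, afc_ip=AFC_IP, protected=PROTECTED):
    """Return a list of findings; an empty list means the diversion looks healthy."""
    findings = []
    peers = parse_peers(peer_text)
    _iface, state = peers.get(afc_ip, (None, "missing"))
    if not state.startswith("Full"):
        findings.append(f"OSPF adjacency with AFC {afc_ip} is {state}, not Full")

    routes = parse_routes(route_text)
    expected = {f"{ip}/32" for ip in protected}
    for prefix in sorted(expected):
        entry = routes.get(prefix)
        if entry is None:
            findings.append(f"no host route for {prefix}: traffic is not diverted")
        elif entry[2] != afc_ip:
            findings.append(f"{prefix} points to {entry[2]}, not to the AFC")

    # Every /32 the AFC injects is honoured at preference 1, so a host route
    # that is not on the protected list diverts traffic nobody asked to protect.
    for prefix, (_cost, _type, nexthop, _adv) in sorted(routes.items()):
        if prefix.endswith("/32") and nexthop == afc_ip and prefix not in expected:
            findings.append(f"unexpected host route {prefix} via the AFC")
    return findings


if __name__ == "__main__":
    for finding in check_diversion(PEER_OUTPUT, ROUTING_OUTPUT) or ["diversion OK"]:
        print(finding)
```

Feed the function the live output of the two display commands (for example collected over SSH) instead of the embedded samples; the same check also tells you when a manual diversion has been left in place after an attack, because the /32 will still be there after the address is removed from the protected list.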

 

Step 15 Verify connectivity between the client and the protected server

Test whether the client can communicate with the server via ping.

[root@AFCTest_Client ~]# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0C:29:9D:1B:7A 

          inet addr:184.0.0.75  Bcast:184.0.0.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:257120 errors:0 dropped:0 overruns:0 frame:0

          TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:28882056 (27.5 MiB)  TX bytes:3460908912 (3.2 GiB)

[root@AFCTest_Client ~]# ping -c 5 171.0.3.21

PING 171.0.3.21 (171.0.3.21) 56(84) bytes of data.

64 bytes from 171.0.3.21: icmp_seq=1 ttl=124 time=0.799 ms

64 bytes from 171.0.3.21: icmp_seq=2 ttl=124 time=0.736 ms

64 bytes from 171.0.3.21: icmp_seq=3 ttl=124 time=0.862 ms

64 bytes from 171.0.3.21: icmp_seq=4 ttl=124 time=1.47 ms

64 bytes from 171.0.3.21: icmp_seq=5 ttl=124 time=1.02 ms

--- 171.0.3.21 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4006ms

rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms

 

 
