Login
- Table of Contents
-
- H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100
- 00-Preface
- 01-Series Deployment Single-Machine Single-Channel and Multi-Channel Configuration Example.
- 02-BGP Layer 3 Bypass Return Path Configuration Example
- 03-BGP Auto-Diversion Deployment with Bypass and Abnormal Traffic Detection System Example
- 04-TCP Port Protection Configuration Example
- 05-AFC Comprehensive Protection Configuration Example
- 06-Typical Configuration Examples of Traction Management Example
- 07-OSPF Layer 2 Reintroduction Configuration Example
- 08-Cascaded Cluster and Dual-Node Active-Standby Configuration Example
- 09-Bypass BGP Layer 2 Return Traffic Configuration Example
- 10-OSPF-Based Three-Layer Return Injection Configuration Example
- 11-BGP-Based Three-Layer Injection Configuration Example for Bypass Single-Device Multi-Channel Deployment Example
- 12-BGP-Based Three-Layer Injection Configuration Example for Bypass Multi-Device Cluster Deployment Example
- 13-Bypass GRE Layer 3 Return Injection Configuration Example
- 14-Typical Configuration for HTTPS CC Protection Example
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 13-Bypass GRE Layer 3 Return Injection Configuration Example | 445.30 KB |
Table of Contents
Traffic Cleaning Service Configuration Guide
Example of Typical Configuration for AFC Bypass GRE Layer 3 Re-injection
Configuration Example of GRE Layer 3 Return Injection Mode
Applicable Products and Versions
Feature Introduction
The H3C SecPath AFC is typically deployed in bypass mode alongside core network devices. While ensuring uninterrupted normal operations, it filters out DDoS attack traffic emerging from the lower-layer network, thereby safeguarding both the lower-layer network and high-priority customer network services.
The H3C SecPath AFC consists of two components: the H3C SecPath AFD and the H3C SecPath AFC.
The H3C SecPath AFD performs real-time attack detection and abnormal traffic analysis on user traffic that is replicated via mirroring or optical splitting.
The H3C SecPath AFC diverts user traffic under attack by advertising routes via BGP, filters out attack packets, and then injects the "clean" traffic back to the user. For route advertisement methods, one approach is to statically advertise BGP routes manually, while the other involves dynamically advertising detailed routes of the attacked hosts in coordination with the H3C SecPath AFD.
Both the H3C SecPath AFD and the H3C SecPath AFC can be deployed independently, and both can provide users with detailed traffic log analysis reports, attack event handling reports, and more.
Feature Usage
This document is not strictly tied to specific software or hardware versions. If there are discrepancies between the document and the actual product during use, please refer to the actual device conditions.
All configurations in this document were performed and verified in a laboratory environment. Before configuration, all device parameters were set to their factory default settings. If you have already configured the device, to ensure the configuration takes effect, please confirm that your existing configuration does not conflict with the examples provided below.
This document assumes that you are already familiar with data communication features such as VLAN, BGP, GRE Tunnel, and ACL.
Configuration Guide
The H3C SecPath AFC and The H3C SecPath AFD includes the basic configuration and service-related configuration of AFD and AFC devices, all of which are configured via the WEB interface. The basic configuration of the switches is performed through the command line. This configuration example assumes that the abnormal traffic cleaning devices are deployed in bypass mode and use BGP traffic redirection for traffic detection.
Traffic Cleaning Service Configuration Guide
· The AFC establishes a BGP neighbor relationship with the core device and advertises 32-bit static routes for the protected IPs to the core device, thereby redirecting traffic to the AFC.
· The AFC cleans the traffic directed to it by the core equipment, and then injects the cleaned normal user traffic back into the lower-layer network, further forwarding it to the intended destination devices.
· When the AFC reinjects the cleaned traffic back into the lower-layer network via GRE Tunnel encapsulation, there are two modes: source-port reinjection and pull-based reinjection.
Precautions
Different switches or routers from various manufacturers and models have different configuration commands. Please follow the device operation manual for configuration procedures.
Example of Typical Configuration for AFC Bypass GRE Layer 3 Re-injection
Introduction
This chapter describes the traffic forwarding method using Layer 3 GRE Tunnel injection after traffic steering with the BGP routing protocol during AFC bypass deployment.
Usage Restrictions
The application scenario of the three-layer backhaul mode is when the network devices connected downstream to the core equipment performing route steering with the AFC are three-layer switches or routers.
Configuration Example of GRE Layer 3 Return Injection Mode
Applicable Products and Versions
Software Version: H3C i-Ware Software, Version 7.1, ESS 6401, limited to IPv4 service address return routing.
Networking Requirements
To achieve traffic scrubbing for the protected IP 171.0.3.21, an abnormal traffic scrubbing system is deployed in bypass mode at the core switching equipment. The core switch R2 establishes a BGP neighbor relationship with the AFC device's interface GE1/0 through its interface G1/0/18 to divert and scrub traffic. A GRE tunnel is configured between R3 and the AFC device, and a GRE return policy is set up on the AFC device to enable the forwarding of scrubbed traffic back into the network.
The network topology is shown in the figure below.
Figure 3-1: Configuration and Networking Diagram for Three-Tier Return Injection Mode with AFC Bypass Deployment
The specific implementation is as follows:
· Host Route Advertisement: AFC establishes a BGP neighbor relationship with the core switch R2 via the GE1/0 interface. AFC advertises the 32-bit route of the protected IP to the core switch R2.
· Host Traffic Scrubbing: The core switch R2 diverts the protected host traffic to the AFC (Anti-DDoS Facility), which then applies scrubbing policies to filter out abnormal traffic within the host traffic.
· Traffic Re-injection: Establish a GRE tunnel between the downstream switch R3 and the AFC device, and configure a re-injection policy on the AFC to achieve forwarding of cleaned traffic.
Table 3-1 VLAN Allocation List
|
VLAN ID |
Function Description |
IP Address |
|
1710 |
· Establish a BGP neighbor relationship between the core switch R2 and the AFC. · AFC injects the cleaned traffic back into the core switch R2. |
171.0.0.1/24 |
|
1711 |
· The Layer 3 VLAN interface on the core switch R2 that connects to the lower-level network. · The lower-layer switch is connected to the Layer 3 VLAN interface of the core switch R2. |
171.0.1.1/24 171.0.1.2/24 |
|
1713 |
· The VLAN where the protected host is located. · The gateway address of the protected host. |
171.0.3.1/24 |
Table 3-2 AFC Interface IP Allocation List
|
Interface |
Function Description |
IP Address |
|
GE1/0 |
· Establish a BGP neighbor relationship between the core switch R2 and AFC. |
171.0.0.2/24 |
|
GE0/0 |
· AFC management port |
192.168.0.1/24 |
Configuration Approach
To achieve the AFC bypass deployment with BGP Layer 3 return mode configuration, follow the steps below:
Configure the basic network on the core switch R2
Configure the G1/0/17 interface of core switch R2 to interconnect with the G1/0/17 interface of the downstream switch R3.
Configure BGP neighbors on the core switch R2
Enable the BGP process on both the AFC and the core switch R2, and establish a neighbor relationship between them.
Configure the basic network on the lower-layer switch R3
Configure the G1/0/17 interface of the downstream switch R3 to interconnect with the G1/0/17 interface of the core switch R2.
Configure a GRE Tunnel on the downstream switch
Create Tunnel 0 (if it already exists, proceed to the next available number):
Tunnel Protocol GRE
Tunnel IP 192.168.255.100/24 // You can use any unused address in the current network, which can be a private address.
Source IP 171.0.1.2 // G1/0/17 Interface Address
Destination IP 171.0.0.10 // You can use any unused address in the live network, which can be a private address.
Configure a static route to the Tunnel Destination address 171.0.0.10, with the next-hop address as 171.0.1.1 (the peer interconnection address on G1/0/17).
AFC Device Service Port Configuration
Configure the IP address and port type of the AFC device's service port connected to the core switch R2 to enable communication with R2. Set the service port type to Single-arm Re-injection Interface mode (where traffic redirection and return use the same physical port).
AFC Device BGP Routing Configuration
Configure the BGP adjacency relationship between the AFC device and the core device to establish a peer-to-peer BGP connection on both sides.
AFC Device GRE Tunnel Configuration
Tunnel Name:Tunnel0 // It can be customized according to preferences.
Gre tunnel IP: 192.168.255.101 // As long as it is in the same subnet as the R3 tunnel0 IP.
Local IP: 171.0.0.10 //R3 Tunnel0 destination Address
Remote IP:171.0.1.2 //R3 Tunnel0 source Address
Configure GRE backhaul rules on the AFC device
Add backhaul rules on the AFC device, specifying the server address range 171.0.3.0/24 to be associated with GRE Tunnel0 for backhaul.
Traffic steering and cleansing on the AFC device
The AFC device performs traffic steering for user service addresses and cleans the user traffic according to the defense policy, then forwards the cleansed traffic back to the core device.
Configuration Steps
Configure the core switch R2 with basic network settings
Create VLANs 1710 and 1711, where:
VLAN 1710 corresponds to the 171.0.0.0/24 subnet, serving as the direct connection between R2's Layer 3 switch port and AFC GE1/0 for routing and traffic return.
VLAN 1711 corresponds to the 171.0.1.0/24 subnet, used for routing with lower-layer devices.
# Create VLAN
[R2]vlan 1710
[R2-vlan1710]quit
[R2]vlan 1711
[R2-vlan1711]quit
# Configure VLAN IP
[R2]interface Vlan-interface1710
[R2-Vlan-interface1710]IP address 171.0.0.1 255.255.255.0
[R2-Vlan-interface1710]quit
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]IP address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1710]quit
# Configure G1/0/17 Interface
[R2]int GigabitEthernet 1/0/17
[R2-GigabitEthernet1/0/17] port link-mode bridge
[R2-GigabitEthernet1/0/17] port access vlan 1711
# Check the configuration of port G1/0/17
[R2-GigabitEthernet1/0/17] dis this
interface GigabitEthernet1/0/17
port link-mode bridge
port access vlan 1711
# Configure G1/0/18 Interface
[R2]int GigabitEthernet 1/0/18
[R2-GigabitEthernet1/0/18] port link-mode bridge
[R2-GigabitEthernet1/0/18] port access vlan 1710
# Check the configuration of port G1/0/18
[R2-GigabitEthernet1/0/18] dis this
interface GigabitEthernet1/0/18
port link-mode bridge
port access vlan 1710
Configure BGP neighbor on the core switch R2
# Configure BGP with AS number 65535
[R2]bgp 65535
# Configure the Router ID of the router
[R2-bgp]router-id 171.0.0.1
[R2-bgp]undo synchronization
# Enable IPv4 unicast with the peer, allowing the local router to exchange IPv4 unicast routing information with the specified peer.
[R2-bgp] address-family IPv4
[R2-bgp-IPv4]peer 171.0.0.2 enable
# Configure the peer neighbor with the peer AS number 65534
[R2-bgp]peer 171.0.0.2 as-number 65534
# Configure the peer description, with the peer being AFC
[R2-bgp]peer 171.0.0.2 descrIPtion afc
# Assign a preference value to routes received from peers, where a smaller value indicates higher priority.
[R2-bgp]peer 171.0.0.2 preferred-value 1
[R2-bgp]peer 171.0.0.2 keep-all-routes
# Preserve all original routing information from peers/peer groups, even if these routes do not pass the configured inbound policies.
If the BGP IPv6 protocol is configured, you need to enter the BGP IPv6 unicast view.
Configure the basic network on the downstream switch R3
Create VLAN 1711 and VLAN 1713, where:
VLAN 1711 corresponds to the 171.0.1.0/24 subnet, serving as the directly connected routing network between the downstream switch R3 and the core switch R2.
VLAN 1713 corresponds to the 171.0.3.0/24 subnet, which is the subnet for the downstream network.
# Create VLAN
[R3]vlan 1711
[R3-vlan1711]quit
[R3]vlan 1713
[R3-vlan1713]quit
# Configure VLAN IP
[R3]int Vlan-interface 1711
[R3-Vlan-interface1711]IP address 171.0.1.2 24
[R3-Vlan-interface1711]quit
[R3]int Vlan-interface 1713
[R3-Vlan-interface1713]IP address 171.0.3.1 24
[R3-Vlan-interface1713]quit
# Configure G1/0/17Interface
[R2]int GigabitEthernet 1/0/17
[R2-GigabitEthernet1/0/17] port link-mode bridge
[R2-GigabitEthernet1/0/17] port access vlan 1711
# Check the configuration of port G1/0/17
[R2-GigabitEthernet1/0/17] dis this
interface GigabitEthernet1/0/17
port link-mode bridge
port access vlan 1711
# Configure G1/0/13 Interface
[R2]int GigabitEthernet 1/0/13
[R2-GigabitEthernet1/0/13] port link-mode bridge
[R2-GigabitEthernet1/0/13] port access vlan 1713
# Check the configuration of port G1/0/13
[R2-GigabitEthernet1/0/13] dis this
interface GigabitEthernet1/0/13
port link-mode bridge
port access vlan 1713
Configure GRE Tunnel on the Downstream Switch
# Create Tunnel 0 (if Tunnel 0 already exists, proceed to the next available number)
[R3] interface Tunnel 0
# Configure Tunnel 0 with the encapsulation protocol set to GRE.
[R3] interface Tunnel 0
[R3-Tunnel0] tunnel-protocol gre
# Configure the Tunnel IP as 192.168.255.100/24 (any unused address in the current network is acceptable, including private addresses).
[R3-Tunnel0] ip address 192.168.255.100 24
# Configure the Tunnel Source IP as 171.0.1.2 (the address of interface G1/0/17).
[R3-Tunnel0] ]source 171.0.1.2
# Configure the Tunnel Destination IP as 171.0.0.10 (any unused address in the live network is acceptable, including private addresses).
[R3-Tunnel0] destination 171.0.0.10
# Configure a static route to the Tunnel Destination IP 171.0.0.10, with the next hop set to 171.0.1.1 (the peer interconnection address on G1/0/17).
[R3-Tunnel0]quit
[R3]ip route-static 171.0.0.10 32 171.0.1.1
# Check the status of Tunnel 0
[R3] display interface tunnel0
Tunnel0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2022-06-02 02:59:29
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.255.100/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 171.0.1.2 (Vlanif1711), destination 171.0.0.10
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2022-06-02 02:59:39
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
Configuration of AFC Equipment Business Ports
To achieve the configuration of BGP Layer 3 backhaul mode for AFC bypass standalone deployment, follow the steps below for configuration:
Note: In the configuration steps, if there is an [Apply Config] button, you need to click it to make the configuration take effect. This will not be reiterated in the following text.
Log in to the AFC system page
Access the login page via browser: https://192.168.0.1:16010/ , with username "admin" and password "admin".
Figure 3-2: AFC System Login Page
AFC Address and Port Type Configuration
Navigate to [System] → [Device] → [Device Manage], click the [Setup] button on the right side of the device, select [Port Settings] in the left navigation bar, and click the [Modify] button to update the IP, subnet mask, port binding, and other information for GE1/0. (Initial deployment requires update Config to obtain the current device's network card settings.)
The IP address of GE1/0 is 171.0.0.2, with the port type set as Single-arm Re-injection Interface. The IPv4 last hop is the port address of the inbound interconnection switch (Core Switch G1/0/18), whose IP address is 171.0.0.1.
Figure 3-3 Configuration of GE1/0
BGP Routing Configuration for AFC Equipment
After configuring the address and port types, click the 【Route Configure】 menu at the bottom, select 【BGP Config】, check the Launch BGP, and click 【Apply Configure】. Follow the steps below to configure:
Local BGP Configuration:
Navigate to 【System】--【Device Manage】, click the 【Setup】 operation in the row corresponding to device 127.0.0.1, and enter 【Route Configure】--【BGP Config】 to perform the following operations:
Check 【Launch BGP】
· Local AS:65534 // AS number for the AFC equipment side
· Local Port:179 // Default port 179
Click 【Save】.
AFC Equipment Local BGP Configuration
Figure 3-4 Launch BGP
Neighbor BGP Configuration
Click the [Add] button to add BGP information:
· Opposite AS:65535 // When the core switch is already running BGP, enter the AS number of the core switch
· Opposite Port:179 // Default port is 179
· LocalPref/MED:100 // Default value is 100
· Opposite IP is the IPv4 last-hop address of GE1/0 port: 171.0.0.1.
Click [Save] to complete the addition of the neighbor address.
Figure 3-5: BGP Configuration for Neighbor in the H3C SecPath AFC
Apply BGP Configuration:
Click [Apply Configure] to activate the BGP settings.
Configure GRE Tunnel on AFC Device
Navigate to [Device Config] → [Gre Tunnel Config], then click [Add] to create a Gre Tunnel:
· Tunnel Name:Tunnel0 // Can be customized as preferred
· Gre tunnel IP: 192.168.255.101 //Must be in the same subnet as R3's tunnel0 IP
· Local IP: 171.0.0.10 //Destination address of R3's tunnel0
· Remote IP:171.0.1.2 //Source address of R3's tunnel0
Figure 3-6 Adding a Gre Tunnel to the AFC Device
Click [Apply Config] to save and activate the current settings.
AFC Device Configuration for GRE Return Injection Rules
Add GRE Return Injection Rule
Navigate to [Device Config] - [Rejection Config], click [Add] to create a return injection rule:
· Rule Category: Select IPv4
· Protected IP: 171.0.3.0
· Submask: 255.255.255.0
· TOS: 0 // Default value, no modification needed
· 8021P Priority: 0 // Default value, no modification needed
· Vlan ID: 0 // Default value, no modification needed
· Gre Tunnel: Select Tunnel0
· Label Distribution: Manual // Default value, no modification needed
· Mpls: 0 // Default value, no modification needed
· VPN Label: 0 // Default value, no modification needed
· Loading Balance: Source-Destination IP Load // Default value, no modification needed
· Level 2 Mac Find: Uncheck // Default value, no modification needed
· Select Traffic Re-injection Interface: Check GE1/0
Figure 3-7: Creating a GRE Return Rule
Click the [Save] button to save the current back-injection rule settings.
Apply Rejection Config
Return to the [Rejection Config] page, and click [Apply Config] to activate the return injection rule created in the previous step.
Figure 3-8: Apply Rejection Config
AFC Device Traffic Routing and Cleaning
Log in to the AFC device, navigate to [Steer Config] - [Traffic Steering Status], click [Hand Tow], and perform traffic diversion for the test address within the user's network. In this example, the diversion address is 171.0.3.21. Select the diversion operation "Traffic Steering ", then click [ensure] to complete the diversion process.
Figure 3-9 Traction user service address 171.0.3.21
After the traffic is directed to the AFC device, it can automatically use the default policy to clean and defend against DDoS attacks.
Configuration Verification
Verify whether the core switch R2 and the AFC device's cleaning service port are interconnected
Use the ping command to test whether the core switch R2 can communicate with the AFC router.
[R2]ping -a 171.0.0.1 171.0.0.2
PING 171.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 171.0.0.2: bytes=56 Sequence=1 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=2 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=3 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=4 ttl=64 time=3 ms
Reply from 171.0.0.2: bytes=56 Sequence=5 ttl=64 time=3 ms
--- 171.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trIP min/avg/max = 3/3/3 ms
Verify whether the BGP neighbor relationship between the core device and the AFC device has been established.
Log in to the core device and use the "display BGP peer" command to check the BGP establishment status.
[Sysname] display bgp peer
BGP local router ID : 171.0.0.1
Local AS number : 65535
Total number of peers : 1 Peers in established state : 1
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
171.0.0.2 65534 5 3 0 0 00:01:59 Established
Verify whether the routing redirection of the core switch R2 to the AFC is successful. If the redirection is successful, there should be a 32-bit route for this host.
Check the routing table of the core switch R2.
[R2]display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 171.0.0.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 171.0.3.21/32 171.0.0.2 0 1 65534i
Verify whether the communication between the client and the traffic diversion server is normal
Test whether the client can communicate with the service route via ping.
[root@AFCTest_Client ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:9D:1B:7A
inet addr:184.0.0.75 Bcast:184.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257120 errors:0 dropped:0 overruns:0 frame:0
TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28882056 (27.5 MiB) TX bytes:3460908912 (3.2 GiB)
[root@AFCTest_Client ~]# ping -c 5 171.0.3.21
PING 171.0.3.21 (171.0.3.21) 56(84) bytes of data.
64 bytes from 171.0.3.21: icmp_seq=1 ttl=124 time=0.799 ms
64 bytes from 171.0.3.21: icmp_seq=2 ttl=124 time=0.736 ms
64 bytes from 171.0.3.21: icmp_seq=3 ttl=124 time=0.862 ms
64 bytes from 171.0.3.21: icmp_seq=4 ttl=124 time=1.47 ms
64 bytes from 171.0.3.21: icmp_seq=5 ttl=124 time=1.02 ms
--- 171.0.1.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms