11-ACL and QoS Configuration Guide

HomeSupportResource CenterConfigure & DeployConfiguration GuidesH3C MSR1000[2600][3600] Routers Configuration Guides(V9)-R9119-6W10011-ACL and QoS Configuration Guide
06-Flowspec configuration
Title Size Download
06-Flowspec configuration 139.25 KB

Configuring Flowspec

About Flowspec

The flow specification (Flowspec) feature allows you to filter and manage illegal traffic in BGP networks, therefore mitigating the effects of DoS and DDoS attacks. Flowspec classifies attack traffic and takes action on classified traffic, such as drop, redirect, or rate limit.

Flowspec device roles

The following Flowspec device roles are involved in a Flowspec network:

·     Flowspec router—A BGP router in a BGP network, also called a Flowspec controller. A Flowspec router distributes Flowspec rules (match criteria and actions) to Flowspec edge routers through BGP updates.

·     Flowspec edge router—A BGP router in a BGP network, also called a Flowspec client. A Flowspec edge router receives Flowspec rules from a Flowspec router and applies the match criteria and actions to its forwarding plane.

When configuring Flowspec, select one BGP router as the Flowspec router and all other BGP routers as Flowspec edge routers.

Protocols and standards

RFC 5575: Dissemination of Flow Specification Rules

RFC 7674: Clarification of the Flowspec Redirect Extended Community

How Flowspec works

To support Flowspec, MP-BGP defines the Flowspec IPv4 address family and the Flowspec VPNv4 address family and introduces Flowspec Network Layer Reachability Information (NLRI), called Flowspec routes. Flowspec can distribute Flowspec rules (match criteria and actions) to the public network and VPN instances through the Flowspec IPv4 address family and the Flowspec VPNv4 address family.

As shown in Figure 1, the Flowspec router distributes Flowspec rules to Flowspec edge routers. After receiving Flowspec rules, a Flowspec edge router applies the criteria and actions to its forwarding plane. A Flowspec router can also distribute Flowspec rules to other ASs. This enables you to filter and control attack traffic on the device closest to the attack source.

Figure 1 How Flowspec works

 

Flowspec tasks at a glance

To configure Flowspec, perform the following tasks:

1.     Creating and activating a Flowspec rule

Perform this task only on the Flowspec router.

2.     Applying a Flowspec rule

¡     Applying a Flowspec rule to the public network

¡     Applying a Flowspec rule to a VPN instance

Perform this task only on the Flowspec router.

3.     Enabling BGP to distribute Flowspec rules

¡     Enabling BGP to distribute public network IPv4 Flowspec rules

¡     Enabling BGP to distribute private network Flowspec rules

¡     Enabling BGP to distribute VPNv4 Flowspec rules

Perform this task on both the Flowspec router and Flowspec edge routers.

4.     (Optional.) Configuring BGP Flowspec route reflection

Perform this task only on the Flowspec router.

Prerequisites for Flowspec configuration

Before you configure Flowspec, you must configure basic BGP functions on the Flowspec router and Flowspec edge routers. For information about configuring basic BGP functions, see Layer 3—IP Routing Configuration Guide.

Creating and activating a Flowspec rule

1.     Enter system view.

system-view

2.     Create a Flowspec rule and enter Flowspec rule view.

flow-route flowroute-name

3.     Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

4.     Apply an action.

apply action

5.     (Optional.) Display the match criteria and actions that are not committed.

check flow-route-configuration

6.     Commit match criteria and actions.

commit

By default, match criteria and actions are not committed.

Applying a Flowspec rule

Applying a Flowspec rule to the public network

1.     Enter system view.

system-view

2.     Enter Flowspec view.

flowspec

3.     Create a Flowspec IPv4 address family for the public network and enter its view.

address-family ipv4

4.     Apply a Flowspec rule to the public network.

flow-route flowroute-name

By default, no Flowspec rule is applied to the public network.

Applying a Flowspec rule to a VPN instance

1.     Enter system view.

system-view

2.     Configure a VPN instance.

a.     Create a VPN instance and enter VPN instance view.

ip vpn-instance vpn-instance-name

b.     Configure an RD for the VPN instance.

route-distinguisher route-distinguisher

By default, no RD is configured for a VPN instance.

c.     Configure route targets for the VPN instance.

vpn-target { vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ] }

By default, no route targets are configured.

For more information about the ip vpn-instance, route-distinguisher, and vpn-target commands, see MPLS L3VPN commands in MPLS Command Reference.

3.     Enter the IPv4 Flowspec address family view of the VPN instance.

address-family ipv4 flowspec

4.     Configure route targets for the IPv4 Flowspec address family.

vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]

By default, no route targets are configured for the IPv4 Flowspec address family.

The route targets configured must be the same as the route targets configured previously for the VPN instance.

5.     Execute the quit command twice to return to system view.

6.     Enter Flowspec view.

flowspec

7.     Create a Flowspec IPv4 address family and associate the address family with the VPN instance.

address-family ipv4 vpn-instance vpn-instance-name

8.     Apply a Flowspec rule to the Flowspec IPv4 VPN instance address family.

flow-route flowroute-name

By default, no Flowspec rule is applied to a Flowspec IPv4 VPN instance address family.

Enabling BGP to distribute Flowspec rules

About BGP Flowspec rule distribution

By default, the device validates received Flowspec rules and their redirection next hops (if present).

A Flowspec rule is valid if the following conditions exist:

·     The Flowspec rule contains a destination address match criterion.

·     The device that receives the rule has routes with the destination address for matching as their destination address.

For the device to take the action on matching traffic without validation, disable validation of Flowspec rules.

A redirection next hop is valid if the following conditions exist:

·     A route exists on the device with the redirection next hop as the route's next hop.

·     The next hop IP address and the device are in the same AS.

For the device to take the action of redirecting traffic to a next hop without validation, disable validation of the redirection next hops.

The BGP Flowspec rule distribution feature not only distributes Flowspec rules in BGP routes to Flowspec edge routers but also makes those Flowspec rules take effect on the Flowspec router itself.

Restrictions and guidelines for enabling BGP to distribute Flowspec rules

For more information about the bgp and peer enable commands, see Layer 3—IP Routing Command Reference.

Enabling BGP to distribute public network IPv4 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Disable validation of Flowspec rules from BGP Flowspec peers.

peer { group-name | ip-address [ mask-length ] } validation-disable

By default, Flowspec rules from BGP Flowspec peers are validated.

5.     (Optional.) Disable validation of the redirection next hops in Flowspec rules from BGP Flowspec peers.

peer { group-name | ip-address [ mask-length ] } validation-redirect-disable

By default, the redirection next hops in Flowspec rules from BGP Flowspec peers are validated.

6.     (Optional.) Configure the device to not change the next hop of routes advertised to EBGP peers.

peer { group-name | ip-address [ mask-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of routes advertised to EBGP peers.

Enabling BGP to distribute private network Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Disable validation of Flowspec rules from BGP Flowspec peers.

peer { group-name | ip-address [ mask-length ] } validation-disable

By default, Flowspec rules from BGP Flowspec peers are validated.

5.     (Optional.) Disable validation of the redirection next hops in Flowspec rules from BGP Flowspec peers.

peer { group-name | ip-address [ mask-length ] } validation-redirect-disable

6.     (Optional.) Configure the device to not change the next hop of routes advertised to EBGP peers.

peer { group-name | ip-address [ mask-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of routes advertised to EBGP peers.

Enabling BGP to distribute VPNv4 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Configure the device to not change the next hop of routes advertised to EBGP peers.

peer { group-name | ip-address [ mask-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of routes advertised to EBGP peers.

Configuring BGP Flowspec route reflection

About Flowspec route reflection

Route reflection reduces the number of IBGP connections in an AS. In an AS, you can configure a BGP route reflector and its clients. The route reflector and its clients automatically form a cluster identified by the router ID of the route reflector. The route reflector forwards route updates among its clients, which do not need to establish connections with one another.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Configure the router as a route reflector and specify a peer or peer group as its client.

peer { group-name | ipv4-address [ mask-length ] } reflect-client

By default, no route reflector or client is configured.

4.     (Optional.) Disable route target filtering for received BGP VPNv4 Flowspec routes.

undo policy vpn-target

By default, route target filtering is enabled for received VPNv4 routes. The VPNv4 routes whose export route target attribute matches the local import route target attribute are added to the routing table.

This command is available only in BGP VPNv4 Flowspec address family view.

5.     (Optional.) Enable route reflection between clients.

reflect between-clients

By default, route reflection between clients is enabled.

6.     (Optional.) Configure the cluster ID of the route reflector.

reflector cluster-id { cluster-id | ipv4-address }

By default, a route reflector uses its own router ID as the cluster ID.

Display and maintenance commands for Flowspec

For more information about the commands not covered in this feature, see Layer 3—IP Routing Command Reference.

Execute the display commands in any view and the reset and refresh commands in user view.

 

Task

Command

Display BGP Flowspec peer information.

display bgp [ instance instance-name ] peer ipv4 flowspec [ vpn-instance vpn-instance-name ] [ ipv4-address mask-length | { ipv4-address | group-name group-name } log-info | [ ipv4-address ] verbose ]

Display BGP Flowspec peer group information.

display bgp [ instance instance-name ] group ipv4  flowspec [ vpn-instance vpn-instance-name ] [ group-name group-name ]

Display BGP VPNv4 Flowspec peer information.

display bgp [ instance instance-name ] peer vpnv4 flowspec [ ipv4-address mask-length | { ipv4-address | group-name group-name } log-info | [ ipv4-address ] verbose ]

Display BGP IPv4 Flowspec routing information.

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] [ flowspec-prefix [ advertise-info ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] peer ipv4-address { advertised-routes | received-routes } [ flowspec-prefix | statistics ]

Display BGP VPNv4 Flowspec routing information.

display bgp [ instance instance-name ] routing-table vpnv4 flowspec [ peer ipv4-address { advertised-routes | received-routes } [ flowspec-prefix | statistics ] | [ route-distinguisher route-distinguisher ] [ flowspec-prefix [ advertise-info ] ] | statistics ]

Display BGP IPv4 Flowspec update group information.

display bgp [ instance instance-name ] update-group ipv4 flowspec [ ipv4-address ]

Display BGP VPNv4 Flowspec update group information.

display bgp [ instance instance-name ] update-group vpnv4 flowspec [ ipv4-address ]

Display Flowspec rule information.

In standalone mode:

display flow-route { all | flow-route-id | ip [ vpn-instance vpn-instance-name ] }

In IRF mode:

display flow-route { all | flow-route-id | ip [ vpn-instance vpn-instance-name ] } [ slot slot-number ]

Reset all BGP sessions.

refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | all | external | group group-name | internal } { export | import } ipv4 flowspec [ vpn-instance vpn-instance-name ]

Reset BGP sessions for a VPNv4 address family.

refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | all | external | group group-name | internal } { export | import } vpnv4 flowspec [ vpn-instance vpn-instance-name ]

Reset BGP sessions for a BGP IPv4 Flowspec address family.

reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | all | external | group group-name | internal } ipv4 flowspec [ vpn-instance vpn-instance-name ]

Reset BGP sessions for a BGP VPNv4 Flowspec address family.

reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | all | external | internal | group group-name } vpnv4 flowspec [ vpn-instance vpn-instance-name ]

Clear Flowspec rule statistics.

reset flow-route statistics { all | flow-route-id | ip [ vpn-instance vpn-instance-name ] }

 

Flowspec configuration examples

Example: Configuring Flowspec

Network configuration

As shown in Figure 2, all routers run BGP. Device A is a Flowspec router, and Device B is a Flowspec edge router.

Configure Flowspec to limit the rate of incoming packets with destination IP address 1.1.1.0/24 and port 10 on Device B.

Figure 2 Network diagram

Procedure

1.     Assign IP addresses to interfaces. (Details not shown.)

2.     Configure Device A:

# Configure a BGP connection.

<DeviceA> system-view

[DeviceA] bgp 100

[DeviceA-bgp-default] peer 10.1.1.2 as-number 200

[DeviceA-bgp-default] address-family ipv4 flowspec

[DeviceA-bgp-default-flowspec-ipv4] peer 10.1.1.2 enable

[DeviceA-bgp-default-flowspec-ipv4] peer 10.1.1.2 validation-disable

[DeviceA-bgp-flowspec-ipv4] quit

[DeviceA-bgp-default] quit

# Configure a Flowspec rule.

[DeviceA] flow-route route1

[DeviceA-flow-route-route1] if-match destination-ip 1.1.1.0 24

[DeviceA-flow-route-route1] if-match destination-port 10

[DeviceA-flow-route-route1] apply traffic-rate 20

[DeviceA-flow-route-route1] check flow-route-configuration

Traffic filtering rules:

 Destination ip   :  1.1.1.0 255.255.255.0

 Destination port :  10

Traffic filtering actions:

 Traffic rate : 20(kbps)

[DeviceA-flow-route-route1] commit

[DeviceA-flow-route-route1] quit

# Apply the Flowspec rule to the public network.

[DeviceA] flowspec

[DeviceA-flowspec] address-family ipv4

[DeviceA-flowspec-ipv4] flow-route route1

[DeviceA-flowspec-ipv4] quit

3.     Configure Device B:

# Configure a BGP connection.

<DeviceB> system-view

[DeviceB] bgp 200

[DeviceB-bgp-default] peer 10.1.1.1 as-number 100

[DeviceB-bgp-default] address-family ipv4 flowspec

[DeviceB-bgp-default-flowspec-ipv4] peer 10.1.1.1 enable

[DeviceB-bgp-default-flowspec-ipv4] peer 10.1.1.1 validation-disable

[DeviceB-bgp-default-flowspec-ipv4] quit

[DeviceB-bgp-default] quit

Verifying the configuration

# On Device A, display BGP IPv4 Flowspec peer information.

[DeviceA] display bgp peer ipv4 flowspec

 BGP local router ID: 192.168.150.1

 Local AS number: 100

 Total number of peers: 1                 Peers in established state: 1

  * - Dynamically created peer

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

  10.1.1.2               200       10       12    0       0 00:06:40 Established

# On Device B, display BGP IPv4 Flowspec peer information.

[DeviceB] display bgp peer ipv4 flowspec

BGP local router ID: 192.168.150.2

 Local AS number: 200

 Total number of peers: 1                 Peers in established state: 1

  * - Dynamically created peer

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

  10.1.1.1               100       10       12    0       0 00:06:40 Established

# On Device B, display BGP IPv4 Flowspec routing information.

[DeviceB] display bgp routing-table ipv4 flowspec

Total number of routes: 1

 

 BGP local router ID is 192.168.150.2

 Status codes: * - valid, > - best, d - dampened, h - history

               s - suppressed, S - stale, i - internal, e - external

               a - additional-path

       Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.1.1.0/24/40

                        0.0.0.0                    100        0       ?

# On Device B, display information about all Flowspec rules.

<DeviceB> display flow-route ipv4 all

Total number of flow-routes: 1

 

Flow-Route (ID 0x0)

  BGP instance : default

  Traffic filtering rules:

   Destination IP   : 1.1.1.0 255.255.255.0

   Destination port : 10

  Traffic filtering actions:

   Traffic rate          : 20(kbps)