12-ACL and QoS Configuration Guide

06-Flowspec configuration

Contents

Configuring Flowspec

About Flowspec

Flowspec device roles

How Flowspec works

Protocols and standards

Prerequisites for Flowspec configuration

Restrictions and guidelines: Flowspec configuration

Configuring IPv4 Flowspec

IPv4 Flowspec tasks at a glance

Creating and activating an IPv4 Flowspec rule

Configuring a Flowspec interface group

Applying an IPv4 Flowspec rule

Enabling BGP to distribute IPv4 Flowspec rules

Using the destination address in an IPv4 Flowspec rule to match routing policies

Disabling the actions in IPv4 Flowspec rules

Configuring BGP Flowspec route reflection

Limiting the number of IPv4 Flowspec rules from a peer or peer group

Advertising the COMMUNITY attribute to a peer or peer group

Preferring routes learned from the specified peer or peer group during optimal route selection

Disabling IPv4 Flowspec on an interface

Configuring an interface as the input interface for cleaned traffic

Configuring IPv6 Flowspec

IPv6 Flowspec tasks at a glance

Creating and activating an IPv6 Flowspec rule

Configuring a Flowspec interface group

Applying an IPv6 Flowspec rule

Enabling BGP to distribute IPv6 Flowspec rules

Using the destination address in an IPv6 Flowspec rule to match routing policies

Disabling the actions in IPv6 Flowspec rules

Configuring BGP Flowspec route reflection

Limiting the number of IPv6 Flowspec rules from a peer or peer group

Advertising the COMMUNITY attribute to a peer or peer group

Preferring routes learned from the specified peer or peer group during optimal route selection

Disabling IPv6 Flowspec on an interface

Configuring an interface as the input interface for cleaned traffic

Display and maintenance commands for Flowspec

Flowspec configuration examples

Example: Configuring IPv4 Flowspec


Configuring Flowspec

About Flowspec

The flow specification (Flowspec) feature allows you to filter and manage illegal traffic in BGP networks, thereby mitigating the effects of DoS and DDoS attacks. Flowspec classifies attack traffic and takes an action on the classified traffic, such as drop, redirect, or rate limit.

Flowspec device roles

The following Flowspec device roles are involved in a Flowspec network:

·     Flowspec router—A BGP router in a BGP network, also called a Flowspec controller. A Flowspec router distributes Flowspec rules (match criteria and actions) to Flowspec edge routers through BGP updates.

·     Flowspec edge router—A BGP router in a BGP network, also called a Flowspec client. A Flowspec edge router receives Flowspec rules from a Flowspec router and applies the match criteria and actions to its forwarding plane.

When configuring Flowspec, select one BGP router as the Flowspec router and all other BGP routers as Flowspec edge routers.

How Flowspec works

To support Flowspec, MP-BGP defines the Flowspec IPv4 address family, Flowspec VPNv4 address family, Flowspec IPv6 address family, and Flowspec VPNv6 address family, and introduces Flowspec Network Layer Reachability Information (NLRI), called Flowspec routes. Flowspec can distribute Flowspec rules (match criteria and actions) to the public network and VPN instances through the defined address families.

As shown in Figure 1, the Flowspec router distributes Flowspec rules to Flowspec edge routers. After receiving Flowspec rules, a Flowspec edge router applies the criteria and actions to its forwarding plane. A Flowspec router can also distribute Flowspec rules to other ASs. This enables you to filter and control attack traffic on the device closest to the attack source.

Figure 1 How Flowspec works

Protocols and standards

·     RFC 5575, Dissemination of Flow Specification Rules

·     RFC 7674, Clarification of the Flowspec Redirect Extended Community

·     draft-ietf-idr-bgp-prefix-sid

·     draft-ietf-idr-flowspec-path-redirect

·     draft-ietf-spring-segment-routing-policy

Prerequisites for Flowspec configuration

Before you configure Flowspec, you must configure basic BGP functions on the Flowspec router and Flowspec edge routers. For information about configuring basic BGP functions, see Layer 3—IP Routing Configuration Guide.

Restrictions and guidelines: Flowspec configuration

As a best practice, do not use the apply extcommunity color command when you apply a routing policy to Flowspec rules received from or sent to peers or peer groups. The color extended community attribute takes effect only if the traffic is redirected to an SR-MPLS TE policy or SRv6 TE policy.

For the color extended community attribute to take effect, you must also configure the action of redirecting traffic to a next hop. Additionally, make sure the next-hop address and the SR-MPLS TE policy or SRv6 TE policy exist on the Flowspec edge router.

This feature is available only for the following cards:

 

Card category | Cards
CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1
CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA
SPE | RX-SPE200, RX-SPE200-E

Configuring IPv4 Flowspec

IPv4 Flowspec tasks at a glance

To configure IPv4 Flowspec, perform the following tasks:

1.     Creating and activating an IPv4 Flowspec rule

Perform this task only on the Flowspec router.

2.     (Optional.) Configuring a Flowspec interface group

3.     Applying an IPv4 Flowspec rule

◦     Applying an IPv4 Flowspec rule to the public network

◦     Applying an IPv4 Flowspec rule to a VPN instance

Perform this task only on the Flowspec router.

4.     Enabling BGP to distribute IPv4 Flowspec rules

◦     Enabling BGP to distribute public network IPv4 Flowspec rules

◦     Enabling BGP to distribute private network IPv4 Flowspec rules

◦     Enabling BGP to distribute VPNv4 Flowspec rules

Perform this task on both the Flowspec router and Flowspec edge routers.

5.     (Optional.) Using the destination address in an IPv4 Flowspec rule to match routing policies

Perform this task on both the Flowspec router and Flowspec edge routers.

6.     (Optional.) Disabling the actions in IPv4 Flowspec rules

Perform this task on Flowspec edge routers.

7.     (Optional.) Configuring BGP Flowspec route reflection

Perform this task only on the Flowspec router.

8.     (Optional.) Limiting the number of IPv4 Flowspec rules from a peer or peer group

Perform this task on Flowspec edge routers.

9.     (Optional.) Advertising the COMMUNITY attribute to a peer or peer group

Perform this task on Flowspec routers.

10.     (Optional.) Preferring routes learned from the specified peer or peer group during optimal route selection

11.     (Optional.) Disabling IPv4 Flowspec on an interface

12.     (Optional.) Configuring an interface as the input interface for cleaned traffic

Creating and activating an IPv4 Flowspec rule

1.     Enter system view.

system-view

2.     Create an IPv4 Flowspec rule and enter IPv4 Flowspec rule view.

flow-route flowroute-name

3.     Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

4.     Configure an action. Choose one option as needed:

◦     Drop packets.

apply action

◦     Redirect packets to a next hop.

apply redirect next-hop { ipv4-address [ copy-mode ] | ipv6-address }

◦     Redirect packets to an SR-MPLS TE policy.

apply redirect next-hop ipv4-address color color

◦     Redirect packets to an SRv6 TE policy.

apply redirect next-hop ipv6-address color color [ sid sid-value ]

In standard system operating mode, this command is available only for the following cards:

 

Card category | Cards
CEPC | CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1
CSPEX | CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA
SPE | RX-SPE200-E

In SDN-WAN system operating mode, this command is available only for the following cards:

 

Card category | Cards
CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1
CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA
SPE | RX-SPE200, RX-SPE200-E

◦     Redirect packets to an SRv6 BE tunnel.

apply redirect next-hop ipv6-address sid sid-value [ prefix-length prefix-length ]

In standard system operating mode, this command is available only for the following cards:

 

Card category | Cards
CEPC | CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1
CSPEX | CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA
SPE | RX-SPE200-E

In SDN-WAN system operating mode, this command is available only for the following cards:

 

Card category | Cards
CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1
CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA
SPE | RX-SPE200, RX-SPE200-E

◦     Redirect packets to a tunnel interface.

apply redirect tunnel-id tunnel-id

◦     Redirect packets to a route target.

apply redirect vpn-target import-vpn-target

◦     Mark packets with a DSCP value.

apply remark-dscp dscp-value

◦     Rate limit packets.

apply traffic-rate rate

◦     Sample packets.

apply traffic-sampling

By default, no action is configured.

5.     (Optional.) Display the match criteria and actions that are not committed.

check flow-route-configuration

6.     Commit match criteria and actions.

commit

By default, match criteria and actions are not committed.

Configuring a Flowspec interface group

About this task

By default, a Flowspec router applies a received Flowspec rule to all interfaces on the device. To apply a received Flowspec rule to only some interfaces, create a Flowspec interface group and add those interfaces to it.

Restrictions and guidelines

An interface can belong to only one Flowspec interface group.

Procedure

1.     Enter system view.

system-view

2.     Create a Flowspec interface group and enter its view.

flowspec flow-interface-group group-id

3.     (Optional.) Configure a description for the Flowspec interface group.

description text

4.     Add an interface to the Flowspec interface group.

interface interface-type interface-number

By default, a Flowspec interface group does not contain any interfaces.

Applying an IPv4 Flowspec rule

Restrictions and guidelines

To associate a Flowspec rule already applied in Flowspec IPv4 address family view with a Flowspec interface group, first execute the undo flow-route command to remove the Flowspec rule from the Flowspec IPv4 address family.

A Flowspec rule can be associated with more than one Flowspec interface group, and vice versa.

Applying an IPv4 Flowspec rule to the public network

1.     Enter system view.

system-view

2.     Enter Flowspec view.

flowspec

3.     Create a Flowspec IPv4 address family for the public network and enter its view.

address-family ipv4

4.     Apply an IPv4 Flowspec rule to the public network. Choose one option as needed:

◦     Apply an IPv4 Flowspec rule.

flow-route flowroute-name

By default, no IPv4 Flowspec rule is applied to the public network.

◦     Apply an IPv4 Flowspec rule and associate it with a Flowspec interface group.

flow-route flowroute-name flow-interface-group group-id

By default, no IPv4 Flowspec rule is applied to the public network, and no Flowspec interface group is associated with an IPv4 Flowspec rule.

Applying an IPv4 Flowspec rule to a VPN instance

1.     Enter system view.

system-view

2.     Configure a VPN instance.

a.     Create a VPN instance and enter VPN instance view.

ip vpn-instance vpn-instance-name

b.     Configure an RD for the VPN instance.

route-distinguisher route-distinguisher

By default, no RD is configured for a VPN instance.

c.     Configure route targets for the VPN instance.

vpn-target { vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ] }

By default, no route targets are configured.

For more information about the ip vpn-instance, route-distinguisher, and vpn-target commands, see MPLS L3VPN commands in MPLS Command Reference.

3.     Enter the IPv4 Flowspec address family view of the VPN instance.

address-family ipv4 flowspec

4.     Configure an RD for the IPv4 Flowspec address family.

route-distinguisher route-distinguisher

By default, no RD is configured for the IPv4 Flowspec address family.

5.     Configure route targets for the IPv4 Flowspec address family.

vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]

By default, no route targets are configured for the IPv4 Flowspec address family.

The route targets configured must be the same as the route targets configured previously for the VPN instance.

6.     Execute the quit command twice to return to system view.

7.     Enter Flowspec view.

flowspec

8.     Create a Flowspec IPv4 address family and associate the address family with the VPN instance.

address-family ipv4 vpn-instance vpn-instance-name

9.     Apply an IPv4 Flowspec rule to the Flowspec IPv4 VPN instance address family. Choose one option as needed:

◦     Apply an IPv4 Flowspec rule.

flow-route flowroute-name

By default, no IPv4 Flowspec rule is applied to a Flowspec IPv4 VPN instance address family.

◦     Apply an IPv4 Flowspec rule and associate it with a Flowspec interface group.

flow-route flowroute-name flow-interface-group group-id

By default, no IPv4 Flowspec rule is applied to the public network, and no Flowspec interface group is associated with an IPv4 Flowspec rule.

Enabling BGP to distribute IPv4 Flowspec rules

About BGP Flowspec rule distribution

By default, the device validates received IPv4 Flowspec rules and their redirection next hops (if present).

An IPv4 Flowspec rule is valid if the following conditions exist:

·     The Flowspec rule contains a destination address match criterion.

·     The device that receives the rule has routes whose destination address is the destination address in the match criterion.

If addresses in an AS are trusted and do not require validation, you can configure destination match criterion validation only for IPv4 Flowspec rules that contain the AS_SET or AS_SEQ AS_Path attribute.

For the device to take the action on matching traffic without validation, disable validation of IPv4 Flowspec rules.

A redirection next hop is valid if the following conditions exist:

·     A route exists on the device with the redirection next hop as the route's next hop.

·     The next hop IP address and the device are in the same AS.

For the device to take the action of redirecting traffic to a next hop without validation, disable validation of the redirection next hops.

The BGP Flowspec rule distribution feature not only distributes IPv4 Flowspec rules in BGP routes to Flowspec edge routers but also makes those IPv4 Flowspec rules take effect on the Flowspec router itself.

Restrictions and guidelines for enabling BGP to distribute Flowspec rules

For more information about the bgp and peer enable commands, see Layer 3—IP Routing Command Reference.

Enabling BGP to distribute public network IPv4 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Validate destination address match criteria for only IPv4 Flowspec routes that contain the AS_SET or AS_SEQ AS_Path attribute.

route validation-mode include-as

By default, destination address match criteria are validated for all IPv4 Flowspec routes.

5.     (Optional.) Disable validation of IPv4 Flowspec rules from BGP Flowspec peers.

peer { group-name | ip-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-disable

By default, IPv4 Flowspec rules from BGP Flowspec peers will be validated.

6.     (Optional.) Disable validation of the redirection next hops in IPv4 Flowspec rules from BGP Flowspec peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-redirect-disable

By default, the redirection next hops in IPv4 Flowspec rules from BGP Flowspec peers will be validated.

7.     (Optional.) Configure the device to not change the next hop of routes advertised to EBGP peers.

peer { group-name | ip-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of IPv4 routes advertised to EBGP peers.

8.     (Optional.) Enable recursion to tunnels for IPv4 Flowspec rules with an action of redirecting to a next hop.

redirect ip recursive-lookup tunnel [ tunnel-selector tunnel-selector-name ]

By default, recursion to tunnels is disabled for IPv4 Flowspec rules with an action of redirecting to a next hop.

9.     (Optional.) Configure the attribute ID for the redirection next hop in IPv4 Flowspec rules as the RFC-specified 0x010C.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

By default, the attribute ID for the redirection next hop in static IPv4 Flowspec rules is 0x0800.

10.     (Optional.) Configure the attribute ID for the redirection VPN target in IPv4 Flowspec rules as the RFC-specified 0x000D.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

By default, the attribute ID for the redirection VPN target in static IPv4 Flowspec rules is 0x800B.

11.     (Optional.) Disable the actions of redirection to next hops in IPv4 Flowspec rules.

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect-nexthop

By default, the actions of redirection to next hops in IPv4 Flowspec rules are applied.

Enabling BGP to distribute private network IPv4 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Validate destination address match criteria for only IPv4 Flowspec rules that contain the AS_SET or AS_SEQ AS_Path attribute.

route validation-mode include-as

By default, destination address match criteria are validated for all IPv4 Flowspec rules.

5.     (Optional.) Disable validation of IPv4 Flowspec rules from BGP Flowspec peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-disable

By default, IPv4 Flowspec rules from BGP Flowspec peers are validated.

6.     (Optional.) Disable validation of the redirection next hops in IPv4 Flowspec rules from BGP Flowspec peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-redirect-disable

7.     (Optional.) Configure the device to not change the next hop of routes advertised to EBGP peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of IPv4 routes advertised to EBGP peers.

8.     (Optional.) Configure the attribute ID for the redirection next hop in IPv4 Flowspec rules as the RFC-specified 0x010C.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

By default, the attribute ID for the redirection next hop in static IPv4 Flowspec rules is 0x0800.

9.     (Optional.) Configure the attribute ID for the redirection VPN target in IPv4 Flowspec rules as the RFC-specified 0x000D.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

By default, the attribute ID for the redirection VPN target in static IPv4 Flowspec rules is 0x800B.

10.     (Optional.) Disable the actions of redirection to next hops in IPv4 Flowspec rules.

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect-nexthop

By default, the actions of redirection to next hops in IPv4 Flowspec rules are applied.

Enabling BGP to distribute VPNv4 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Configure the device to not change the next hop of VPNv4 routes advertised to EBGP peers.

peer { group-name | ip-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of VPNv4 routes advertised to EBGP peers.

5.     (Optional.) Configure the attribute ID for the redirection next hop in IPv4 Flowspec rules as the RFC-specified 0x010C.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

By default, the attribute ID for the redirection next hop in static IPv4 Flowspec rules is 0x0800.

6.     (Optional.) Configure the attribute ID for the redirection VPN target in IPv4 Flowspec rules as the RFC-specified 0x000D.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

By default, the attribute ID for the redirection VPN target in static IPv4 Flowspec rules is 0x800B.

Using the destination address in an IPv4 Flowspec rule to match routing policies

About this task

An IPv4 Flowspec rule does not carry route prefix information. By default, the device uses the routing policy that matches the destination in an IPv4 Flowspec rule to filter or modify the Flowspec rule. The device uses route prefix 0.0.0.0/0 to match the destination address in a routing policy for all IPv4 Flowspec rules. Therefore, the device cannot perform accurate filtering and route attribute control on IPv4 Flowspec rules.

Perform this task to use the destination address in an IPv4 Flowspec rule as the route prefix to match routing policies. This allows you to flexibly filter or modify IPv4 Flowspec rules.

Restrictions and guidelines

Configure a destination address match criterion in IPv4 Flowspec rules before configuring this function.

This function must be used with the peer route-policy command, and a destination address match criterion must be configured in the routing policy. For more information about the peer route-policy command, see BGP commands in Layer 3—IP Routing Command Reference.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

◦     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Apply a routing policy to routes incoming from or outgoing to a peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } route-policy route-policy-name { export | import }

By default, no routing policy is applied to routes incoming from or outgoing to a peer or peer group.

4.     Use the destination address in Flowspec rules to match routing policies.

route match-destination

By default, route prefix 0.0.0.0/0 is used to match routing policies.

Disabling the actions in IPv4 Flowspec rules

About this task

If you perform this task, BGP will not notify the QoS module to take the actions in matching IPv4 Flowspec rules.

If you specify a routing policy that contains a destination address match criterion, BGP filters IPv4 Flowspec rules as follows:

·     If the route match-destination command is not executed, BGP uses route prefix 0.0.0.0/0 to match the destination address match criterion in the routing policy, and all IPv4 Flowspec rules are matched.

·     If the route match-destination command is executed, BGP uses the destination address in IPv4 Flowspec rules to match the destination address match criterion in the routing policy.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

◦     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Disable the actions in IPv4 Flowspec rules.

routing-table bgp-rib-only [ route-policy route-policy-name ]

By default, actions in Flowspec rules are executed.

Configuring BGP Flowspec route reflection

About this task

Route reflection reduces the number of IBGP connections in an AS. In an AS, you can configure a BGP route reflector and its clients. The route reflector and its clients automatically form a cluster identified by the router ID of the route reflector. The route reflector forwards route updates among its clients, which do not need to establish connections with one another.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

◦     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Configure the router as a route reflector and specify a peer or peer group as its client.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } reflect-client

By default, no route reflector or client is configured.

4.     (Optional.) Disable route target filtering for received BGP VPNv4 Flowspec routes.

undo policy vpn-target

By default, route target filtering is enabled for received VPNv4 routes. The VPNv4 routes whose export route target attribute matches the local import route target attribute are added to the routing table.

This command is available only in BGP VPNv4 Flowspec address family view.

5.     (Optional.) Enable route reflection between clients.

reflect between-clients

By default, route reflection between clients is enabled.

6.     (Optional.) Configure the cluster ID of the route reflector.

reflector cluster-id { cluster-id | ipv4-address }

By default, a route reflector uses its own router ID as the cluster ID.

Limiting the number of IPv4 Flowspec rules from a peer or peer group

About this task

Perform this task to prevent attackers from launching attacks by sending a large number of Flowspec rules.

When the number of Flowspec rules received from a peer or peer group exceeds the maximum number, the device can take one of the following actions:

·     Disconnect the BGP sessions with the peer or peer group and do not re-establish them.

·     Keep the BGP sessions with the peer or peer group, continue to receive Flowspec rules, and generate logs.

·     Keep the BGP sessions with the peer or peer group, drop subsequent Flowspec rules, and generate logs.

·     Disconnect the BGP sessions with the peer or peer group, and re-establish them after a period of time.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

◦     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Configure the maximum number of IPv4 Flowspec rules from a peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } route-limit prefix-number [ { alert-only | discard | reconnect reconnect-time } | percentage-value ] *

By default, the number of IPv4 Flowspec rules from a peer or peer group is not limited.
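The following Python script is an added example, not part of the H3C guide. It audits a configuration listing for the two safeguards described above (validation of received rules and redirection next hops, and the per-peer rule limit) and reports every enabled Flowspec peer that has either one switched off or missing. The sample configuration, its indentation style, the addresses and the finding names are constructed assumptions; only the command keywords come from this page.

```python
import re
from collections import namedtuple

# Constructed sample, laid out like an indented configuration listing
# (the layout is an assumption); AS number, peers and VPN name are made up.
SAMPLE_CONFIG = """\
bgp 65001
 address-family ipv4 flowspec
  peer 10.0.0.2 enable
  peer 10.0.0.2 route-limit 500 discard
  peer 192.0.2.9 enable
  peer 192.0.2.9 validation-disable
  peer 192.0.2.9 validation-redirect-disable
 #
 ip vpn-instance vpn1
  address-family ipv4 flowspec
   peer 10.1.1.2 enable
   peer 10.1.1.2 route-limit 200 alert-only
 #
 address-family vpnv4 flowspec
  peer 10.0.0.3 enable
  peer 10.0.0.3 route-limit 1000 reconnect 30
#
"""

Finding = namedtuple("Finding", "view peer issue")

VIEW_PREFIXES = ("bgp ", "ip vpn-instance ", "address-family ")
FLOWSPEC_AF = re.compile(r"address-family (ipv4|vpnv4) flowspec")


def parse_flowspec_peers(config_text):
    """Map (view, peer) to the option lists of its peer commands,
    for peers configured in a BGP Flowspec address family view."""
    stack = []   # enclosing views as (indent, command text)
    peers = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Leaving a view: drop every view at the same or deeper indentation.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if line.startswith(VIEW_PREFIXES):
            stack.append((indent, line))
            continue
        tokens = line.split()
        # Only peers below "bgp ..." whose innermost view is a Flowspec
        # address family count; a system-level VPN instance does not.
        in_bgp_flowspec = (
            bool(stack)
            and stack[0][1].startswith("bgp ")
            and FLOWSPEC_AF.fullmatch(stack[-1][1]) is not None
        )
        if tokens[0] != "peer" or len(tokens) < 3 or not in_bgp_flowspec:
            continue
        peer, options = tokens[1], tokens[2:]
        if options[0].isdigit() and len(options) > 1:
            peer += "/" + options.pop(0)   # optional mask or prefix length
        view = " / ".join(text for _, text in stack)
        peers.setdefault((view, peer), []).append(options)
    return peers


def audit_flowspec_peers(config_text):
    """Return findings for enabled Flowspec peers with weakened safeguards."""
    findings = []
    for (view, peer), options in parse_flowspec_peers(config_text).items():
        keywords = {opt[0] for opt in options}
        if "enable" not in keywords:
            continue   # peer does not exchange Flowspec routes in this view
        if "validation-disable" in keywords:
            findings.append(Finding(view, peer, "rule-validation-off"))
        if "validation-redirect-disable" in keywords:
            findings.append(Finding(view, peer, "redirect-validation-off"))
        limits = [opt for opt in options if opt[0] == "route-limit"]
        if not limits:
            # Page default: the number of rules from a peer is not limited.
            findings.append(Finding(view, peer, "no-route-limit"))
        elif "alert-only" in limits[-1]:
            # Assumed from the keyword name: log only, rules still accepted.
            findings.append(Finding(view, peer, "route-limit-alert-only"))
    return findings


if __name__ == "__main__":
    for f in audit_flowspec_peers(SAMPLE_CONFIG):
        print(f"{f.issue:26} {f.peer:14} {f.view}")
```
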

Advertising the COMMUNITY attribute to a peer or peer group

1.     Enter system view.

system-view

2.     Enter one of the following views:

◦     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

◦     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Advertise the COMMUNITY attribute to a peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } advertise-community

By default, the COMMUNITY attribute is not advertised.

Preferring routes learned from the specified peer or peer group during optimal route selection

About this task

Routes learned from the specified peer or peer group take precedence over routes learned from other peers or peer groups if these routes have the same prefix. BGP uses this rule to continue route selection if it fails to select an optimal route by using the peer type selection rule. If BGP still fails route selection, it uses the IGP metric selection rule to select an optimal route.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Prefer routes learned from the specified peer or peer group during optimal route selection.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } high-priority

By default, BGP does not prefer routes learned from any peer or peer group during optimal route selection.

Disabling IPv4 Flowspec on an interface

Restrictions and guidelines

In standard system operating mode, the system does not support this feature.

In SDN-WAN system operating mode, this feature is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L |
| CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X |
| SPE | RX-SPE200 |

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Disable IPv4 Flowspec on the interface.

flowspec disable

By default, IPv4 Flowspec is enabled on an interface.

Configuring an interface as the input interface for cleaned traffic

About this task

To prevent DoS/DDoS attacks, you can redirect suspect traffic to a traffic cleaning device through Flowspec. After the traffic cleaning device identifies and drops attack packets, it returns the legitimate packets to the network. To prevent returned legitimate packets from being redirected to the traffic cleaning device again, perform this task on the interface that receives the legitimate packets.

After you configure an interface as the input interface for cleaned traffic, the interface forwards the cleaned traffic in the public network regardless of whether the interface is bound to a VPN instance.

Restrictions and guidelines

In standard system operating mode, the system does not support this feature.

In SDN-WAN system operating mode, this feature is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L |
| CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X |
| SPE | RX-SPE200 |

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the interface as the input interface for cleaned traffic.

flowspec refluence

By default, an interface is not the input interface for cleaned traffic.

Configuring IPv6 Flowspec

IPv6 Flowspec tasks at a glance

To configure IPv6 Flowspec, perform the following tasks:

1.     Creating and activating an IPv6 Flowspec rule

Perform this task only on the Flowspec router.

2.     (Optional.) Configuring a Flowspec interface group

3.     Applying an IPv6 Flowspec rule

¡     Applying an IPv6 Flowspec rule to the public network

¡     Applying an IPv6 Flowspec rule to a VPN instance

Perform this task only on the Flowspec router.

4.     Enabling BGP to distribute IPv6 Flowspec rules

¡     Enabling BGP to distribute public network IPv6 Flowspec rules

¡     Enabling BGP to distribute private network IPv6 Flowspec rules

¡     Enabling BGP to distribute VPNv6 Flowspec rules

Perform this task on both the Flowspec router and Flowspec edge routers.

5.     (Optional.) Using the destination address in an IPv6 Flowspec rule to match routing policies

Perform this task on both the Flowspec router and Flowspec edge routers.

6.     (Optional.) Disabling the actions in IPv6 Flowspec rules

Perform this task on Flowspec edge routers.

7.     (Optional.) Configuring BGP Flowspec route reflection

Perform this task only on the Flowspec router.

8.     (Optional.) Limiting the number of IPv6 Flowspec rules from a peer or peer group

Perform this task on Flowspec edge routers.

9.     (Optional.) Advertising the COMMUNITY attribute to a peer or peer group

Perform this task on Flowspec routers.

10.     (Optional.) Preferring routes learned from the specified peer or peer group during optimal route selection

11.     (Optional.) Disabling IPv6 Flowspec on an interface

12.     (Optional.) Configuring an interface as the input interface for cleaned traffic

Creating and activating an IPv6 Flowspec rule

1.     Enter system view.

system-view

2.     Create an IPv6 Flowspec rule and enter IPv6 Flowspec rule view.

flow-route flowroute-name ipv6

3.     Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

4.     Configure an action. Choose one option as needed:

¡     Drop packets.

apply action

¡     Redirect packets to a next hop.

apply redirect next-hop { ipv4-address | ipv6-address [ copy-mode ] }

¡     Redirect packets to an SR-MPLS TE policy.

apply redirect next-hop ipv4-address color color

¡     Redirect packets to an SRv6 TE policy.

apply redirect next-hop ipv6-address color color [ sid sid-value ]

In standard system operating mode, this command is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1 |
| CSPEX | CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA |
| SPE | RX-SPE200-E |

In SDN-WAN system operating mode, this command is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1 |
| CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA |
| SPE | RX-SPE200, RX-SPE200-E |

¡     Redirect packets to an SRv6 BE tunnel.

apply redirect next-hop ipv6-address sid sid-value [ prefix-length prefix-length ]

In standard system operating mode, this command is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1 |
| CSPEX | CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA |
| SPE | RX-SPE200-E |

In SDN-WAN system operating mode, this command is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1 |
| CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA |
| SPE | RX-SPE200, RX-SPE200-E |

¡     Redirect packets to a tunnel interface.

apply redirect tunnel-id tunnel-id

¡     Redirect packets to a route target.

apply redirect vpn-target import-vpn-target

¡     Mark packets with a DSCP value.

apply remark-dscp dscp-value

¡     Rate limit packets.

apply traffic-rate rate

¡     Sample packets.

apply traffic-sampling

By default, no action is configured.

5.     (Optional.) Display the match criteria and actions that are not committed.

check flow-route-configuration

6.     Commit match criteria and actions.

commit

By default, match criteria and actions are not committed.

Configuring a Flowspec interface group

About this task

By default, a Flowspec router applies a received Flowspec rule to all interfaces on the device. To apply a received Flowspec rule to only some interfaces, create a Flowspec interface group and add those interfaces to it.

Restrictions and guidelines

An interface can belong to only one Flowspec interface group.

Procedure

1.     Enter system view.

system-view

2.     Create a Flowspec interface group and enter its view.

flowspec flow-interface-group group-id

3.     (Optional.) Configure a description for the Flowspec interface group.

description text

4.     Add an interface to the Flowspec interface group.

interface interface-type interface-number

By default, a Flowspec interface group does not contain any interfaces.

Applying an IPv6 Flowspec rule

Restrictions and guidelines

To associate a Flowspec rule already applied in Flowspec IPv6 address family view with a Flowspec interface group, first execute the undo flow-route command to remove the Flowspec rule from the Flowspec IPv6 address family.

A Flowspec rule can be associated with more than one Flowspec interface group, and vice versa.

Applying an IPv6 Flowspec rule to the public network

1.     Enter system view.

system-view

2.     Enter Flowspec view.

flowspec

3.     Create a Flowspec IPv6 address family for the public network and enter its view.

address-family ipv6

4.     Apply an IPv6 Flowspec rule to the public network. Choose one option as needed:

¡     Apply an IPv6 Flowspec rule.

flow-route flowroute-name

By default, no IPv6 Flowspec rule is applied to the public network.

¡     Apply an IPv6 Flowspec rule and associate it with a Flowspec interface group.

flow-route flowroute-name flow-interface-group group-id

By default, no IPv6 Flowspec rule is applied to the public network, and no Flowspec interface group is associated with an IPv6 Flowspec rule.

Applying an IPv6 Flowspec rule to a VPN instance

1.     Enter system view.

system-view

2.     Configure a VPN instance.

a.     Create a VPN instance and enter VPN instance view.

ip vpn-instance vpn-instance-name

b.     Configure an RD for the VPN instance.

route-distinguisher route-distinguisher

By default, no RD is configured for a VPN instance.

c.     Configure route targets for the VPN instance.

vpn-target { vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ] }

By default, no route targets are configured.

For more information about the ip vpn-instance, route-distinguisher, and vpn-target commands, see MPLS L3VPN commands in MPLS Command Reference.

3.     Enter the IPv6 Flowspec address family view of the VPN instance.

address-family ipv6 flowspec

4.     Configure an RD for the IPv6 Flowspec address family.

route-distinguisher route-distinguisher

By default, no RD is configured for the IPv6 Flowspec address family.

5.     Configure route targets for the IPv6 Flowspec address family.

vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]

By default, no route targets are configured for the IPv6 Flowspec address family.

The route targets configured must be the same as the route targets configured previously for the VPN instance.

6.     Execute the quit command twice to return to system view.

7.     Enter Flowspec view.

flowspec

8.     Create a Flowspec IPv6 address family and associate the address family with the VPN instance.

address-family ipv6 vpn-instance vpn-instance-name

9.     Apply an IPv6 Flowspec rule to the Flowspec IPv6 VPN instance address family. Choose one option as needed:

¡     Apply an IPv6 Flowspec rule.

flow-route flowroute-name

By default, no IPv6 Flowspec rule is applied to a Flowspec IPv6 VPN instance address family.

¡     Apply an IPv6 Flowspec rule and associate it with a Flowspec interface group.

flow-route flowroute-name flow-interface-group group-id

By default, no IPv6 Flowspec rule is applied to the public network, and no Flowspec interface group is associated with an IPv6 Flowspec rule.

Enabling BGP to distribute IPv6 Flowspec rules

About BGP Flowspec rule distribution

By default, the device validates received IPv6 Flowspec rules and their redirection next hops (if present). The validation conditions and rules are the same as for IPv4 Flowspec rules. For more information, see "Enabling BGP to distribute IPv4 Flowspec rules."

Restrictions and guidelines

For more information about the bgp and peer enable commands, see BGP commands in Layer 3—IP Routing Command Reference.

Enabling BGP to distribute public network IPv6 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv6 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Validate destination address match criteria for only IPv6 Flowspec rules that contain the AS_SET or AS_SEQ AS_Path attribute.

route validation-mode include-as

By default, destination address match criteria are validated for all IPv6 Flowspec rules.

5.     (Optional.) Disable validation of IPv6 Flowspec rules from BGP Flowspec peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-disable

By default, IPv6 Flowspec rules from BGP Flowspec peers are validated.

6.     (Optional.) Disable validation of the redirection next hops in IPv6 Flowspec rules from BGP Flowspec peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-redirect-disable

By default, the redirection next hops in IPv6 Flowspec rules from BGP Flowspec peers are validated.

7.     (Optional.) Configure the device to not change the next hop of routes advertised to EBGP peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of IPv6 routes advertised to EBGP peers.

8.     (Optional.) Enable recursion to tunnels for IPv6 Flowspec rules with an action of redirecting to a next hop.

redirect ip recursive-lookup tunnel [ tunnel-selector tunnel-selector-name ]

By default, recursion to tunnels is disabled for IPv6 Flowspec rules with an action of redirecting to a next hop.

9.     (Optional.) Configure the attribute ID for the redirection next hop in IPv6 Flowspec rules as the RFC-specified 0x000C.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

By default, the attribute ID for the redirection next hop in static IPv6 Flowspec rules is 0x0800.

10.     (Optional.) Configure the attribute ID for the redirection VPN target in IPv6 Flowspec rules as the RFC-specified 0x000D.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

By default, the attribute ID for the redirection VPN target in static IPv6 Flowspec rules is 0x800B.

11.     (Optional.) Disable the actions of redirection to next hops in IPv6 Flowspec rules.

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect-nexthop

By default, the actions of redirection to next hops in IPv6 Flowspec rules are applied.

Enabling BGP to distribute private network IPv6 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP-VPN IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv6 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Validate destination address match criteria for only IPv6 Flowspec rules that contain the AS_SET or AS_SEQ AS_Path attribute.

route validation-mode include-as

By default, destination address match criteria are validated for all IPv6 Flowspec rules.

5.     (Optional.) Disable validation of IPv6 Flowspec rules from BGP Flowspec peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-disable

By default, IPv6 Flowspec rules from BGP Flowspec peers are validated.

6.     (Optional.) Disable validation of the redirection next hops in IPv6 Flowspec rules from BGP Flowspec peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-redirect-disable

7.     (Optional.) Configure the device to not change the next hop of routes advertised to EBGP peers.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of IPv6 routes advertised to EBGP peers.

8.     (Optional.) Configure the attribute ID for the redirection next hop in IPv6 Flowspec rules as the RFC-specified 0x000C.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

By default, the attribute ID for the redirection next hop in static IPv6 Flowspec rules is 0x0800.

9.     (Optional.) Configure the attribute ID for the redirection VPN target in IPv6 Flowspec rules as the RFC-specified 0x000D.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

By default, the attribute ID for the redirection VPN target in static IPv6 Flowspec rules is 0x800B.

10.     (Optional.) Disable the actions of redirection to next hops in IPv6 Flowspec rules.

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect-nexthop

By default, the actions of redirection to next hops in IPv6 Flowspec rules are applied.

Enabling BGP to distribute VPNv6 Flowspec rules

1.     Enter system view.

system-view

2.     Execute the following commands in sequence to enter BGP VPNv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv6 flowspec

3.     Enable BGP Flowspec peers to exchange routing information.

peer { group-name | ipv4-address [ mask-length ] | ipv4-address [ mask-length ] } enable

By default, BGP Flowspec peers cannot exchange routing information.

4.     (Optional.) Configure the device to not change the next hop of VPNv6 routes advertised to EBGP peers.

peer { group-name | ipv4-address [ mask-length ] | ipv4-address [ mask-length ] } next-hop-invariable

By default, the device uses its own IP address as the next hop of VPNv6 routes advertised to EBGP peers.

5.     (Optional.) Configure the attribute ID for the redirection next hop in IPv6 Flowspec rules as the RFC-specified 0x000C.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

By default, the attribute ID for the redirection next hop in static IPv6 Flowspec rules is 0x0800.

6.     (Optional.) Configure the attribute ID for the redirection VPN target in IPv6 Flowspec rules as the RFC-specified 0x000D.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

By default, the attribute ID for the redirection VPN target in static IPv6 Flowspec rules is 0x800B.

Using the destination address in an IPv6 Flowspec rule to match routing policies

About this task

An IPv6 Flowspec rule does not carry route prefix information. By default, the device uses the routing policy that matches the destination in an IPv6 Flowspec rule to filter or modify the Flowspec rule. The device uses route prefix 0::0/0 to match the destination address in a routing policy for all Flowspec rules. As a result, the device cannot perform accurate filtering and route attribute control on Flowspec rules.

Perform this task to use the destination address in a Flowspec rule as the route prefix to match routing policies, so that you can flexibly filter or modify Flowspec rules.

Restrictions and guidelines

Configure a destination address match criterion in IPv6 Flowspec rules before configuring this function.

This function must be used with the peer route-policy command, and a destination address match criterion must be configured in the routing policy. For more information about the peer route-policy command, see BGP commands in Layer 3—IP Routing Command Reference.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv4 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv4 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv4 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv4 flowspec

3.     Apply a routing policy to routes incoming from or outgoing to a peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } route-policy route-policy-name { export | import }

By default, no routing policy is applied to routes incoming from or outgoing to a peer or peer group.

4.     Use the destination address in Flowspec rules to match routing policies.

route match-destination

By default, route prefix 0::0/0 is used to match routing policies.

Disabling the actions in IPv6 Flowspec rules

About this task

If you perform this task, BGP will not notify the QoS module to take the actions in matching IPv6 Flowspec rules.

If a routing policy contains a destination address match criterion, BGP filters IPv6 Flowspec rules as follows:

·     If the route match-destination command is not executed, BGP uses route prefix 0::0/0 to match the destination address match criterion in the routing policy, and all IPv6 Flowspec rules are matched.

·     If the route match-destination command is executed, BGP uses the destination address in IPv6 Flowspec rules to match the destination address match criterion in the routing policy.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv6 flowspec

3.     Disable the actions in IPv6 Flowspec rules.

routing-table bgp-rib-only [ route-policy route-policy-name ]

By default, actions in IPv6 Flowspec rules are executed.

Configuring BGP Flowspec route reflection

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv6 flowspec

3.     Configure the router as a route reflector and specify a peer or peer group as its client.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } reflect-client

By default, no route reflector or client is configured.

4.     (Optional.) Disable route target filtering for received BGP VPNv6 Flowspec routes.

undo policy vpn-target

By default, route target filtering is enabled for received VPNv6 routes. The VPNv6 routes whose export route target attribute matches the local import route target attribute are added to the routing table.

This command is available only in BGP VPNv6 Flowspec address family view.

5.     (Optional.) Enable route reflection between clients.

reflect between-clients

By default, route reflection between clients is enabled.

6.     (Optional.) Configure the cluster ID of the route reflector.

reflector cluster-id { cluster-id | ip-address }

By default, a route reflector uses its own router ID as the cluster ID.

In BGP IPv6 Flowspec address family view or BGP-VPN IPv6 Flowspec address family view, specify an IPv6 address for the ip-address argument.

In BGP VPNv6 Flowspec address family view, specify an IPv4 address for the ip-address argument.

Limiting the number of IPv6 Flowspec rules from a peer or peer group

About this task

Perform this task to prevent attackers from launching attacks by sending a large number of IPv6 Flowspec rules.

When the number of IPv6 Flowspec rules received from a peer or peer group exceeds the maximum number, the device can take one of the following actions:

·     Disconnects BGP sessions with the peer or peer group and does not re-establish BGP sessions.

·     Keeps BGP sessions with the peer or peer group, continues to receive Flowspec rules, and generates logs.

·     Keeps BGP sessions with the peer or peer group, drops subsequent Flowspec rules, and generates logs.

·     Disconnects BGP sessions with the peer or peer group, and re-establishes BGP sessions with it after a period of time.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv6 flowspec

3.     Configure the maximum number of Flowspec rules from a peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } route-limit prefix-number [ { alert-only | discard | reconnect reconnect-time } | percentage-value ] *

By default, the number of IPv6 Flowspec rules from a peer or peer group is not limited.
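The per-peer rule limit above and the validation settings under "Enabling BGP to distribute IPv6 Flowspec rules" can be checked offline against a saved configuration. The following Python script is an added example, not H3C code: it assumes the one-space-per-level layout of display current-configuration output, and the sample configuration (AS number, peer addresses, VPN instance name, group name) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in "display current-configuration" style (assumed layout);
# the AS number, peers, VPN instance and group name are made up for this example.
SAMPLE_CONFIG = """\
#
bgp 65001
 peer 2001:DB8::2 as-number 65002
 peer 2001:DB8::3 as-number 65003
 #
 address-family ipv6 flowspec
  peer 2001:DB8::2 enable
  peer 2001:DB8::2 route-limit 500 discard
  peer 2001:DB8::3 enable
  peer 2001:DB8::3 validation-disable
  peer 2001:DB8::3 validation-redirect-disable
 #
 address-family vpnv6 flowspec
  peer edge enable
 #
 ip vpn-instance vpn1
  #
  address-family ipv6 flowspec
   peer 2001:DB8::4 enable
   peer 2001:DB8::4 route-limit 200 alert-only
#
"""

AF_RE = re.compile(r"address-family (ipv4|ipv6|vpnv4|vpnv6) flowspec$")
TRACKED = ("enable", "route-limit", "validation-disable",
           "validation-redirect-disable")


def parse_flowspec_peers(config):
    """Return {(as_number, vpn_instance, family): {peer: set(settings)}}."""
    views = defaultdict(lambda: defaultdict(set))
    bgp_as = vpn = family = None
    af_indent = 0
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            # A new top-level section ends any BGP context.
            bgp_as = line.split()[1] if line.startswith("bgp ") else None
            vpn = family = None
            continue
        if bgp_as is None:
            continue
        if indent == 1:
            # A command directly under bgp leaves any VPN instance or family.
            vpn = family = None
            if line.startswith("ip vpn-instance "):
                vpn = line.split()[2]
        match = AF_RE.match(line)
        if match:
            family, af_indent = match.group(1), indent
            continue
        if family is not None and indent <= af_indent:
            family = None  # left the Flowspec address family view
        if family is None or not line.startswith("peer "):
            continue
        tokens = line.split()
        # The peer is everything between "peer" and the first tracked keyword,
        # which covers group names and "address mask-length" forms.
        for i, tok in enumerate(tokens[2:], start=2):
            if tok in TRACKED:
                views[(bgp_as, vpn, family)][" ".join(tokens[1:i])].add(tok)
                break
    return {key: dict(peers) for key, peers in views.items()}


def audit(config):
    """Return sorted (view, peer, finding) tuples for enabled Flowspec peers."""
    findings = []
    for (bgp_as, vpn, family), peers in parse_flowspec_peers(config).items():
        scope = "vpn-instance " + vpn if vpn else "public"
        view = f"bgp {bgp_as} {scope} {family} flowspec"
        for peer, settings in peers.items():
            if "enable" not in settings:
                continue  # peer does not exchange Flowspec rules in this view
            if "route-limit" not in settings:
                findings.append((view, peer,
                                 "no route-limit: rule count from this peer is not limited"))
            if "validation-disable" in settings:
                findings.append((view, peer,
                                 "validation-disable: received rules are not validated"))
            if "validation-redirect-disable" in settings:
                findings.append((view, peer,
                                 "validation-redirect-disable: redirection next hops are not validated"))
    return sorted(findings)


if __name__ == "__main__":
    for view, peer, finding in audit(SAMPLE_CONFIG):
        print(f"[{view}] peer {peer}: {finding}")
```
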

Advertising the COMMUNITY attribute to a peer or peer group

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv6 flowspec

3.     Advertise the COMMUNITY attribute to a peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } advertise-community

By default, the COMMUNITY attribute is not advertised.

Preferring routes learned from the specified peer or peer group during optimal route selection

About this task

Routes learned from the specified peer or peer group take precedence over routes learned from other peers or peer groups if these routes have the same prefix. BGP uses this rule to continue route selection if it fails to select an optimal route by using the peer type selection rule. If BGP still fails route selection, it uses the IGP metric selection rule to select an optimal route.

Procedure

1.     Enter system view.

system-view

2.     Enter one of the following views:

¡     Execute the following commands in sequence to enter BGP IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP-VPN IPv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

ip vpn-instance vpn-instance-name

address-family ipv6 flowspec

¡     Execute the following commands in sequence to enter BGP VPNv6 Flowspec address family view:

bgp as-number [ instance instance-name ]

address-family vpnv6 flowspec

3.     Prefer routes learned from the specified peer or peer group during optimal route selection.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } high-priority

By default, BGP does not prefer routes learned from any peer or peer group during optimal route selection.

Disabling IPv6 Flowspec on an interface

Restrictions and guidelines

In standard system operating mode, the system does not support this feature.

In SDN-WAN system operating mode, this feature is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L |
| CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X |
| SPE | RX-SPE200 |

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Disable IPv6 Flowspec on the interface.

flowspec disable

By default, IPv6 Flowspec is enabled on an interface.

Configuring an interface as the input interface for cleaned traffic

About this task

To prevent DoS/DDoS attacks, you can redirect suspect traffic to a traffic cleaning device through Flowspec. After the traffic cleaning device identifies and drops attack packets, it returns the legitimate packets to the network. To prevent returned legitimate packets from being redirected to the traffic cleaning device again, perform this task on the interface that receives the legitimate packets.

After you configure an interface as the input interface for cleaned traffic, the interface forwards the cleaned traffic in the public network regardless of whether the interface is bound to a VPN instance.

Restrictions and guidelines

In standard system operating mode, the system does not support this feature.

In SDN-WAN system operating mode, this feature is available only for the following cards:

| Card category | Cards |
|---|---|
| CEPC | CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L |
| CSPEX | CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X |
| SPE | RX-SPE200 |

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the interface as the input interface for cleaned traffic.

flowspec refluence

By default, an interface is not the input interface for cleaned traffic.

Display and maintenance commands for Flowspec

For more information about the BGP commands not covered in this feature, see Layer 3—IP Routing Command Reference.

For more information about the display bgp route-target l3vpn command, see MPLS L3VPN commands in MPLS Command Reference.

Execute the display commands in any view and the reset and refresh commands in user view.

 

Task

Command

Display IPv4 BGP Flowspec peer information.

display bgp [ instance instance-name ] peer ipv4 flowspec [ vpn-instance vpn-instance-name ] [ ipv4-address mask-length | ipv6-address prefix-length | { ipv4-address | ipv6-address | group-name group-name } log-info | [ ipv4-address | ipv6-address ] verbose ]

Display IPv6 BGP Flowspec peer information.

display bgp [ instance instance-name ] peer ipv6 flowspec [ vpn-instance vpn-instance-name ] [ ipv4-address mask-length | ipv6-address prefix-length | { ipv4-address | ipv6-address | group-name group-name } log-info | [ ipv4-address | ipv6-address ] verbose ]

Display BGP VPNv4 Flowspec peer information.

display bgp [ instance instance-name ] peer vpnv4 flowspec [ ipv4-address mask-length | ipv6-address prefix-length | { ipv4-address | ipv6-address | group-name group-name } log-info | [ ipv4-address | ipv6-address ] verbose ]

Display BGP VPNv6 Flowspec peer information.

display bgp [ instance instance-name ] peer vpnv6 flowspec [ ipv4-address mask-length | ipv6-address prefix-length | { ipv4-address | ipv6-address | group-name group-name } log-info | [ ipv4-address | ipv6-address ] verbose ]

Display IPv4 BGP Flowspec peer group information.

display bgp [ instance instance-name ] group ipv4 flowspec [ vpn-instance vpn-instance-name ] [ group-name group-name ]

Display IPv6 BGP Flowspec peer group information.

display bgp [ instance instance-name ] group ipv6 flowspec [ vpn-instance vpn-instance-name ] [ group-name group-name ]

Display BGP VPNv4 Flowspec peer group information.

display bgp [ instance instance-name ] group vpnv4 flowspec [ vpn-instance vpn-instance-name ] [ group-name group-name ]

Display BGP VPNv6 Flowspec peer group information.

display bgp [ instance instance-name ] group vpnv6 flowspec [ vpn-instance vpn-instance-name ] [ group-name group-name ]

Display BGP IPv4 Flowspec routing information.

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | flowspec-prefix [ advertise-info ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Display BGP IPv6 Flowspec routing information.

display bgp [ instance instance-name ] routing-table ipv6 flowspec [ vpn-instance vpn-instance-name ] [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | flowspec-prefix [ advertise-info ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv6 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv6 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Display BGP VPNv4 Flowspec routing information.

display bgp [ instance instance-name ] routing-table vpnv4 flowspec [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ] | [ route-distinguisher route-distinguisher ] [ flowspec-prefix [ advertise-info ] ] | statistics ]

display bgp [ instance instance-name ] routing-table vpnv4 flowspec peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Display BGP VPNv6 Flowspec routing information.

display bgp [ instance instance-name ] routing-table vpnv6 flowspec [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ] | [ route-distinguisher route-distinguisher ] [ flowspec-prefix [ advertise-info ] ] | statistics ]

display bgp [ instance instance-name ] routing-table vpnv6 flowspec peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Display BGP IPv4 Flowspec update group information.

display bgp [ instance instance-name ] update-group ipv4 flowspec [ ipv4-address | ipv6-address ]

Display BGP IPv6 Flowspec update group information.

display bgp [ instance instance-name ] update-group ipv6 flowspec [ ipv4-address | ipv6-address ]

Display BGP VPNv4 Flowspec update group information.

display bgp [ instance instance-name ] update-group vpnv4 flowspec [ ipv4-address | ipv6-address ]

Display BGP VPNv6 Flowspec update group information.

display bgp [ instance instance-name ] update-group vpnv6 flowspec [ ipv4-address | ipv6-address ]

Display BGP route targets from VPN instances.

display bgp [ instance instance-name ] route-target l3vpn [ ipv4 flowspec | ipv6 flowspec ] [ vpn-instance vpn-instance-name ]

Display Flowspec rule information.

In standalone mode:

display flow-route { { ipv4 | ipv6 } all | flow-route-id } [ slot slot-number [ cpu cpu-number ] ]

display flow-route { { ipv4 | ipv6 } [ instance instance-name ] [ vpn-instance vpn-instance-name | public-instance ] | flow-route-id } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display flow-route { { ipv4 | ipv6 } all | flow-route-id } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

display flow-route { { ipv4 | ipv6 } [ instance instance-name ] [ vpn-instance vpn-instance-name | public-instance ] | flow-route-id } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Display Flowspec interface group configuration.

display flowspec flow-interface-group [ group-id ]

Display traffic statistics for a Flowspec rule.

display flowspec statistics flow-route-id [ flow-interface-group group-id ]

Manually soft-reset BGP sessions for an IPv4 Flowspec address family.

refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } { export | import } ipv4 flowspec [ vpn-instance vpn-instance-name ]

Manually soft-reset BGP sessions for an IPv6 Flowspec address family.

refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } { export | import } ipv6 flowspec [ vpn-instance vpn-instance-name ]

Manually soft-reset BGP sessions for a VPNv4 Flowspec address family.

refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } { export | import } vpnv4 flowspec

Manually soft-reset BGP sessions for a VPNv6 Flowspec address family.

refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } { export | import } vpnv6 flowspec

Reset BGP sessions for a BGP IPv4 Flowspec address family.

reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } ipv4 flowspec [ vpn-instance vpn-instance-name ]

Reset BGP sessions for a BGP IPv6 Flowspec address family.

reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } ipv6 flowspec [ vpn-instance vpn-instance-name ]

Reset BGP sessions for a BGP VPNv4 Flowspec address family.

reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | internal | group group-name } vpnv4 flowspec

Reset BGP sessions for a BGP VPNv6 Flowspec address family.

reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | internal | group group-name } vpnv6 flowspec

Clear traffic statistics for Flowspec rules.

reset flowspec statistics flow-route-id [ flow-interface-group group-id ]

Flowspec configuration examples

Example: Configuring IPv4 Flowspec

Network configuration

As shown in Figure 2, all routers run BGP. Device A is a Flowspec router, and Device B is a Flowspec edge router.

Configure Flowspec to limit the rate of incoming packets with destination IP address 1.1.1.0/24 and port 10 on Device B.

Figure 2 Network diagram

Procedure

1.     Assign IP addresses to interfaces. (Details not shown.)

2.     Configure Device A:

# Configure a BGP connection.

<DeviceA> system-view

[DeviceA] bgp 100

[DeviceA-bgp-default] peer 10.1.1.2 as-number 200

[DeviceA-bgp-default] address-family ipv4 flowspec

[DeviceA-bgp-default-flowspec-ipv4] peer 10.1.1.2 enable

[DeviceA-bgp-default-flowspec-ipv4] peer 10.1.1.2 validation-disable

[DeviceA-bgp-default-flowspec-ipv4] quit

[DeviceA-bgp-default] quit

# Configure a Flowspec rule.

[DeviceA] flow-route route1

[DeviceA-flow-route-route1] if-match destination-ip 1.1.1.0 24

[DeviceA-flow-route-route1] if-match destination-port 10

[DeviceA-flow-route-route1] apply traffic-rate 20

[DeviceA-flow-route-route1] check flow-route-configuration

Traffic filtering rules:

 Destination ip   :  1.1.1.0 255.255.255.0

 Destination port :  10

Traffic filtering actions:

 Traffic rate : 20(kbps)

[DeviceA-flow-route-route1] commit

[DeviceA-flow-route-route1] quit

# Apply the Flowspec rule to the public network.

[DeviceA] flowspec

[DeviceA-flowspec] address-family ipv4

[DeviceA-flowspec-ipv4] flow-route route1

[DeviceA-flowspec-ipv4] quit

3.     Configure Device B:

# Configure a BGP connection.

<DeviceB> system-view

[DeviceB] bgp 200

[DeviceB-bgp-default] peer 10.1.1.1 as-number 100

[DeviceB-bgp-default] address-family ipv4 flowspec

[DeviceB-bgp-default-flowspec-ipv4] peer 10.1.1.1 enable

[DeviceB-bgp-default-flowspec-ipv4] peer 10.1.1.1 validation-disable

[DeviceB-bgp-default-flowspec-ipv4] quit

[DeviceB-bgp-default] quit

Verifying the configuration

# On Device A, display BGP IPv4 Flowspec peer information.

[DeviceA] display bgp peer ipv4 flowspec

 BGP local router ID: 192.168.150.1

 Local AS number: 100

 Total number of peers: 1                 Peers in established state: 1

  * - Dynamically created peer

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

  10.1.1.2               200       10       12    0       0 00:06:40 Established

# On Device B, display BGP IPv4 Flowspec peer information.

[DeviceB] display bgp peer ipv4 flowspec

 BGP local router ID: 192.168.150.2

 Local AS number: 200

 Total number of peers: 1                 Peers in established state: 1

  * - Dynamically created peer

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

  10.1.1.1               100       10       12    0       0 00:06:40 Established

# On Device B, display BGP IPv4 Flowspec routing information.

[DeviceB] display bgp routing-table ipv4 flowspec

Total number of routes: 1

 

 BGP local router ID is 192.168.150.2

 Status codes: * - valid, > - best, d - dampened, h - history

               s - suppressed, S - stale, i - internal, e - external

               a - additional-path

       Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.1.1.0/24/40

                        0.0.0.0                    100        0       ?

# On Device B, display information about all Flowspec rules.

<DeviceB> display flow-route ipv4 all

Total number of flow-routes: 1

 

Flow-Route (ID 0x0)

  BGP instance : default

  Traffic filtering rules:

   Destination IP   : 1.1.1.0 255.255.255.0

   Destination port : 10

  Traffic filtering actions:

   Traffic rate          : 20(kbps)
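A check that can be run against the output above, as an added example (not H3C tooling and not part of this guide): it parses `display flow-route ipv4 all` output and flags installed rules whose destination falls outside an approved prefix list or whose rate limit is below an agreed floor. The function names, the approved-prefix list, the rate floor, and rule 0x1 in the sample are assumptions made for the illustration.

```python
import ipaddress
import re

# "display flow-route ipv4 all" output from this page (blank lines omitted);
# rule 0x1 is constructed in the same layout to exercise the audit.
SAMPLE = """\
Total number of flow-routes: 2
Flow-Route (ID 0x0)
  BGP instance : default
  Traffic filtering rules:
   Destination IP   : 1.1.1.0 255.255.255.0
   Destination port : 10
  Traffic filtering actions:
   Traffic rate          : 20(kbps)
Flow-Route (ID 0x1)
  BGP instance : default
  Traffic filtering rules:
   Destination IP   : 10.0.0.0 255.0.0.0
  Traffic filtering actions:
   Traffic rate          : 0(kbps)
"""

def parse_flow_routes(text):
    """Return one dict per Flow-Route block: id, match fields, actions."""
    routes, cur, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Flow-Route \(ID (0x[0-9a-fA-F]+)\)", line)
        if m:
            cur, section = {"id": m.group(1), "match": {}, "action": {}}, None
            routes.append(cur)
        elif line.startswith("Traffic filtering"):
            section = "match" if "rules" in line else "action"
        elif cur is not None and section and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            cur[section][key.lower()] = value
    return routes

def audit(routes, approved_prefixes, min_rate_kbps):
    """Return (rule id, finding) pairs for rules outside the intended policy."""
    approved = [ipaddress.ip_network(p) for p in approved_prefixes]
    findings = []
    for r in routes:
        dest = r["match"].get("destination ip")
        net = ipaddress.ip_network("/".join(dest.split()), strict=False) if dest else None
        if net is None or not any(net.subnet_of(a) for a in approved):
            findings.append((r["id"], f"destination {net} outside approved prefixes"))
        rate = re.match(r"(\d+)\(kbps\)", r["action"].get("traffic rate", ""))
        if rate and int(rate.group(1)) < min_rate_kbps:
            findings.append((r["id"], f"rate {rate.group(1)} kbps under floor"))
    return findings
```

With the approved prefix 1.1.1.0/24 and a 10 kbps floor, the rule from this page passes and the constructed rule 0x1 is reported twice, once for its destination and once for its rate.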

 
