Using the firewall ddos traffic-diversion command, you can configure the traffic diversion policy.
Using the undo firewall ddos traffic-diversion command, you can cancel the traffic diversion policy.
firewall ddos traffic-diversion [ vpn-instance vpn-instance-name ] ip ip-address [ mask | mask-length1 ] [ ip-link name ]
firewall ddos traffic-diversion [ vpn6-instance vpn6-instance-name ] ipv6 ipv6-address [ mask-length2 ]
undo firewall ddos traffic-diversion [ vpn-instance vpn-instance-name ] ip { all | ip-address [ mask | mask-length1 ] }
undo firewall ddos traffic-diversion [ vpn6-instance vpn6-instance-name ] ipv6 { all | ipv6-address [ mask-length2 ] }
undo firewall ddos traffic-diversion ipv6 { all | ipv6-address [ mask-length2 ] }
| Parameter | Description | Value |
|---|---|---|
| vpn-instance-name | Specifies the name of a VPN instance of IPv4. | The value is a string of 1 to 31 characters. |
| vpn6-instance-name | Specifies the name of a VPN instance of IPv6. | The value is a string of 1 to 31 characters. |
| ip-address | Specifies the destination IPv4 address that requires traffic cleaning. | It is in dotted decimal notation. |
| ipv6-address | Specifies the destination IPv6 address that requires traffic cleaning. | The value is in colon hexadecimal notation. |
| mask | Specifies the mask of the IPv4 address. | It is in dotted decimal notation. |
| mask-length1 | Specifies the mask length of the IPv4 address. | It is an integer ranging from 8 to 32. |
| mask-length2 | Specifies the mask length of the IPv6 address. | It is an integer ranging from 8 to 128. |
| all | Indicates all IP addresses. | - |
| name | Indicates the name of the IP-link. | The value is a string of 1 to 31 characters. |
After firewall ddos bgp-next-hop and firewall ddos traffic-diversion are configured, a UNR route is generated by the system. For example, after the firewall ddos bgp-next-hop 2.2.2.2 and firewall ddos traffic-diversion ip 1.1.1.1 32 commands are executed, a UNR route whose destination IP address is 1.1.1.1/32 and next hop IP address is 2.2.2.2 is generated. The generated UNR route has the following applications:
Traffic diversion
The generated route is advertised to the core routing device through External BGP (EBGP). Because of how BGP handles the next-hop attribute, when the cleaning device advertises a route to a BGP peer, it sets the route's next hop to the IP address of its own interface that connects to the peer. The core routing device therefore learns a route whose destination IP address is 1.1.1.1/32 and whose next hop is the IP address of the traffic-diversion interface on the cleaning device. This implements traffic diversion.
Traffic injection
After cleaning, the cleaning device forwards the traffic to the core routing device according to the generated UNR routes or other routes. This implements traffic injection.
When using the command, you can bind an IP-link to enhance link reliability. If the IP-Link state is Down when the IP-Link is associated with a diversion task, the task cannot be configured.
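The following Python sketch is an added example, not vendor code. It checks a traffic-diversion line against the syntax and value limits listed above before it is pushed to a device, and derives the UNR route described in the 1.1.1.1/32 example. Assumptions: the function names are hypothetical, an omitted mask is treated as a host route, and the bgp-next-hop command takes only the address shown on this page.

```python
import ipaddress
LEN_RANGE = {"ip": (8, 32), "ipv6": (8, 128)}  # limits from the parameter table
VPN_KW = {"vpn-instance": "ip", "vpn6-instance": "ipv6"}

def _name(t, what):
    if not t or not 1 <= len(t[0]) <= 31:
        raise ValueError(f"{what} name must be 1 to 31 characters")
    return t.pop(0)

def _v4_mask_len(mask):
    bits = int(ipaddress.IPv4Address(mask))
    plen = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError("mask is not contiguous")
    return plen

def parse_diversion(line):
    """Validate one traffic-diversion line; return (vpn, destination, ip_link)."""
    t = line.split()
    if t[:3] != ["firewall", "ddos", "traffic-diversion"]:
        raise ValueError("not a traffic-diversion command")
    t = t[3:]
    vpn_family = VPN_KW[t.pop(0)] if t and t[0] in VPN_KW else None
    vpn = _name(t, "VPN instance") if vpn_family else None
    if len(t) < 2 or t[0] not in LEN_RANGE or vpn_family not in (None, t[0]):
        raise ValueError("expected 'ip <addr>' or 'ipv6 <addr>' matching the VPN keyword")
    family, addr = t.pop(0), ipaddress.ip_address(t.pop(0))
    if addr.version != (4 if family == "ip" else 6):
        raise ValueError("address does not match the ip/ipv6 keyword")
    lo, hi = LEN_RANGE[family]
    plen = hi  # assumption: an omitted mask means a host route
    if t and t[0] != "ip-link":
        m = t.pop(0)
        plen = _v4_mask_len(m) if family == "ip" and "." in m else int(m)
        if not lo <= plen <= hi:
            raise ValueError(f"mask length must be {lo} to {hi}")
    link = None
    if t[:1] == ["ip-link"] and family == "ip":  # ip-link exists only in the IPv4 form
        link, t = _name(t[1:2], "IP-link"), t[2:]
    if t:
        raise ValueError(f"unexpected tokens: {' '.join(t)}")
    return vpn, f"{addr}/{plen}", link

def expected_unr(next_hop_line, diversion_line):
    """Return (destination, next_hop) of the UNR route the page describes."""
    t = next_hop_line.split()
    if t[:3] != ["firewall", "ddos", "bgp-next-hop"] or len(t) != 4:
        raise ValueError("not a bgp-next-hop command")
    return parse_diversion(diversion_line)[1], str(ipaddress.ip_address(t[3]))
```

Comparing the returned destination and next hop with the UNR route the device actually installs confirms that diversion targets exactly the intended prefix.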