In UNR route injection, cleaned traffic is injected from the cleaning device to the router along the UNR route and finally reaches the Zone.
This function is configured on the AntiDDoS.
As shown in Figure 1, Router1 is a traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1 on the cleaning device through Router1 GE1/0/1 for cleaning. After the cleaning is complete, the cleaning device injects the cleaned traffic to GE1/0/2 on Router1 along the UNR route. Subsequently, Router1 forwards the traffic to the Zone.
In practice, the traffic-injection router can be either Router1 or another downstream router (such as Router2).
In BGP traffic diversion, Router1 learns the UNR route advertised by the cleaning device and uses the cleaning device as the next hop of the route to the Zone. As a result, after cleaned traffic is injected to Router1, Router1 forwards it back to the cleaning device according to the routing table, which creates a loop. To avoid this loop, configure a policy-based route on inbound interface GE1/0/2 of Router1 that sends injected traffic to downstream Router2 for forwarding.
When BGP traffic diversion is employed, you only need to specify an IP address for the Zone whose traffic is to be diverted on the ATIC Management center. The setting is then delivered to the cleaning device, and a UNR route is generated automatically on the cleaning device. For details on the implementation mechanism, see Configuring BGP Traffic Diversion (CLI). For the configuration procedure, see Configuring BGP Traffic Diversion (ATIC).
UNR route injection applies only to the scenario in which a cleaning device monitors a single router.
The following uses a Huawei NE80E as an example to describe how to configure the policy-based route on the traffic-injection router. The configuration varies with the router model and software version; the following configuration is provided for reference only.
1. Run the following commands to define a traffic classifier.
   a. Run the traffic classifier classifier-name command in the system view to define a traffic classifier and enter the traffic classifier view.
      classifier-name specifies the name of the traffic classifier. It is a case-sensitive string of 1 to 31 characters.
   b. Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to match an ACL rule.
      acl-number specifies the number of the ACL. The value is an integer.
      For IPv4 packets, the value ranges from 2000 to 4099.
      For IPv6 packets, the value ranges from 2000 to 3999.
      acl-name specifies the name of a named ACL. The value is a case-sensitive string of 1 to 32 characters without spaces. It must start with a letter (a to z or A to Z) and can be a combination of letters, digits, hyphens (-), and underscores (_).
2. Run the following commands to define a traffic behavior and set its action.
   a. Run the traffic behavior behavior-name command in the system view to define a traffic behavior and enter the traffic behavior view.
      behavior-name specifies the name of the traffic behavior. The value is a string of 1 to 31 characters.
   b. Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ] command to redirect matching traffic to the next hop.
      ip-address specifies the IP address of the next hop to which traffic is redirected.
      interface-type interface-number specifies the type and number of the outbound interface. The number is in the slot number/card number/port number format.
3. Run the following commands to define a traffic policy and associate the classifier with the behavior in the policy.
   a. Run the traffic policy policy-name command in the system view to define a traffic policy and enter the policy view.
      policy-name specifies the name of the traffic policy. The value is a string of 1 to 31 characters.
   b. Run the classifier classifier-name behavior behavior-name [ precedence precedence ] command to specify a behavior for the traffic classifier in the policy.
      classifier-name specifies the name of a traffic classifier. It must already be defined.
      behavior-name specifies the name of a traffic behavior. It must already be defined.
      precedence indicates the priority of the classifier-behavior association. The value is an integer ranging from 1 to 255; the smaller the value, the higher the priority, and associations with a higher priority are processed first. If precedence is not specified, the system evaluates associations in their configuration order.
4. Run the following commands to apply the policy-based route to the interface.
   a. Run the interface interface-type interface-number command in the system view to enter the interface view.
      The interface is inbound interface GE1/0/2 on traffic-injection Router1, as shown in Figure 1.
   b. Run the traffic-policy policy-name inbound command to apply the policy.
      inbound applies the traffic policy to the inbound direction.
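The following is an added example that assembles the four steps above into one complete Router1 configuration and shows how it breaks the loop described earlier (injected traffic being routed back to the cleaning device). It is not taken from the Huawei documentation. Only the command syntax, the interface GE1/0/2 and the Router1/Router2 roles come from the page; the Zone prefix, the ACL number, the classifier/behavior/policy names, the Router2 next-hop address and the outbound interface GE1/0/3 are constructed placeholders, and the acl/rule commands are assumed VRP syntax.

```text
# Added example configuration for traffic-injection Router1 (Huawei NE80E, VRP CLI).
# Assumed values: Zone prefix 192.0.2.0/24, downstream Router2 reachable at
# 198.51.100.2 through GigabitEthernet1/0/3 on Router1.
#
# Without this policy, Router1's routing table resolves 192.0.2.0/24 to the
# cleaning device (the UNR route learned via BGP), so traffic injected on
# GE1/0/2 would be forwarded straight back to the cleaning device: a loop.

system-view

# Step 1: advanced ACL (IPv4 range 2000-4099) matching traffic destined for
# the Zone, and a traffic classifier that references it
acl number 3000
 rule 5 permit ip destination 192.0.2.0 0.0.0.255
 quit
traffic classifier c-inject-to-zone
 if-match acl 3000
 quit

# Step 2: traffic behavior that redirects matching packets to Router2
traffic behavior b-redirect-router2
 redirect ip-nexthop 198.51.100.2 interface GigabitEthernet1/0/3
 quit

# Step 3: traffic policy binding the classifier to the behavior
traffic policy p-unr-inject
 classifier c-inject-to-zone behavior b-redirect-router2 precedence 1
 quit

# Step 4: apply the policy inbound on GE1/0/2, the interface that receives
# the injected traffic from the cleaning device
interface GigabitEthernet1/0/2
 traffic-policy p-unr-inject inbound
 quit
```

Two design points: the ACL matches only the Zone prefix, so any other traffic arriving on GE1/0/2 is still forwarded by the ordinary routing table; and the redirect next hop must be reached through an interface other than the one facing the cleaning device (here GE1/0/3 towards Router2), otherwise the policy merely reproduces the loop it is meant to remove.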