Configuring BGP Traffic Diversion (CLI)

This section describes how to configure BGP traffic diversion.

Implementation Mechanism

As shown in Figure 1, a traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device; GE2/0/1 serves as the traffic-diversion (cleaning) interface and GE2/0/2 as the traffic-injection interface. After a traffic-diversion task is configured, a 32-bit host route, the UNR route, is generated on the cleaning device. Configure BGP on both the cleaning device and Router1, and import the UNR route into BGP on the cleaning device so that BGP advertises it to Router1.

Figure 1 BGP traffic diversion

The following uses automatic traffic diversion and Zone 1.1.1.1/32 as an example to illustrate the mechanism of BGP traffic diversion:

  1. When the traffic destined for Zone 1.1.1.1/32 becomes abnormal, the ATIC Management center automatically delivers a traffic-diversion task to the cleaning device. The cleaning device then generates a 32-bit host route (the UNR route). Its destination is 1.1.1.1/32 and its next hop is GE1/0/2 on Router1, which is directly connected to the traffic-injection interface on the cleaning device.
  2. A BGP peer relationship is established between GE2/0/1 on the cleaning device and GE1/0/1 on Router1. The cleaning device advertises the generated UNR route to Router1 through BGP.
  3. When the route arrives on Router1, the destination is still 1.1.1.1/32, but the next hop now points to GE2/0/1 on the cleaning device.
  4. When Router1 receives packets destined for 1.1.1.1/32, the routing table lookup selects this /32 route by longest prefix match, so Router1 forwards the packets out of GE1/0/1 to GE2/0/1 on the cleaning device. This is the traffic diversion.
NOTE:
  • The User Network Route (UNR) is a type of private route. Like the public route types, such as BGP, OSPF and other IGP, static, and direct routes, a UNR can be added to the routing table and used for packet forwarding.
  • To prevent traffic-diversion failures, ensure that the diversion route has the highest priority on the router. The /32 always wins over the Zone's aggregate prefix by longest prefix match, but another route to the same /32 from a protocol with a better preference (for example, a static host route) would override the BGP route, and the traffic would not be diverted.
With this mechanism, the 32-bit host route is generated on the cleaning device only when both the CLI configuration and the ATIC Management center configuration are in place. Perform the following:
  1. Run the firewall ddos bgp-next-hop { ip-address | ipv6 ipv6-address } command on the cleaning device to configure the next-hop address used when generating the route, that is, the IP address of GE1/0/2 on Router1, which is directly connected to the traffic-injection interface on the cleaning device.
  2. On the ATIC Management center GUI, select a traffic-diversion mode for the Zone so that traffic-diversion tasks are generated dynamically. For details, see Configuring a Defense Mode. Alternatively, create a static traffic-diversion task. For details, see Configuring BGP Traffic Diversion (ATIC).

    After the generated traffic-diversion task is delivered to the cleaning device, the corresponding command is displayed in its configuration, that is, firewall ddos traffic-diversion [ vpn-instance vpn-instance-name ] ip ip-address [ mask | mask-length ] [ ip-link name ] or firewall ddos traffic-diversion [ vpn6-instance vpn6-instance-name ] ipv6 ipv6-address [ mask-length ].

After the two preceding steps are complete, a UNR route is generated on the cleaning device. For example, assume that the automatic traffic-diversion mode is configured for Zone 1.1.1.1/32 in the ATIC Management center and the firewall ddos bgp-next-hop 2.2.2.2 command is configured on the cleaning device. When the detecting device detects an anomaly in the traffic destined for 1.1.1.1/32, a UNR route with destination 1.1.1.1/32 and next hop 2.2.2.2 is generated on the cleaning device.

The generated UNR route also serves traffic injection: the cleaning device uses it to send cleaned traffic to GE1/0/2 on Router1. Router1 would then match that traffic against the /32 it learned through BGP and send it back to the cleaning device, forming a loop. To prevent this, configure a policy-based route on GE1/0/2 that forwards the injected traffic to downstream Router2 and on to the Zone.

In some deployments, for example when multiple traffic-diversion links are used, the UNR route generated by the cleaning device must be filtered so that it is not delivered to the FIB, where it would override the injection path. In this case, configure another traffic-injection method to return the cleaned traffic to the original link.

Run the following command on the cleaning device to filter the UNR route:

[sysname] firewall ddos bgp-next-hop fib-filter [ ipv6 ]

Determine whether to configure this command based on the actual deployment:

  • When the cleaning device injects cleaned traffic to the access router based on the generated UNR route itself (that is, using the next hop set with firewall ddos bgp-next-hop), do not configure the command.
  • When static-route traffic injection is adopted, configure the command to prevent the generated UNR route from overriding the static routes.
  • When GRE traffic injection is adopted, configure the command to prevent the generated UNR route from affecting GRE forwarding.
  • When MPLS LSP traffic injection is adopted, configure the command to prevent the generated UNR route from affecting MPLS forwarding.
  • When MPLS VPN traffic injection is adopted, configure the command to prevent the generated UNR route from affecting MPLS forwarding.
  • When multiple traffic-injection links exist and the cleaning device learns the route to the Zone through a routing protocol such as OSPF, configure the command to prevent the generated UNR route from overriding the OSPF route.
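
The forwarding behaviour described in this section can be checked with the following model. It is an added example, not code from this document or from the cleaning device: it models Router1's longest-prefix-match lookup, the /32 learned from the cleaning device over BGP, the policy-based route on GE1/0/2 that stops injected traffic from looping, the NOTE about a better-preferred competing route, and the effect of firewall ddos bgp-next-hop fib-filter. The addresses 7.7.2.2 and 2.2.2.0/24 come from the Task Example later on this page; 7.7.1.1 (GE2/0/1 on the cleaning device), 7.7.3.2 (Router2), 10.0.0.2 (a separate injection link) and the route preference values are assumptions made for the model.

```python
"""Forwarding model for BGP traffic diversion: Router1's longest-prefix-match
lookup, the /32 learned from the cleaning device, the policy-based route on
GE1/0/2 that stops injected traffic from looping, and the effect of
'firewall ddos bgp-next-hop fib-filter'. Added example, not device code."""
import ipaddress
from dataclasses import dataclass

# From the Task Example on this page:
ROUTER1_GE1_0_2 = "7.7.2.2"     # next hop set with 'firewall ddos bgp-next-hop'
ZONE, ATTACKED_HOST = "2.2.2.0/24", "2.2.2.2/32"
# Assumed for the model (the page does not give these addresses):
CLEANER_GE2_0_1 = "7.7.1.1"     # traffic-diversion interface of the cleaning device
ROUTER2 = "7.7.3.2"             # downstream router towards the Zone
ALT_INJECTION_HOP = "10.0.0.2"  # next hop of a separate static injection link
# Route preferences, lower wins (assumed, modelled on VRP defaults; protocols
# not listed here get the worst preference in this model).
PREF = {"direct": 0, "static": 60, "ibgp": 255}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    protocol: str

    @property
    def preference(self) -> int:
        return PREF.get(self.protocol, 255)


class Fib:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, protocol):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, protocol))

    def lookup(self, dst):
        """Longest prefix match; equal lengths are decided by preference."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        if not hits:
            return None
        return min(hits, key=lambda r: (-r.prefix.prefixlen, r.preference))


class Router1:
    def __init__(self):
        self.fib = Fib()
        self.fib.add(ZONE, ROUTER2, "static")  # normal path to the Zone
        self.pbr = {}                          # ingress interface -> forced next hop

    def receive_bgp_diversion(self, host_prefix):
        """The /32 advertised by the cleaning device; next hop is its GE2/0/1."""
        self.fib.add(host_prefix, CLEANER_GE2_0_1, "ibgp")

    def forward(self, dst, ingress):
        if ingress in self.pbr:  # the policy-based route is applied before the FIB
            return self.pbr[ingress]
        route = self.fib.lookup(dst)
        return route.next_hop if route else None


class CleaningDevice:
    def __init__(self, fib_filter=False):
        self.fib_filter = fib_filter  # 'firewall ddos bgp-next-hop fib-filter'
        self.fib = Fib()
        self.advertised = []          # UNR routes imported into BGP

    def traffic_diversion_task(self, host_prefix):
        """A delivered task creates the UNR route towards Router1's GE1/0/2."""
        unr = Route(ipaddress.ip_network(host_prefix), ROUTER1_GE1_0_2, "unr")
        self.advertised.append(unr)   # always imported into BGP for Router1
        if not self.fib_filter:       # used for forwarding only without fib-filter
            self.fib.routes.append(unr)
        return unr

    def inject(self, dst):
        route = self.fib.lookup(dst)
        return route.next_hop if route else None


def run_scenario():
    """Next hop chosen at each step of the diversion, keyed by step name."""
    out = {}
    r1 = Router1()
    out["before_diversion"] = r1.forward("2.2.2.2", "GE1/0/3")
    cleaner = CleaningDevice()
    cleaner.traffic_diversion_task(ATTACKED_HOST)
    r1.receive_bgp_diversion(ATTACKED_HOST)
    out["attacked_host"] = r1.forward("2.2.2.2", "GE1/0/3")    # to the cleaning device
    out["other_zone_host"] = r1.forward("2.2.2.3", "GE1/0/3")  # only the /32 is diverted
    out["cleaner_injects_to"] = cleaner.inject("2.2.2.2")      # back to GE1/0/2 on Router1
    out["injected_without_pbr"] = r1.forward("2.2.2.2", "GE1/0/2")  # hits the /32 again: loop
    r1.pbr["GE1/0/2"] = ROUTER2
    out["injected_with_pbr"] = r1.forward("2.2.2.2", "GE1/0/2")
    r1.fib.add(ATTACKED_HOST, ROUTER2, "static")  # a better-preferred /32 defeats diversion
    out["competing_static_host_route"] = r1.forward("2.2.2.2", "GE1/0/3")
    filtered = CleaningDevice(fib_filter=True)
    filtered.fib.add(ZONE, ALT_INJECTION_HOP, "static")  # separate static injection link
    filtered.traffic_diversion_task(ATTACKED_HOST)
    out["fib_filter_injects_to"] = filtered.inject("2.2.2.2")
    out["fib_filter_still_advertised"] = len(filtered.advertised) == 1
    return out
```

Running run_scenario() shows the three points the section makes: only the attacked /32 is pulled to the cleaning device while the rest of the Zone keeps its normal path; injected traffic arriving on GE1/0/2 loops back to the cleaning device unless the policy-based route is in place; and a static /32 on Router1 with a better preference silently defeats the diversion. With fib_filter set, the UNR route is still advertised but the cleaning device injects over its separate static link instead.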

Configuring the Cleaning Device

Perform the following on the cleaning device to implement BGP traffic diversion:

  1. Run the system-view command in the user view to access the system view.
  2. Run the firewall ddos bgp-next-hop { ip-address | ipv6 ipv6-address } command to configure the next-hop address for dynamically generating a route.

    ip-address specifies the next hop of the traffic-injection interface on the cleaning device, that is, the IP address of the router interface directly connected to the traffic-injection interface. Do not specify the address of the interface on the cleaning device itself.

    Only one next-hop address can be configured on the cleaning device. If the command is run multiple times, the new address overwrites the existing one.

  3. (Optional) Run the firewall ddos bgp-next-hop fib-filter [ ipv6 ] command to filter the generated UNR route out of the FIB.

    After this command is configured, the dynamically generated UNR route is not delivered to the FIB, so it does not affect forwarding on the cleaning device.

  4. (Optional) Run the following commands to configure the BGP community attribute.

    NOTE:

    Configure the community attribute according to the networking. In normal cases, to avoid loops, you are advised to configure this filtering policy so that Router1 does not advertise the diverted /32 to any other peer.

    1. Run the route-policy route-policy-name { permit | deny } node node command in the system view to create a route-policy and enter the route-policy view.
    2. Run the apply community no-advertise command to tag matched routes with the no-advertise community, so that the peer receiving them does not advertise them to any other peer.
    3. Run the quit command to return to the system view.
    4. Run the bgp { as-number-plain | as-number-dot } command to enable BGP (by specifying the local AS number) and access the BGP view.

      as-number specifies an AS number. The value ranges from 1 to 65535.

    5. Run the ipv4-family unicast command to access the IPv4 unicast address family view.
    6. Run the peer { ipv4-address | group-name } advertise-community command to advertise the standard community attribute to the peer or peer group.
    7. Run the peer { ipv4-address | group-name } route-policy route-policy-name export command to apply the route-policy in the outbound direction.
  5. Run the following commands to configure BGP to advertise the dynamically generated route.

    1. Run the bgp { as-number-plain | as-number-dot } command to access the BGP view.
    2. (Optional) Run the ipv4-family vpn-instance vpn-instance-name command to access the BGP-VPN instance view.

      When MPLS VPN traffic injection is adopted and the cleaning device serves as a PE, bind a VPN instance to the traffic-diversion interface. In BGP traffic-diversion mode, configure the BGP peer in the BGP-VPN instance view.

    3. Run the peer ipv4-address as-number { as-number-plain | as-number-dot } command to set an IP address for the BGP peer and the number of the AS to which the BGP peer belongs.

      The specified as-number must be the same as the local AS number.

      ipv4-address specifies the IP address of the peer interface directly connected to the cleaning device, that is, the address of GE1/0/1 on Router1.

    4. Run the import-route unr [ med med | route-policy route-policy-name ] * command to configure BGP to import the UNR route.

      After this command is configured, the system imports the generated UNR route to BGP and advertises the route to the router through BGP, implementing traffic diversion.

Task Example

As shown in Figure 2, the detecting device and cleaning device are deployed off-line on the network to detect and clean the traffic destined for the Zone. BGP traffic diversion is configured on the cleaning device. When the detecting device identifies an anomaly, it reports an exception log to the ATIC Management center, which then automatically delivers a traffic-diversion policy to the cleaning device so that the traffic destined for the attacked address is diverted to the cleaning device. The cleaning device cleans the diverted traffic and injects the normal traffic back onto the original link.

Figure 2 Example for configuring BGP traffic diversion

Assume that the Zone is 2.2.2.0/24. When the traffic destined for 2.2.2.2/32 becomes abnormal, perform the following so that such traffic is automatically diverted to the cleaning device for cleaning:

  1. On the cleaning device, configure the next-hop address for dynamically generating a route.

    <sysname> system-view
    [sysname] firewall ddos bgp-next-hop 7.7.2.2

    7.7.2.2 indicates the IP address of GE1/0/2 on the router directly connected to the traffic-injection interface on the cleaning device.

  2. In the ATIC Management center, choose Defense > Policy Settings > Zone and set the IP address of the Zone to 2.2.2.0/24.
  3. In the ATIC Management center, choose Defense > Policy Settings > Zone and set the traffic-diversion mode of the Zone to Automatic.
  4. When the traffic destined for 2.2.2.2/32 in the Zone becomes abnormal, the ATIC Management center automatically delivers a traffic-diversion task to the cleaning device. The cleaning device then generates a UNR route to 2.2.2.2/32 with next hop 7.7.2.2 and delivers it to the FIB. Cleaned traffic matching this entry is forwarded to GE1/0/2 on Router1.

    When MPLS or GRE traffic injection is used, run the firewall ddos bgp-next-hop fib-filter command to prevent the generated UNR route from being delivered to the FIB, so that MPLS or GRE forwarding is not disrupted.

  5. Configure the BGP community attribute and advertise the dynamically generated route.

    [sysname] route-policy 1 permit node 1
    [sysname-route-policy] apply community no-advertise
    [sysname-route-policy] quit
    [sysname] bgp 100
    [sysname-bgp] peer 7.7.1.2 as-number 100
    [sysname-bgp] import-route unr
    [sysname-bgp] ipv4-family unicast
    [sysname-bgp-af-ipv4] peer 7.7.1.2 route-policy 1 export
    [sysname-bgp-af-ipv4] peer 7.7.1.2 advertise-community
    [sysname-bgp-af-ipv4] quit
    [sysname-bgp] quit

    After the preceding configuration is complete, the system imports the generated UNR route into BGP and advertises it to Router1, implementing traffic diversion.
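
The following added example (not code from this document or from Huawei) shows what the configuration above puts on the wire and how Router1 treats it. It builds the BGP UPDATE the cleaning device sends for 2.2.2.2/32 after import-route unr, with the NO_ADVERTISE community that apply community no-advertise attaches and that peer ... advertise-community allows to be sent, then decodes it and applies the receiving router's export check for the well-known communities (RFC 1997; message layout per RFC 4271). The next hop 7.7.1.1 is an assumed address for GE2/0/1 on the cleaning device, which the page does not give; the peer address 7.7.1.2 of Router1 is from the example above.

```python
"""The BGP UPDATE the cleaning device sends for a diverted /32, carrying the
NO_ADVERTISE community set by 'apply community no-advertise', and the export
check Router1 applies on receipt. Encoding per RFC 4271, communities per
RFC 1997. Added example, not device code."""
import struct
import ipaddress

NO_EXPORT, NO_ADVERTISE = 0xFFFFFF01, 0xFFFFFF02   # well-known community values
ORIGIN, AS_PATH, NEXT_HOP, COMMUNITIES = 1, 2, 3, 8  # path attribute type codes
WELL_KNOWN = 0x40           # well-known transitive attribute flags
OPTIONAL_TRANSITIVE = 0xC0  # COMMUNITIES is optional transitive
UPDATE = 2                  # BGP message type


def _attr(flags, code, value):
    # One-byte length form is sufficient for these small attributes.
    return struct.pack("!BBB", flags, code, len(value)) + value


def _nlri(prefix):
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def build_update(prefix, next_hop, communities=()):
    """Full UPDATE: 16-byte marker, length, type, withdrawn routes, attributes, NLRI."""
    attrs = _attr(WELL_KNOWN, ORIGIN, b"\x02")   # INCOMPLETE: route imported with import-route
    attrs += _attr(WELL_KNOWN, AS_PATH, b"")      # empty: locally originated, sent to an IBGP peer
    attrs += _attr(WELL_KNOWN, NEXT_HOP, ipaddress.ip_address(next_hop).packed)
    if communities:
        attrs += _attr(OPTIONAL_TRANSITIVE, COMMUNITIES,
                       b"".join(struct.pack("!I", c) for c in communities))
    body = struct.pack("!HH", 0, len(attrs)) + attrs + _nlri(prefix)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), UPDATE) + body


def parse_update(msg):
    """Decode an UPDATE into next hop, origin, communities and advertised prefixes."""
    if msg[:16] != b"\xff" * 16:
        raise ValueError("bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != UPDATE or length != len(msg):
        raise ValueError("not a well-formed UPDATE")
    body = msg[19:]
    withdrawn_len, = struct.unpack("!H", body[:2])
    pos = 2 + withdrawn_len
    attrs_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    attrs_end = pos + attrs_len
    attrs = {}
    while pos < attrs_end:
        flags, code = body[pos], body[pos + 1]
        if flags & 0x10:  # extended-length bit: two-byte length
            vlen, = struct.unpack("!H", body[pos + 2:pos + 4])
            pos += 4
        else:
            vlen = body[pos + 2]
            pos += 3
        attrs[code] = body[pos:pos + vlen]
        pos += vlen
    nlri = []
    while pos < len(body):
        plen = body[pos]
        nbytes = (plen + 7) // 8
        raw = body[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
        nlri.append(f"{ipaddress.IPv4Address(raw)}/{plen}")
        pos += 1 + nbytes
    raw_comms = attrs.get(COMMUNITIES, b"")
    return {
        "next_hop": str(ipaddress.IPv4Address(attrs[NEXT_HOP])),
        "origin": attrs[ORIGIN][0],
        "communities": [struct.unpack("!I", raw_comms[i:i + 4])[0]
                        for i in range(0, len(raw_comms), 4)],
        "nlri": nlri,
    }


def may_advertise(route, to_external_peer):
    """Receiving router's export check for the well-known communities."""
    comms = route["communities"]
    if NO_ADVERTISE in comms:
        return False          # not advertised to any peer at all
    if NO_EXPORT in comms and to_external_peer:
        return False          # kept inside the local AS
    return True


def diversion_exchange(with_policy=True):
    """Cleaning device -> Router1 UPDATE for 2.2.2.2/32 and Router1's export decisions.
    7.7.1.1 is an assumed address for GE2/0/1 on the cleaning device."""
    comms = (NO_ADVERTISE,) if with_policy else ()
    route = parse_update(build_update("2.2.2.2/32", "7.7.1.1", comms))
    return {"route": route,
            "installs_host_route": route["nlri"] == ["2.2.2.2/32"],
            "readvertise_to_ibgp": may_advertise(route, False),
            "readvertise_to_ebgp": may_advertise(route, True)}
```

diversion_exchange() decodes a route for 2.2.2.2/32 with next hop 7.7.1.1 that Router1 installs but must not pass on to any IBGP or EBGP peer; diversion_exchange(with_policy=False) shows that without the route-policy the same /32 would be eligible for re-advertisement, which is why the section recommends the no-advertise filtering policy.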

Configuring the Router

The following uses the Huawei NE80E as an example to describe the BGP-related configuration of the router. Perform the following on Router1 so that it works with the cleaning device to implement BGP traffic diversion.

  1. Run the system-view command to access the system view.
  2. Run the bgp as-number command to access the BGP view.
  3. Run the peer ipv4-address as-number as-number command to specify the IP address of the BGP peer and the number of the AS to which the peer belongs.

    The peer relationship can be IBGP or EBGP. In the task example in this section, the cleaning device and Router1 use the same AS number (100), that is, an IBGP peer relationship.

    ipv4-address specifies the IP address of the peer interface directly connected to Router1, that is, the address of GE2/0/1 on the cleaning device.


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.