Layer-2 Injection

In Layer-2 injection, the cleaning device injects the cleaned traffic into the Zone in Layer 2 mode instead of by routed (Layer 3) forwarding.

Implementation Mechanism

This function is configured on the AntiDDoS.

As shown in Figure 1, interface E1/1 on the core switch is directly connected to interface GE1/0/1 on the cleaning device. This single link carries both traffic diversion and traffic injection. Two VLANs, for example VLAN1 and VLAN2, are created on the switch. Two sub-interfaces on the cleaning device are associated with VLAN1 and VLAN2 for traffic diversion and traffic injection respectively. Traffic is diverted to the cleaning device for cleaning over VLAN1 of the core switch. After cleaning is complete, the cleaning device requests the MAC address of the Zone by sending an ARP request packet, and the Zone answers with an ARP reply packet. The cleaning device then injects the traffic to the Zone at Layer 2 based on that MAC address.

Figure 1 Layer 2 injection

Layer 2 injection is applicable to the scenario where only a Layer 2 forwarding device exists between the core switch and the Zone.

Configuring the Cleaning Device

The VLAN function is configured on the cleaning device so that injected traffic is forwarded through the VLAN.

  1. Run the system-view command to access the system view.
  2. Run the interface interface-type interface-number.subinterface-number command to access the Ethernet sub-interface view.
  3. Run the vlan-type dot1q vlan-id command to set the encapsulation type and VLAN ID of the sub-interface.

    By default, a sub-interface is not encapsulated with 802.1Q and is not associated with any VLAN.

  4. Run the ip address ip-address { mask | mask-length } [ sub ] command to set an IP address for the sub-interface.

NOTE:

In Layer-2 injection, if subinterfaces are used for traffic injection, anti-DDoS policies are configured on subinterfaces. If VLANIF interfaces are used for traffic injection, anti-DDoS policies are configured on corresponding physical interfaces.

Configuring the Core Switch

The following uses a Huawei S9300 as an example to describe how to configure the core switch.

  1. Run the system-view command to access the system view.
  2. Run the vlan vlan-id command to create VLANs.
  3. Run the quit command to return to the system view.
  4. Run the interface interface-type interface-number command to access the Ethernet interface view.
  5. Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to set the link type of the Layer 2 Ethernet interface.
  6. Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> | all } command to configure the VLANs that are permitted by the trunk interface.
  7. Run the quit command to return to the system view.
  8. Run the interface vlanif vlan-id command to create a VLAN interface.
  9. Run the ip address ip-address { mask | mask-length } [ sub ] command to set an IP address for the VLAN interface.
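As an added worked example (not taken from this document or from a real deployment), the two procedures above applied to the topology in Figure 1. It assumes VLAN 10 for diversion and VLAN 20 for injection (the page's VLAN1/VLAN2 are placeholders), sub-interfaces GE1/0/1.1 and GE1/0/1.2 on the cleaning device, and constructed addresses 10.1.1.0/24 (diversion link) and 10.1.2.0/24 (Zone subnet); lines beginning with # are annotations, not commands.

```text
# ---------- Cleaning device (AntiDDoS) ----------
system-view
# Diversion sub-interface: receives traffic diverted from the core switch
interface GigabitEthernet1/0/1.1
 vlan-type dot1q 10
 ip address 10.1.1.2 255.255.255.0
 quit
# Injection sub-interface: must sit in the Zone's own VLAN/subnet so that the
# device can ARP for the Zone's MAC and forward to it at Layer 2
interface GigabitEthernet1/0/1.2
 vlan-type dot1q 20
 ip address 10.1.2.254 255.255.255.0
 quit
# Per the NOTE above: with sub-interface injection, anti-DDoS policies are
# bound to these sub-interfaces, not to the physical GE1/0/1 port.

# ---------- Core switch (Huawei S9300) ----------
system-view
vlan 10
 quit
vlan 20
 quit
# E1/1 faces the cleaning device and carries both VLANs as a trunk
interface Ethernet1/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
 quit
# VLANIF 10 is the switch-side endpoint of the diversion VLAN; the
# diversion route (not covered here) points at 10.1.1.2 as next hop
interface Vlanif 10
 ip address 10.1.1.1 255.255.255.0
 quit
# VLAN 20 is bridged toward the Zone; the Zone-facing port (not shown)
# must also be a member of VLAN 20 so injected frames reach the Zone at
# Layer 2 without being routed again by the switch.
```

Check that the diversion and injection VLANs differ and that both are in the trunk's allow-pass list; if the injection VLAN is missing from the trunk, cleaned traffic is silently dropped at E1/1.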

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.