Configuring GRE Traffic Injection

In GRE traffic injection, a tunnel is established between the cleaning device and the traffic-injection router so that traffic is sent directly to the router and finally to the Zone.

Implementation Mechanism

This function is configured on the AntiDDoS.

As shown in Figure 1, Router1 is a traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1 through Router1 GE1/0/1 for cleaning.

Router2 is a traffic-injection router. A GRE tunnel is established between the cleaning device and Router2. A tunnel interface is created on each of them, and the source and destination IP addresses of each tunnel interface are specified. The source IP address of the tunnel interface is the IP address of the actual interface for sending packets, and the destination IP address is the IP address of the actual interface for receiving packets. Cleaned traffic is forwarded to Router2 over the GRE tunnel and finally reaches the Zone.

The source IP address and destination IP address must be routable.

In practice, the traffic-injection router can be either Router2 or another downstream router.

Figure 1 GRE traffic injection

In the BGP traffic-diversion scenario, GRE traffic injection sends injected traffic directly to the downstream router that cannot learn the traffic-diversion route, which avoids loops.

Because GRE traffic injection requires the router to support GRE and basic route forwarding, it is applicable to the scenario where few traffic-injection routers are available. In the scenario where multiple GRE tunnels need to be established between the cleaning device and traffic-injection routers, you are advised to configure dynamic route injection, because configuring static routes is complex.

NOTE:
  • Traffic injection is applied unidirectionally to post-cleaning traffic. Therefore, it does not support the TCP proxy.

  • When you configure GRE injection, do not configure the keepalive command at both ends of the tunnel.

Configuring the Cleaning Device

The following describes how to configure a GRE tunnel on the cleaning device to issue cleaned traffic to the traffic-injection router over the GRE tunnel.

  1. Run the system-view command in the user view to access the system view.
  2. Run the interface tunnel tunnel-number command to create a tunnel interface and access the tunnel interface view.
  3. Run the tunnel-protocol gre command to set the encapsulation mode of the tunnel interface to GRE.
  4. Run the source { interface-type interface-number | source-ip-address } command to set the source IP address of the tunnel interface.

    The value can be the name or IP address of an interface. If the interface name is employed, the value can be GigabitEthernet, POS, Eth-Trunk, or IP-Trunk.

    If the interface IP address is specified, it can be either the IP address of the traffic-injection interface or the loopback address of the cleaning device.

  5. Run the destination dest-ip-address command to set the destination IP address of the tunnel interface.

    The destination IP address of the tunnel interface must be different from its source IP address.

    The specified destination IP address is the IP address of the interface on Router2.

  6. Run the ip address ip-address { mask | mask-length } command to set the IP address of the tunnel interface.

    The IP address of the tunnel interface can be specified as any IP address. When the route that marks packets forwarded by the tunnel interface is generated through the dynamic routing protocol, the IP addresses of the interfaces at both ends of the GRE tunnel must reside on the same network segment.

  7. Run the firewall zone [ name ] zone-name command in the system view to access the security zone view.
  8. Run the add interface tunnel tunnel-number command to add the tunnel interface to the security zone.

    The tunnel interface can be added to any security zone. When the tunnel interface and the interface to which the source IP address belongs are not in the same security zone, configure interzone packet filtering to enable communication between two security zones.

  9. Run the following command to configure policy-based routing (PBR).

    policy-based-route
    rule name rule-name
    ingress-interface { interface-type interface-number }
    destination-address { ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length }
    action pbr egress-interface interface-type interface-number

    Configure PBR on the cleaning device and send the diversion traffic to the tunnel interface for forwarding. In this way, cleaned traffic can enter the GRE tunnel and be forwarded to the correct GRE tunnel destination.

NOTE:
To perform IP ping tests on the two sides of a GRE tunnel, run the firewall gre inner hash enable command.

Configuring the Router

The following uses Huawei NE80E as an example for describing how to configure the router in GRE traffic injection.

  1. Run the system-view command in the user view to access the system view.
  2. Run the interface tunnel tunnel-number command to create a tunnel interface and access the tunnel interface view.
  3. Run the tunnel-protocol gre command to set the encapsulation mode of the tunnel interface to GRE.
  4. Run the source { source-ip-address | loopback interface-number } command to set the source IP address of the tunnel interface or source interface.

  5. Run the destination dest-ip-address command to set the destination IP address of the tunnel interface.

    The destination IP address of the tunnel interface must be different from its source IP address.

    The specified destination IP address can be the IP address or loopback address of the traffic-injection interface on the cleaning device.

  6. Run the ip address ip-address { mask | mask-length } command to set the IP address of the tunnel interface.

    The IP address of the tunnel interface can be specified as any IP address. When the route that marks packets forwarded by the tunnel interface is generated through the dynamic routing protocol, the IP addresses of the interfaces at both ends of the GRE tunnel must reside on the same network segment.
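
The two procedures above, tied together in an added example (not Huawei's code): a small Python check that reads the tunnel configuration of both ends and reports violations of the rules this page states. The tunnel number, all addresses (documentation ranges) and the names parse and check_pair are constructed for illustration; source is assumed to be given as an IP address rather than an interface name, and the keepalive note is applied literally (flagged when present at both ends).

```python
import ipaddress

# Constructed sample configs (documentation addresses, not from the page).
CLEANER = """
interface tunnel 1
 tunnel-protocol gre
 source 192.0.2.1
 destination 198.51.100.1
 ip address 10.10.10.1 255.255.255.252
"""
ROUTER = """
interface tunnel 1
 tunnel-protocol gre
 source 198.51.100.1
 destination 192.0.2.1
 ip address 10.10.10.2 255.255.255.252
"""

def parse(cfg):
    """Extract the tunnel fields that the procedure on this page sets."""
    out = {"gre": False, "keepalive": False}
    for line in cfg.splitlines():
        words = line.split()
        if words[:2] == ["tunnel-protocol", "gre"]:
            out["gre"] = True
        elif words[:1] == ["keepalive"]:
            out["keepalive"] = True
        elif words[:1] in (["source"], ["destination"]) and len(words) == 2:
            out[words[0]] = ipaddress.ip_address(words[1])
        elif words[:2] == ["ip", "address"] and len(words) == 4:
            out["ifaddr"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return out

def check_pair(cleaner_cfg, router_cfg, dynamic_routing=True):
    """Return a list of violations of the rules stated in the procedure."""
    c, r = parse(cleaner_cfg), parse(router_cfg)
    problems = []
    for name, end in (("cleaner", c), ("router", r)):
        if not end["gre"]:
            problems.append(f"{name}: tunnel-protocol gre missing")
        if end.get("source") == end.get("destination"):
            problems.append(f"{name}: source missing or equal to destination")
    # Each end's destination must be the other end's source.
    if (c.get("source"), c.get("destination")) != (r.get("destination"), r.get("source")):
        problems.append("endpoints not mirrored")
    # Same-segment rule applies only when the route comes from dynamic routing.
    if dynamic_routing and (None in (c.get("ifaddr"), r.get("ifaddr"))
                            or c["ifaddr"].network != r["ifaddr"].network):
        problems.append("tunnel IPs on different segments")
    if c["keepalive"] and r["keepalive"]:
        problems.append("keepalive configured at both ends")
    return problems
```

Calling check_pair(CLEANER, ROUTER) on the sample pair returns an empty list; pass dynamic_routing=False when the injection route is static, in which case the tunnel interface addresses are not compared.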


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.