BGP FlowSpec VRF에서 VRF로의 리디렉션 구성

소개

이 문서에서는 BGP Flowspec VRF에서 VRF로의 리디렉션을 구성하는 방법에 대해 설명합니다.

요구 사항

• 작동하는 MPLS 지원 IGP 구현
• 작동하는 VPNv4 구현

사용되는 구성 요소

이 테스트는 Cisco IOS XR 버전 7.8.2를 실행하는 Cisco ASR 9000 Series Aggregation Services Router에서 수행되었습니다

이 문서의 정보는 특정 랩 환경의 디바이스를 토대로 작성되었습니다. 이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다. 현재 네트워크가 작동 중인 경우 모든 명령의 잠재적인 영향을 미리 숙지하시기 바랍니다.

BGP 흐름 사양(Flowspec) 기능을 사용하면 수많은 BGP 피어 라우터 간에 필터링 및 폴리싱 기능을 신속하게 배포하고 전파하여 네트워크를 통한 DDoS(Distributed Denial-of-Service) 공격의 영향을 완화할 수 있습니다.

구성

네트워크 다이어그램

그림 1 관련 IP 주소의 네트워크 다이어그램. 

설정

FlowSpec 클라이언트 PE3 구성

vrf 64501_internet
address-family ipv4 unicast
  import route-target
   64501:100
  !
  export route-target
   64501:100
  !
!
address-family ipv4 flowspec   <<<<<  Since traffic ingresses on a VRF interface we need to enable VPNV4 flowspec RTs
  import route-target
   64501:100
  !
  export route-target
   64501:100
  !
!
vrf 64501_flowspec       <<<< The honeypot VRF to redirect dirty traffic to
address-family ipv4 unicast
  import route-target
   64501:200
  !
  export route-target
   64501:200
  !
!
interface Bundle-Ether1.100
vrf 64501_internet
ipv4 address 198.51.100.1 255.255.255.0
encapsulation dot1q 100
!
flowspec
vrf 64501_internet
  address-family ipv4
   local-install interface-all   <<<< To install VPNV4 flowspec policies on the vrf interface
  !
!
router bgp 64501
bgp router-id 10.3.3.3
address-family vpnv4 unicast
 !
address-family vpnv4 flowspec   <<<< Enable VPNV4 flowspec on global BGP
!
neighbor 10.51.51.51
  remote-as 64501
  update-source Loopback0
  address-family vpnv4 unicast
   soft-reconfiguration inbound always
  !
  address-family vpnv4 flowspec  <<<<
   soft-reconfiguration inbound always
  !
vrf 64501_internet
  rd 64501:103
  address-family ipv4 unicast
   redistribute connected
  !
  address-family ipv4 flowspec   <<<< Enable VPNV4 on the VRF for which we are going to receive policies
  !
!
vrf 64501_flowspec     <<<< This is just the honeypot VRF to redirect the dirty traffic to
  rd 64501:203
  address-family ipv4 unicast
  !
!
router static
vrf 64501_flowspec
  address-family ipv4 unicast
   0.0.0.0/0 192.168.0.1    <<<< We need a default route on the honeypot VRF to be able to forward the redirected traffic
  !
!

Flowspec 서버 PE4 구성

vrf 64501_internet
address-family ipv4 unicast
  import route-target
   64501:100
  !
  export route-target
   64501:100
  !
!
address-family ipv4 flowspec    <<<<<< We are going to advertise VPNV4 flowspec policies for this VRF we need RTs
  import route-target
   64501:100
  !
  export route-target
   64501:100
  !
!
vrf 64501_flowspec    <<<< The honeypot VRF to redirect dirty traffic to
address-family ipv4 unicast
  import route-target
   64501:200
  !
  export route-target
   64501:200
  !
!
interface Loopback100   <<<< Traffic destination prefix for testing
vrf 64501_internet
ipv4 address 203.0.113.1 255.255.255.0
!
interface Loopback200   <<<< Just for testing purposes, this is where we are redirecting the traffic to in the honeypot vrf
vrf 64501_flowspec
ipv4 address 192.168.0.1 255.255.255.255
!
class-map type traffic match-all 64501_flow
match source-address ipv4 198.51.100.2 255.255.255.255
end-class-map
!
policy-map type pbr 64501_flow
class type traffic 64501_flow
  redirect nexthop route-target 64501:200   <<<< honeypot vrf 64501_flowspec  RT
!
 class type traffic class-default
 !
 end-policy-map
!
flowspec
vrf 64501_internet
  address-family ipv4
   service-policy type pbr 64501_flow       <<<< Advertise the policy within the VRF context in the server
  !
!
router bgp 64501
bgp router-id 10.4.4.4
address-family vpnv4 unicast
!
address-family vpnv4 flowspec    <<<< Enable VPNV4 flowspec on global BGP
!
neighbor 10.51.51.51
  address-family vpnv4 unicast
   soft-reconfiguration inbound always
  !
  address-family vpnv4 flowspec    <<<<
   soft-reconfiguration inbound always
  !
!
vrf 64501_internet
  rd 64501:104
  address-family ipv4 unicast
   redistribute connected
  !
  address-family ipv4 flowspec  <<<< Enable VPNV4 on the VRF for which we are going to advertise policies
  !
!
vrf 64501_flowspec <<<< This is just the honeypot VRF to redirect the dirty traffic to
  rd 64501:204
  address-family ipv4 unicast
   redistribute connected
  !
!

RR P51 컨피그레이션

router bgp 64501
bgp router-id 10.51.51.51
address-family vpnv4 unicast
!
address-family vpnv4 flowspec
!
neighbor 10.3.3.3
  remote-as 64501
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
   soft-reconfiguration inbound always
  !
  address-family vpnv4 flowspec
   route-reflector-client
   soft-reconfiguration inbound
  !
!
neighbor 10.4.4.4
  remote-as 64501
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
   soft-reconfiguration inbound always
  !
  address-family vpnv4 flowspec
   route-reflector-client
   soft-reconfiguration inbound
  !
!

다음을 확인합니다.

RP/0/RP0/CPU0:PE3#show flowspec vrf 64501_internet ipv4 detail                    
Tue Oct  1 16:54:51.990 CDT
VRF: 64501_internet     AFI: IPv4
  Flow           :Source:198.51.100.2/32
    Actions      :Redirect: VRF 64501_flowspec Route-target: ASN2-64501:200  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                   5/610 <<<<<<<               
      Dropped             :                   0/0   

RP/0/RP0/CPU0:PE3#show bgp vpnv4 flowspec                                        
Tue Oct  1 16:54:57.352 CDT
BGP router identifier 10.3.3.3, local AS number 64501
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0
BGP main routing table version 7
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 64501:103 (default for vrf 64501_internet)
Route Distinguisher Version: 7
*>iSource:198.51.100.2/32/48
                      0.0.0.0                       100      0 i
Route Distinguisher: 64501:104
Route Distinguisher Version: 6
*>iSource:198.51.100.2/32/48
                      0.0.0.0                       100      0 i
Processed 2 prefixes, 2 paths

RP/0/RP0/CPU0:PE3#show bgp vpnv4 flowspec vrf 64501_internet Source:198.51.100.2/32/48
BGP routing table entry for Source:198.51.100.2/32/48, Route Distinguisher: 64501:103
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                   7            7
Last Modified: Oct  1 16:52:12.083 for 00:02:55
Paths: (1 available, best #1)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Not advertised to any peer
  Local, (received & used
    0.0.0.0 from 10.51.51.51 (10.4.4.4)
      Origin IGP, localpref 100, valid, internal, best, group-best, import-candidate, imported
      Received Path ID 0, Local Path ID 1, version 7
      Extended community: FLOWSPEC Redirect-RT:64501:200 RT:64501:100    <<<<<<
      Originator: 10.4.4.4, Cluster list: 0.0.253.233
      Source AFI: VPNv4 Flowspec, Source VRF: default, Source Route Distinguisher: 64501:104

패킷 캡처를 통해 서비스 MPLS 레이블을 관찰하여 패킷이 리디렉션되고 있음을 확인할 수 있습니다

RP/0/RP0/CPU0:PE4#show mpls forwarding labels 24005
Tue Oct  1 16:45:21.743 CST
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes      
Label  Label       or ID              Interface                    Switched   
------ ----------- ------------------ ------------ --------------- ------------
24005  Aggregate   64501_flowspec: Per-VRF Aggr[V]   \
                                      64501_flowspec                1500

그림 2 트래픽 리디렉션의 증거를 보여주는 PCAP는 서비스 MPLS 레이블 24005.

정책과 일치하는 Flowspec 클라이언트의 VRF 64501_internet Ingress 트래픽이 64501_flowspec VRF로 리디렉션됩니다.

관련 정보

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-8/routing/configuration/guide/b-routing-cg-asr9000-78x/implementing-bgp-flowspec.html