V500R001
Configuration Examples
Issue 01
Date 2015-07-20
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2015-07-20)
HUAWEI Anti-DDoS
Configuration Examples
Contents
1 Configuration Examples for System Deployment ........ 1
1.1 Example for Configuring Interconnection Between the AntiDDoS8000 and ATIC (Out-of-Path Deployment of an Intermixed Device) ........ 2
1.2 Example for Configuring Interconnection Between the AntiDDoS8000s and ATIC (In-Path Deployment of Active and Standby Devices) ........ 8
1.1 Example for Configuring Interconnection Between the AntiDDoS8000 and ATIC (Out-of-Path Deployment of an Intermixed Device)
[Figure: networking diagram of the out-of-path deployment. Labels: Optical splitter; Router; Intermixed device with GE2/0/1, GE1/0/1, GE1/0/1.100 and GE3/0/0 10.1.5.1/24; ATIC management center 10.1.5.2/24; Zone]
This example mainly describes how to configure the intermixed device and ATIC management
center deployed on the network. Details on how to configure traffic diversion and injection, and
defense policies are omitted.
For details on the example for configuring traffic diversion and injection, see Traffic Diversion
and Injection Configuration Examples.
Service Planning
- The ATIC management center is deployed in centralized mode. That is, both the anti-DDoS collector and the ATIC server are deployed on the same server.
Table 1-1 shows the IP addresses of the intermixed device and ATIC management center.
Table 1-1 IP addresses of the intermixed device and ATIC management center
Device Name | Interface | IP Address | Description
Intermixed device | GigabitEthernet 2/0/1 | - | Indicates a detecting interface. It is used for receiving optically split traffic on the link and the IP address is not required.
Intermixed device | GigabitEthernet 1/0/1 | 10.1.2.1/24 | Indicates a cleaning interface. It is an inbound interface for diverted traffic. The intermixed device applies diversified defense policies to the incoming traffic of the interface, and analyzes and cleans the traffic.
Intermixed device | GigabitEthernet 1/0/1.100 | 10.1.3.1/24 |
Intermixed device | GigabitEthernet 3/0/0 | 10.1.5.1/24 | Indicates an interface through which the cleaning device communicates with the ATIC management center. The intermixed device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of the interface and that of the ATIC management center must be reachable. In this example, they reside on the same network segment.
ATIC management center | - | 10.1.5.2/24 | Indicates the IP address of the ATIC management center.
Configuration Roadmap
Perform the following on the intermixed device:
1. Log in to the intermixed device by using the console port for the first time to upgrade the software version.
3. Set IP addresses for interfaces, add the interfaces to security zones, and configure interzone packet filtering.
4. Change the default user name and password, and configure Telnet.
5. Configure SNMP, so that the ATIC management center can obtain the status of the intermixed device.
6. Configure detecting and cleaning interfaces and enable traffic statistical collection on them.
Step 4 Change the default user name and password, and configure Telnet.
Set the authentication mode of the VTY user interface to AAA and the disconnection period for idle administrators to 5 minutes (10 minutes by default).
NOTE
Compared with STelnet, Telnet is insecure. Therefore, STelnet is recommended. This example uses Telnet
to describe the configuration procedure.
<AntiDDoS> system-view
[AntiDDoS] telnet server enable
[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] idle-timeout 5
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type telnet
[AntiDDoS-aaa-manager-user-atic] quit
[AntiDDoS-aaa] bind manager-user atic role system-admin
Step 6 Set the IP addresses of interfaces and add the interfaces to security zones (omitted).
Step 7 Enable default interzone packet filtering.
[AntiDDoS] security-policy
[AntiDDoS-policy-security] rule name ddos1
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit
NOTE
Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses SNMPv2c to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123
----End
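The two NOTEs above say Telnet and SNMPv2c are insecure and that STelnet and SNMPv3 are preferred; a reviewer checking a device transcript wants that checked mechanically, together with the permit-any interzone rule of Step 7. The following is an added example, not Huawei's code: it lints a VRP-style CLI transcript constructed from the commands on this page, and the hardened counterpart uses command names assumed from Huawei VRP (stelnet server enable, service-type ssh, sys-info version v3).

```python
"""Lint a Huawei VRP-style CLI transcript for the settings this example
itself calls insecure (Telnet rather than STelnet, SNMPv2c rather than
SNMPv3) plus the permit-any interzone rule.  Added example, not Huawei's
code.  Both transcripts below are constructed."""
import re

# Constructed from Step 4, Step 7 and the SNMP step of this example.
WEAK_TRANSCRIPT = """\
<AntiDDoS> system-view
[AntiDDoS] telnet server enable
[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] idle-timeout 5
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS-aaa-manager-user-atic] service-type telnet
[AntiDDoS] security-policy
[AntiDDoS-policy-security] rule name ddos1
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123
"""

# Constructed counterpart using the alternatives the NOTEs recommend.
# Command names are assumed from Huawei VRP; verify against your release.
HARDENED_TRANSCRIPT = """\
[AntiDDoS] stelnet server enable
[AntiDDoS-aaa-manager-user-atic] service-type ssh
[AntiDDoS] snmp-agent sys-info version v3
"""

# Matches the "<sysname>" or "[sysname-view]" prompt in front of a command.
PROMPT_RE = re.compile(r"^[<\[][^>\]]*[>\]]\s*")


def strip_prompt(line):
    """Return the command without its prompt, stripped of whitespace."""
    return PROMPT_RE.sub("", line).strip()


def audit(transcript):
    """Return a list of (finding_code, message) in transcript order."""
    findings = []
    rule_name, rule_flags = None, set()   # current security-policy rule
    for raw in transcript.splitlines():
        cmd = strip_prompt(raw)
        words = cmd.split()
        if not words:
            continue
        if cmd == "telnet server enable":
            findings.append(("telnet-server",
                             "Telnet is cleartext; enable STelnet instead"))
        elif words[0] == "service-type" and "telnet" in words[1:]:
            findings.append(("telnet-user",
                             "manager user is allowed to log in over Telnet"))
        elif cmd.startswith("snmp-agent sys-info version") and words[-1] in ("v1", "v2c"):
            findings.append(("snmp-version",
                             f"SNMP {words[-1]} has no authentication or encryption; use v3"))
        elif cmd.startswith("snmp-agent community"):
            access = words[2]            # "read" or "write"
            findings.append((f"snmp-community-{access}",
                             f"{access} community string is stored in the config "
                             "and sent in cleartext by SNMPv2c"))
        elif words[:2] == ["rule", "name"]:
            rule_name, rule_flags = words[2], set()
        elif rule_name and cmd in ("source-zone any", "destination-zone any", "action permit"):
            rule_flags.add(cmd)
            if len(rule_flags) == 3:     # any -> any, permit: no interzone filtering
                findings.append(("permit-any",
                                 f"rule {rule_name} permits all traffic between all zones"))
        elif cmd == "quit":
            rule_name = None
    return findings


if __name__ == "__main__":
    for code, msg in audit(WEAK_TRANSCRIPT):
        print(f"{code}: {msg}")
    print("hardened findings:", audit(HARDENED_TRANSCRIPT))
```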
1. Enter https://10.1.5.2 in the address bar of the Internet Explorer and press Enter to access the ATIC management center.
2. Enter the user name, password, and verification code on the login page. The user name is atic, and the password is Admin@123. Click Log In.
1.2 Example for Configuring Interconnection Between the AntiDDoS8000s and ATIC (In-Path Deployment of Active and Standby Devices)
traffic, and report traffic and attack logs to the ATIC management center. In so doing, various reports are generated for query.
Figure 1-3 Networking diagram of the cleaning devices in in-path mode
[Figure labels: AntiDDoS_A with GE1/0/1 1.1.1.1/24, GE1/0/3 2.2.2.1/24, GE3/0/0, GE3/0/3 5.1.1.3/24; AntiDDoS_B with GE1/0/1 1.1.1.2/24, GE1/0/3 2.2.2.2/24, GE3/0/0, GE3/0/3 5.1.1.4/24; VRRP group 2; VRRP group 3; service link; backup link]
This example mainly describes how to configure the cleaning devices and ATIC management
center deployed on the network. Details on how to configure defense policies are omitted.
Service Planning
- The ATIC management center is deployed in centralized mode. That is, the anti-DDoS collector and management server are deployed on one physical server.
- The service interfaces on the cleaning devices work at Layer 3. Enable VRRP on upstream and downstream switches. Use GigabitEthernet 3/0/0s to communicate with the ATIC management center.
Table 1-2 lists the IP addresses of the cleaning devices and ATIC management center.
Table 1-2 Planning for the IP addresses of interfaces on devices
Device | Interface | IP Address | Description
Cleaning device A | GigabitEthernet 1/0/1 | 1.1.1.1/24 | Indicates a service interface. It serves as an outbound interface for downstream traffic and connects to the Zone network.
Cleaning device A | GigabitEthernet 1/0/3 | 2.2.2.1/24 | Indicates a service interface, also named cleaning interface. It serves as an inbound interface for downstream traffic and connects to the Internet.
Cleaning device A | GigabitEthernet 3/0/0 | 10.1.5.3/24 | Indicates an interface through which a cleaning device communicates with the ATIC management center. The cleaning device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable. In this example, the two IP addresses are in the same network segment.
Cleaning device A | GigabitEthernet 3/0/3 | 5.1.1.2/24 | Indicates a heartbeat interface.
Cleaning device B | GigabitEthernet 1/0/1 | 1.1.1.2/24 | Indicates a service interface. It serves as an outbound interface for downstream traffic and connects to the Zone network.
Cleaning device B | GigabitEthernet 1/0/3 | 2.2.2.2/24 | Indicates a service interface, also named cleaning interface. It serves as an inbound interface for downstream traffic and connects to the Internet.
Cleaning device B | GigabitEthernet 3/0/0 | 10.1.5.4/24 | Indicates an interface through which a cleaning device communicates with the ATIC management center. The cleaning device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable. In this example, the two IP addresses are in the same network segment.
Cleaning device B | GigabitEthernet 3/0/3 | 5.1.1.3/24 | Indicates a heartbeat interface.
Management center | - | 10.1.5.2/24 |
Zone | - | 2.2.2.0/24 |
Table 1-3 lists the VRRP virtual IP addresses planned for the cleaning devices.
NOTE
The anti-DDoS solution supports only active/standby hot standby, not load balancing hot standby. In
addition, only the active/standby backup using VRRP is supported.
Table 1-3 VRRP virtual IP addresses planned for the cleaning devices
VRRP Group | Member Interface | Virtual IP Address | Description
VRRP group 1 | Cleaning device A: GigabitEthernet 1/0/1; Cleaning device B: GigabitEthernet 1/0/1 | 1.1.1.10/24 |
VRRP group 2 | Cleaning device A: GigabitEthernet 1/0/3; Cleaning device B: GigabitEthernet 1/0/3 | 2.2.2.10/24 |
VRRP group 3 | Cleaning device A: GigabitEthernet 3/0/0; Cleaning device B: GigabitEthernet 3/0/0 | 10.1.5.1/24 |
Configuration Roadmap
Do as follows on the two cleaning devices:
1. Log in to each cleaning device through the console port for the first time and upgrade the software version.
3. Configure STelnet.
4. Configure interfaces, add them to security zones, and enable default packet filtering.
5. Configure SNMP, so that the ATIC management center can obtain the status of each cleaning device.
Step 5 Set interface IP addresses and add the interfaces to security zones (omitted).
Step 6 Configure SNMP.
NOTE
Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.
Step 7 Specify GigabitEthernet 1/0/1 as a cleaning interface and enable traffic statistics on the interface.
[AntiDDoS_A] interface GigabitEthernet 1/0/1
[AntiDDoS_A-GigabitEthernet1/0/1] anti-ddos clean enable
[AntiDDoS_A-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
[AntiDDoS_A-GigabitEthernet1/0/1] quit
# Configure VRRP group 2 on the downstream service interface GigabitEthernet 1/0/3 and set
its state to Active.
[AntiDDoS_A] interface GigabitEthernet 1/0/3
[AntiDDoS_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 2.2.2.10 active
[AntiDDoS_A-GigabitEthernet1/0/3] quit
# Configure VRRP group 3 on the interface connecting to the ATIC management center and set
its state to Active.
NOTE
You must add the interfaces connecting the anti-DDoS devices to the ATIC management center to a VRRP
group and set a virtual IP address for the VRRP group, so that the interfaces use this virtual IP address to
communicate with the ATIC management center.
[AntiDDoS_A] interface GigabitEthernet 3/0/0
[AntiDDoS_A-GigabitEthernet3/0/0] vrrp vrid 3 virtual-ip 10.1.5.1 active
[AntiDDoS_A-GigabitEthernet3/0/0] quit
NOTE
In hot standby networking, you must set the source IP address that the anti-DDoS devices use to send logs to the VRRP virtual IP address, so that the ATIC management center can parse the operation logs of the anti-DDoS devices.
HRP_M<AntiDDoS_A> save
----End
2. The state of the VRRP groups of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 on AntiDDoS_B must be set to Standby.
----End
1. Enter https://10.1.5.2 in the address bar of the Internet Explorer and press Enter to access the ATIC management center.
2. Enter the user name, password, and verification code on the login page. The user name is admin, and the password is Admin@123. Click Log In.
Select the check box of the active cleaning device and click [icon].
[Figure: networking diagram. Router1 GE1/0/0 10.1.1.1/24, GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24; Cleaning device GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24; Router2 GE1/0/1 10.1.5.2/24; ATIC management center; Zone 1.1.1.1/32; arrows for diverted traffic and injected traffic]
Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time, regardless of attacks.
Device Name | Interface | IP Address
Cleaning device | GE2/0/1 | 10.1.2.2/24
Cleaning device | GE2/0/2 | 10.1.3.2/24
Router1 | GE1/0/0 | 10.1.1.1/24
Router1 | GE1/0/1 | 10.1.2.1/24
Router1 | GE1/0/2 | 10.1.3.1/24
Router1 | GE1/0/3 | 10.1.5.1/24
Router2 | GE1/0/1 | 10.1.5.2/24
Configuration Roadmap
2. Enable traffic statistical collection on the cleaning interface of the cleaning device.
3. Configure a static route on the cleaning device to point the next hop of the packet with destination IP address 1.1.1.1/32 to 10.1.3.1/32. Then configure a PBR on Router1 GE1/0/2 to issue injected traffic to Router2, implementing traffic injection.
4. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1 for searching for the reverse route.
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure the PBR on
Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure a PBR on Router1 GE1/0/0 for traffic diversion.
# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip destination 1.1.1.1 0
[Router1-acl-adv-3001] quit
[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit
# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy2
[Router1-trafficpolicy-policy2] classifier class1 behavior behavior2
[Router1-trafficpolicy-policy2] quit
----End
Step 3 Configure a static route on the cleaning device for traffic injection.
[sysname] ip route-static 1.1.1.1 32 10.1.3.1
Step 4 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
[Figure: networking diagram. Router1 GE1/0/0 10.1.1.1/24, GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24; Cleaning device GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24; Router2 GE1/0/1 10.1.5.2/24; ATIC management center; Zone 1.1.1.1/32; arrows for diverted traffic and injected traffic]
Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time, regardless of attacks.
Device Name | Interface | IP Address
Cleaning device | GE2/0/1 | 10.1.2.2/24
Cleaning device | GE2/0/2 | 10.1.3.2/24
Router1 | GE1/0/0 | 10.1.1.1/24
Router1 | GE1/0/1 | 10.1.2.1/24
Router1 | GE1/0/2 | 10.1.3.1/24
Router1 | GE1/0/3 | 10.1.5.1/24
Router2 | GE1/0/1 | 10.1.5.2/24
Configuration Roadmap
2. Enable traffic statistical collection on the cleaning interface of the cleaning device.
3. Configure a PBR on GE2/0/1 of the cleaning device to inject incoming traffic to Router1 by using GE2/0/2, implementing traffic injection.
4. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1 for searching for the reverse route.
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure the PBR on
Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure a PBR on Router1 GE1/0/0 for traffic diversion.
# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip destination 1.1.1.1 0
[Router1-acl-adv-3001] quit
[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit
# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy1
[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit
----End
Step 3 Configure the PBR on GE2/0/1 of the cleaning device for traffic injection.
[sysname] policy-based-route
[sysname-policy-pbr] rule name huizhu
[sysname-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet 2/0/2 next-hop 10.1.3.1
[sysname-policy-pbr-rule-huizhu] quit
[sysname-policy-pbr] quit
Step 4 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
[Figure: networking diagram. Switch1 GE1/0/1 (VLAN10 and VLAN20) facing the cleaning device and GE1/0/2 (VLAN20) facing the Zone; Cleaning device GE2/0/1.10 10.1.2.2/24 and GE2/0/1.20 10.1.3.2/24; Switch2; ATIC management center; Zone 10.1.3.10/24]
Service Planning
To meet networking requirements, plan related services as follows:
- Subinterfaces GE2/0/1.10 and GE2/0/1.20 on the cleaning device serve for traffic diversion and injection respectively.
Device Name | Interface | IP Address
Cleaning device | GE2/0/1.10 | 10.1.2.2/24
Cleaning device | GE2/0/1.20 | 10.1.3.2/24
Switch1 | VLANIF 10 | 10.1.2.1/24
Switch1 | VLANIF 20 | 10.1.3.1/24
Configuration Roadmap
1. In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 10.1.3.10/32 in real time, regardless of attacks.
2. Create VLAN10 and VLAN20 on Switch1, configure interface attributes, and associate them with VLANs. Then set the IP address of the VLANIF interface.
3. Associate subinterface GE2/0/1.10 on the cleaning device with VLAN10 and subinterface GE2/0/1.20 with VLAN20.
4. Establish a BGP peer between the VLANIF10 interface on Switch1 and GE2/0/1.10 on the cleaning device. Configure BGP on both Switch1 and the cleaning device, import the UNR route to the cleaning device into BGP, and advertise the route to Switch1.
5. To perform Layer-2 injection, enable FIB filtering over the 32-bit UNR route to the cleaning device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic injection is safeguarded.
6. Configure a community attribute on the cleaning device. In this way, Switch1 does not notify other peers of the BGP route advertised by the cleaning device, which avoids loops.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1.10 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check the route.
# Set the IP address of subinterface GE2/0/1.20 on the cleaning device and associate GE2/0/1.20
with VLAN20.
<sysname> system-view
[sysname] interface GigabitEthernet 2/0/1.20
[sysname-GigabitEthernet2/0/1.20] vlan-type dot1q 20
[sysname-GigabitEthernet2/0/1.20] ip address 10.1.3.2 24
[sysname-GigabitEthernet2/0/1.20] quit
Step 3 On the cleaning device, set the next-hop address for dynamically generating a route.
[sysname] firewall ddos bgp-next-hop 10.1.2.1
Step 4 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter
Step 5 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create a traffic-diversion task, and set the IP address to be protected to 10.1.3.10 and the subnet mask to 255.255.255.255. Then click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 10.1.3.10.
Step 6 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit
After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Switch1 through BGP. In this manner, after receiving the
traffic destined for 10.1.3.10/24, Switch1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
Step 7 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1.10
[sysname-GigabitEthernet2/0/1.10] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1.10] quit
Step 8 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1.10 10.1.2.1
----End
Configuring Switch1
The following uses Huawei S9300 as an example to describe how to configure Switch1.
Step 1 Create VLANs.
<switch1> system-view
[switch1] vlan 10
[switch1-vlan10] quit
[switch1] vlan 20
[switch1-vlan20] quit
# Add the interfaces to the VLANs: GE1/0/1 carries VLAN 10 and VLAN 20 as a trunk, GE1/0/2 carries VLAN 20.
[switch1] interface GigabitEthernet 1/0/1
[switch1-GigabitEthernet1/0/1] port link-type trunk
[switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20
[switch1-GigabitEthernet1/0/1] quit
[switch1] interface GigabitEthernet 1/0/2
[switch1-GigabitEthernet1/0/2] port link-type trunk
[switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[switch1-GigabitEthernet1/0/2] quit
# Set the IP addresses of the VLANIF interfaces.
[switch1] interface vlanif 10
[switch1-Vlanif10] ip address 10.1.2.1 24
[switch1-Vlanif10] quit
[switch1] interface vlanif 20
[switch1-Vlanif20] ip address 10.1.3.1 24
[switch1-Vlanif20] quit
----End
[Figure: networking diagram. Router1 GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24; Cleaning device GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24; Router2 GE1/0/1 10.1.5.2/24; ATIC management center; Zone 1.1.1.1/32; arrows for diverted traffic and injected traffic]
Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time, regardless of attacks.
Device Name | Interface | IP Address
Cleaning device | GE2/0/1 | 10.1.2.2/24
Cleaning device | GE2/0/2 | 10.1.3.2/24
Router1 | GE1/0/1 | 10.1.2.1/24
Router1 | GE1/0/2 | 10.1.3.1/24
Router1 | GE1/0/3 | 10.1.5.1/24
Router2 | GE1/0/1 | 10.1.5.2/24
Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be diverted.
2. Enable traffic statistical collection on the cleaning interface of the cleaning device.
3. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device. Configure BGP on both Router1 and the cleaning device, import the UNR route to the cleaning device into BGP, and advertise the route to Router1.
4. Configure a community attribute on the cleaning device. In this way, Router1 does not notify other peers of the BGP route advertised by the cleaning device, which avoids loops.
5. Configure the PBR on Router1 GE1/0/2 to send injected traffic to downstream device Router2. Subsequently, Router2 takes over the task to forward the traffic to the Zone.
6. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1 for searching for the reverse route.
7. After traffic diversion and injection are configured, enable the loop check function to check the route.
Step 3 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and the subnet mask to 255.255.255.255. Then click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1 and delivers the route to the FIB. You can run the display ip
routing-table command to display the following output:
[sysname] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
1.1.1.1/32          Direct  0    0           D   10.1.3.1        GigabitEthernet2/0/2
  ---- More ----
Step 4 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit
After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match. After
cleaning is complete, the cleaning device injects the cleaned traffic to Router1 through GE2/0/2
along the UNR route.
The UNR route generated in step 3 is used for traffic diversion on Router1 as well as traffic
injection on the cleaning device. Therefore, traffic injection does not require configuration on
the cleaning device.
Step 5 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit
Step 6 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
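The diversion-then-injection path just described, and the loop check the roadmap calls for, as an added example (not Huawei's code and not the ATIC loop-check feature): a small Python model of Router1, the cleaning device and Router2 that forwards by longest mask match plus per-ingress PBR and reports whether a packet for 1.1.1.1 loops. Node, link and interface names are constructed from the tables in this example, Router2's zone-facing route is assumed, and the second scenario shows what happens when the PBR on Router1 GE1/0/2 is missing.

```python
"""Model of the BGP diversion + injection path in this example, with a
loop check.  Added example, not Huawei's code.  Node, interface and link
names are constructed from the tables above; Router2's route to the Zone
is assumed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    # (prefix, next-hop node, outbound interface); chosen by longest mask
    # match, which is how Router1 prefers the /32 UNR route over the /24
    routes: list = field(default_factory=list)
    # ingress interface -> next-hop node; PBR overrides the routing table
    pbr: dict = field(default_factory=dict)

    def lookup(self, dst):
        best = None
        for prefix, next_hop, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else best[1]


def build_topology(router1_pbr_on_ge102):
    """Return (nodes, links) for this example's Router1/cleaner/Router2 layout."""
    router1 = Node("Router1", routes=[
        ("1.1.1.0/24", "Router2", "GE1/0/3"),   # normal path to the Zone
        ("1.1.1.1/32", "Cleaner", "GE1/0/1"),   # UNR route learned over BGP
    ])
    if router1_pbr_on_ge102:
        router1.pbr["GE1/0/2"] = "Router2"      # injected traffic goes downstream
    cleaner = Node("Cleaner", routes=[
        ("1.1.1.1/32", "Router1", "GE2/0/2"),   # UNR route, next hop 10.1.3.1
        ("0.0.0.0/0", "Router1", "GE2/0/1"),    # default route for the reverse lookup
    ])
    router2 = Node("Router2", routes=[("1.1.1.0/24", "Zone", "GE1/0/0")])  # assumed
    zone = Node("Zone")
    nodes = {n.name: n for n in (router1, cleaner, router2, zone)}
    # (sender, receiver) -> interface on which the receiver sees the packet
    links = {
        ("Router1", "Cleaner"): "GE2/0/1",
        ("Cleaner", "Router1"): "GE1/0/2",
        ("Router1", "Router2"): "GE1/0/1",
        ("Router2", "Zone"): "zone-link",       # constructed name
    }
    return nodes, links


def trace(nodes, links, dst_ip, start, ingress, max_hops=16):
    """Forward one packet hop by hop.  Returns (path, looped)."""
    dst = ipaddress.ip_address(dst_ip)
    current, path, seen = start, [start], set()
    while len(path) <= max_hops:
        if current == "Zone":
            return path, False
        state = (current, ingress)
        if state in seen:          # same node, same ingress: deterministic loop
            return path, True
        seen.add(state)
        node = nodes[current]
        next_hop = node.pbr.get(ingress) or node.lookup(dst)
        if next_hop is None:
            return path, False     # dropped, no route
        ingress = links[(current, next_hop)]
        current = next_hop
        path.append(current)
    return path, True


if __name__ == "__main__":
    for pbr in (True, False):
        nodes, links = build_topology(pbr)
        path, looped = trace(nodes, links, "1.1.1.1", "Router1", "GE1/0/0")
        print("PBR on Router1 GE1/0/2:", pbr, "path:", " -> ".join(path),
              "LOOP" if looped else "ok")
```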
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and PBR
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy1
[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit
----End
[Figure: networking diagram. Router1 GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24; Cleaning device GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24; Router2 GE1/0/1 10.1.5.2/24; ATIC management center; Zone 1.1.1.1/32; arrows for diverted traffic and injected traffic]
Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time, regardless of attacks.
Device Name | Interface | IP Address
Cleaning device | GE2/0/1 | 10.1.2.2/24
Cleaning device | GE2/0/2 | 10.1.3.2/24
Router1 | GE1/0/1 | 10.1.2.1/24
Router1 | GE1/0/2 | 10.1.3.1/24
Router1 | GE1/0/3 | 10.1.5.1/24
Router2 | GE1/0/1 | 10.1.5.2/24
Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be diverted.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device. Configure BGP on both Router1 and the cleaning device, import the UNR route to the cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not notify other peers of the BGP route advertised by the cleaning device, which avoids loops.
4. To perform PBR injection, enable FIB filtering over the 32-bit UNR route to the cleaning device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6. Configure the PBR on Router1 GE1/0/2 to send injected traffic to downstream device Router2. Subsequently, Router2 takes over the task to forward the traffic to the Zone.
7. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1 for searching for the reverse route.
8. After traffic diversion and injection are configured, enable the loop check function to check the route.
Step 3 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter
Step 4 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and the subnet mask to 255.255.255.255. Then click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1.
Step 5 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
Step 6 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit
Step 7 Configure the PBR on GE2/0/1 of the cleaning device for traffic injection.
[sysname] policy-based-route
[sysname-policy-pbr] rule name huizhu
[sysname-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet 2/0/2 next-hop 10.1.3.1
[sysname-policy-pbr-rule-huizhu] quit
[sysname-policy-pbr] quit
Step 8 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and PBR
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure BGP for Router1.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit
# Define a traffic policy and specify an action for the classifier in the policy.
----End
[Figure: networking diagram of Router1, Router2, the cleaning device and the ATIC management center, with a GRE tunnel between the cleaning device loopback 2.2.2.2/32 and the Router2 loopback 3.3.3.3/32; arrows show diverted and injected traffic for Zone 1.1.1.1/32. Interface addresses are listed in the Service Planning table below.]
Service Planning
To meet networking requirements, plan related services as follows:
In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
1.1.1.1/32 in real time, regardless of attacks.
Device Name       Interface           IP Address
Cleaning device   GE2/0/1             10.1.2.2/24
                  GE2/0/2             10.1.3.2/24
                  Tunnel interface    10.1.1.1/24
                  Loopback interface  2.2.2.2/32
Router1           GE1/0/1             10.1.2.1/24
                  GE1/0/2             10.1.3.1/24
                  GE1/0/3             10.1.5.1/24
Router2           GE1/0/1             10.1.5.2/24
                  Tunnel interface    10.1.1.2/24
                  Loopback interface  3.3.3.3/32
Configuration Roadmap
1. In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device. Configure BGP on both Router1 and the cleaning device, import the UNR route to the cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not notify other peers of the BGP route advertised by the cleaning device to avoid loops.
4. To perform GRE injection, enable FIB filtering over the 32-bit UNR route to the cleaning device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6.
7. Create GRE tunnels on both the cleaning device and Router2, and set source and destination addresses for the GRE tunnel. The loopback addresses of the cleaning device and Router2 act as the source and destination addresses of the tunnel respectively. Ensure that the cleaning device and Router2 are routable.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check the route.
NOTE
When you configure GRE injection, do not configure the keepalive command at both ends of the tunnel.
# Add the tunnel interface to the security zone. Ensure that the security zone where the tunnel
interface resides is the same as that where source interface GE2/0/2 resides.
[sysname] firewall zone trust
[sysname-zone-trust] add interface Tunnel 1
[sysname-zone-trust] quit
[sysname] policy-based-route
[sysname-policy-pbr] rule name gre1
[sysname-policy-pbr-rule-gre1] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-gre1] destination-address 1.1.1.1 32
[sysname-policy-pbr-rule-gre1] action pbr egress-interface Tunnel 1
[sysname-policy-pbr-rule-gre1] quit
Step 3 On the cleaning device, set the next-hop address for dynamically generating a route.
[sysname] firewall ddos bgp-next-hop 10.1.1.2
Step 4 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter
Step 5 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and subnet mask to
255.255.255.255. Then click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1.
Step 6 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix
[sysname] route-policy
[sysname-route-policy]
[sysname-route-policy]
[sysname-route-policy]
After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
Step 7 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit
Step 9 Configure OSPF to notify the network segment connected to each interface.
[sysname] ospf 1
[sysname-ospf-1] area 0
[sysname-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[sysname-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[sysname-ospf-1-area-0.0.0.0] quit
[sysname-ospf-1] quit
Step 10 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure OSPF to notify the network segment connected to each interface.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit
----End
Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure GRE on Router2.
Step 3 Create a tunnel interface, and set both source and destination IP addresses for it.
[Router2] interface Tunnel 1
[Router2-Tunnel1] tunnel-protocol gre
[Router2-Tunnel1] ip address 10.1.1.2 255.255.255.0
[Router2-Tunnel1] source 3.3.3.3
[Router2-Tunnel1] destination 2.2.2.2
[Router2-Tunnel1] quit
Step 4 Configure OSPF to notify the network segment connected to each interface.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1] quit
----End
Figure 2-7 Networking diagram of BGP diversion and MPLS VPN injection
[Figure: Router1, Router2, the cleaning device and the ATIC management center; arrows show diverted and injected traffic for Zone 1.1.1.1/32, which sits behind Router2 GE1/0/2 1.1.1.2/24. Interface addresses are listed in Table 2-7.]
Service Planning
To meet networking requirements, plan related services as follows:
• In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time, regardless of attacks.
• Router1 GE1/0/1 is directly connected to GE2/0/1 on the cleaning device. An MPLS VPN traffic-injection tunnel is established between the cleaning device and Router2, and their loopback addresses act as LSR IDs. The cleaning device diverts the specified traffic by using GE1/0/1 and injects cleaned traffic over the MPLS VPN tunnel. Table 2-7 shows the IP addresses of the interfaces.
Table 2-7 IP addresses
Device Name       Interface           IP Address
Cleaning device   GE2/0/1             10.1.2.2/24
                  GE2/0/1.100         10.1.3.2/24
                  Loopback interface  2.2.2.2/32
Router1           GE1/0/1             10.1.2.1/24
                  GE1/0/1.100         10.1.3.1/24
                  GE1/0/3             10.1.5.1/24
                  Loopback interface  5.5.5.5/32
Router2           GE1/0/1             10.1.5.2/24
                  GE1/0/2             1.1.1.2/24
                  Loopback interface  3.3.3.3/32
Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be diverted.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device. Configure BGP on both Router1 and the cleaning device, import the UNR route to the cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not notify other peers of the BGP route advertised by the cleaning device to avoid loops.
4. To perform MPLS VPN injection, enable FIB filtering over the 32-bit UNR route to the cleaning device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6. Set loopback addresses for the cleaning device, Router1, and Router2.
7. Configure MPLS respectively on the cleaning device, Router1, and Router2, and configure VPN instances on the cleaning device and Router2 to enable injected traffic to be forwarded to Router2 through MPLS VPN.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check the route.
Step 3 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter
Step 4 Create a VPN instance and configure BGP and the community attribute on the cleaning device.
[sysname] ip vpn-instance ddos
[sysname-vpn-instance-ddos] ipv4-family
[sysname-vpn-instance-ddos-af-ipv4] route-distinguisher 1:1
[sysname-vpn-instance-ddos-af-ipv4] vpn-target 1:1 import-extcommunity
[sysname-vpn-instance-ddos-af-ipv4] quit
[sysname-vpn-instance-ddos] quit
[sysname] ip ip-prefix ipx index 10 permit 3.3.3.3 32
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 deny node 1
[sysname-route-policy] if-match ip next-hop ip-prefix ipx
[sysname-route-policy] quit
[sysname] route-policy 1 permit node 5
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 200
[sysname-bgp] ipv4-family vpn-instance ddos
[sysname-bgp-ddos] import-route unr
[sysname-bgp-ddos] peer 10.1.2.1 as-number 100
[sysname-bgp-ddos] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-ddos] peer 10.1.2.1 advertise-community
[sysname-bgp-ddos] quit
[sysname-bgp] quit
Step 5 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and subnet mask to
255.255.255.255. Then click OK.
NOTE
In this scenario, after creating a Zone and adding devices, you must bind the Zone to the VPN instance of the
cleaning device.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1.
The UNR route generated on the cleaning device is imported to BGP and is advertised to Router1
through BGP. In this manner, after receiving the traffic destined for 1.1.1.1/32, Router1 searches
the routing table to preferentially forward the traffic to the cleaning device by using GE1/0/1
according to the longest mask match.
Step 6 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit
# Configure MP-IBGP between the cleaning device and Router2 to advertise the VPNv4 routes
between the devices.
[sysname] bgp 200
[sysname-bgp] peer 3.3.3.3 as-number 200
[sysname-bgp] peer 3.3.3.3 connect-interface LoopBack 1
[sysname-bgp] ipv4-family vpnv4
[sysname-bgp-af-vpnv4] peer 3.3.3.3 enable
[sysname-bgp-af-vpnv4] quit
[sysname-bgp] quit
Step 9 Configure OSPF to notify the network segment connected to each interface and the host route
of the LSR ID.
[sysname] ospf 1
[sysname-ospf-1] area 0
[sysname-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[sysname-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[sysname-ospf-1-area-0.0.0.0] quit
[sysname-ospf-1] quit
Step 10 Configure a default route for searching for the reverse route.
[sysname] ip route-static vpn-instance ddos 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and MPLS
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure BGP for Router1.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 200
[Router1-bgp] quit
[Router1-mpls] quit
[Router1] mpls ldp
[Router1-ldp] quit
[Router1] interface GigabitEthernet 1/0/1.100
[Router1-GigabitEthernet1/0/1.100] mpls
[Router1-GigabitEthernet1/0/1.100] mpls ldp
[Router1-GigabitEthernet1/0/1.100] quit
[Router1] interface GigabitEthernet 1/0/3
[Router1-GigabitEthernet1/0/3] mpls
[Router1-GigabitEthernet1/0/3] mpls ldp
[Router1-GigabitEthernet1/0/3] quit
Step 5 Configure OSPF to notify the network segment connected to each interface and the host route
of the LSR ID.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1] quit
----End
Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure BGP and MPLS
on Router2.
Step 1 Set the interface IP address of Router2. (Omitted)
Step 2 Set a loopback address for Router2.
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] quit
# Configure MP-IBGP between the cleaning device and Router2 to advertise the VPNv4 routes
between the devices.
Step 4 Configure OSPF to notify the network segment connected to each interface and the host route
of the LSR ID.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit
----End
Figure 2-8 Networking diagram of BGP diversion and MPLS LSP injection
[Figure: Router1, Router2, the cleaning device and the ATIC management center; arrows show diverted and injected traffic for Zone 1.1.1.1/32 behind Router2. Interface addresses are listed in Table 2-8.]
Service Planning
To meet networking requirements, plan related services as follows:
• In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time, regardless of attacks.
• Router1 GE1/0/1 is directly connected to GE2/0/1 on the cleaning device. An MPLS traffic-injection tunnel is established between the cleaning device and Router2, and their loopback addresses act as LSR IDs. The cleaning device diverts the specified traffic by using GE1/0/1 and injects cleaned traffic over the MPLS tunnel. Table 2-8 shows the IP addresses of the interfaces.
Table 2-8 IP addresses
Device Name       Interface           IP Address
Cleaning device   GE2/0/1             10.1.2.2/24
                  GE2/0/1.100         10.1.3.2/24
                  Loopback interface  2.2.2.2/32
Router1           GE1/0/1             10.1.2.1/24
                  GE1/0/1.100         10.1.3.1/24
                  GE1/0/3             10.1.5.1/24
                  Loopback interface  5.5.5.5/32
Router2           GE1/0/1             10.1.5.2/24
                  Loopback interface  3.3.3.3/32
Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be diverted.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device. Configure BGP on both Router1 and the cleaning device, import the UNR route to the cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not notify other peers of the BGP route advertised by the cleaning device to avoid loops.
4. To perform MPLS LSP injection, enable FIB filtering over the 32-bit UNR route to the cleaning device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6. Set loopback addresses for the cleaning device, Router1, and Router2.
7. Configure MPLS respectively on the cleaning device, Router1, and Router2 to enable injected traffic to be forwarded to Router2 through MPLS. Ensure that the cleaning device and Router2 are routable.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning interface GE2/0/1 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check the route.
Step 3 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter
Step 4 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and subnet mask to
255.255.255.255. Then click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1.
Step 5 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit
After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
Step 6 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit
Step 9 Configure OSPF to notify the network segment connected to each interface and the host route
of the LSR ID.
[sysname] ospf 1
[sysname-ospf-1] area 0
[sysname-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[sysname-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[sysname-ospf-1-area-0.0.0.0] quit
[sysname-ospf-1] quit
Step 10 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and MPLS
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure BGP for Router1.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit
Step 5 Configure OSPF to notify the network segment connected to each interface and the host route
of the LSR ID.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1] quit
----End
Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure MPLS on
Router2.
Step 1 Set the interface IP address of Router2. (Omitted)
Step 2 Set a loopback address for Router2.
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] quit
Step 4 Configure OSPF to notify the network segment connected to each interface and the host route
of the LSR ID.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1-area-0.0.0.0]
[Router2-ospf-1] quit
----End
[Figure: blackhole traffic diversion. A detecting device is attached through an optical splitter; the traffic-diversion router (GE2/0/1 7.7.1.1/24) and the blackhole router (GE1/0/1 7.7.1.3/24) sit in front of Zone 2.2.2.0/24; an arrow shows post-cleaning traffic.]
Implementation Mechanism
Routers are logically categorized as the traffic-diversion router and the blackhole router. The traffic-diversion router diverts traffic to the cleaning device, whereas the blackhole router discards all traffic destined for an IP address. The blackhole router and the traffic-diversion router can be the same router or different routers.
1. Set IP address 2.2.2.2/24 for blackhole traffic diversion in the ATIC management center. A static route destined for 2.2.2.2/24 and with the NULL0 egress is generated on the cleaning device.
2. Configure a routing policy on the cleaning device to enable the route with the NULL0 egress to point to 3.3.3.3. Then import this route into BGP and advertise the BGP route to the blackhole router.
3.3.3.3 indicates the destination IP address of the blackhole route. Both the route advertised by the cleaning device and the blackhole route on the blackhole router are merged for blackhole traffic diversion. The destination IP address can be any unreachable IP address.
3.
3.3.3.3 indicates the destination IP address of the blackhole route. Both the route advertised by
the cleaning device and the blackhole route on the blackhole router are merged for blackhole
traffic diversion. The destination IP address can be any IP address.
----End
3.3.3.3 indicates the destination IP address of the blackhole route. A blackhole route is generated
after the route matching the routing policy is advertised to the blackhole router.
After blackhole traffic diversion is enabled on the ATIC management center, a static route with
the NULL0 egress to 2.2.2.2 is generated on the cleaning device. After routing policy
blackhole is matched, a new static route to 2.2.2.2 and with next hop 3.3.3.3 is generated.
NOTE
When you configure a blackhole route, set the node to a smaller value than those of other traffic diversion policies
for it to be preferentially matched.
Step 3 Configure the BGP community attribute and advertise the dynamically generated route.
[sysname] bgp 200
[sysname-bgp] peer 7.7.1.3 as-number 200
[sysname-bgp] peer 7.7.1.3 route-policy blackhole export
[sysname-bgp] import-route static
[sysname-bgp] quit
A static route to 2.2.2.2 and with next hop 3.3.3.3 is advertised to the blackhole router through
BGP and is stacked up with blackhole route ip route-static 3.3.3.3 255.255.255.255 NULL0.
In this manner, a route with the NULL0 egress as the next-hop interface to 2.2.2.2 is generated
for blackhole traffic diversion.
----End
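The route lookups this section and the BGP diversion procedures above rely on (the longest mask match that pulls traffic for 1.1.1.1/32 to the cleaning device, the loop that follows when injected traffic or Router2 re-hits that /32, and the blackhole route stacked on the NULL0 route) can be exercised with a small forwarding model. This is an added example, not Huawei's code: addresses are taken from the page's figures, while the Zone host 1.1.1.1, Router2's 1.1.1.2/24 link to it and Router1's policy route on its injection interface (the page only mentions a traffic policy there) are assumptions.

```python
"""Forwarding model of the BGP diversion / injection and blackhole examples
(added example, not Huawei's code). Addresses follow the page's figures; the
Zone host 1.1.1.1, Router2's 1.1.1.2/24 link to it and Router1's policy route
on the injection interface (the page only mentions a traffic policy) are assumed."""
import ipaddress

NULL0 = "NULL0"           # discard route, as in "ip route-static ... NULL0"
CONNECTED = "connected"   # route to a directly attached network
LOCAL = "local"           # the address belongs to this device


class Router:
    def __init__(self, name, ifaces):
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}
        self.routes = [(i.network, CONNECTED) for i in self.ifaces.values()]  # (network, next hop)
        self.pbr = {}     # ingress interface -> forced next hop (policy-based route)

    def add_route(self, prefix, next_hop):
        # strict=False keeps the page's notation, e.g. 2.2.2.2/24 -> 2.2.2.0/24
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def lookup(self, dst):
        """Longest mask match: the /32 UNR route beats any /24 covering the same host."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def resolve(self, dst):
        """Resolve dst to a connected next hop, NULL0, LOCAL or None (no route). A non-connected
        next hop is looked up again; that is how the route via 3.3.3.3 falls into 3.3.3.3/32 NULL0."""
        dst = ipaddress.ip_address(dst)
        for _ in range(8):                               # bound the recursion
            if any(dst == i.ip for i in self.ifaces.values()):
                return LOCAL
            nh = self.lookup(dst)
            if nh == CONNECTED:
                return dst
            if nh is None or nh == NULL0:
                return nh
            dst = ipaddress.ip_address(nh)
        return None


class Network:
    def __init__(self, *routers):
        self.routers = routers

    def owner(self, addr):
        addr = ipaddress.ip_address(addr)
        for r in self.routers:
            for ifn, i in r.ifaces.items():
                if i.ip == addr:
                    return r, ifn
        return None, None

    def trace(self, start, dst, ingress="upstream"):
        """Follow one packet hop by hop; returns (path, verdict). Arriving at a device
        a second time on the same ingress interface is reported as a loop."""
        path, seen, cur = [], set(), start
        while (cur.name, ingress) not in seen:
            seen.add((cur.name, ingress))
            path.append(cur.name)
            nh = cur.pbr.get(ingress) or cur.resolve(dst)   # PBR wins over the routing table
            if nh == LOCAL:
                return path, "delivered"
            if nh is None or nh == NULL0:
                return path, "discarded"
            cur, ingress = self.owner(nh)
            if cur is None:
                return path, "unreachable"
        return path, "loop"


def divert_and_inject(router1_pbr=True, community_honoured=True):
    """Topology of the BGP diversion / PBR injection example; returns trace of a packet to 1.1.1.1."""
    clean = Router("Cleaning", {"GE2/0/1": "10.1.2.2/24", "GE2/0/2": "10.1.3.2/24"})
    r1 = Router("Router1", {"GE1/0/1": "10.1.2.1/24", "GE1/0/2": "10.1.3.1/24", "GE1/0/3": "10.1.5.1/24"})
    r2 = Router("Router2", {"GE1/0/1": "10.1.5.2/24", "GE1/0/2": "1.1.1.2/24"})
    zone = Router("Zone", {"eth0": "1.1.1.1/24"})        # constructed protected host
    clean.add_route("1.1.1.1/32", "10.1.3.1")             # 32-bit UNR route from the diversion task
    clean.pbr["GE2/0/1"] = "10.1.3.1"                     # rule huizhu: inject via GE2/0/2
    r1.add_route("1.1.1.0/24", "10.1.5.2")                # normal path to the Zone
    r1.add_route("1.1.1.1/32", "10.1.2.2")                # UNR route learned over BGP
    if router1_pbr:                                       # assumed traffic policy on GE1/0/2
        r1.pbr["GE1/0/2"] = "10.1.5.2"
    if not community_honoured:                            # what Router2 would learn without no-advertise
        r2.add_route("1.1.1.1/32", "10.1.5.1")
    return Network(clean, r1, r2, zone).trace(r1, "1.1.1.1")


def blackhole(dst="2.2.2.9"):
    """Blackhole router: BGP route to 2.2.2.2/24 via 3.3.3.3 stacked on 3.3.3.3/32 NULL0."""
    bh = Router("Blackhole", {"GE1/0/1": "7.7.1.3/24"})
    bh.add_route("2.2.2.2/24", "3.3.3.3")     # advertised by the cleaning device
    bh.add_route("3.3.3.3/32", NULL0)         # ip route-static 3.3.3.3 255.255.255.255 NULL0
    return bh.resolve(dst)
```

`divert_and_inject()` ends at the Zone; with `router1_pbr=False` or `community_honoured=False` the trace reports a loop, and `blackhole()` resolves to NULL0.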
[Figure: a backbone network with several MANs and normal networks attached.]
A MAN carries heavy traffic of various types and is vulnerable to attacks. The following aspects
must be considered for attack defense planning based on MAN traffic characteristics.
Planning Roadmap
1. Deployment mode
An anti-DDoS device is often associated with a Netflow device in off-line mode. The anti-DDoS device cleans traffic, while the Netflow device detects traffic. Only the Netflow device produced by Genienrm is supported.
As Netflow devices have been deployed in most MANs, associating a cleaning device with
an existing Netflow device reduces expenditure. In addition, Netflow devices are sample
detection devices coping with heavy traffic attacks on MANs, and there is no high
performance requirement for such devices.
Anti-DDoS devices can also serve as detecting devices. Compared with Netflow devices,
anti-DDoS devices that check each packet provide more refined detection and also require
more expenditure.
2. Performance choice
Plan the interface specifications based on the customer link bandwidth. The highest subcard processing performance of an SPU is 80 Gbit/s. As DDoS attack defense is performance-consuming, you must reserve enough cleaning and detection resources.
3. Defense policy
Policies are configured on MANs to guarantee bandwidth and prevent link congestion.
When configuring defense policies, you must first identify the destination IP addresses to
which traffic is preferentially protected, add such destination IP addresses to user-defined
Zones, and configure defense policies based on the user-defined Zones. The default Zone
defense policies apply to unidentified destination IP addresses. Defense policies vary with
Zones.
Tenants of a carrier can be added to user-defined Zones, for which differentiated defense
policies are configured.
4.
5.
[Figure: MAN deployment. Traffic from a legitimate PC and a botnet enters through the backbone network and Router1; the cleaning device, the Netflow device and the ATIC management center attach there, and Router2 leads through regional networks to the attacked target. Legend: legitimate traffic, attack traffic, Netflow traffic, management traffic.]
Device Name, Interface, IP Address, Description

Cleaning device
  GE2/0/1, 10.1.2.2/24: Cleaning interface. Interface through which traffic enters the cleaning device. The cleaning device applies defense policies to, analyzes, and cleans the incoming traffic.
  GE2/0/1.100, 10.1.3.2/24: Injection interface. Interface through which normal traffic goes back to the original link after traffic cleaning.
  GE3/0/0, 10.1.6.1/24: Interface through which the cleaning device communicates with the ATIC management center. The cleaning device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable. In this example, the two IP addresses are in the same network segment.
  NOTE
  The interface must be on an LPU.
  Loopback interface, 2.2.2.2/32
Management center
  10.1.6.2/24: The management center must be reachable to the cleaning device.
Router1
  GE1/0/1, 10.1.2.1/24: Interface through which traffic is diverted to the cleaning device.
  GE1/0/1.100, 10.1.3.1/24: Interface through which traffic is injected back to the original link.
  GE1/0/3, 10.1.5.1/24: Interface through which Router1 is directly connected to Router2.
  Loopback interface, 5.5.5.5/32
Router2
  Loopback interface, 3.3.3.3/32
  GE1/0/1, 10.1.5.2/24: Interface through which Router2 is directly connected to Router1.
  GE1/0/3, 10.1.7.2/24: Interface which is reachable to the Netflow device.
[Figure: Router1 (loopback 5.5.5.5/32), the cleaning device (loopback 2.2.2.2/32, GE3/0/0 10.1.6.1/24 toward the ATIC management center), Router2 (loopback 3.3.3.3/32) and the NetFlow device (Eth0 10.1.7.1/24, attached to Router2 GE1/0/3 10.1.7.2/24); Zone 1.1.1.1/32 sits behind Router2 GE1/0/2 1.1.1.2/24. Legend: diverted traffic, injected traffic, Netflow traffic, management traffic. The other interface addresses are listed in the table above.]
The Netflow device must be produced by Genienrm and running a version released later
than January 1, 2014.
Traffic is injected back from the cleaning device's GE2/0/1.100 to Router1's GE1/0/1.100.
The ATIC management center is deployed in centralized mode. That is, the anti-DDoS
collector and management server are deployed on one physical server.
Configuration Roadmap
Do as follows on the cleaning device:
1.
2.
3. Assign IP addresses to interfaces, add the interfaces to security zones, and enable interzone default packet filtering.
4.
5. Configure SNMP, so that the ATIC management center can obtain the status of the cleaning device.
6. Configure the cleaning interface and enable traffic statistics on the interface.
7.
8.
2.
3.
4.
In addition, configure the routers. This example provides router configurations for reference,
and the configurations may need to be adjusted according to the actual router model in a live
network.
Attack Type            Description
UDP Flood
Land Attack
ICMP Misuse
UDP Fragment
TCP Fragment
IP Protocol Null
User-Defined Attack    The Genienrm Netflow device supports user-defined attack types with specified protocol types and port numbers.
This example uses Telnet as an example to describe the configuration procedure. Compared with STelnet,
Telnet is insecure. Therefore, STelnet is recommended.
[AntiDDoS] telnet server enable
[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] idle-timeout 5
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type telnet
[AntiDDoS-aaa-manager-user-atic] quit
Step 4 Set the IP addresses of interfaces and add the interfaces to security zones.
# Assign IP addresses to interfaces.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[AntiDDoS-GigabitEthernet2/0/1] quit
[AntiDDoS] interface GigabitEthernet 2/0/1.100
[AntiDDoS-GigabitEthernet2/0/1.100] ip address 10.1.3.2 24
[AntiDDoS-GigabitEthernet2/0/1.100] vlan-type dot1q 100
[AntiDDoS-GigabitEthernet2/0/1.100] quit
[AntiDDoS] interface GigabitEthernet 3/0/0
[AntiDDoS-GigabitEthernet3/0/0] ip address 10.1.6.1 24
[AntiDDoS-GigabitEthernet3/0/0] quit
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit
Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c as an example to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123
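The two choices the notes above call insecure (Telnet instead of STelnet, SNMPv2c communities instead of SNMPv3) are easy to miss in a long saved configuration. The following audit is an added example, not Huawei tooling: it strips the VRP prompt from each command line and flags those settings; the sample lines are constructed from the commands shown in this example plus one SNMPv3 line that should pass.

```python
"""Audit VRP-style configuration lines for the management-plane settings this
example's notes mark as insecure. Added example, not Huawei's code."""
import re

# Each check is (pattern over a prompt-stripped command line, finding). Constructed for this page.
CHECKS = [
    (re.compile(r"^telnet server enable$"), "Telnet server enabled; STelnet is recommended"),
    (re.compile(r"^service-type .*\btelnet\b"), "management user may log in over Telnet"),
    (re.compile(r"^snmp-agent sys-info version .*\bv(1|2c)\b"), "SNMPv1/v2c enabled; SNMPv3 is recommended"),
    (re.compile(r"^snmp-agent community (read|write) "), "SNMP community string (cleartext authentication)"),
]
PROMPT = re.compile(r"^[<\[][^>\]]*[>\]]\s*")   # strips "[AntiDDoS-aaa] " or "<AntiDDoS> "


def audit(config_text):
    """Return [(line_no, command, finding)] for every weak setting found."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        cmd = PROMPT.sub("", raw).strip()
        for pattern, finding in CHECKS:
            if pattern.search(cmd):
                findings.append((n, cmd, finding))
    return findings


# Constructed sample: the Telnet and SNMP lines of this example, plus an SNMPv3 line that should pass.
SAMPLE = """\
[AntiDDoS] telnet server enable
[AntiDDoS-aaa-manager-user-atic] service-type telnet
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123
[AntiDDoS] snmp-agent sys-info version v3
"""

if __name__ == "__main__":
    for line_no, cmd, finding in audit(SAMPLE):
        print(f"line {line_no}: {cmd}  ->  {finding}")
```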
Step 8 On the cleaning device, configure the next-hop address used for a dynamically generated route.
<AntiDDoS> system-view
[AntiDDoS] firewall ddos bgp-next-hop 10.1.3.1
Step 10 Configure the BGP function and community attribute on the cleaning device.
[AntiDDoS] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[AntiDDoS] route-policy 1 permit node 1
[AntiDDoS-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[AntiDDoS-route-policy] apply community no-advertise
[AntiDDoS-route-policy] quit
[AntiDDoS] bgp 100
[AntiDDoS-bgp] peer 10.1.2.1 as-number 100
[AntiDDoS-bgp] import-route unr
[AntiDDoS-bgp] ipv4-family unicast
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[AntiDDoS-bgp-af-ipv4] quit
[AntiDDoS-bgp] quit
After the configuration is complete, the UNR generated on the cleaning device will be imported
to BGP and then advertised to Router1 through BGP. In this manner, when Router1 receives
traffic destined for 1.1.1.1/32, it searches the routing table, matches the route according to the
longest mask, and forwards the traffic to the cleaning device through GE1/0/1.
Step 11 Enable traffic statistics on the cleaning interface of the cleaning device.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit
[AntiDDoS-mpls] quit
[AntiDDoS] mpls ldp
[AntiDDoS-ldp] quit
[AntiDDoS] interface GigabitEthernet 2/0/1.100
[AntiDDoS-GigabitEthernet2/0/1.100] mpls
[AntiDDoS-GigabitEthernet2/0/1.100] mpls ldp
[AntiDDoS-GigabitEthernet2/0/1.100] quit
The lsp-trigger configuration must cover the IP addresses for which LSPs are to be established.
[AntiDDoS] mpls
[AntiDDoS-mpls] lsp-trigger all
[AntiDDoS-mpls] quit
Step 14 Configure OSPF to advertise the interface-connected network segment and LSR ID host route.
[AntiDDoS] ospf 1
[AntiDDoS-ospf-1] area 0
[AntiDDoS-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[AntiDDoS-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[AntiDDoS-ospf-1-area-0.0.0.0] quit
[AntiDDoS-ospf-1] quit
----End
1. Enter https://10.1.6.2 in the address bar of Internet Explorer and press Enter to access
the ATIC management center.
2. Enter the user name, password, and verification code on the login page. The user name is
admin, and the password is Admin@123. Click Log In.
1. Choose Defense > Policy Settings > Zone, select the check box of a Zone, and click.
2. Click OK. The deployment progress is displayed, and the progress bar is automatically
closed after the deployment is complete.
3. Choose Defense > Policy Settings > Global Policy, select the check box of the
AntiDDoS, and click.
4. Click OK. The saving progress is displayed, and the progress bar is automatically closed
after the configuration is saved.
----End
Configuring Router1
This part uses Huawei NE80E as an example to describe BGP and MPLS configurations on the
router. The router configuration varies with software versions. The following configuration is
only an example for reference.
Step 1 Assign IP addresses to interfaces on Router1 (omitted).
Step 2 Configure the BGP function.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit
Step 5 Configure OSPF to advertise the interface-connected network segment and LSR ID host route.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1-area-0.0.0.0]
[Router1-ospf-1] quit
----End
Configuring Router2
This part uses Huawei NE80E as an example to describe the MPLS configuration on the router.
Step 1 Assign IP addresses to interfaces on Router2 (omitted).
Step 2 Configure the loopback address for Router2.
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] quit
Step 4 Configure OSPF to advertise the interface-connected network segment and LSR ID host route.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
Step 5 Router2 sends Netflow logs to the Genienrm Netflow device. Configure Netflow on Router2.
# Configure a sampling ratio. The value must be the same as that configured on the Genienrm
Netflow device.
[Router2] ip netstream sampler fix-packets 1000 inbound
# Set the destination address and port number for NetStream output packets, that is, the address
of the Genienrm Netflow device.
[Router2] ip netstream export host 10.1.7.1 9900
# Specify an LPU as the NetStream board. For an NE40E, every interface supports NetStream,
and therefore no dedicated service board is required.
[Router2] slot 1
[Router2-slot-1] ip netstream sampler to slot self
----End
#
ipv4-family unicast
 undo synchronization
 import-route unr
 peer 10.1.2.1 enable
 peer 10.1.2.1 route-policy 1 export
 peer 10.1.2.1 advertise-community
#
ospf 1
 area 0.0.0.0
  network 10.1.3.0 0.0.0.255
  network 2.2.2.2 0.0.0.0
#
ip route-static 0.0.0.0 GigabitEthernet2/0/1 10.1.2.1
#
firewall ddos bgp-next-hop fib-filter
firewall ddos bgp-next-hop 10.1.3.1
#
firewall ddos log-local-ip 10.1.6.1
firewall ddos log-server-ip 10.1.6.2
#
DDoS attack defense policies are delivered by the ATIC management center. For details about
enabled defense policies, see the ATIC management center configuration.
3.1.6 Commissioning
After the configuration is complete, you can do as follows to commission the result:
1. Perform ping tests using test IP addresses. The ping tests succeed.
3.
   a. Initiate a tracert test on the client to identify the packet discard point.
   b. If the router discards packets, check the route through which the injected traffic is
   forwarded.
   c. If the cleaning device discards packets, run the display firewall statistic system
   discarded command to view the number of discarded packets and the packet discarding
   causes, and contact R&D engineers for support.
4. Construct attack traffic (SYN flood traffic is used as an example) and configure a
corresponding defense policy.
5. Choose Report > Report > Traffic Analysis and view the ATIC traffic comparison report.
   - If the traffic curve is normal, logs are properly transmitted between the ATIC
   management center and the device, and reports can be correctly exported.
   - If the query result is empty, perform troubleshooting according to the HUAWEI AntiDDoS
   Maintenance Guide.
The following aspects must be considered for attack defense planning based on IDC traffic
characteristics.
Planning Roadmap
1. Deployment mode
The detecting and cleaning devices are associated and deployed in off-line mode, and traffic
is dynamically diverted.
If traffic is statically diverted, an attack on one customer's service may affect other
customers' services. As traffic cleaning is performance-consuming, if the cleaning device
also receives other customers' traffic while cleaning the service traffic of an attacked customer,
the normal services of those other customers are affected once the cleaning device is overloaded.
If traffic is dynamically diverted, only the attacked service's traffic is diverted to the cleaning
device. In this manner, normal services are not affected even if the cleaning device is overloaded.
2. Performance choice
Plan the interface specifications based on the customer link bandwidth. The highest subcard
processing performance of an SPU is 80 Gbit/s. As DDoS attack defense is performance-consuming,
you must reserve enough cleaning and detection resources.
3. Defense policy
First, you must identify defense objects, create Zones accordingly, and configure defense
policies for the Zones. Use the default Zone defense policies to protect unidentified objects.
For example, an IDC network has three web servers, two DNS servers, and five game
servers. You can create a Zone for each server, that is, 10 Zones in total, and configure a
specific defense policy for each type of server: for example, an HTTP defense policy for web
servers, a DNS defense policy for DNS servers, and a UDP/TCP defense policy for game servers.
However, configuring 10 servers individually is complicated. If the services on each type of
server are almost the same, you can configure only three Zones for the three types of servers,
add the IP addresses to the corresponding Zones (multiple IP addresses or network segments
can be added to each Zone), and configure a defense policy for each Zone. In this manner,
you need to configure only three defense policies.
After the configuration is complete, key objects are protected. For other network resources
in the IDC, apply the default Zone defense policies.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
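The Zone planning above reduces to a table that maps each protected address or segment to a Zone and its defense policy, with everything unmatched falling back to the default Zone policy. The following Python model is an added illustration for this guide, not ATIC code: the Zone names gameZone, webZone and dnsZone follow the example later in this chapter, while the server addresses (RFC 5737 documentation ranges), the policy labels and the function names are constructed for this illustration. It also adds the planning check a practitioner wants before deploying: that no address is a member of two Zones, which would make the applicable policy ambiguous.

```python
"""Zone plan model for the defense-policy planning described in the text.

Added example for this guide, not ATIC code. Zone names follow the example;
member addresses, policy labels and function names are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One Zone per server type; each Zone may hold several addresses or segments.
ZONE_PLAN: Dict[str, dict] = {
    "webZone":  {"policy": "HTTP defense",
                 "members": ["192.0.2.10/32", "192.0.2.11/32", "192.0.2.12/32"]},
    "dnsZone":  {"policy": "DNS defense",
                 "members": ["192.0.2.53/32", "192.0.2.54/32"]},
    "gameZone": {"policy": "UDP/TCP defense",
                 "members": ["198.51.100.0/29"]},
}
DEFAULT_ZONE_POLICY = "default Zone defense policy"

ZoneEntry = Tuple[ipaddress.IPv4Network, str, str]  # (prefix, zone name, policy)


def build_zone_table(plan: Dict[str, dict]) -> List[ZoneEntry]:
    """Flatten the plan into (prefix, zone, policy) rows, most specific first,
    so that a linear scan implements longest-prefix match."""
    table = [(ipaddress.ip_network(member), zone, spec["policy"])
             for zone, spec in plan.items() for member in spec["members"]]
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def classify(table: List[ZoneEntry], dst_ip: str) -> Tuple[Optional[str], str]:
    """Return (zone, policy) for a destination address. Addresses that belong to
    no Zone are unidentified objects and get the default Zone policy."""
    addr = ipaddress.IPv4Address(dst_ip)
    for prefix, zone, policy in table:
        if addr in prefix:
            return zone, policy
    return None, DEFAULT_ZONE_POLICY


def find_overlaps(plan: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Planning sanity check: report members of different Zones whose prefixes
    overlap. Each hit is (zone_a, prefix_a, zone_b, prefix_b)."""
    table = build_zone_table(plan)
    hits = []
    for i, (prefix_a, zone_a, _) in enumerate(table):
        for prefix_b, zone_b, _ in table[i + 1:]:
            if zone_a != zone_b and prefix_a.overlaps(prefix_b):
                hits.append((zone_a, str(prefix_a), zone_b, str(prefix_b)))
    return hits


if __name__ == "__main__":
    table = build_zone_table(ZONE_PLAN)
    for ip in ("192.0.2.11", "198.51.100.5", "203.0.113.9"):
        print(ip, "->", classify(table, ip))
    print("overlaps:", find_overlaps(ZONE_PLAN))
```

Running `find_overlaps` on a candidate plan before creating the Zones in the ATIC management center catches the case where a segment added to one Zone already contains a host listed in another.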
[Figure: networking for this example. Elements: legitimate network, botnet, detecting device,
two switches, e-banking center, credit card center. Legend: legitimate traffic, attacked target,
attack traffic, split traffic, management traffic.]
| Device Name | Interface | IP Address | Description |
| --- | --- | --- | --- |
| Detecting device | GE2/0/1 | - | Detecting interface. |
| Detecting device | GE3/0/0 | 10.1.6.3/24 | Interface through which the detecting device communicates with the ATIC management center. The detecting device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable to each other. In this example, the two IP addresses are in the same network segment. NOTE: The interface must be on an LPU. |
| Cleaning device | GE2/0/1 | 10.1.2.2/24 | Cleaning interface. Interface through which traffic enters the cleaning device. The cleaning device applies defense policies to, analyzes, and cleans the incoming traffic. |
| Cleaning device | GE2/0/2 | 10.1.3.2/24 | Injection interface. Interface through which normal traffic goes back to the original link after traffic cleaning. |
| Cleaning device | GE3/0/0 | 10.1.6.1/24 | Interface through which the cleaning device communicates with the ATIC management center. The cleaning device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable to each other. In this example, the two IP addresses are in the same network segment. NOTE: The interface must be on an LPU. |
| Management center | - | 10.1.6.2/24 | The management center must be reachable from the cleaning device. |
| Router1 | GE1/0/1 | 10.1.2.1/24 | Interface through which traffic is diverted to the cleaning device. |
| Router1 | GE1/0/2 | 10.1.3.1/24 | Interface through which traffic is injected back to the original link. |
| Router1 | GE1/0/3 | 10.1.5.1/24 | Interface through which Router1 is directly connected to Router2. |
| Router2 | GE1/0/1 | 10.1.5.2/24 | Interface through which Router2 is directly connected to Router1. |
[Figure: networking diagram. Detecting device: GE2/0/1 (detecting interface), GE3/0/0 10.1.6.3/24.
Cleaning device: GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24, GE3/0/0 10.1.6.1/24. Router1: GE1/0/1
10.1.2.1/24, GE1/0/2 10.1.3.1/24. Router2. Zone. Legend: normal traffic, attack traffic, split
traffic, management traffic.]
Traffic is injected back from the cleaning device's GE2/0/2 to Router1's GE1/0/2.
The ATIC management center is deployed in centralized mode. That is, the anti-DDoS
collector and management server are deployed on one physical server.
Configuration Roadmap
Do as follows on the detecting device:
3. Assign IP addresses to interfaces, add the interfaces to security zones, and enable interzone
default packet filtering. The detecting interface does not need IP addresses.
5. Configure STelnet.
6. Configure SNMP, so that the ATIC management center can obtain the status of the detecting
device.
7. Configure the detecting interface and enable traffic statistics on the interface.
Do as follows on the cleaning device:
3. Assign IP addresses to interfaces, add the interfaces to security zones, and enable interzone
default packet filtering.
4. Configure STelnet.
5. Configure SNMP, so that the ATIC management center can obtain the status of the cleaning
device.
6. Configure the cleaning interface and enable traffic statistics on the interface.
In addition, configure the router. This example provides router configurations for reference, and
the configurations may need to be adjusted according to the actual router model in a live network.
Step 4 Set the IP addresses of interfaces and add the interfaces to security zones.
# Assign IP addresses to interfaces.
[AntiDDoS] interface GigabitEthernet 3/0/0
[AntiDDoS-GigabitEthernet3/0/0] ip address 10.1.6.3 24
[AntiDDoS-GigabitEthernet3/0/0] anti-ddos detect-device manage-port enable
[AntiDDoS-GigabitEthernet3/0/0] quit
Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123
----End
Step 4 Set the IP addresses of interfaces and add the interfaces to security zones.
# Assign IP addresses to interfaces.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[AntiDDoS-GigabitEthernet2/0/1] quit
[AntiDDoS] interface GigabitEthernet 2/0/2
[AntiDDoS-GigabitEthernet2/0/2] ip address 10.1.3.2 24
[AntiDDoS-GigabitEthernet2/0/2] quit
[AntiDDoS] interface GigabitEthernet 3/0/0
[AntiDDoS-GigabitEthernet3/0/0] ip address 10.1.6.1 24
[AntiDDoS-GigabitEthernet3/0/0] quit
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit
Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123
Step 8 On the cleaning device, configure the next-hop address used for a dynamically generated route.
<AntiDDoS> system-view
[AntiDDoS] firewall ddos bgp-next-hop 10.1.3.1
Step 10 Configure the BGP function and community attribute on the cleaning device.
[AntiDDoS] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[AntiDDoS] route-policy 1 permit node 1
[AntiDDoS-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[AntiDDoS-route-policy] apply community no-advertise
[AntiDDoS-route-policy] quit
[AntiDDoS] bgp 100
[AntiDDoS-bgp] peer 10.1.2.1 as-number 100
[AntiDDoS-bgp] import-route unr
[AntiDDoS-bgp] ipv4-family unicast
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[AntiDDoS-bgp-af-ipv4] quit
[AntiDDoS-bgp] quit
After the configuration is complete, the UNR generated on the cleaning device is imported into
BGP and advertised to Router1 through BGP. When Router1 then receives traffic destined for
1.1.1.1/32, it searches its routing table, matches the route with the longest mask, and forwards
the traffic to the cleaning device through GE1/0/1.
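The diversion mechanism just described is the same in both configuration examples of this chapter (MPLS injection and PBR injection): the cleaning device exports a /32 UNR to Router1 over iBGP, route-policy 1 tags it with the well-known no-advertise community so Router1 keeps it local, and Router1 picks it by longest prefix match so only the attacked host's traffic is diverted through GE1/0/1. The following Python model is an added illustration, not Huawei VRP code from this guide. The addresses 1.1.1.1/32, 10.1.2.2, 10.1.3.1, 10.1.5.2 and the interface names come from the example topology; the Route class, the function names, and the 1.1.1.0/24 customer prefix normally reached via Router2 are this example's own assumptions, as is its reading of the EXPORT-TO-DDoS prefix list as "match /32 host routes".

```python
"""Model of the route-based traffic diversion described in the text.

Added example for this guide; not Huawei VRP code. It shows two things:
  1. The cleaning device's route-policy tags the exported /32 UNR with the
     no-advertise community, so Router1 does not propagate it to other peers.
  2. Router1 forwards by longest prefix match, so only traffic for the /32 is
     diverted to the cleaning device; the rest of the customer prefix keeps
     following its normal path.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NO_ADVERTISE = "no-advertise"  # well-known BGP community NO_ADVERTISE (0xFFFFFF02)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    out_iface: str
    communities: frozenset = frozenset()


def matches_export_to_ddos(prefix: ipaddress.IPv4Network) -> bool:
    """Example's reading of 'ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32':
    match host (/32) routes, which is what the cleaning device's UNR entries are."""
    return prefix.prefixlen == 32


def apply_route_policy_1(route: Route) -> Route:
    """Model of 'route-policy 1 permit node 1 / if-match ip-prefix EXPORT-TO-DDoS /
    apply community no-advertise'. Matching routes are tagged; others pass unchanged."""
    if matches_export_to_ddos(route.prefix):
        return Route(route.prefix, route.next_hop, route.out_iface,
                     route.communities | {NO_ADVERTISE})
    return route


def router_install_from_peer(fib: List[Route], adv: Route,
                             peer_ip: str, in_iface: str) -> None:
    """Router1 side: install the route learned from the iBGP peer (the cleaning
    device, 10.1.2.2) with the peer as next hop via the interface facing it."""
    fib.append(Route(adv.prefix, peer_ip, in_iface, adv.communities))


def longest_match(fib: List[Route], dst: str) -> Optional[Route]:
    """Forwarding decision: the most specific matching prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in fib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def may_readvertise(route: Route) -> bool:
    """A route carrying no-advertise must not be sent on to any BGP peer."""
    return NO_ADVERTISE not in route.communities


def build_router1_fib() -> List[Route]:
    """Constructed Router1 FIB: the customer prefix 1.1.1.0/24 (assumed) is
    normally reached via Router2 on GE1/0/3; then the cleaning device's UNR for
    the attacked host 1.1.1.1/32 arrives over iBGP on GE1/0/1."""
    fib = [Route(ipaddress.ip_network("1.1.1.0/24"), "10.1.5.2", "GE1/0/3")]
    # The UNR on the cleaning device points at the injection next hop 10.1.3.1.
    unr = Route(ipaddress.ip_network("1.1.1.1/32"), "10.1.3.1", "GE2/0/2")
    router_install_from_peer(fib, apply_route_policy_1(unr), "10.1.2.2", "GE1/0/1")
    return fib


if __name__ == "__main__":
    fib = build_router1_fib()
    for dst in ("1.1.1.1", "1.1.1.2"):
        r = longest_match(fib, dst)
        print(f"{dst} -> {r.out_iface} via {r.next_hop} "
              f"(may readvertise: {may_readvertise(r)})")
```

Only 1.1.1.1 resolves to GE1/0/1 toward the cleaning device; 1.1.1.2, inside the same customer prefix, still follows the normal path, and the diverted /32 is marked so that Router1 does not leak it to other BGP peers.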
Step 11 Enable traffic statistics on the cleaning interface of the cleaning device.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit
Step 12 Configure PBR on GE2/0/1 of the cleaning device for traffic injection.
[AntiDDoS] policy-based-route
[AntiDDoS-policy-pbr] rule name huizhu
[AntiDDoS-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[AntiDDoS-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet
2/0/2 10.1.3.1
[AntiDDoS-policy-pbr-rule-huizhu] quit
[AntiDDoS-policy-pbr] quit
----End
1. Enter https://10.1.6.2 in the address bar of Internet Explorer and press Enter to access
the ATIC management center.
2. Enter the user name, password, and verification code on the login page. The user name is
admin, and the password is Admin@123. Click Log In.
2. Create a detecting device and a cleaning device and add the devices to the NE list.
3. Click OK. The detecting device and cleaning device are added to the NE list.
Step 3 Choose Defense > Policy Settings > Zone, create user-defined Zones, and configure basic
information about the Zones.
When adding NEs, select both the detecting device and cleaning device.
The Zone IP address is the IP address of the server to be protected. A Zone is created for each
type of server. For example, create gameZone for game servers, webZone for web servers, and
dnsZone for DNS servers.
Step 4 Configure a defense policy for game servers, that is, the policy corresponding to gameZone.
Configure the defense policies corresponding to webZone and dnsZone.
1. Choose Defense > Policy Settings > Zone, select the check box of a Zone, and click.
2. Click OK. The deployment progress is displayed, and the progress bar is automatically
closed after the deployment is complete.
3. Choose Defense > Policy Settings > Global Policy, select the check box of the
AntiDDoS, and click.
4. Click OK. The saving progress is displayed, and the progress bar is automatically closed
after the configuration is saved.
Step 8 Choose Defense > Policy Settings > Zone. Click a specific state in the Baseline Learning
column to enable the baseline learning function.
Baseline learning takes effect as long as traffic passes through the device, and no additional
policy is required.
Configuring Router1
This part uses Huawei NE80E as an example to describe BGP and PBR configurations on the
router. The router configuration varies with software versions. The following configuration is
only an example for reference.
Step 1 Assign IP addresses to interfaces on Router1 (omitted).
Step 2 Configure the BGP function.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit
# Define a traffic policy and specify the traffic behavior for the traffic classifier in the policy.
[Router1] traffic policy policy1
[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit
----End
#
ipv4-family unicast
 undo synchronization
 import-route unr
 peer 10.1.2.1 enable
 peer 10.1.2.1 route-policy 1 export
 peer 10.1.2.1 advertise-community
#
policy-based-route
 rule name huizhu
  ingress-interface GigabitEthernet2/0/1
  action pbr egress-interface GigabitEthernet2/0/2 10.1.3.1
#
ip route-static 0.0.0.0 GigabitEthernet2/0/1 10.1.2.1
#
firewall ddos bgp-next-hop fib-filter
firewall ddos bgp-next-hop 10.1.3.1
#
firewall ddos log-local-ip 10.1.6.1
firewall ddos log-server-ip 10.1.6.2
#
DDoS attack defense policies are delivered by the ATIC management center. For details about
enabled defense policies, see the ATIC management center configuration.
3.2.6 Commissioning
After the configuration is complete, you can do as follows to commission the result:
1. Perform ping tests using test IP addresses. The ping tests succeed.
3.
   a. Initiate a tracert test on the client to identify the packet discard point.
   b. If the router discards packets, check the route through which the injected traffic is
   forwarded.
   c. If the cleaning device discards packets, run the display firewall statistic system
   discarded command to view the number of discarded packets and the packet discarding
   causes, and contact R&D engineers for support.
4. Construct attack traffic (SYN flood traffic is used as an example) and configure a
corresponding defense policy.
5. Choose Report > Report > Traffic Analysis and view the ATIC traffic comparison report.
   - If the traffic curve is normal, logs are properly transmitted between the ATIC
   management center and the device, and reports can be correctly exported.
   - If the query result is empty, perform troubleshooting according to the HUAWEI AntiDDoS
   Maintenance Guide.