Basic tests of BGP FlowSpec


Setup 1: sFlow-RT (192.168.10.1) --------- Juniper vMX

Setup 2: GoBGP (192.168.20.1) --------- Juniper vMX

The rate limit is 1000 Bps (bytes per second). Juniper, however, expresses the policer rate in bps, so it multiplies the value by 8.

For sFlow-RT, start it as follows:

#./start.sh -Dddos_protect.router=192.168.10.254  -Dddos_protect.as=65070  -Dbgp.start=yes -Dbgp.port=179 -Dddos_protect.enable.ipv6=no -Dddos_protect.enable.flowspec=yes  -Dddos_protect.flowspec.rate=1000  -Dddos_protect.flowspec.community=65070:1000

Note: -Dddos_protect.flowspec.community=65070:1000 has no effect; on the Juniper side the community is always shown as Communities: traffic-rate:0:1000

For GoBGP, announce the /32 route as follows:

#gobgp global rib -a ipv4-flowspec add match destination 117.27.230.10/32  then rate-limit 1000.0

The 1000 Bps above is carried in the Juniper traffic-rate community: Communities: traffic-rate:0:1000

To carry the AS as well, i.e. Communities: traffic-rate:65060:1000

gobgp global rib -a ipv4-flowspec add match destination 117.27.230.12/32  then rate-limit 1000.0 as 65060
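As an added example (not from the original post, and not code from sFlow-RT, GoBGP or Junos), the following Python encodes and decodes the RFC 5575 traffic-rate extended community that both controllers send. It shows why the two renderings above differ (traffic-rate:0:1000 when no AS is given, traffic-rate:65060:1000 with `as 65060`) and why 1000 bytes/s turns into an 8 kbit/s policer. It also encodes and decodes the flow NLRI keys that Junos prints in inetflow.0 in the verification output below (destination, protocol, source/destination port). The component and operator encodings follow RFC 5575; the two rendering functions imitate the Junos output shown on this page, and the mapping of the "8K_" policer prefix to 8000 bps is inferred from that output.

```python
import struct
import ipaddress

# RFC 5575 traffic-rate extended community: type 0x80, sub-type 0x06,
# 2-octet AS number, 4-octet IEEE 754 float rate in *bytes per second*.
TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE = 0x80, 0x06

# RFC 5575 flow specification component types used in this test.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
COMPONENT_NAMES = {IP_PROTO: "proto", DST_PORT: "dstport", SRC_PORT: "srcport"}


def encode_traffic_rate(rate_bytes_per_sec, asn=0):
    """Return the 8-byte traffic-rate extended community (asn=0 when the controller gives none)."""
    return struct.pack("!BBHf", TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE, asn, rate_bytes_per_sec)


def decode_traffic_rate(community):
    """Return (asn, rate_bytes_per_sec); reject anything that is not a traffic-rate community."""
    ctype, subtype, asn, rate = struct.unpack("!BBHf", community)
    if (ctype, subtype) != (TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE):
        raise ValueError(f"not a traffic-rate community: type={ctype:#x} sub={subtype:#x}")
    return asn, rate


def junos_community_string(community):
    """Render the community the way 'show route ... extensive' on this page prints it."""
    asn, rate = decode_traffic_rate(community)
    return f"traffic-rate:{asn}:{int(rate)}"


def rate_to_bps(rate_bytes_per_sec):
    """The community carries bytes/s; the policer is in bits/s, hence the factor of 8 (1000 -> 8000, '8K_')."""
    return int(rate_bytes_per_sec * 8)


def _numeric_match(value, end_of_list=True):
    """Operator octet 'e a len len 0 lt gt eq' with eq set, followed by a 1/2/4-byte value."""
    if value < 1 << 8:
        len_bits, fmt = 0, "!B"
    elif value < 1 << 16:
        len_bits, fmt = 1, "!H"
    else:
        len_bits, fmt = 2, "!I"
    operator = (0x80 if end_of_list else 0x00) | (len_bits << 4) | 0x01
    return bytes([operator]) + struct.pack(fmt, value)


def encode_flow_nlri(dst_prefix, proto=None, dst_port=None, src_port=None):
    """Build a flow-spec NLRI: destination prefix plus optional protocol and port matches."""
    net = ipaddress.ip_network(dst_prefix)
    body = bytes([DEST_PREFIX, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    for ctype, value in ((IP_PROTO, proto), (DST_PORT, dst_port), (SRC_PORT, src_port)):
        if value is not None:
            body += bytes([ctype]) + _numeric_match(value)
    if len(body) < 0xF0:                      # one-octet length below 240
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # two-octet length otherwise


def decode_flow_nlri(nlri):
    """Render an NLRI as Junos shows it in inetflow.0: dst,src,match=value,... ('*' = any)."""
    if nlri[0] < 0xF0:
        length, pos = nlri[0], 1
    else:
        length, pos = struct.unpack("!H", nlri[:2])[0] & 0x0FFF, 2
    end = pos + length
    dst = src = "*"
    matches = []
    while pos < end:
        ctype = nlri[pos]
        pos += 1
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen = nlri[pos]
            nbytes = (plen + 7) // 8
            addr = ipaddress.ip_address(nlri[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00"))
            pos += 1 + nbytes
            text = str(addr) if plen == 32 else f"{addr}/{plen}"
            if ctype == DEST_PREFIX:
                dst = text
            else:
                src = text
        else:
            values = []
            while True:                        # operator list ends when the 'e' bit is set
                operator = nlri[pos]
                size = 1 << ((operator >> 4) & 0x03)
                values.append(int.from_bytes(nlri[pos + 1:pos + 1 + size], "big"))
                pos += 1 + size
                if operator & 0x80:
                    break
            matches.append(f"{COMPONENT_NAMES[ctype]}={','.join(map(str, values))}")
    return ",".join([dst, src, *matches])


if __name__ == "__main__":
    # The three flow keys seen in inetflow.0 on this page, and both community renderings.
    for kwargs in ({"proto": 17}, {"proto": 17, "dst_port": 5353}, {"proto": 17, "src_port": 1202}):
        nlri = encode_flow_nlri("119.27.230.10/32", **kwargs)
        print(nlri.hex(), "->", decode_flow_nlri(nlri))
    for asn in (0, 65060):
        comm = encode_traffic_rate(1000.0, asn)
        print(comm.hex(), "->", junos_community_string(comm), f"({rate_to_bps(1000)} bps policer)")
```

Running the script prints the NLRI bytes for the three terms that appear in the verification output and the two communities; the rate field is an IEEE float, so 1000 bytes/s is carried as 0x447a0000, not as the integer 1000.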

Juniper vMX configuration:

root@CE-R> show configuration | display set
set version 20190319.203446_builder.r1013243
set system root-authentication encrypted-password "$6$AeSB/yQX$Xo6uUk1XAQtXLs4nCMxperSKE9f7YavFwv66W8Zpi8nDRh6Cj4wudDEXr7HVgvu.L8eYD97QrdrBhlwBecpT11"
set system services ssh root-login allow
set system services ssh protocol-version v2
set system host-name CE-R
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system processes dhcp-service traceoptions file dhcp_logfile
set system processes dhcp-service traceoptions file size 10m
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag packet
set interfaces ge-0/0/0 unit 0 family inet address 201.10.10.254/24
set interfaces ge-0/0/1 unit 0 family inet address 203.10.10.1/24
set interfaces ge-0/0/2 unit 0 family inet filter group 1
set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.254/24
set interfaces ge-0/0/3 unit 0 family inet address 222.77.177.254/24
set interfaces ge-0/0/4 unit 0 family inet filter group 1
set interfaces ge-0/0/4 unit 0 family inet address 172.20.1.254/24
set interfaces ge-0/0/5 unit 0 family inet filter group 1
set interfaces ge-0/0/5 unit 0 family inet address 192.168.20.254/24
set interfaces dsc unit 0 family inet address 192.0.2.102/32
set interfaces fxp0 unit 0 family inet address 10.5.245.195/24
set policy-options policy-statement TRAFFIC-RATE term 1 from route-filter 119.27.230.0/24 prefix-length-range /32-/32
set policy-options policy-statement TRAFFIC-RATE term 1 then accept
set policy-options policy-statement skip-validation then accept
set routing-options static route 10.5.0.0/16 next-hop 10.5.245.254
set routing-options static route 202.101.10.0/24 next-hop 203.10.10.254
set routing-options static route 119.27.230.0/24 next-hop 201.10.10.1
set routing-options router-id 192.168.10.254
set routing-options autonomous-system 64497
set routing-options flow interface-group 1
set routing-options flow interface-group exclude
set routing-options flow term-order standard
set protocols bgp group CUST-FLOWSPEC family inet flow
set protocols bgp group CUST-FLOWSPEC neighbor 192.168.10.1 family inet flow no-validate TRAFFIC-RATE
set protocols bgp group CUST-FLOWSPEC neighbor 192.168.10.1 peer-as 65070
set protocols bgp group CUST-FLOWSPEC neighbor 192.168.20.1 family inet flow no-validate TRAFFIC-RATE
set protocols bgp group CUST-FLOWSPEC neighbor 192.168.20.1 peer-as 65060
set protocols sflow polling-interval 10
set protocols sflow sample-rate ingress 1000
set protocols sflow source-ip 192.168.10.254
set protocols sflow collector 192.168.10.1
set protocols sflow interfaces ge-0/0/1.0 polling-interval 10
set protocols sflow interfaces ge-0/0/1.0 sample-rate ingress 1000

Generate test traffic with hping3:

hping3 --flood --udp --rand-source -k 119.27.230.10 -p 5353

Verification:

root@CE-R> show route protocol bgp receive-protocol bgp 192.168.10.1 extensive all

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

__juniper_private1__.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

VRF1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

__juniper_private1__.inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

VRF1.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

inetflow.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
* 119.27.230.10,*,proto=17/term:4 (1 entry, 1 announced)
    Accepted
    Flags: NoNexthop
    Localpref: 100
    AS path: 65070 I
    Communities: traffic-rate:0:1000

* 119.27.230.10,*,proto=17,dstport=5353/term:2 (1 entry, 1 announced)
    Accepted
    Flags: NoNexthop
    Localpref: 100
    AS path: 65070 I
    Communities: traffic-rate:0:1000

* 119.27.230.10,*,proto=17,srcport=1202/term:3 (1 entry, 1 announced)
    Accepted
    Flags: NoNexthop
    Localpref: 100
    AS path: 65070 I
    Communities: traffic-rate:0:1000

root@CE-R>

root@CE-R> show route table inetflow.0

inetflow.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

119.27.230.10,*,proto=17/term:4
                  *[BGP/170] 00:00:56, localpref 100, from 192.168.10.1
                      AS path: 65070 I, validation-state: unverified
                      Fictitious
119.27.230.10,*,proto=17,dstport=5353/term:2
                  *[BGP/170] 00:00:56, localpref 100, from 192.168.10.1
                      AS path: 65070 I, validation-state: unverified
                      Fictitious
119.27.230.10,*,proto=17,srcport=1202/term:3
                  *[BGP/170] 00:00:56, localpref 100, from 192.168.10.1
                      AS path: 65070 I, validation-state: unverified
                      Fictitious

root@CE-R> show firewall

Filter: __default_bpdu_filter__

Filter: __flowspec_default_inet__
Counters:
Name                                                Bytes              Packets
119.27.230.10,*,proto=17                                0                    0
119.27.230.10,*,proto=17,dstport=5353                44184                1578
119.27.230.10,*,proto=17,srcport=1202                    0                    0
Policers:
Name                                                Bytes              Packets
8K_119.27.230.10,*,proto=17                            0                    0
8K_119.27.230.10,*,proto=17,dstport=5353              560028                20001
8K_119.27.230.10,*,proto=17,srcport=1202                    0                    0
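A FlowSpec route being installed (present in inetflow.0) is not the same as it enforcing anything; for that, the counters and policers in `show firewall` have to be read together. The counter under __flowspec_default_inet__ shows packets the term matched, and the policer named after the term shows the packets that exceeded the traffic-rate. The Python below is an added example, not part of the original post: it parses the `show firewall` text shown above (embedded as the sample input) and reports which terms are currently policing traffic. It assumes that the "8K_" prefix on the policer names is a rate label that can be stripped to recover the term name, which is what the output above suggests.

```python
import re

# 'show firewall' output copied from this test page (the numbers are the page's own).
SHOW_FIREWALL = """\
Filter: __default_bpdu_filter__
Filter: __flowspec_default_inet__
Counters:
Name                                                Bytes              Packets
119.27.230.10,*,proto=17                                0                    0
119.27.230.10,*,proto=17,dstport=5353                44184                1578
119.27.230.10,*,proto=17,srcport=1202                    0                    0
Policers:
Name                                                Bytes              Packets
8K_119.27.230.10,*,proto=17                            0                    0
8K_119.27.230.10,*,proto=17,dstport=5353              560028                20001
8K_119.27.230.10,*,proto=17,srcport=1202                    0                    0
"""

# A data row is: name (no spaces, may contain ',' and '*'), byte count, packet count.
ROW = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$")


def parse_show_firewall(text):
    """Return {filter_name: {"counters": {name: (bytes, packets)}, "policers": {...}}}."""
    filters, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            current = line.split(None, 1)[1]
            filters[current] = {"counters": {}, "policers": {}}
            section = None
        elif line in ("Counters:", "Policers:"):
            section = line[:-1].lower()
        elif not line or line.startswith("Name") or current is None or section is None:
            continue                          # blank lines and column headers
        else:
            m = ROW.match(line)
            if m:
                filters[current][section][m["name"]] = (int(m["bytes"]), int(m["packets"]))
    return filters


def policer_term(policer_name):
    """Strip the rate label Junos prepends to flowspec policer names ('8K_<term>' -> '<term>'); assumed from the page."""
    return policer_name.split("_", 1)[1] if "_" in policer_name else policer_name


def flowspec_report(text, filter_name="__flowspec_default_inet__"):
    """Per flow term: packets/bytes the term matched and packets/bytes the policer treated as over the rate."""
    flt = parse_show_firewall(text)[filter_name]
    report = {}
    for term, (cbytes, cpkts) in flt["counters"].items():
        report[term] = {"matched_bytes": cbytes, "matched_packets": cpkts,
                        "policed_bytes": 0, "policed_packets": 0}
    for pname, (pbytes, ppkts) in flt["policers"].items():
        entry = report.setdefault(policer_term(pname), {"matched_bytes": 0, "matched_packets": 0,
                                                        "policed_bytes": 0, "policed_packets": 0})
        entry["policed_bytes"], entry["policed_packets"] = pbytes, ppkts
    return report


def terms_actively_limiting(text, filter_name="__flowspec_default_inet__"):
    """Terms whose policer has dropped packets, i.e. rules that are actually biting, not just installed."""
    return sorted(t for t, r in flowspec_report(text, filter_name).items() if r["policed_packets"] > 0)


if __name__ == "__main__":
    for term, r in flowspec_report(SHOW_FIREWALL).items():
        print(f"{term:45s} matched={r['matched_packets']:>6} policed={r['policed_packets']:>6}")
    print("actively limiting:", terms_actively_limiting(SHOW_FIREWALL))
```

On the page's output only the dstport=5353 term (the one hping3 was aimed at) shows policed packets; the other two terms are installed but idle. Feeding live `show firewall` output to the same parser, with the corresponding policer prefix, gives a quick answer to whether a newly announced FlowSpec rule is taking effect.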

Directly connected BGP neighbor configuration

Case: directly connected BGP neighbor configuration

1) Make sure the devices can reach each other

2) Configure BGP and specify the neighbor

3) Verify

Approach

Build the lab environment in eNSP as shown in Figure 1.
[Figure 1: lab topology (image not reproduced)]

    // Basic configuration of R1
      interface gi0/0/0
        ip address  192.168.12.1  255.255.255.0
    // Basic configuration of R2
      interface gi0/0/1
        ip address  192.168.12.2  255.255.255.0
    // Enable BGP on R1 and set the AS to 64512
    bgp 64512
    // Specify the neighbor's IP address and the AS number the neighbor belongs to
      peer 192.168.12.2   as-number  64512
    // Enable BGP on R2 and set the AS to 64512
    bgp 64512
    // Specify the neighbor's IP address and the AS number the neighbor belongs to
      peer 192.168.12.1   as-number  64512
    // View the BGP peer table on R1
    display  bgp   peer
    BGP local router ID : 192.168.12.1
     Local AS number : 64512
     Total number of peers : 1          Peers in established state : 0
     Peer          V    AS   MsgRcvd  MsgSent  OutQ  Up/Down    State     PrefRcv
     192.168.12.2  4  64512        0        1     0  00:00:45  Established    0
    // View the BGP peer table on R2
    display  bgp   peer
    BGP local router ID : 192.168.12.2
     Local AS number : 64512
     Total number of peers : 1          Peers in established state : 1
     Peer          V    AS   MsgRcvd  MsgSent  OutQ  Up/Down    State     PrefRcv
     192.168.12.1  4  64512        5        5     0  00:03:07  Established    0
