

1.1.1.1 (vMX-1, CE1)     1.1.1.2 (vMX-2, PE1)     1.1.1.3 (vMX-3)

[vMX-1]-----------------[vMX-2]-----------------[vMX-3]


1. Lowest route preference

Group TEST_2 (peer 1.1.1.1) is given preference 200, so its copy of 100.100.0.0/24 shows up as [BGP/200]; the copy from 1.1.1.3 keeps the default 170 and wins.


chano@vMX-2_PE1# show protocols bgp | display set 

set protocols bgp group TEST type internal

set protocols bgp group TEST local-address 1.1.1.2

set protocols bgp group TEST cluster 1.1.1.2

set protocols bgp group TEST neighbor 1.1.1.3

set protocols bgp group TEST_2 type internal

set protocols bgp group TEST_2 preference 200

set protocols bgp group TEST_2 local-address 1.1.1.2

set protocols bgp group TEST_2 cluster 1.1.1.2

set protocols bgp group TEST_2 neighbor 1.1.1.1


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0                               


inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100.0.0/24     *[BGP/170] 00:00:37, localpref 100, from 1.1.1.3

                      AS path: I, validation-state: unverified

                    > to 10.0.0.3 via ge-0/0/4.0

                    [BGP/200] 00:00:46, localpref 100, from 1.1.1.1

                      AS path: I, validation-state: unverified

                    > to 10.1.0.0 via ge-0/0/1.0

[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 extensive | match inactive                 

                Inactive reason: Route Preference


2. Highest local preference

The export policy on CE1 (vMX-1) sets local-preference 50 and the one on vMX-3 sets 200; the path with the higher value wins.


[edit]

chano@vMX-1_CE1# set policy-options policy-statement export-bgp-static term 10 then local-preference 50 

[edit]

chano@vMX-3# set policy-options policy-statement export-bgp-static term 10 then local-preference 200



chano@vMX-2_PE1# run show route 100.100.0.0 


inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100.0.0/24     *[BGP/170] 00:00:07, localpref 200, from 1.1.1.3

                      AS path: I, validation-state: unverified

                    > to 10.0.0.3 via ge-0/0/4.0

                    [BGP/170] 00:00:21, localpref 50, from 1.1.1.1

                      AS path: I, validation-state: unverified

                    > to 10.1.0.0 via ge-0/0/1.0


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 | match inactive

(no output: the inactive reason is only printed by the extensive form of the command)

[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 extensive | match inactive 

                Inactive reason: Local Preference


3. Shortest AS path

CE1 prepends AS 2345 to its advertisement, making that path one AS longer. In the advertising-protocol output the local AS appears in square brackets ([1234]); it is not sent to the iBGP neighbor, which is why vMX-2 sees only "2345 I".


[edit]

chano@vMX-1_CE1# set policy-options policy-statement export-bgp-static term 10 then as-path-prepend 2345    


[edit]

chano@vMX-1_CE1# run show route advertising-protocol bgp 1.1.1.2                                            


inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)

  Prefix                  Nexthop              MED     Lclpref    AS path

* 100.100.0.0/24          Self                         100        2345 [1234] I



[edit]

chano@vMX-2_PE1# run show route 100.100.0.0                               


inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100.0.0/24     *[BGP/170] 00:05:47, localpref 100, from 1.1.1.3

                      AS path: I, validation-state: unverified

                    > to 10.0.0.3 via ge-0/0/4.0

                    [BGP/170] 00:01:10, localpref 100, from 1.1.1.1

                      AS path: 2345 I, validation-state: unverified

                    > to 10.1.0.0 via ge-0/0/1.0


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 extensive | match inactive    

                Inactive reason: AS path



4. Lowest origin value

Origin codes rank IGP (I) before EGP (E) before Incomplete (?), lowest preferred. CE1's export policy sets origin egp, vMX-3's sets origin igp.


[edit]

chano@vMX-1_CE1# set policy-options policy-statement export-bgp-static term 10 then origin egp 


[edit]

chano@vMX-3# set policy-options policy-statement export-bgp-static term 10 then origin igp 


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0                               


inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100.0.0/24     *[BGP/170] 00:10:04, localpref 100, from 1.1.1.3

                      AS path: I, validation-state: unverified

                    > to 10.0.0.3 via ge-0/0/4.0

                    [BGP/170] 00:00:15, localpref 100, from 1.1.1.1

                      AS path: E, validation-state: unverified

                    > to 10.1.0.0 via ge-0/0/1.0


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 extensive | match inactive    

                Inactive reason: Origin



5. Lowest MED

Both routes are static routes exported into BGP, so the static route metric is carried as the MED: 200 on CE1, 100 on vMX-3.


[edit]

chano@vMX-1_CE1# set routing-options static route 100.100.0.0/24 metric 200 

[edit]

chano@vMX-3# set routing-options static route 100.100.0.0/24 metric 100  



[edit]

chano@vMX-2_PE1# run show route 100.100.0.0                               


inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100.0.0/24     *[BGP/170] 00:07:03, MED 100, localpref 100, from 1.1.1.3

                      AS path: I, validation-state: unverified

                    > to 10.0.0.3 via ge-0/0/4.0

                    [BGP/170] 00:00:22, MED 300, localpref 100, from 1.1.1.1

                      AS path: I, validation-state: unverified

                    > to 10.1.0.0 via ge-0/0/1.0


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 extensive | match inactive    

                Inactive reason: Not Best in its group - Route Metric or MED comparison

The capture shows MED 300 on the route from 1.1.1.1 although the static route metric on CE1 was set to 200; the outcome is the same, since either value is higher than the 100 advertised by vMX-3.

6. Route type (external before internal)

For this step the TEST group toward vMX-3 is reconfigured as an eBGP session (peer-as 2345, neighbor 10.0.0.3) while TEST_2 toward 1.1.1.1 stays iBGP. CE1 prepends one AS (1111) so that both AS paths are one AS long and the comparison gets past step 3.


[edit]

chano@vMX-2_PE1# show protocols bgp | display set 

set protocols bgp group TEST type external

set protocols bgp group TEST peer-as 2345

set protocols bgp group TEST neighbor 10.0.0.3


set protocols bgp group TEST_2 type internal

set protocols bgp group TEST_2 local-address 1.1.1.2

set protocols bgp group TEST_2 cluster 1.1.1.2

set protocols bgp group TEST_2 neighbor 1.1.1.1


[edit]

chano@vMX-1_CE1# set policy-options policy-statement export-bgp-static term 10 then as-path-prepend 1111


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0                               


inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100.0.0/24     *[BGP/170] 00:01:15, MED 100, localpref 100

                      AS path: 2345 I, validation-state: unverified

                    > to 10.0.0.3 via ge-0/0/4.0

                    [BGP/170] 00:00:08, localpref 100, from 1.1.1.1

                      AS path: 1111 I, validation-state: unverified

                    > to 10.1.0.0 via ge-0/0/1.0


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 extensive | match inactive    

                Inactive reason: Interior > Exterior > Exterior via Interior

The eBGP route carries MED 100 while the iBGP route has none, yet MED did not decide: by default Junos compares MED only between paths from the same neighboring AS (2345 versus the local AS here); `path-selection always-compare-med` would change that. The inactive reason spells out the order Junos applies to route type: strictly internal paths first, then strictly external (eBGP) paths, then external paths learned via iBGP.


7. Lowest IGP cost

Raising the OSPF metric of ge-0/0/1 (toward 1.1.1.1) makes the IGP path to that next hop more expensive, so the path via 1.1.1.3 wins; the BGP attributes of the two paths are otherwise identical.


[edit]

chano@vMX-2_PE1# set protocols ospf area 0 interface ge-0/0/1 metric 100 


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 


inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100.0.0/24     *[BGP/170] 00:02:44, localpref 100, from 1.1.1.3

                      AS path: I, validation-state: unverified

                    > to 10.0.0.3 via ge-0/0/4.0

                    [BGP/170] 00:08:32, localpref 100, from 1.1.1.1

                      AS path: I, validation-state: unverified

                    > to 10.1.0.0 via ge-0/0/1.0


[edit]

chano@vMX-2_PE1# run show route 100.100.0.0 extensive | match inactive 

                Inactive reason: Not Best in its group - IGP metric
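As an added illustration (not part of the original post and not Junos code), the seven criteria exercised above as a comparison function in Python. It reproduces the `Inactive reason` strings the captures show and the two Junos defaults that mattered: a missing MED counts as 0, and MED is only compared between paths whose neighboring AS (the leftmost AS in the path, or the local AS 1234 for an empty path) is the same. The IGP costs used for step 7 are assumed; the captures do not show them.

```python
"""Junos BGP path selection reduced to the seven criteria exercised above.
Added illustration, not Junos code; 'Inactive reason' strings copied from the captures."""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_AS = 1234                          # the [1234] in the advertising-protocol output
ORIGIN_RANK = {"I": 0, "E": 1, "?": 2}   # IGP < EGP < Incomplete, lowest preferred
TYPE_RANK = {"ebgp": 1, "ibgp": 2}       # strictly external < external via internal
MED_REASON = "Not Best in its group - Route Metric or MED comparison"


@dataclass(frozen=True)
class Path:
    peer: str                        # the "from" address in show route
    preference: int = 170            # the /170 in [BGP/170]
    local_pref: int = 100
    as_path: Tuple[int, ...] = ()    # () is what show route prints as "I"
    origin: str = "I"
    med: Optional[int] = None        # None: attribute absent
    route_type: str = "ibgp"
    igp_cost: int = 0                # IGP metric to the BGP next hop

    def neighbor_as(self) -> int:
        # Junos compares MED only between paths from the same neighboring AS:
        # the leftmost AS in the path, or our own AS when the path is empty.
        return self.as_path[0] if self.as_path else LOCAL_AS

    def effective_med(self) -> int:
        return 0 if self.med is None else self.med   # Junos default: missing MED = 0


def compare(a: Path, b: Path, always_compare_med: bool = False):
    """Return (winner, loser, inactive_reason) for two paths to the same prefix.
    inactive_reason is None when all seven criteria tie (later tie-breakers not modelled)."""
    def decide(reason, key):
        ka, kb = key(a), key(b)
        if ka == kb:
            return None
        return (a, b, reason) if ka < kb else (b, a, reason)

    for step in (
        decide("Route Preference", lambda p: p.preference),      # 1. lower wins
        decide("Local Preference", lambda p: -p.local_pref),     # 2. higher wins
        decide("AS path", lambda p: len(p.as_path)),             # 3. shorter wins
        decide("Origin", lambda p: ORIGIN_RANK[p.origin]),       # 4. IGP first
    ):
        if step:
            return step
    # 5. MED, only when both paths come from the same neighboring AS
    if always_compare_med or a.neighbor_as() == b.neighbor_as():
        step = decide(MED_REASON, lambda p: p.effective_med())
        if step:
            return step
    for step in (
        decide("Interior > Exterior > Exterior via Interior",
               lambda p: TYPE_RANK[p.route_type]),               # 6. eBGP before iBGP
        decide("Not Best in its group - IGP metric",
               lambda p: p.igp_cost),                            # 7. cheaper IGP path
    ):
        if step:
            return step
    return a, b, None


def lab_captures():
    """The seven two-path situations above; the IGP costs in step 7 are assumed."""
    via_vmx3 = Path("1.1.1.3")
    steps = {
        1: (via_vmx3, Path("1.1.1.1", preference=200)),
        2: (Path("1.1.1.3", local_pref=200), Path("1.1.1.1", local_pref=50)),
        3: (via_vmx3, Path("1.1.1.1", as_path=(2345,))),
        4: (via_vmx3, Path("1.1.1.1", origin="E")),
        5: (Path("1.1.1.3", med=100), Path("1.1.1.1", med=300)),
        6: (Path("10.0.0.3", as_path=(2345,), med=100, route_type="ebgp"),
            Path("1.1.1.1", as_path=(1111,))),
        7: (Path("1.1.1.3", igp_cost=1), Path("1.1.1.1", igp_cost=100)),
    }
    return {n: compare(a, b) for n, (a, b) in steps.items()}


if __name__ == "__main__":
    for n, (winner, loser, reason) in lab_captures().items():
        print(f"{n}. active via {winner.peer}, {loser.peer} inactive: {reason}")
```

Running it prints one line per step with the same inactive reason the `extensive` output gave; passing `always_compare_med=True` to `compare` for the step 6 pair shows the iBGP route (no MED, counted as 0) winning on MED instead, which is the behaviour `path-selection always-compare-med` would produce.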



Shell commands for checking CoS configuration

These are PFE-shell commands (entered after `start shell pfe network fpcN`), which are diagnostic and not part of the supported CLI.



jnpr@PE-3# exit 
Exiting configuration mode

{master}
jnpr@PE-3> start shell pfe network fpc4 


RMPC platform (1200Mhz QorIQ P2020 processor, 3584MB memory, 512KB flash)

NPC0(pe1-RE0 vty)# show cos scheduler-hierarchy

<--snip-->

class-of-service egress scheduler hierarchy - rates in kbps
---------------------------------------------------------------------------------
                                    shaping guarntd delaybf  excess
interface name               index    rate    rate    rate    rate
 other
---------------------------- -----  ------- ------- ------- -------
-------------
xe-0/0/1                       164        0       0       0       0
  xe-0/0/1.2000                329    10000       0       0       0
    q 1 - pri 0/0            37272        0     24%     24%      0%
    q 2 - pri 0/0            37272        0      2%      2%      0%
    q 3 - pri 2/0            37272        0      1%      5%      0%
    q 4 - pri 0/0            37272        0     24%     24%      0%
    q 5 - pri 3/0            37272        0     24%    5000      0% exact
  xe-0/0/1.32767               429        0    2000    2000       0
    q 0 - pri 0/1                2        0     95%     95%      0%
    q 3 - pri 0/1                2        0      5%      5%      0%


NGMPC4(PE-3 vty)# show cos halp ifl 401
IFL type: Basic

--------------------------------------------------------------------------------
IFL name: (xe-4/0/0.200, xe-4/0/0)   (Index 401, IFD Index 207)
    XQ chip id: 0
    XQ chip Scheduler: 0
    XQ chip L2 index: -1
    XQ chip L3 index: -1
    XQ chip L4 index: 31
    XQ chip base Q index: 248
    Number of queues: 8
Queue    State        Max       Guaranteed   Burst  Weight Priorities Drop-Rules  Scaling-profile 
Index                 rate         rate      size            G    E   Wred  Tail       ID
------ ----------- ----------- ------------ ------- ------ ---------- ----------  ----------------
   248  Configured  3000000000            0 67108864      1   GL   EL    0   140        3
   249  Configured  3000000000    200000000 67108864     24   GL   EL    4   493        3
   250  Configured  3000000000    300000000 67108864     37   GL   EL    4   493        3
   251  Configured  3000000000    500000000 67108864     62   GL   EL    4   493        3
   252  Configured  3000000000     Disabled 67108864      1   GH   EH    4   508        1
   253  Configured  3000000000            0 67108864      1   GL   EL    0   140        3
   254  Configured  3000000000            0 67108864      1   GL   EL    0   140        3
   255  Configured  3000000000            0 67108864      1   GL   EL    0   140        3



The truncated `show interfaces ge-0/0/0 extensive` output below contains a number of error fields whose meaning is not widely understood.

user@test> show interfaces ge-0/0/0 extensive
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 505, Generation: 137
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:26:88:eb:62:c0, Hardware address: 00:26:88:eb:62:c0
  Last flapped   : 2012-06-04 14:39:14 UTC (00:35:10 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                30972                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                  427                    0 pps
   Output packets:                    0                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0

SOLUTION:

The counters split into input errors and output errors. Input errors are counted at the input queue of the SRX interface:

  • Errors: Sum of the incoming frame aborts and FCS errors.

  • Drops: Number of packets dropped by the input queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet dropped by the ASIC's RED mechanism.

  • Framing errors: Number of packets received with an invalid frame check sequence (FCS).

  • Runts: Number of received frames that are smaller than the runt threshold.

  • Policed discards: Number of frames that the incoming packet match code discarded, as they were not recognized or not of interest. Usually, this field reports protocols that the JUNOS software does not handle.

  • L3 incompletes: Number of incoming packets discarded, as they have failed Layer 3 sanity checks for the headers. For example, a frame with less than 20 bytes of available IP header is discarded.

  • L2 channel errors: Number of times the software did not find a valid logical interface for an incoming frame.

  • L2 mismatch timeouts: Number of malformed or short packets which caused the incoming packet handler to discard the frame as unreadable.

  • FIFO errors: Number of FIFO errors in the receive direction that are reported by the ASIC on the PIC. If this value is ever non-zero, the PIC is probably malfunctioning.

  • Resource errors: Sum of transmit drops.

Output errors can be broadly summarized as follows:

  • Carrier transitions: Number of times that the interface has gone from down to up. This number does not normally increment quickly; increasing only when the cable is unplugged, the far-end system is powered down and then up, or another issue occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, far-end system, PIC or PIM is malfunctioning.

  • Errors: Sum of the outgoing frame aborts and FCS errors.

  • Drops: The number of packets dropped by the output queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet dropped by the ASIC's RED mechanism.

  • Collisions: The number of Ethernet collisions. The Gigabit Ethernet PIC supports only full-duplex operation; so for Gigabit Ethernet PICs, this number should always remain 0. If it is non-zero, there is a software bug.

  • Aged packets: The number of packets which remained in the shared packet SDRAM for so long, that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possible malfunctioning hardware.

  • FIFO errors: The number of FIFO errors in the send direction, as reported by the ASIC on the PIC. If this value is ever non-zero, the PIC is probably malfunctioning.

  • HS link CRC errors: The number of errors on the high-speed links between the ASICs, which are responsible for handling the router interfaces.

  • MTU errors: The number of packets whose size exceeded the interface MTU.

  • Resource errors: Sum of transmit drops.
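An added example (mine, not Juniper's) that parses the `Input errors` / `Output errors` block of `show interfaces ... extensive` and flags the counters the descriptions above say should stay at zero. The sample output is constructed, with non-zero counters chosen to exercise the checks; point `parse_errors` at real output captured with `| no-more` instead.

```python
"""Parse the Input/Output errors block of 'show interfaces <ifd> extensive'
and flag the counters the field descriptions above treat as faults.
Added example, not Junos or Juniper code."""
import re
from typing import Dict, List

# Constructed sample in the Junos layout; non-zero counters chosen to trigger findings.
SAMPLE = """\
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 505, Generation: 137
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 12, Runts: 0, Policed discards: 3, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 7, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
"""

# Per the descriptions above these should never be non-zero on a full-duplex GE PIC.
NEVER_NONZERO = {
    ("input", "FIFO errors"), ("output", "FIFO errors"), ("output", "Collisions"),
    ("output", "Aged packets"), ("output", "HS link CRC errors"),
}
FIELD = re.compile(r"([A-Za-z0-9 ]+?): (\d+)")


def parse_errors(text: str) -> Dict[str, Dict[str, int]]:
    """Return {"input": {name: value}, "output": {name: value}}."""
    counters = {"input": {}, "output": {}}
    section, header_indent = None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if stripped in ("Input errors:", "Output errors:"):
            section, header_indent = stripped.split()[0].lower(), indent
        elif section and indent > header_indent:        # continuation lines of the block
            for name, value in FIELD.findall(stripped):
                counters[section][name.strip()] = int(value)
        else:
            section = None                                # back at a top-level field
    return counters


def findings(counters: Dict[str, Dict[str, int]]) -> List[str]:
    """Human-readable findings following the field descriptions above."""
    out = []
    for direction, name in sorted(NEVER_NONZERO):
        value = counters[direction].get(name, 0)
        if value:
            out.append(f"{direction} {name}={value}: should never increment; "
                       "suspect PIC/ASIC hardware or a software fault")
    inp = counters["input"]
    if inp.get("Errors") or inp.get("Framing errors"):
        out.append(f"input Framing errors={inp.get('Framing errors', 0)}, "
                   f"Errors={inp.get('Errors', 0)}: FCS failures, check cable, optics and duplex")
    if inp.get("Policed discards"):
        out.append(f"input Policed discards={inp['Policed discards']}: frames of protocols "
                   "Junos does not handle (informational)")
    return out


if __name__ == "__main__":
    for line in findings(parse_errors(SAMPLE)):
        print(line)
```

The parser keys on indentation rather than on field names, so it stops at the next top-level field (`Egress queues:` in the sample) and keeps working if Juniper adds a counter; only `findings` needs to know what each counter means.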


BGP FlowSpec propagates filtering and policing rules quickly between BGP peers and is used to mitigate DDoS attacks.

With conventional RTBH, an attack is mitigated by advertising the victim's address with a next hop of null/discard. The drawback is that the victim becomes unreachable altogether.

FlowSpec is not limited to the null/discard action: a flow can match on source and destination prefix, Layer 4 parameters and packet parameters (length, fragmentation, and so on), which gives far more options for responding to a DDoS attack.



Juniper FlowSpec operation

As shown in the original figure, flows received from a BGP peer go through validation; flows that pass are stored in the Local-RIB, converted into a firewall filter and pushed to every PFE, where the filter is applied to all interfaces.





LAB TEST

Topology

  [ R1 ] --------------------- [ R2 ]
   1.1.1.1     10.10.10.0/24    2.2.2.2

R1's loopback is 1.1.1.1, R2's is 2.2.2.2, and the link between them is 10.10.10.0/24 (10.10.10.1 and 10.10.10.2 in the configurations below). R1 is the logical system TEST_1 on the same MX960 chassis that hosts R2, which is why its prompt reads `icraft@Mx960:TEST_1#` while R2's reads `icraft@Mx960#`.

R1

set logical-systems TEST_1 interfaces xe-1/2/0 unit 0 family inet address 10.10.10.1/24

set logical-systems TEST_1 interfaces lo0 unit 1 family inet address 1.1.1.1/32

set logical-systems TEST_1 protocols bgp group TEST type internal

set logical-systems TEST_1 protocols bgp group TEST local-address 1.1.1.1

set logical-systems TEST_1 protocols bgp group TEST family inet unicast

set logical-systems TEST_1 protocols bgp group TEST family inet flow no-validate TEST_default

set logical-systems TEST_1 protocols bgp group TEST neighbor 2.2.2.2

set logical-systems TEST_1 policy-options policy-statement TEST_default term 10 then accept

set logical-systems TEST_1 policy-options policy-statement TEST_default term 5 then reject

set logical-systems TEST_1 routing-options static route 2.2.2.2/32 next-hop 10.10.10.2

set logical-systems TEST_1 routing-options autonomous-system 1234


R2

set interfaces xe-1/3/0 unit 0 family inet address 10.10.10.2/24

set interfaces lo0 unit 2 family inet address 2.2.2.2/32

set routing-options static route 1.1.1.1/32 next-hop 10.10.10.1

set routing-options autonomous-system 1234

set routing-options flow route TEST match protocol icmp

set routing-options flow route TEST then discard

set protocols bgp group TEST type internal

set protocols bgp group TEST local-address 2.2.2.2

set protocols bgp group TEST family inet unicast

set protocols bgp group TEST family inet flow no-validate TEST

set protocols bgp group TEST cluster 2.2.2.2

set protocols bgp group TEST neighbor 1.1.1.1

set policy-options policy-statement TEST then accept


-> On R2 a flow route (TEST) that discards ICMP is created and advertised to R1. On R1 the policy TEST_default given to `no-validate` accepts everything: Junos evaluates policy terms in the order they were configured, not by name, and term 10 (accept) was entered before term 5 (reject), so term 5 is never reached.

 

R1 receives the flow over BGP, generates a firewall filter from it and applies that filter to all interfaces.

A ping from R1 to R2 is dropped by the firewall filter built from the received flow.

R1 firewall filter (after the ping attempt from R1 to R2)

icraft@Mx960# run show firewall 

Filter: __default_bpdu_filter__                                


Filter: __flowspec_default_inet__                              

Counters:

Name                                                Bytes              Packets

*,*,proto=1                                           588                    7


[edit]

icraft@Mx960# 



The received flow can be inspected with `show route`; flows live in the inetflow.0 table.

R1 routing table

Note the `[Flow/5]` in this capture: Flow/5 is the protocol and preference of a locally configured flow route (the `routing-options flow route` on R2), whereas a flow learned over BGP appears as `[BGP/170]`, as in the next capture. Together with the prompt lacking `:TEST_1`, this suggests the output was taken from R2's main instance rather than from R1.

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


*,*,proto=1/term:1            

                   *[Flow/5] 01:04:20

                      Fictitious


[edit]

icraft@Mx960#  



Flows accepted from a peer can themselves be filtered. Create the following flow route and check the routing table:

R2

set routing-options flow route TEST match destination 100.100.0.0/16

set routing-options flow route TEST then accept


icraft@Mx960:TEST_1# show protocols bgp                  

group TEST {

    type internal;

    local-address 1.1.1.1;

    family inet {

        unicast;

        flow {

            no-validate TEST;

        }

    }

    neighbor 2.2.2.2;

}



R1

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both


100.100/16,*/term:N/A          

                   *[BGP/170] 00:02:49, localpref 100, from 2.2.2.2

                      AS path: I, validation-state: unverified

                      Fictitious

[edit]

icraft@Mx960:TEST_1# 



The flow received from R2 is present in the table.

Now apply the following policy on R1:

R1

policy-statement TEST_reject {

    term 10 {

        from local-preference 100;

        then reject;

    }

    term 20 {

        then accept;

    }

}


icraft@Mx960:TEST_1# show protocols bgp                  

group TEST {

    type internal;

    local-address 1.1.1.1;

    family inet {

        unicast;

        flow {

            no-validate TEST_reject;

        }

    }

    neighbor 2.2.2.2;

}


The flow advertised by R2 was learned via BGP and therefore carries a local preference of 100, so term 10 of the policy rejects it.

Checking the routing table at that point:

R1

icraft@Mx960:TEST_1# run show route hidden  

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)


inetflow.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both


100.100/16,*/term:N/A          

                    [BGP ] 00:09:27, localpref 100, from 2.2.2.2

                      AS path: I, validation-state: unverified

                      Fictitious


[edit]

icraft@Mx960:TEST_1# 


The route has gone hidden: a flow that does not pass validation (here, the policy named under `no-validate`, which takes its place) is kept as a hidden route and is not turned into a filter.
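Added example, not part of the lab and not Junos code: Python that encodes the two flows used above into Flow Specification NLRI (RFC 8955) and back, renders them in the `destination,source,match` form that `inetflow.0` uses, and applies the RFC 8955 section 6 feasibility rule that `no-validate` bypasses. Under that rule the `match protocol icmp` flow can never be feasible (it embeds no destination prefix) and the 100.100.0.0/16 flow is feasible only if the originator also originates the best-matching unicast route, which is why the lab needs `no-validate` at all. Junos's own validation code is not reproduced; the helper names and the sample RIB are mine.

```python
"""BGP Flow Specification NLRI (RFC 8955) for the two flows used in the lab
above, the inetflow.0-style rendering, and the RFC 8955 section 6 validation
rule that 'no-validate' bypasses.  Added example, not Junos or the lab's code."""
import ipaddress
from typing import Dict, Optional, Tuple

DEST_PREFIX, SRC_PREFIX, IP_PROTO = 1, 2, 3      # component types used here
END_OF_LIST, OP_EQ = 0x80, 0x01                   # numeric operator bits


def _prefix_component(ctype: int, prefix: str) -> bytes:
    net = ipaddress.ip_network(prefix)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def encode_flow(dst: Optional[str] = None, src: Optional[str] = None,
                proto: Optional[int] = None) -> bytes:
    """Build one NLRI; components must appear in ascending type order."""
    body = b""
    if dst:
        body += _prefix_component(DEST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto is not None:   # one (operator, value) pair: end-of-list, 1-byte value, "=="
        body += bytes([IP_PROTO, END_OF_LIST | OP_EQ, proto])
    if len(body) >= 240:    # two-byte length form
        return bytes([0xF0 | (len(body) >> 8), len(body) & 0xFF]) + body
    return bytes([len(body)]) + body


def decode_flow(nlri: bytes) -> Dict[str, object]:
    """Parse an NLRI back into {"dst", "src", "proto"}; ValueError on malformed input."""
    if nlri[0] >= 0xF0:
        length, i = ((nlri[0] & 0x0F) << 8) | nlri[1], 2
    else:
        length, i = nlri[0], 1
    body = nlri[i:i + length]
    if len(body) != length:
        raise ValueError("NLRI length does not match payload")
    out, i = {}, 0
    while i < len(body):
        ctype, i = body[i], i + 1
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen, nbytes = body[i], (body[i] + 7) // 8
            addr = ipaddress.IPv4Address(body[i + 1:i + 1 + nbytes].ljust(4, b"\x00"))
            out["dst" if ctype == DEST_PREFIX else "src"] = f"{addr}/{plen}"
            i += 1 + nbytes
        elif ctype == IP_PROTO:
            values = []
            while True:                     # operator list ends at the end-of-list bit
                op, vlen = body[i], 1 << ((body[i] >> 4) & 0x3)
                values.append(int.from_bytes(body[i + 1:i + 1 + vlen], "big"))
                i += 1 + vlen
                if op & END_OF_LIST:
                    break
            out["proto"] = values
        else:
            raise ValueError(f"component type {ctype} not handled here")
    return out


def junos_style(flow: Dict[str, object]) -> str:
    """Approximate the 'destination,source,match' key shown in inetflow.0."""
    def short(p: str) -> str:               # 100.100.0.0/16 -> 100.100/16
        addr, plen = p.split("/")
        return ".".join(addr.split(".")[:max(1, (int(plen) + 7) // 8)]) + "/" + plen
    parts = [short(flow["dst"]) if "dst" in flow else "*",
             short(flow["src"]) if "src" in flow else "*"]
    return ",".join(parts + [f"proto={v}" for v in flow.get("proto", [])])


def validate(flow: Dict[str, object], originator: str,
             unicast_rib: Dict[str, str]) -> Tuple[bool, str]:
    """RFC 8955 section 6 feasibility against a {prefix: originator} unicast RIB.
    Rule (c) is simplified to 'no more-specific route from a different originator'."""
    if "dst" not in flow:
        return False, "no destination prefix embedded (rule a)"
    dst = ipaddress.ip_network(flow["dst"])
    routes = {ipaddress.ip_network(p): o for p, o in unicast_rib.items()}
    covering = [n for n in routes if dst.subnet_of(n)]
    if not covering:
        return False, "no unicast route covers the destination"
    best = max(covering, key=lambda n: n.prefixlen)
    if routes[best] != originator:
        return False, f"best match {best} originated by {routes[best]} (rule b)"
    for n, o in routes.items():
        if n != dst and n.subnet_of(dst) and o != originator:
            return False, f"more-specific {n} from {o} (rule c)"
    return True, "feasible"
```

`encode_flow(proto=1)` yields the four bytes `03 03 81 01` (length 3, type 3, operator end-of-list|eq with a 1-byte value, protocol 1), which `junos_style` renders as `*,*,proto=1`, the same key the `__flowspec_default_inet__` counter carried above; `encode_flow(dst="100.100.0.0/16")` renders as `100.100/16,*`. `validate` on either flow against a RIB that R2 does not originate returns the reason the flow would be dropped if validation were on.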



