
HUAWEI Anti-DDoS

V500R001

Configuration Examples
Issue

01

Date

2015-07-20

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2015-07-20)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Contents
1 Configuration Examples for System Deployment
1.1 Example for Configuring Interconnection Between the AntiDDoS8000 and ATIC (Out-of-Path Deployment of an Intermixed Device)
1.2 Example for Configuring Interconnection Between the AntiDDoS8000s and ATIC (In-Path Deployment of Active and Standby Devices)

2 Configuration Examples for Traffic Diversion and Injection
2.1 Example for PBR Diversion and Static Route Injection
2.2 Example for PBR Diversion and PBR Injection
2.3 Example for BGP Diversion and Layer-2 Injection
2.4 Example for BGP Diversion and UNR Route Injection
2.5 Example for BGP Diversion and PBR Injection
2.6 Example for BGP Diversion and GRE Injection
2.7 Example for BGP Diversion and MPLS VPN Injection
2.8 Example for BGP Diversion and MPLS LSP Injection
2.9 Example for Cleaning Blackhole Routes (Configuring the Router to Discard Packets)

3 Configuration Examples for Comprehensive Scenarios
3.1 Scenario 1: MAN Attack Defense
3.1.1 Scenario Description
3.1.2 Typical Networking
3.1.3 Data Planning
3.1.4 Configuration Procedure
3.1.5 Configuration Scripts
3.1.6 Commissioning
3.2 Scenario 2: Data Center Security Protection
3.2.1 Scenario Description
3.2.2 Typical Networking
3.2.3 Data Planning
3.2.4 Configuration Procedure
3.2.5 Configuration Scripts
3.2.6 Commissioning


1 Configuration Examples for System Deployment

About This Chapter


This chapter provides examples for configuring system deployment.
1.1 Example for Configuring Interconnection Between the AntiDDoS8000 and ATIC (Out-of-Path Deployment of an Intermixed Device)
1.2 Example for Configuring Interconnection Between the AntiDDoS8000s and ATIC (In-Path Deployment of Active and Standby Devices)

1.1 Example for Configuring Interconnection Between the AntiDDoS8000 and ATIC (Out-of-Path Deployment of an Intermixed Device)
Networking Requirements
As shown in Figure 1-1, the intermixed device is deployed at the network node in off-line mode to detect and clean downstream traffic destined for the Zone. An optical splitter copies the traffic on the link to the detecting interface, so the device detects traffic in real time and notifies the ATIC management center when it finds an anomaly. The ATIC management center then delivers a traffic-diversion task to the cleaning SPU, so that traffic is diverted to the cleaning interface. After cleaning, normal traffic is injected back into the original link through the traffic-injection interface for further forwarding.
GigabitEthernet 2/0/1 on the cleaning device receives the optically split traffic; traffic arriving on this interface is sent to the detecting SPU for analysis. GigabitEthernet 1/0/1 receives the diverted traffic, which the cleaning SPU cleans. After cleaning, traffic is injected to the router for forwarding through subinterface GigabitEthernet 1/0/1.100.

Figure 1-1 Networking diagram of the intermixed device in off-line mode
[Figure: an optical splitter on the router link copies traffic to GE2/0/1 on the intermixed device; the router connects to GE1/0/1 (diverted, pre-cleaning traffic) and GE1/0/1.100 (post-cleaning traffic); GE3/0/0 10.1.5.1/24 connects to the ATIC management center 10.1.5.2/24; the Zone sits behind the router. Legend: optically split traffic, pre-cleaning traffic, post-cleaning traffic.]

This example mainly describes how to configure the intermixed device and ATIC management
center deployed on the network. Details on how to configure traffic diversion and injection, and
defense policies are omitted.
For details on the example for configuring traffic diversion and injection, see Traffic Diversion
and Injection Configuration Examples.

Service Planning
- The intermixed device is named AntiDDoS.
- The ATIC management center is deployed in centralized mode. That is, both the anti-DDoS collector and the ATIC server are deployed on the same server.
- Table 1-1 shows the IP addresses of the intermixed device and ATIC management center.

Table 1-1 IP addresses

| Device Name | Interface | IP Address | Description |
| --- | --- | --- | --- |
| Intermixed device | GigabitEthernet 2/0/1 | None | Detecting interface. It receives the optically split traffic on the link; no IP address is required. |
| Intermixed device | GigabitEthernet 1/0/1 | 10.1.2.1/24 | Cleaning interface. It is the inbound interface for diverted traffic; the intermixed device applies the defense policies to the incoming traffic of this interface and analyzes and cleans the traffic. |
| Intermixed device | GigabitEthernet 1/0/1.100 | 10.1.3.1/24 | Traffic-injection interface. Cleaned traffic is injected into the original link through this interface. |
| Intermixed device | GigabitEthernet 3/0/0 | 10.1.5.1/24 | Interface through which the cleaning device communicates with the ATIC management center. The intermixed device sends logs and captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and that of the ATIC management center must be reachable from each other; in this example they reside on the same network segment. |
| ATIC management center | - | 10.1.5.2/24 | IP address of the ATIC management center. |

Configuration Roadmap
Perform the following on the intermixed device:
1. Log in to the intermixed device by using the console port for the first time to upgrade the software version.
2. Load the license.
3. Set IP addresses for interfaces, add the interfaces to security zones, and configure interzone packet filtering.
4. Change the default user name and password, and configure Telnet.
5. Configure SNMP, so that the ATIC management center can obtain the status of the intermixed device.
6. Configure detecting and cleaning interfaces and enable traffic statistical collection on them.
7. Specify detecting and cleaning SPUs and restart the SPUs.
8. Save the configuration.

Perform the following in the ATIC management center:
1. Log in to the ATIC management center for the first time.
2. Create an anti-DDoS device.
3. Save the configuration.
4. Configure proper defense policies.

Configuring the Intermixed Device


Step 1 Log in to the intermixed device by using the console port for the first time. The default user
name and password are admin and Admin@123.
You can view version information by running the display version command. Upgrade the
software version to the latest. For details, refer to the Upgrade Instructions.
Step 2 Load the license.
<AntiDDoS> system-view
[AntiDDoS] license active lic_antiddos8000_20150430.dat

Step 3 Specify detecting and cleaning SPU subcards.


[AntiDDoS] firewall ddos clean-spu slot 3 card 0
[AntiDDoS] firewall ddos detect-spu slot 3 card 1

Step 4 Change the default user name and password, and configure Telnet.
Set the authentication mode of the VTY user interface to AAA and the idle timeout for administrators to 5 minutes (10 minutes by default).
NOTE

Compared with STelnet, Telnet is insecure. Therefore, STelnet is recommended. This example uses Telnet
to describe the configuration procedure.
<AntiDDoS> system-view
[AntiDDoS] telnet server enable
[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] idle-timeout 5
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type telnet
[AntiDDoS-aaa-manager-user-atic] quit
[AntiDDoS-aaa] bind manager-user atic role system-admin

Step 5 Optional: Configure automatic lockout upon administrator login failures.


By default, if an administrator fails to log in 3 consecutive times, the administrator account is locked for 30 minutes. In this example, the account is locked for 10 minutes after 2 login failures.
[AntiDDoS-aaa] lock-authentication enable
[AntiDDoS-aaa] lock-authentication failed-count 2
[AntiDDoS-aaa] lock-authentication timeout 10


Step 6 Set the IP addresses of interfaces and add the interfaces to security zones (omitted).
Step 7 Enable default interzone packet filtering.
[AntiDDoS] security-policy
[AntiDDoS-policy-security] rule name ddos1
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit

Step 8 Configure SNMP.


NOTE

Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123

Step 9 Configure the detecting interface.


[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos detect enable
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit

Step 10 Configure the cleaning interface.


[AntiDDoS] interface GigabitEthernet 1/0/1
[AntiDDoS-GigabitEthernet1/0/1] anti-ddos clean enable
[AntiDDoS-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet1/0/1] quit

Step 11 Save the configuration.


<AntiDDoS> save

----End

Configuring the ATIC Management Center


Step 1 Log in to the ATIC management center for the first time.
1.

Enter https://10.1.5.2 in the address bar of the Internet Explorer and press Enter to access
the ATIC management center.

2.

Enter the user name, password, and verification code on the login page. The user name is
atic, and the password is Admin@123. Click Log In.

3.

Change the initial password upon the first login.

Step 2 Create an anti-DDoS device.
1. Choose Defense > Network Settings > Devices.
2. Click the icon for creating a device (icon not reproduced) and set the device parameters, as shown in Figure 1-2.
Figure 1-2 Create an anti-DDoS device. (screenshot not reproduced)
3. Click OK. The anti-DDoS device is added to the NE list.

Step 3 Save the configuration.
1. Choose Defense > Policy Settings > Global Policy.
2. Select the check box of the cleaning device and click the save icon (icon not reproduced).

Step 4 Configure a defense policy (omitted).


----End

1.2 Example for Configuring Interconnection Between the AntiDDoS8000s and ATIC (In-Path Deployment of Active and Standby Devices)
Networking Requirements
As shown in Figure 1-3, two cleaning devices are deployed in in-path mode and work in active/standby mode to detect and clean the traffic destined for the Zone. Both the upstream and downstream service interfaces on the cleaning devices connect to switches. Based on the defense policy delivered by the ATIC management center, the cleaning devices detect and clean network traffic and report traffic and attack logs to the ATIC management center, which generates the various reports available for query.
Figure 1-3 Networking diagram of the cleaning devices in in-path mode

[Figure: AntiDDoS_A and AntiDDoS_B sit in-path between an upstream and a downstream switch. VRRP group 1: GE1/0/1 1.1.1.1/24 (A) and 1.1.1.2/24 (B); VRRP group 2: GE1/0/3 2.2.2.1/24 (A) and 2.2.2.2/24 (B); VRRP group 3: GE3/0/0 on both devices towards the ATIC management center; heartbeat GE3/0/3 labelled 5.1.1.3/24 and 5.1.1.4/24 in the figure; the Zone lies downstream. Legend: traffic before cleaning, traffic after cleaning, service link, backup link.]

This example mainly describes how to configure the cleaning devices and ATIC management
center deployed on the network. Details on how to configure defense policies are omitted.


Service Planning
- The cleaning device names are AntiDDoS_A and AntiDDoS_B.
- The ATIC management center is deployed in centralized mode. That is, the anti-DDoS collector and management server are deployed on one physical server.
- The service interfaces on the cleaning devices work at Layer 3. Enable VRRP on the upstream and downstream switches. Use GigabitEthernet 3/0/0 on each device to communicate with the ATIC management center.
- Table 1-2 lists the IP addresses of the cleaning devices and ATIC management center.
Table 1-2 Planning for the IP addresses of interfaces on devices

| Device | Interface | IP Address | Description |
| --- | --- | --- | --- |
| Cleaning device A | GigabitEthernet 1/0/1 | 1.1.1.1/24 | Service interface. It serves as the outbound interface for downstream traffic and connects to the Zone network. |
| Cleaning device A | GigabitEthernet 1/0/3 | 2.2.2.1/24 | Service interface, also called the cleaning interface. It serves as the inbound interface for downstream traffic and connects to the Internet. |
| Cleaning device A | GigabitEthernet 3/0/0 | 10.1.5.3/24 | Interface through which the cleaning device communicates with the ATIC management center. The cleaning device sends logs and captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and that of the ATIC management center must be reachable from each other; in this example they are in the same network segment. |
| Cleaning device A | GigabitEthernet 3/0/3 | 5.1.1.2/24 | Heartbeat interface. |
| Cleaning device B | GigabitEthernet 1/0/1 | 1.1.1.2/24 | Service interface. It serves as the outbound interface for downstream traffic and connects to the Zone network. |
| Cleaning device B | GigabitEthernet 1/0/3 | 2.2.2.2/24 | Service interface, also called the cleaning interface. It serves as the inbound interface for downstream traffic and connects to the Internet. |
| Cleaning device B | GigabitEthernet 3/0/0 | 10.1.5.4/24 | Interface through which the cleaning device communicates with the ATIC management center; same requirements as on cleaning device A. |
| Cleaning device B | GigabitEthernet 3/0/3 | 5.1.1.3/24 | Heartbeat interface. |
| Management center | - | 10.1.5.2/24 | IP address of the ATIC management center. |
| Zone | - | 2.2.2.0/24 | IP address segment of the Zone. |

Table 1-3 lists the VRRP virtual IP addresses planned for the cleaning devices.
NOTE

The anti-DDoS solution supports only active/standby hot standby, not load balancing hot standby. In
addition, only the active/standby backup using VRRP is supported.


Table 1-3 Planning for VRRP virtual IP addresses

| VRRP Group | Member Interfaces | Virtual IP Address | Description |
| --- | --- | --- | --- |
| VRRP group 1 | Cleaning device A: GigabitEthernet 1/0/1; Cleaning device B: GigabitEthernet 1/0/1 | 1.1.1.10/24 | These service interfaces connect to an upstream switch. |
| VRRP group 2 | Cleaning device A: GigabitEthernet 1/0/3; Cleaning device B: GigabitEthernet 1/0/3 | 2.2.2.10/24 | These service interfaces connect to a downstream switch. |
| VRRP group 3 | Cleaning device A: GigabitEthernet 3/0/0; Cleaning device B: GigabitEthernet 3/0/0 | 10.1.5.1/24 | These interfaces connect to the ATIC management center. |

Configuration Roadmap
Do as follows on the two cleaning devices:
1. Log in to each cleaning device through the console port for the first time and upgrade the software version.
2. Load the license.
3. Configure STelnet.
4. Configure interfaces, add them to security zones, and enable default packet filtering.
5. Configure SNMP, so that the ATIC management center can obtain the status of each cleaning device.
6. Configure cleaning interfaces and enable traffic statistics on the interfaces.
7. Specify the cleaning SPU subcard.
8. Configure hot standby.
9. Save the configuration.

Do as follows on the ATIC management center:
1. Log in to the ATIC management center for the first time.
2. Create anti-DDoS devices.
3. Save the configuration.
4. Configure a defense policy.

Configuring Cleaning Device A


Step 1 Log in to the cleaning device through the console port for the first time. The default user name
and password are admin and Admin@123.
You can view version information by running the display version command. Upgrade the
software version to the latest. For details, see Upgrade Guide.
Step 2 Load the license.
<AntiDDoS> system-view
[AntiDDoS] license active lic_antiddos8000_20150430.dat

Step 3 Specify the cleaning SPU subcard.


[AntiDDoS] firewall ddos clean-spu slot 3 card 0

Step 4 Create a user name, set a password, and configure STelnet (SSH).


[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] protocol inbound ssh
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type ssh
[AntiDDoS-aaa-manager-user-atic] level 15
[AntiDDoS-aaa-manager-user-atic] quit
[AntiDDoS-aaa] quit
[AntiDDoS] rsa local-key-pair create
The key name will be: AntiDDoS_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
[AntiDDoS] stelnet server enable
[AntiDDoS] ssh user atic
[AntiDDoS] ssh user atic authentication-type password
[AntiDDoS] ssh user atic service-type stelnet

Step 5 Set interface IP addresses and add the interfaces to security zones (omitted).
Step 6 Configure SNMP.
NOTE

Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.

[AntiDDoS_A] snmp-agent sys-info version v2c
[AntiDDoS_A] snmp-agent community read public@123
[AntiDDoS_A] snmp-agent community write private@123

Step 7 Specify GigabitEthernet 1/0/1 as a cleaning interface and enable traffic statistics on the interface.
[AntiDDoS_A] interface GigabitEthernet 1/0/1
[AntiDDoS_A-GigabitEthernet1/0/1] anti-ddos clean enable
[AntiDDoS_A-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
[AntiDDoS_A-GigabitEthernet1/0/1] quit

Step 8 Configure a VRRP group.


# Configure VRRP group 1 on the upstream service interface GigabitEthernet 1/0/1 and set its
state to Active. Note that if the IP address of this interface and the VRRP virtual IP address are
in different network segments, you must specify a mask for the VRRP virtual IP address.
[AntiDDoS_A] interface GigabitEthernet 1/0/1
[AntiDDoS_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.10 24 active
[AntiDDoS_A-GigabitEthernet1/0/1] quit

# Configure VRRP group 2 on the downstream service interface GigabitEthernet 1/0/3 and set
its state to Active.
[AntiDDoS_A] interface GigabitEthernet 1/0/3
[AntiDDoS_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 2.2.2.10 active
[AntiDDoS_A-GigabitEthernet1/0/3] quit

# Configure VRRP group 3 on the interface connecting to the ATIC management center and set
its state to Active.
NOTE

You must add the interfaces connecting the anti-DDoS devices to the ATIC management center to a VRRP
group and set a virtual IP address for the VRRP group, so that the interfaces use this virtual IP address to
communicate with the ATIC management center.
[AntiDDoS_A] interface GigabitEthernet 3/0/0
[AntiDDoS_A-GigabitEthernet3/0/0] vrrp vrid 3 virtual-ip 10.1.5.1 active
[AntiDDoS_A-GigabitEthernet3/0/0] quit

Step 9 Configure the source IP address for sending logs.


[AntiDDoS_A] info-center loghost source 10.1.5.1
NOTE

In hot standby networking, you must set the source IP address that the anti-DDoS devices use to send logs to the VRRP virtual IP address, so that the ATIC management center can parse the operation logs of the anti-DDoS devices.

Step 10 Specify a heartbeat interface and enable hot standby.


[AntiDDoS_A] hrp interface GigabitEthernet 3/0/3 remote 5.1.1.2
[AntiDDoS_A] hrp enable

Step 11 Enable default interzone packet filtering.


Create a security policy on AntiDDoS_A. After hot standby starts to work properly, the security
policy configured on AntiDDoS_A will be automatically backed up to AntiDDoS_B.
HRP_M[AntiDDoS_A] security-policy
HRP_M[AntiDDoS_A-policy-security] rule name ddos1
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] source-zone any
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] destination-zone any
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] action permit
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] quit
HRP_M[AntiDDoS_A-policy-security] quit

Step 12 Save the configuration.



HRP_M<AntiDDoS_A> save

----End

Configuring Cleaning Device B


Step 1 Configure hot standby on AntiDDoS_B.
# The configuration on AntiDDoS_B is similar to that on AntiDDoS_A except that:
1. The IP addresses of interfaces on AntiDDoS_B are different from those of interfaces on AntiDDoS_A.
2. The state of the VRRP groups of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 on AntiDDoS_B must be set to Standby.

----End
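The VRRP and log-source settings in Steps 8 and 9 follow directly from the addressing in Table 1-2 and Table 1-3, and the same plan yields the commands for AntiDDoS_B. The Python helper below is an added example, not Huawei's code: it checks the plan (management interfaces on the ATIC segment, virtual IPs distinct from real IPs, heartbeat interfaces on one segment), applies the page's rule that a mask is required only when a virtual IP lies outside the member interface's segment, and renders the VRRP and loghost commands for either device. The plan tables are constructed from the page; on AntiDDoS_B every group is rendered as standby, an assumption that extends the page's instruction for the two service-interface groups to the management group as well.

```python
import ipaddress

# Interface plan for the two cleaning devices, constructed from Table 1-2.
PLAN = {
    "AntiDDoS_A": {
        "GigabitEthernet 1/0/1": "1.1.1.1/24",
        "GigabitEthernet 1/0/3": "2.2.2.1/24",
        "GigabitEthernet 3/0/0": "10.1.5.3/24",
        "GigabitEthernet 3/0/3": "5.1.1.2/24",
    },
    "AntiDDoS_B": {
        "GigabitEthernet 1/0/1": "1.1.1.2/24",
        "GigabitEthernet 1/0/3": "2.2.2.2/24",
        "GigabitEthernet 3/0/0": "10.1.5.4/24",
        "GigabitEthernet 3/0/3": "5.1.1.3/24",
    },
}

# VRRP groups from Table 1-3: vrid -> (member interface on each device, virtual IP).
VRRP_GROUPS = {
    1: ("GigabitEthernet 1/0/1", "1.1.1.10/24"),
    2: ("GigabitEthernet 1/0/3", "2.2.2.10/24"),
    3: ("GigabitEthernet 3/0/0", "10.1.5.1/24"),
}

ACTIVE_DEVICE = "AntiDDoS_A"          # Step 8: A is Active, B is Standby
ATIC_ADDRESS = "10.1.5.2/24"          # ATIC management center (Table 1-2)
MGMT_IFACE = "GigabitEthernet 3/0/0"  # interface towards the ATIC management center
HEARTBEAT_IFACE = "GigabitEthernet 3/0/3"
MGMT_VRID = 3                         # group whose virtual IP the log source must use


def vrrp_needs_mask(real_ip, virtual_ip):
    """The page's rule: a mask must be given on the vrrp command only when the
    virtual IP is not in the member interface's own network segment."""
    real = ipaddress.ip_interface(real_ip)
    virtual = ipaddress.ip_interface(virtual_ip)
    return virtual.ip not in real.network


def check_plan(plan=PLAN, groups=VRRP_GROUPS, atic=ATIC_ADDRESS):
    """Return a list of plan problems; an empty list means the plan is consistent."""
    problems = []
    atic_net = ipaddress.ip_interface(atic).network
    for device, ifaces in plan.items():
        mgmt = ipaddress.ip_interface(ifaces[MGMT_IFACE])
        # The page requires reachability and places both ends on one segment.
        if mgmt.network != atic_net:
            problems.append(f"{device}: {mgmt} is not on the ATIC segment {atic_net}")
        for vrid, (member, virtual_ip) in groups.items():
            real = ipaddress.ip_interface(ifaces[member])
            if ipaddress.ip_interface(virtual_ip).ip == real.ip:
                problems.append(f"{device}: VRRP {vrid} virtual IP equals real IP {real.ip}")
    # Heartbeat interfaces must share a segment so hrp can reach the peer.
    heartbeat_nets = {ipaddress.ip_interface(p[HEARTBEAT_IFACE]).network for p in plan.values()}
    if len(heartbeat_nets) != 1:
        problems.append(f"heartbeat interfaces span several segments: {sorted(map(str, heartbeat_nets))}")
    return problems


def render_vrrp(device, plan=PLAN, groups=VRRP_GROUPS, active=ACTIVE_DEVICE):
    """Render the Step 8 and Step 9 commands for one device of the pair."""
    state = "active" if device == active else "standby"
    lines = []
    for vrid, (member, virtual_ip) in sorted(groups.items()):
        virtual = ipaddress.ip_interface(virtual_ip)
        mask = f" {virtual.network.prefixlen}" if vrrp_needs_mask(plan[device][member], virtual_ip) else ""
        lines += [f"interface {member}",
                  f" vrrp vrid {vrid} virtual-ip {virtual.ip}{mask} {state}",
                  " quit"]
    # Step 9 note: logs must be sourced from the management VRRP virtual IP.
    lines.append(f"info-center loghost source {ipaddress.ip_interface(groups[MGMT_VRID][1]).ip}")
    return lines


if __name__ == "__main__":
    for problem in check_plan():
        print("PLAN PROBLEM:", problem)
    for device in PLAN:
        print(f"# {device}")
        print("\n".join(render_vrrp(device)))
```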

Configuring the ATIC Management Center


Step 1 Log in to the ATIC management center for the first time.
1.

Enter https://10.1.5.2 in the address bar of the Internet Explorer and press Enter to access
the ATIC management center.

2.

Enter the user name, password, and verification code on the login page. The user name is
admin, and the password is Admin@123. Click Log In.

3.

Change the initial password upon the first login.

Step 2 Create anti-DDoS devices.
1. Choose Defense > Network Settings > Devices.
2. Click the icon for creating a device (icon not reproduced) and set the device parameters, as shown in Figure 1-4.
Figure 1-4 Create anti-DDoS devices. (screenshot not reproduced)
3. Click OK. The anti-DDoS devices are added to the NE list.

Step 3 Save the configuration.
1. Choose Defense > Policy Settings > Global Policy.
2. Select the check box of the active cleaning device and click the save icon (icon not reproduced).

Step 4 Configure a defense policy (omitted).


----End

2 Configuration Examples for Traffic Diversion and Injection

About This Chapter


This chapter provides examples for configuring traffic diversion and injection.
2.1 Example for PBR Diversion and Static Route Injection
2.2 Example for PBR Diversion and PBR Injection
2.3 Example for BGP Diversion and Layer-2 Injection
2.4 Example for BGP Diversion and UNR Route Injection
2.5 Example for BGP Diversion and PBR Injection
2.6 Example for BGP Diversion and GRE Injection
2.7 Example for BGP Diversion and MPLS VPN Injection
2.8 Example for BGP Diversion and MPLS LSP Injection
2.9 Example for Cleaning Blackhole Routes (Configuring the Router to Discard Packets)


2.1 Example for PBR Diversion and Static Route Injection


Networking Requirements
As shown in Figure 2-1, the cleaning device connects to core router Router1 in off-line mode to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined for the Zone is diverted to the cleaning device through PBR in real time for detection and cleaning. After cleaning, normal traffic is injected to Router1 through the static route. Router1 then forwards the normal traffic to Router2 and finally to the Zone.
Figure 2-1 Networking diagram of PBR diversion and static route injection
[Figure: Router1 (GE1/0/0 10.1.1.1/24, GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24) connects to the cleaning device (GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24) and to Router2 (GE1/0/1 10.1.5.2/24), behind which lies the Zone 1.1.1.1/32; the ATIC management center manages the cleaning device. Legend: diverted traffic, injected traffic.]

Service Planning
To meet the networking requirements, plan the services as follows:
- In PBR traffic diversion mode, the cleaning device diverts traffic destined for Zone 1.1.1.1/32 in real time, regardless of whether an attack is occurring.
- A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device, and a traffic-injection channel is established between GE1/0/2 on Router1 and GE2/0/2 on the cleaning device. The cleaning device receives the diverted traffic on GE2/0/1 and injects the cleaned traffic back into the original link through GE2/0/2. Table 2-1 shows the IP addresses of the interfaces.

Table 2-1 IP addresses

Device Name        Interface    IP Address
Cleaning device    GE2/0/1      10.1.2.2/24
                   GE2/0/2      10.1.3.2/24
Router1            GE1/0/0      10.1.1.1/24
                   GE1/0/1      10.1.2.1/24
                   GE1/0/2      10.1.3.1/24
                   GE1/0/3      10.1.5.1/24
Router2            GE1/0/1      10.1.5.2/24

Configuration Roadmap
1. Configure a PBR on Router1 GE1/0/0 to divert Zone traffic by using GE1/0/1,
   implementing traffic diversion.
2. Enable traffic statistical collection on the cleaning interface of the cleaning device.
3. Configure a static route on the cleaning device to point the next hop of the packet with
   destination IP address 1.1.1.1/32 to 10.1.3.1/32. Then configure a PBR on Router1 GE1/0/2
   to issue injected traffic to Router2, implementing traffic injection.
4. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1 for searching for the reverse route.
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure the PBR on
Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure a PBR on Router1 GE1/0/0 for traffic diversion.
# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip destination 1.1.1.1 0
[Router1-acl-adv-3001] quit
[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit

# Configure a traffic behavior and an action for forwarding packets.
[Router1] traffic behavior behavior1
[Router1-behavior-behavior1] redirect ip-nexthop 10.1.2.2 interface GigabitEthernet 1/0/1
[Router1-behavior-behavior1] quit
# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy1


[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit

# Apply the PBR to the interface.


[Router1] interface GigabitEthernet 1/0/0
[Router1-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[Router1-GigabitEthernet1/0/0] quit

Step 3 Configure a PBR on Router1 GE1/0/2 for traffic injection.


# Configure a traffic behavior and an action for forwarding packets.
[Router1] traffic behavior behavior2
[Router1-behavior-behavior2] redirect ip-nexthop 10.1.5.2 interface GigabitEthernet 1/0/3
[Router1-behavior-behavior2] quit

# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy2
[Router1-trafficpolicy-policy2] classifier class1 behavior behavior2
[Router1-trafficpolicy-policy2] quit

# Apply the PBR to the interface.


[Router1] interface GigabitEthernet 1/0/2
[Router1-GigabitEthernet1/0/2] traffic-policy policy2 inbound
[Router1-GigabitEthernet1/0/2] quit

----End

Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit

Step 3 Configure a static route on the cleaning device for traffic injection.
[sysname] ip route-static 1.1.1.1 32 10.1.3.1

Step 4 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

----End
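The diversion PBR configured on Router1 GE1/0/0 above (and reused unchanged in 2.2) decides per packet whether to redirect to the cleaning device or leave the packet to normal routing. The following Python model is an added illustration, not Huawei code: it implements the wildcard-mask semantics of `rule permit ip destination 1.1.1.1 0` (a 0 bit in the wildcard means the address bit must match), first-match ACL evaluation, and the classifier-to-behavior binding of traffic policy policy1. The packet destinations fed to it are constructed sample input; the rule and policy structures are the model's own representation of the CLI objects.

```python
"""Added illustration (not Huawei code): how the Router1 diversion PBR in 2.1
classifies packets. ACL 3001 uses a wildcard mask (0 = every bit must match);
a permitted destination is redirected to the cleaning device, everything else
follows the normal routing table. Sample destinations below are constructed.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (b & care)


# ACL 3001 -> classifier class1 -> behavior behavior1, as in Step 2 of 2.1.
# Rules are evaluated in order; the first rule whose match succeeds decides.
ACL_3001 = [
    {"action": "permit", "dst": "1.1.1.1", "wildcard": "0.0.0.0"},  # host 1.1.1.1 only
]
POLICY1 = [
    {"classifier": ACL_3001,
     "behavior": {"redirect": ("10.1.2.2", "GigabitEthernet 1/0/1")}},
]


def classify(acl, dst: str) -> bool:
    """True when the ACL permits the destination; no matching rule = not permitted."""
    for rule in acl:
        if wildcard_match(dst, rule["dst"], rule["wildcard"]):
            return rule["action"] == "permit"
    return False


def apply_policy(policy, dst: str):
    """Return the (next hop, interface) redirect of the first matching classifier,
    or None when the packet is left to normal forwarding."""
    for entry in policy:
        if classify(entry["classifier"], dst):
            return entry["behavior"]["redirect"]
    return None


if __name__ == "__main__":
    for dst in ("1.1.1.1", "1.1.1.2", "10.1.5.2"):
        print(dst, "->", apply_policy(POLICY1, dst) or "normal routing")
```

The model also accepts a non-zero wildcard (for example `0.0.0.255` to divert a whole /24 Zone), which is the general form of the single-host rule the example uses; only packets the ACL permits leave the normal forwarding path, which is why a mistaken wildcard would divert more traffic than intended.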

2.2 Example for PBR Diversion and PBR Injection


Networking Requirements
As shown in Figure 2-2, the cleaning device connects to core router Router1 in off-line mode
to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined
for the Zone is diverted to the cleaning device through PBR in real time for detection and cleaning.
After cleaning, normal traffic is injected back to Router1 through PBR. Router1 then forwards the
normal traffic to Router2 and finally to the Zone.
Figure 2-2 Networking diagram of PBR diversion and PBR injection
[Figure: Router1 (GE1/0/0 10.1.1.1/24, GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24)
connected to the cleaning device (GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24) and to Router2 (GE1/0/1
10.1.5.2/24), which reaches Zone 1.1.1.1/32; the ATIC management center manages the cleaning device;
arrows mark diverted and injected traffic.]

Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
  1.1.1.1/32 in real time, regardless of attacks.
- A traffic-diversion channel is established between Router1 GE1/0/1 and GE2/0/1 on the
  cleaning device, and a traffic-injection channel is established between Router1 GE1/0/2
  and GE2/0/2 on the cleaning device. The cleaning device diverts the specified traffic by
  using GE1/0/1 and injects cleaned traffic to the original link by using GE2/0/1. Table
  2-2 shows the IP addresses of the interfaces.
Table 2-2 IP addresses

Device Name        Interface    IP Address
Cleaning device    GE2/0/1      10.1.2.2/24
                   GE2/0/2      10.1.3.2/24
Router1            GE1/0/0      10.1.1.1/24
                   GE1/0/1      10.1.2.1/24
                   GE1/0/2      10.1.3.1/24
                   GE1/0/3      10.1.5.1/24
Router2            GE1/0/1      10.1.5.2/24

Configuration Roadmap
1. Configure a PBR on Router1 GE1/0/0 to divert Zone traffic by using GE1/0/1,
   implementing traffic diversion.
2. Enable traffic statistical collection on the cleaning interface of the cleaning device.
3. Configure a PBR on GE2/0/1 of the cleaning device to inject incoming traffic to Router1
   by using GE2/0/2, implementing traffic injection.
4. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1 for searching for the reverse route.
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure the PBR on
Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure a PBR on Router1 GE1/0/0 for traffic diversion.
# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip destination 1.1.1.1 0
[Router1-acl-adv-3001] quit
[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit

# Configure a traffic behavior and an action for forwarding packets.
[Router1] traffic behavior behavior1
[Router1-behavior-behavior1] redirect ip-nexthop 10.1.2.2 interface GigabitEthernet 1/0/1
[Router1-behavior-behavior1] quit

# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy1
[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit

# Apply the PBR to the interface.


[Router1] interface GigabitEthernet 1/0/0
[Router1-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[Router1-GigabitEthernet1/0/0] quit

----End

Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit

Step 3 Configure the PBR on GE2/0/1 of the cleaning device for traffic injection.
[sysname] policy-based-route
[sysname-policy-pbr] rule name huizhu
[sysname-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet 2/0/2 next-hop 10.1.3.1
[sysname-policy-pbr-rule-huizhu] quit
[sysname-policy-pbr] quit

Step 4 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

----End

2.3 Example for BGP Diversion and Layer-2 Injection


Networking Requirements
As shown in Figure 2-3, the cleaning device connects to Layer-3 switch Switch1 in off-line
mode to detect and clean the traffic destined for the Zone. GE2/0/1 on the cleaning device is
directly connected to Switch1 GE1/0/1. The interface works at Layer 3, and its subinterfaces are
used for traffic diversion and injection. In off-line mode, downstream traffic destined for the Zone
is diverted to the cleaning device through BGP in real time for detection and cleaning.
After cleaning is complete, the cleaning device requests the MAC address of the Zone by sending
an ARP request, and the Zone answers with an ARP reply. The cleaning device then injects the
traffic to the Zone through the Layer-2 switch based on that MAC address.

Figure 2-3 Networking diagram of BGP diversion and Layer-2 injection
[Figure: Switch1 (GE1/0/1 carrying VLAN10 and VLAN20, GE1/0/2 carrying VLAN20; VLANIF 10
10.1.2.1/24, VLANIF 20 10.1.3.1/24) connected to the cleaning device (GE2/0/1.10 10.1.2.2/24,
GE2/0/1.20 10.1.3.2/24); Switch2 and Zone 10.1.3.10/24 lie behind Switch1 GE1/0/2; the ATIC
management center manages the cleaning device; arrows mark diverted and injected traffic.]

Service Planning
To meet networking requirements, plan related services as follows:
- The Zone is 10.1.3.10/24.
- Subinterfaces GE2/0/1.10 and GE2/0/1.20 on the cleaning device serve for traffic diversion
  and injection respectively.
- Create VLAN10 and VLAN20 on Switch1. Configure Switch1 GE1/0/1 as a Trunk
  interface to allow packets over VLAN10 and VLAN20 through, and Switch1 GE1/0/2 as
  a Trunk interface to allow packets over VLAN20 through. Table 2-3 shows the IP addresses
  of the interfaces.
Table 2-3 IP addresses

Device Name        Interface     IP Address
Cleaning device    GE2/0/1.10    10.1.2.2/24
                   GE2/0/1.20    10.1.3.2/24
Switch1            VLANIF 10     10.1.2.1/24
                   VLANIF 20     10.1.3.1/24


Configuration Roadmap
1. In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
   10.1.3.10/32 in real time, regardless of attacks.
2. Create VLAN10 and VLAN20 on Switch1, configure interface attributes, and associate
   them with VLANs. Then set the IP address of the Vlanif interface.
3. Associate subinterface GE2/0/1.10 on the cleaning device with VLAN10 and subinterface
   GE2/0/1.20 with VLAN20.
4. Establish a BGP peer between the VLANIF10 interface on Switch1 and GE2/0/1.10 on the
   cleaning device. Configure BGP on both Switch1 and the cleaning device, import the UNR
   route to the cleaning device into BGP, and advertise the route to Switch1.
5. To perform Layer-2 injection, enable FIB filtering over the 32-bit UNR route to the cleaning
   device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic
   injection is safeguarded.
6. Configure a community attribute on the cleaning device. In this way, Switch1 does not
   notify other peers of the BGP route advertised by the cleaning device, to avoid loops.
7. Enable traffic statistical collection on cleaning interface GE2/0/1.10.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1.10 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check
   the route.
Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 Configure subinterfaces on the cleaning device and associate them with VLAN IDs.
# Set the IP address of subinterface GE2/0/1.10 on the cleaning device and associate GE2/0/1.10
with VLAN10.
<sysname> system-view
[sysname] interface GigabitEthernet 2/0/1.10
[sysname-GigabitEthernet2/0/1.10] vlan-type dot1q 10
[sysname-GigabitEthernet2/0/1.10] ip address 10.1.2.2 24
[sysname-GigabitEthernet2/0/1.10] quit

# Set the IP address of subinterface GE2/0/1.20 on the cleaning device and associate GE2/0/1.20
with VLAN20.
[sysname] interface GigabitEthernet 2/0/1.20
[sysname-GigabitEthernet2/0/1.20] vlan-type dot1q 20
[sysname-GigabitEthernet2/0/1.20] ip address 10.1.3.2 24
[sysname-GigabitEthernet2/0/1.20] quit

Step 3 On the cleaning device, set the next-hop address for dynamically generating a route.
[sysname] firewall ddos bgp-next-hop 10.1.2.1

Step 4 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter

Step 5 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, set the IP address to be protected to 10.1.3.10 and the subnet mask to
255.255.255.255, and click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 10.1.3.10.
Step 6 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit

After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Switch1 through BGP. In this manner, after receiving the
traffic destined for 10.1.3.10/24, Switch1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
Step 7 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1.10
[sysname-GigabitEthernet2/0/1.10] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1.10] quit

Step 8 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1.10 10.1.2.1

----End

Configuring Switch1
The following uses Huawei S9300 as an example to describe how to configure Switch1.
Step 1 Create VLANs.
<switch1> system-view
[switch1] vlan 10
[switch1-vlan10] quit
[switch1] vlan 20
[switch1-vlan20] quit

Step 2 Configure interface attributes and associate them with VLANs.
[switch1] interface gigabitethernet 1/0/1
[switch1-GigabitEthernet1/0/1] port link-type trunk
[switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20
[switch1-GigabitEthernet1/0/1] quit
[switch1] interface gigabitethernet 1/0/2
[switch1-GigabitEthernet1/0/2] port link-type trunk
[switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[switch1-GigabitEthernet1/0/2] quit

Step 3 Set IP addresses for Vlanif interfaces.


[switch1] interface vlanif 10
[switch1-Vlanif10] ip address 10.1.2.1 24

[switch1-Vlanif10] quit
[switch1] interface vlanif 20
[switch1-Vlanif20] ip address 10.1.3.1 24
[switch1-Vlanif20] quit

Step 4 Configure BGP.


[switch1] bgp 100
[switch1-bgp] peer 10.1.2.2 as-number 100
[switch1-bgp] quit

----End

2.4 Example for BGP Diversion and UNR Route Injection


Networking Requirements
As shown in Figure 2-4, the cleaning device connects to core router Router1 in off-line mode
to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined
for the Zone is diverted to the cleaning device through BGP in real time for detection and cleaning.
After cleaning, normal traffic is injected back to Router1 through the UNR route. Router1 then
forwards the normal traffic to Router2 and finally to the Zone.
Figure 2-4 Networking diagram of BGP diversion and UNR route injection
[Figure: Router1 (GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24) connected to the
cleaning device (GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24) and to Router2 (GE1/0/1 10.1.5.2/24),
which reaches Zone 1.1.1.1/32; the ATIC management center manages the cleaning device; arrows
mark diverted and injected traffic.]

Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
  1.1.1.1/32 in real time, regardless of attacks.
- A traffic-diversion channel is established between Router1 GE1/0/1 and GE2/0/1 on the
  cleaning device, and a traffic-injection channel is established between Router1 GE1/0/2
  and GE2/0/2 on the cleaning device. The cleaning device diverts the specified traffic by
  using GE1/0/1 and injects cleaned traffic to the original link by using GE2/0/1. Table
  2-4 shows the IP addresses of the interfaces.
Table 2-4 IP addresses

Device Name        Interface    IP Address
Cleaning device    GE2/0/1      10.1.2.2/24
                   GE2/0/2      10.1.3.2/24
Router1            GE1/0/1      10.1.2.1/24
                   GE1/0/2      10.1.3.1/24
                   GE1/0/3      10.1.5.1/24
Router2            GE1/0/1      10.1.5.2/24

Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be
   diverted.
2. Enable traffic statistical collection on the cleaning interface of the cleaning device.
3. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device.
   Configure BGP on both Router1 and the cleaning device, import the UNR route to the
   cleaning device into BGP, and advertise the route to Router1.
4. Configure a community attribute on the cleaning device. In this way, Router1 does not
   notify other peers of the BGP route advertised by the cleaning device, to avoid loops.
5. Configure the PBR on Router1 GE1/0/2 to send injected traffic to downstream device
   Router2. Subsequently, Router2 takes over the task to forward the traffic to the Zone.
6. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1 for searching for the reverse route.
7. After traffic diversion and injection are configured, enable the loop check function to check
   the route.
Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 On the cleaning device, set the next-hop address for dynamically generating a route.
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 10.1.3.1

Step 3 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, set the IP address to be protected to 1.1.1.1 and the subnet mask to
255.255.255.255, and click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1 and delivers the route to the FIB. You can run the display ip
routing-table command to display the following output:
[sysname] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
1.1.1.1/32          Direct  0    0         D     10.1.3.1        GigabitEthernet2/0/2
---- More ----

Step 4 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit

After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match. After
cleaning is complete, the cleaning device injects the cleaned traffic to Router1 through GE2/0/2
along the UNR route.
The UNR route generated in step 3 is used for traffic diversion on Router1 as well as traffic
injection on the cleaning device. Therefore, traffic injection does not require configuration on
the cleaning device.
Step 5 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit

Step 6 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

----End

Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and PBR
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure BGP for Router1.


[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit

Step 3 Configure a PBR on Router1 GE1/0/2.


# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip
[Router1-acl-adv-3001] quit
[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit

# Configure a traffic behavior and an action for forwarding packets.
[Router1] traffic behavior behavior1
[Router1-behavior-behavior1] redirect ip-nexthop 10.1.5.2 interface GigabitEthernet 1/0/3
[Router1-behavior-behavior1] quit

# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy1
[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit

# Apply the PBR to the interface.


[Router1] interface GigabitEthernet 1/0/2
[Router1-GigabitEthernet1/0/2] traffic-policy policy1 inbound
[Router1-GigabitEthernet1/0/2] quit

----End

2.5 Example for BGP Diversion and PBR Injection


Networking Requirements
As shown in Figure 2-5, the cleaning device connects to core router Router1 in off-line mode
to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined
for the Zone is diverted to the cleaning device through BGP in real time for detection and cleaning.
After cleaning, normal traffic is injected back to Router1 through PBR. Router1 then forwards the
normal traffic to Router2 and finally to the Zone.

Figure 2-5 Networking diagram of BGP diversion and PBR injection
[Figure: Router1 (GE1/0/1 10.1.2.1/24, GE1/0/2 10.1.3.1/24, GE1/0/3 10.1.5.1/24) connected to the
cleaning device (GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24) and to Router2 (GE1/0/1 10.1.5.2/24),
which reaches Zone 1.1.1.1/32; the ATIC management center manages the cleaning device; arrows
mark diverted and injected traffic.]

Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
  1.1.1.1/32 in real time, regardless of attacks.
- A traffic-diversion channel is established between Router1 GE1/0/1 and GE2/0/1 on the
  cleaning device, and a traffic-injection channel is established between Router1 GE1/0/2
  and GE2/0/2 on the cleaning device. The cleaning device diverts the specified traffic by
  using GE1/0/1 and injects cleaned traffic to the original link by using GE2/0/2. Table
  2-5 shows the IP addresses of the interfaces.
Table 2-5 IP addresses

Device Name        Interface    IP Address
Cleaning device    GE2/0/1      10.1.2.2/24
                   GE2/0/2      10.1.3.2/24
Router1            GE1/0/1      10.1.2.1/24
                   GE1/0/2      10.1.3.1/24
                   GE1/0/3      10.1.5.1/24
Router2            GE1/0/1      10.1.5.2/24

Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be
   diverted.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device.
   Configure BGP on both Router1 and the cleaning device, import the UNR route to the
   cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not
   notify other peers of the BGP route advertised by the cleaning device, to avoid loops.
4. To perform PBR injection, enable FIB filtering over the 32-bit UNR route to the cleaning
   device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic
   injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6. Configure the PBR on Router1 GE1/0/2 to send injected traffic to downstream device
   Router2. Subsequently, Router2 takes over the task to forward the traffic to the Zone.
7. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1 for searching for the reverse route.
8. After traffic diversion and injection are configured, enable the loop check function to check
   the route.
Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 On the cleaning device, set the next-hop address for dynamically generating a route.
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 10.1.3.1

Step 3 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter

Step 4 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, set the IP address to be protected to 1.1.1.1 and the subnet mask to
255.255.255.255, and click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1.
Step 5 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr

[sysname-bgp] ipv4-family unicast


[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit

After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
Step 6 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit

Step 7 Configure the PBR on GE2/0/1 of the cleaning device for traffic injection.
[sysname] policy-based-route
[sysname-policy-pbr] rule name huizhu
[sysname-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet 2/0/2 next-hop 10.1.3.1
[sysname-policy-pbr-rule-huizhu] quit
[sysname-policy-pbr] quit

Step 8 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

----End

Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and PBR
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure BGP for Router1.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit

Step 3 Configure a PBR on Router1 GE1/0/2.


# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip
[Router1-acl-adv-3001] quit
[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit

# Configure a traffic behavior and an action for forwarding packets.
[Router1] traffic behavior behavior1
[Router1-behavior-behavior1] redirect ip-nexthop 10.1.5.2 interface GigabitEthernet 1/0/3
[Router1-behavior-behavior1] quit

# Define a traffic policy and specify an action for the classifier in the policy.
[Router1] traffic policy policy1


[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit

# Apply the PBR to the interface.


[Router1] interface GigabitEthernet 1/0/2
[Router1-GigabitEthernet1/0/2] traffic-policy policy1 inbound
[Router1-GigabitEthernet1/0/2] quit

----End

2.6 Example for BGP Diversion and GRE Injection


Networking Requirements
As shown in Figure 2-6, the cleaning device connects to core router Router1 in off-line mode
to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined
for the Zone is diverted to the cleaning device in real time through BGP diversion for detection
and cleaning. After cleaning, normal traffic is injected to Router2 through GRE, and Router2
forwards it to the Zone.
Figure 2-6 Networking diagram of BGP diversion and GRE injection

(Figure 2-6 is not reproduced in this text. It shows Router1 with GE1/0/1 10.1.2.1/24, GE1/0/2
10.1.3.1/24 and GE1/0/3 10.1.5.1/24; the cleaning device with GE2/0/1 10.1.2.2/24, GE2/0/2
10.1.3.2/24 and loopback 2.2.2.2/32, managed by the ATIC management center; Router2 with GE1/0/1
10.1.5.2/24 and loopback 3.3.3.3/32 in front of Zone 1.1.1.1/32; a GRE tunnel between the cleaning
device and Router2; and the diverted and injected traffic paths.)

Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
  1.1.1.1/32 in real time, regardless of attacks.
- A traffic-diversion channel is established between Router1 GE1/0/1 and GE2/0/1 on the
  cleaning device, and a GRE injection channel is established between the cleaning device
  and Router2, with their loopback addresses as the tunnel source and destination addresses
  respectively. Router1 diverts the specified traffic through GE1/0/1 to the cleaning device,
  which injects cleaned traffic over the GRE tunnel. Table 2-6 shows the IP addresses of the
  interfaces.
Table 2-6 IP addresses
Device Name       Interface           IP Address
Cleaning device   GE2/0/1             10.1.2.2/24
                  GE2/0/2             10.1.3.2/24
                  Tunnel interface    10.1.1.1/24
                  Loopback interface  2.2.2.2/32
Router1           GE1/0/1             10.1.2.1/24
                  GE1/0/2             10.1.3.1/24
                  GE1/0/3             10.1.5.1/24
Router2           GE1/0/1             10.1.5.2/24
                  Tunnel interface    10.1.1.2/24
                  Loopback interface  3.3.3.3/32

Configuration Roadmap
1. In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
   1.1.1.1/32 in real time.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device.
   Configure BGP on both Router1 and the cleaning device, import the UNR route to the
   cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not
   advertise the route learned from the cleaning device to other peers, which avoids loops.
4. To perform GRE injection, enable FIB filtering over the 32-bit UNR route to the cleaning
   device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic
   injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6. Set loopback addresses for the cleaning device and Router2.
7. Create GRE tunnels on both the cleaning device and Router2, and set source and destination
   addresses for the GRE tunnel. The loopback addresses of the cleaning device and Router2
   act as the source and destination addresses of the tunnel respectively. Ensure that the
   cleaning device and Router2 are routable.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check
   the route.
NOTE

When you configure GRE injection, do not configure the keepalive command at both ends of the tunnel.

Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 Configure GRE on the cleaning device.
# Create a tunnel interface, and set both source and destination IP addresses for it.
<sysname> system-view
[sysname] interface Tunnel 1
[sysname-Tunnel1] tunnel-protocol gre
[sysname-Tunnel1] ip address 10.1.1.1 255.255.255.0
[sysname-Tunnel1] source 2.2.2.2
[sysname-Tunnel1] destination 3.3.3.3
[sysname-Tunnel1] quit

# Add the tunnel interface to the security zone. Ensure that the security zone where the tunnel
interface resides is the same as that where source interface GE2/0/2 resides.
[sysname] firewall zone trust
[sysname-zone-trust] add interface Tunnel 1
[sysname-zone-trust] quit

# Configure a PBR rule to divert traffic to the tunnel interface.
[sysname] policy-based-route
[sysname-policy-pbr] rule name gre1
[sysname-policy-pbr-rule-gre1] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-gre1] destination-address 1.1.1.1 32
[sysname-policy-pbr-rule-gre1] action pbr egress-interface Tunnel 1
[sysname-policy-pbr-rule-gre1] quit
[sysname-policy-pbr] quit
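The following script is an added example and not code from the Huawei document or the Anti-DDoS product. It shows what the Tunnel 1 configuration above puts on the wire for a cleaned packet bound for the Zone (outer IPv4 2.2.2.2 to 3.3.3.3, protocol 47, a bare 4-byte GRE header, then the untouched inner packet) and the checks Router2's tunnel endpoint makes before routing the inner packet by its own table. The inner packet and its payload are constructed samples, and the function names are this example's own.

```python
"""GRE encapsulation and decapsulation on the injection channel (added example).

Outer header: cleaning device loopback 2.2.2.2 -> Router2 loopback 3.3.3.3, protocol 47.
GRE header: no checksum, key or sequence number, matching the plain "tunnel-protocol gre"
configuration in the document. Inner packet: whatever was cleaned, left untouched.
"""
import struct
import ipaddress

GRE_PROTO_IPV4 = 0x0800   # EtherType carried in the GRE protocol-type field
IPPROTO_GRE = 47


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    total = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the cleaning device's Tunnel 1 emits: outer IP (proto 47) + GRE + inner packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)          # flags/version = 0, protocol = IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(frame: bytes, expected_src: str, expected_dst: str) -> bytes:
    """What Router2's tunnel endpoint does: validate the outer IP and GRE headers and
    return the inner packet. Raises ValueError for anything the tunnel should not accept."""
    if len(frame) < 24:
        raise ValueError("truncated packet")
    ihl = (frame[0] & 0x0F) * 4
    if frame[0] >> 4 != 4 or ip_checksum(frame[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    proto = frame[9]
    src = str(ipaddress.ip_address(frame[12:16]))
    dst = str(ipaddress.ip_address(frame[16:20]))
    if proto != IPPROTO_GRE or (src, dst) != (expected_src, expected_dst):
        raise ValueError("not our GRE tunnel: proto=%d %s->%s" % (proto, src, dst))
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags & 0xB000:       # C, K or S bit: optional fields this tunnel does not use
        raise ValueError("unexpected GRE optional fields")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return frame[ihl + 4:]


def inner_dst(packet: bytes) -> str:
    """Destination address of an inner IPv4 packet, i.e. what Router2 routes on."""
    return str(ipaddress.ip_address(packet[16:20]))


if __name__ == "__main__":
    payload = b"cleaned payload"                          # constructed sample
    inner = ipv4_header("198.51.100.7", "1.1.1.1", 6, len(payload)) + payload
    wire = gre_encapsulate(inner, "2.2.2.2", "3.3.3.3")
    print(len(wire), "bytes on the wire; Router2 routes the inner packet to",
          inner_dst(gre_decapsulate(wire, "2.2.2.2", "3.3.3.3")))
```

The outer source and destination addresses are the only thing that binds a received GRE packet to this tunnel, so the decapsulator checks them explicitly, and because the configured tunnel carries no key, sequence number or checksum, a GRE header with any of those bits set is rejected rather than parsed.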

Step 3 On the cleaning device, set the next-hop address for dynamically generating a route.
[sysname] firewall ddos bgp-next-hop 10.1.1.2

Step 4 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter

Step 5 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and subnet mask to
255.255.255.255. Then click OK.
After the previous configurations are complete, the cleaning device generates a 32-bit UNR route
to 1.1.1.1 with next hop 10.1.1.2 (the address set in Step 3).
Step 6 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit

After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
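The trace below is an added example, not a function of the product or the document. It models the forwarding tables that the configuration in this section produces (longest-prefix match on each device plus the PBR rule on the cleaning device's GE2/0/1) and walks a packet for 1.1.1.1 from Router1 hop by hop. It shows the /32 UNR route winning over the /24 Zone route, and that without the PBR rule to Tunnel 1 the cleaning device's default route sends the packet back to Router1, which is the loop the loop check in the configuration roadmap is meant to catch. Device names and addresses are those of Table 2-6; the route entries are constructed for the example.

```python
"""Hop-by-hop forwarding trace for BGP diversion with GRE injection (added example).

Each device has a list of (prefix, next-hop device). The cleaning device's PBR rule is
consulted before its routing table, as on the real device. The 1.1.1.1/32 UNR route is
deliberately absent from the cleaning device's table: "firewall ddos bgp-next-hop
fib-filter" keeps it out of the FIB so it cannot influence forwarding of cleaned traffic.
"""
import ipaddress


def build_topology(with_pbr: bool):
    """Constructed tables matching Figure 2-6 / Table 2-6."""
    rib = {
        "Router1": [
            ("1.1.1.0/24", "Router2"),     # normal path to the Zone via GE1/0/3
            ("1.1.1.1/32", "Cleaning"),    # UNR host route learned from the cleaning device over BGP
        ],
        "Cleaning": [
            ("0.0.0.0/0", "Router1"),      # default route out GE2/0/1 (reverse-route lookup)
        ],
        "Router2": [
            ("1.1.1.0/24", "Zone"),        # Zone segment reached from Router2
        ],
        "Zone": [],
    }
    # rule gre1: ingress GE2/0/1, destination 1.1.1.1/32 -> Tunnel 1 (GRE to Router2)
    pbr = {"Cleaning": [("1.1.1.1/32", "Router2")]} if with_pbr else {}
    return rib, pbr


def lookup(table, dst):
    """Longest-prefix match; returns the next-hop device or None."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(rib, pbr, start, dst, max_hops=8):
    """Follow a packet for dst from start. Returns (path, looped)."""
    dst = ipaddress.ip_address(dst)
    path, node = [start], start
    while node != "Zone" and len(path) <= max_hops:
        nh = lookup(pbr.get(node, []), dst) or lookup(rib[node], dst)
        if nh is None:
            return path, False          # dropped: no route
        if nh in path:
            return path + [nh], True    # the loop check would flag this
        path.append(nh)
        node = nh
    return path, False


if __name__ == "__main__":
    for with_pbr in (True, False):
        rib, pbr = build_topology(with_pbr)
        print("PBR injection %s:" % ("on" if with_pbr else "off"),
              trace(rib, pbr, "Router1", "1.1.1.1"))
```

Traffic for any other Zone address (1.1.1.5, say) matches only the /24 on Router1 and never touches the cleaning device, which is the point of diverting a single /32: only the protected host's traffic is pulled through the cleaner.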
Step 7 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit

Step 8 Set a loopback address for the cleaning device.


[sysname] interface loopback 1
[sysname-LoopBack1] ip address 2.2.2.2 32
[sysname-LoopBack1] quit

Step 9 Configure OSPF to advertise the network segment connected to each interface.
[sysname] ospf 1
[sysname-ospf-1] area 0
[sysname-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[sysname-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[sysname-ospf-1-area-0.0.0.0] quit
[sysname-ospf-1] quit

Step 10 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

----End

Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure OSPF and BGP on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure OSPF to advertise the network segment connected to each interface.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit

Step 3 Configure BGP for Router1.


[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit

----End

Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure GRE on Router2.
Step 1 Set the interface IP address of Router2. (Omitted)


Step 2 Set a loopback address for Router2.
<Router2> set board-type slot 1 tunnel
<Router2> system-view
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] target-board 1
[Router2-LoopBack1] binding tunnel gre
[Router2-LoopBack1] quit

Step 3 Configure GRE on Router2.
# Create a tunnel interface, and set both source and destination IP addresses for it.
[Router2] interface Tunnel 1
[Router2-Tunnel1] tunnel-protocol gre
[Router2-Tunnel1] ip address 10.1.1.2 255.255.255.0
[Router2-Tunnel1] source 3.3.3.3
[Router2-Tunnel1] destination 2.2.2.2
[Router2-Tunnel1] quit

Step 4 Configure OSPF to advertise the network segment connected to each interface.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit

----End

2.7 Example for BGP Diversion and MPLS VPN Injection


Networking Requirements
As shown in Figure 2-7, the cleaning device connects to core router Router1 in off-line mode
to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined
for the Zone is diverted to the cleaning device in real time through BGP diversion for detection
and cleaning. After cleaning, normal traffic is injected to Router2 through MPLS VPN, and Router2
forwards it to the Zone. Only one physical interface on the cleaning device is directly connected
to the router: the main interface serves traffic diversion and its subinterface serves traffic
injection.

Figure 2-7 Networking diagram of BGP diversion and MPLS VPN injection

(Figure 2-7 is not reproduced in this text. It shows Router1 with loopback 5.5.5.5/32, GE1/0/1
10.1.2.1/24, GE1/0/1.100 10.1.3.1/24 and GE1/0/3 10.1.5.1/24; the cleaning device with GE2/0/1
10.1.2.2/24, GE2/0/1.100 10.1.3.2/24 and loopback 2.2.2.2/32, managed by the ATIC management
center; Router2 with GE1/0/1 10.1.5.2/24, GE1/0/2 1.1.1.2/24 and loopback 3.3.3.3/32 in front of
Zone 1.1.1.1/32; and the diverted and injected traffic paths.)

Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
  1.1.1.1/32 in real time, regardless of attacks.
- Router1 GE1/0/1 is directly connected to GE2/0/1 on the cleaning device. An MPLS VPN
  traffic-injection tunnel is established between the cleaning device and Router2, and their
  loopback addresses act as LSR IDs. Router1 diverts the specified traffic through GE1/0/1 to
  the cleaning device, which injects cleaned traffic over the MPLS VPN tunnel. Table 2-7 shows
  the IP addresses of the interfaces.
Table 2-7 IP addresses
Device Name       Interface           IP Address
Cleaning device   GE2/0/1             10.1.2.2/24
                  GE2/0/1.100         10.1.3.2/24
                  Loopback interface  2.2.2.2/32
Router1           GE1/0/1             10.1.2.1/24
                  GE1/0/1.100         10.1.3.1/24
                  GE1/0/3             10.1.5.1/24
                  Loopback interface  5.5.5.5/32
Router2           GE1/0/1             10.1.5.2/24
                  GE1/0/2             1.1.1.2/24
                  Loopback interface  3.3.3.3/32

Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be
   diverted.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device.
   Configure BGP on both Router1 and the cleaning device, import the UNR route to the
   cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not
   advertise the route learned from the cleaning device to other peers, which avoids loops.
4. To perform MPLS VPN injection, enable FIB filtering over the 32-bit UNR route to the
   cleaning device to prevent the UNR route from being delivered to the FIB. In this way,
   normal traffic injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6. Set loopback addresses for the cleaning device, Router1, and Router2.
7. Configure MPLS respectively on the cleaning device, Router1, and Router2, and configure
   VPN instances on the cleaning device and Router2 to enable injected traffic to be forwarded
   to Router2 through MPLS VPN.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check
   the route.

Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 On the cleaning device, set the next-hop address for dynamically generating a route.
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 10.1.3.1

Step 3 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter

Step 4 Create a VPN instance and configure BGP and the community attribute on the cleaning device.
[sysname] ip vpn-instance ddos
[sysname-vpn-instance-ddos] ipv4-family
[sysname-vpn-instance-ddos-af-ipv4] route-distinguisher 1:1
[sysname-vpn-instance-ddos-af-ipv4] vpn-target 1:1 import-extcommunity

[sysname-vpn-instance-ddos-af-ipv4] quit
[sysname-vpn-instance-ddos] quit
[sysname] ip ip-prefix ipx index 10 permit 3.3.3.3 32
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 deny node 1
[sysname-route-policy] if-match ip next-hop ip-prefix ipx
[sysname-route-policy] quit
[sysname] route-policy 1 permit node 5
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 200
[sysname-bgp] ipv4-family vpn-instance ddos
[sysname-bgp-ddos] import-route unr
[sysname-bgp-ddos] peer 10.1.2.1 as-number 100
[sysname-bgp-ddos] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-ddos] peer 10.1.2.1 advertise-community
[sysname-bgp-ddos] quit
[sysname-bgp] quit

Step 5 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and subnet mask to
255.255.255.255. Then click OK.
NOTE

In this scenario, after creating a Zone and adding devices, you must bind the Zone to the VPN instance of the
cleaning device.

After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 1.1.1.1.
The UNR route generated on the cleaning device is imported to BGP and is advertised to Router1
through BGP. In this manner, after receiving the traffic destined for 1.1.1.1/32, Router1 searches
the routing table to preferentially forward the traffic to the cleaning device by using GE1/0/1
according to the longest mask match.
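The following is an added example, not code from the document. It evaluates the two-node route-policy of Step 4 (deny node 1 for routes whose next hop is 3.3.3.3, permit node 5 for host routes with community no-advertise applied) against constructed entries of VPN instance ddos, and shows why the deny node is there: the 1.1.1.0/24 route that Router2 advertises over MP-IBGP arrives with next hop 3.3.3.3 and must not be sent back to Router1. The ip-prefix EXPORT-TO-DDoS (0.0.0.0 32) is modelled as matching any route with a 32-bit mask, which is how this document uses it; that reading of the VRP syntax is an assumption of the example, as are the Route class and function names.

```python
"""Export-policy evaluation for the cleaning device's BGP session to Router1 (added example).

Models, in plain Python, the policy the document configures with:
  ip ip-prefix ipx index 10 permit 3.3.3.3 32
  ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32   (assumed: any /32 route)
  route-policy 1 deny node 1    if-match ip next-hop ip-prefix ipx
  route-policy 1 permit node 5  if-match ip-prefix EXPORT-TO-DDoS; apply community no-advertise
Nodes are tried in index order; the first node whose conditions hold decides, and a route
that matches no node is denied (VRP default).
"""
from dataclasses import dataclass, field
import ipaddress

NO_ADVERTISE = "no-advertise"


@dataclass
class Route:
    prefix: str
    next_hop: str
    source: str                               # "unr", "vpnv4", "static", ...
    communities: set = field(default_factory=set)


def match_ipx(addr: str) -> bool:
    """ip-prefix ipx: exactly the host 3.3.3.3 (Router2's loopback / MP-IBGP next hop)."""
    return ipaddress.ip_address(addr) == ipaddress.ip_address("3.3.3.3")


def match_export_to_ddos(prefix: str) -> bool:
    """ip-prefix EXPORT-TO-DDoS: any route with a 32-bit mask (assumed semantics of 0.0.0.0 32)."""
    return ipaddress.ip_network(prefix).prefixlen == 32


def route_policy_1(route: Route):
    """Return the route as it would be exported, or None if the policy denies it."""
    if match_ipx(route.next_hop):              # deny node 1: learned from Router2, do not re-export
        return None
    if match_export_to_ddos(route.prefix):     # permit node 5: the UNR host route
        out = Route(route.prefix, route.next_hop, route.source, set(route.communities))
        out.communities.add(NO_ADVERTISE)      # apply community no-advertise
        return out
    return None                                # no node matched: denied


def export_to_router1(vrf_routes):
    """peer 10.1.2.1 route-policy 1 export, applied to every candidate in VPN instance ddos."""
    return [r for r in (route_policy_1(x) for x in vrf_routes) if r is not None]


def router1_readvertises(route: Route) -> bool:
    """Router1 honours no-advertise: the route is used locally but sent to no other peer."""
    return NO_ADVERTISE not in route.communities


def demo():
    vrf_ddos = [                                      # constructed contents of VPN instance ddos
        Route("1.1.1.1/32", "10.1.3.1", "unr"),       # generated by the ATIC diversion task
        Route("1.1.1.0/24", "3.3.3.3", "vpnv4"),      # learned from Router2 over MP-IBGP
        Route("0.0.0.0/0", "10.1.2.1", "static"),     # reverse-route default of Step 10
    ]
    return [(r.prefix, r.next_hop, sorted(r.communities)) for r in export_to_router1(vrf_ddos)]


if __name__ == "__main__":
    print(demo())
```

Only the UNR host route leaves for Router1, carrying no-advertise, so Router1 installs it (longest match wins over the /24) but never passes it on; the default route and the Router2-originated /24 are both dropped by the policy, the latter by the explicit deny node rather than by the absence of a match, which keeps the intent visible in the configuration.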
Step 6 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit

Step 7 Set a loopback address for the cleaning device.


[sysname] interface loopback 1
[sysname-LoopBack1] ip address 2.2.2.2 32
[sysname-LoopBack1] quit

Step 8 Configure MPLS on the cleaning device for traffic injection.


# Configure basic MPLS functions.
[sysname] mpls lsr-id 2.2.2.2
[sysname] mpls
[sysname-mpls] quit
[sysname] mpls ldp
[sysname-ldp] quit
[sysname] interface GigabitEthernet 2/0/1.100
[sysname-GigabitEthernet2/0/1.100] mpls
[sysname-GigabitEthernet2/0/1.100] mpls ldp
[sysname-GigabitEthernet2/0/1.100] quit

# Bind it to the interface.


[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] ip binding vpn-instance ddos

[sysname-GigabitEthernet2/0/1] ip address 10.1.2.2 255.255.255.0
[sysname-GigabitEthernet2/0/1] quit

# Add the interface GigabitEthernet 2/0/1 to security zones.


[sysname] firewall zone trust
[sysname-zone-trust] add interface GigabitEthernet 2/0/1
[sysname-zone-trust] quit

# Configure MP-IBGP between the cleaning device and Router2 to advertise VPNv4 routes
between the devices.
[sysname] bgp 200
[sysname-bgp] peer 3.3.3.3 as-number 200
[sysname-bgp] peer 3.3.3.3 connect-interface LoopBack 1
[sysname-bgp] ipv4-family vpnv4
[sysname-bgp-af-vpnv4] peer 3.3.3.3 enable
[sysname-bgp-af-vpnv4] quit
[sysname-bgp] quit

# Configure a policy for establishing an LSP.


[sysname] mpls
[sysname-mpls] lsp-trigger all
[sysname-mpls] quit

Step 9 Configure OSPF to advertise the network segment connected to each interface and the host
route of the LSR ID.
[sysname] ospf 1
[sysname-ospf-1] area 0
[sysname-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[sysname-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[sysname-ospf-1-area-0.0.0.0] quit
[sysname-ospf-1] quit

Step 10 Configure a default route for searching for the reverse route.
[sysname] ip route-static vpn-instance ddos 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

----End

Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and MPLS
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure BGP for Router1.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 200
[Router1-bgp] quit

Step 3 Set a loopback address for Router1.


[Router1] interface loopback 1
[Router1-LoopBack1] ip address 5.5.5.5 32
[Router1-LoopBack1] quit

Step 4 Configure MPLS.


# Configure basic MPLS functions.
[Router1] mpls lsr-id 5.5.5.5
[Router1] mpls

[Router1-mpls] quit
[Router1] mpls ldp
[Router1-ldp] quit
[Router1] interface GigabitEthernet 1/0/1.100
[Router1-GigabitEthernet1/0/1.100] mpls
[Router1-GigabitEthernet1/0/1.100] mpls ldp
[Router1-GigabitEthernet1/0/1.100] quit
[Router1] interface GigabitEthernet 1/0/3
[Router1-GigabitEthernet1/0/3] mpls
[Router1-GigabitEthernet1/0/3] mpls ldp
[Router1-GigabitEthernet1/0/3] quit

Step 5 Configure OSPF to advertise the network segment connected to each interface and the host
route of the LSR ID.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit

----End

Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure BGP and MPLS
on Router2.
Step 1 Set the interface IP address of Router2. (Omitted)
Step 2 Set a loopback address for Router2.
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] quit

Step 3 Configure MPLS.


# Configure basic MPLS functions.
[Router2] mpls lsr-id 3.3.3.3
[Router2] mpls
[Router2-mpls] quit
[Router2] mpls ldp
[Router2-ldp] quit
[Router2] interface GigabitEthernet 1/0/1
[Router2-GigabitEthernet1/0/1] mpls
[Router2-GigabitEthernet1/0/1] mpls ldp
[Router2-GigabitEthernet1/0/1] quit

# Create a VPN instance and bind it to the interface.


[Router2] ip vpn-instance ddos
[Router2-vpn-instance-ddos] route-distinguisher 1:1
[Router2-vpn-instance-ddos] vpn-target 1:1 export-extcommunity
[Router2-vpn-instance-ddos] vpn-target 1:1 import-extcommunity
[Router2-vpn-instance-ddos] quit
[Router2] interface GigabitEthernet 1/0/2
[Router2-GigabitEthernet1/0/2] ip binding vpn-instance ddos
[Router2-GigabitEthernet1/0/2] ip address 1.1.1.2 255.255.255.0
[Router2-GigabitEthernet1/0/2] quit

# Configure MP-IBGP between the cleaning device and Router2 to advertise VPNv4 routes
between the devices.
[Router2] bgp 200
[Router2-bgp] peer 2.2.2.2 as-number 200
[Router2-bgp] peer 2.2.2.2 connect-interface LoopBack 1
[Router2-bgp] ipv4-family vpnv4
[Router2-bgp-af-vpnv4] peer 2.2.2.2 enable
[Router2-bgp-af-vpnv4] quit
[Router2-bgp] quit

# Advertise the Zone IP by BGP.


[Router2] bgp 200
[Router2-bgp] ipv4-family vpn-instance ddos
[Router2-bgp-ddos] network 1.1.1.0 255.255.255.0
[Router2-bgp-ddos] quit
[Router2-bgp] quit

# Configure a static route.


[Router2] ip route-static vpn-instance ddos 0.0.0.0 0.0.0.0 10.1.5.1 public

# Configure a policy for establishing an LSP.


[Router2] mpls
[Router2-mpls] lsp-trigger all
[Router2-mpls] quit

Step 4 Configure OSPF to advertise the network segment connected to each interface and the host
route of the LSR ID.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit

----End

2.8 Example for BGP Diversion and MPLS LSP Injection


Networking Requirements
As shown in Figure 2-8, the cleaning device connects to core router Router1 in off-line mode
to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined
for the Zone is diverted to the cleaning device in real time through BGP diversion for detection
and cleaning. After cleaning, normal traffic is injected to Router2 through an MPLS LSP, and
Router2 forwards it to the Zone. Only one physical interface on the cleaning device is directly
connected to the router: the main interface serves traffic diversion and its subinterface serves
traffic injection.

Figure 2-8 Networking diagram of BGP diversion and MPLS LSP injection

(Figure 2-8 is not reproduced in this text. It shows Router1 with loopback 5.5.5.5/32, GE1/0/1
10.1.2.1/24, GE1/0/1.100 10.1.3.1/24 and GE1/0/3 10.1.5.1/24; the cleaning device with GE2/0/1
10.1.2.2/24, GE2/0/1.100 10.1.3.2/24 and loopback 2.2.2.2/32, managed by the ATIC management
center; Router2 with GE1/0/1 10.1.5.2/24 and loopback 3.3.3.3/32 in front of Zone 1.1.1.1/32; and
the diverted and injected traffic paths.)

Service Planning
To meet networking requirements, plan related services as follows:
- In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
  1.1.1.1/32 in real time, regardless of attacks.
- Router1 GE1/0/1 is directly connected to GE2/0/1 on the cleaning device. An MPLS
  traffic-injection tunnel is established between the cleaning device and Router2, and their
  loopback addresses act as LSR IDs. Router1 diverts the specified traffic through GE1/0/1 to
  the cleaning device, which injects cleaned traffic over the MPLS tunnel. Table 2-8 shows the
  IP addresses of the interfaces.
Table 2-8 IP addresses
Device Name       Interface           IP Address
Cleaning device   GE2/0/1             10.1.2.2/24
                  GE2/0/1.100         10.1.3.2/24
                  Loopback interface  2.2.2.2/32
Router1           GE1/0/1             10.1.2.1/24
                  GE1/0/1.100         10.1.3.1/24
                  GE1/0/3             10.1.5.1/24
                  Loopback interface  5.5.5.5/32
Router2           GE1/0/1             10.1.5.2/24
                  Loopback interface  3.3.3.3/32

Configuration Roadmap
1. In the ATIC management center, set the IP address of the Zone whose traffic is to be
   diverted.
2. Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device.
   Configure BGP on both Router1 and the cleaning device, import the UNR route to the
   cleaning device into BGP, and advertise the route to Router1.
3. Configure a community attribute on the cleaning device. In this way, Router1 does not
   advertise the route learned from the cleaning device to other peers, which avoids loops.
4. To perform MPLS LSP injection, enable FIB filtering over the 32-bit UNR route to the
   cleaning device to prevent the UNR route from being delivered to the FIB. In this way,
   normal traffic injection is safeguarded.
5. Enable traffic statistical collection on the cleaning interface of the cleaning device.
6. Set loopback addresses for the cleaning device, Router1, and Router2.
7. Configure MPLS respectively on the cleaning device, Router1, and Router2 to enable
   injected traffic to be forwarded to Router2 through MPLS. Ensure that the cleaning device
   and Router2 are routable.
8. Configure a default route on the cleaning device. The outbound interface points to cleaning
   interface GE2/0/1 for searching for the reverse route.
9. After traffic diversion and injection are configured, enable the loop check function to check
   the route.

Configuring the Cleaning Device


Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 On the cleaning device, set the next-hop address for dynamically generating a route.
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 10.1.3.1

Step 3 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter

Step 4 In the ATIC management center, choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, and set the IP address to be protected to 1.1.1.1 and subnet mask to
255.255.255.255. Then click OK.
After the previous configurations are complete, the cleaning device generates a 32-bit UNR route
to 1.1.1.1 with next hop 10.1.3.1.
Step 5 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit

After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
Step 6 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit

Step 7 Set a loopback address for the cleaning device.


[sysname] interface loopback 1
[sysname-LoopBack1] ip address 2.2.2.2 32
[sysname-LoopBack1] quit

Step 8 Configure MPLS on the cleaning device for traffic injection.


# Configure basic MPLS functions.
[sysname] mpls lsr-id 2.2.2.2
[sysname] mpls
[sysname-mpls] quit
[sysname] mpls ldp
[sysname-ldp] quit
[sysname] interface GigabitEthernet 2/0/1.100
[sysname-GigabitEthernet2/0/1.100] mpls
[sysname-GigabitEthernet2/0/1.100] mpls ldp
[sysname-GigabitEthernet2/0/1.100] quit

# Configure a policy for establishing an LSP.


[sysname] mpls
[sysname-mpls] lsp-trigger all
[sysname-mpls] quit

Step 9 Configure OSPF to advertise the network segment connected to each interface and the host
route of the LSR ID.
[sysname] ospf 1
[sysname-ospf-1] area 0
[sysname-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[sysname-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[sysname-ospf-1-area-0.0.0.0] quit
[sysname-ospf-1] quit

Step 10 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and MPLS
on Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure BGP for Router1.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit

Step 3 Set a loopback address for Router1.


[Router1] interface loopback 1
[Router1-LoopBack1] ip address 5.5.5.5 32
[Router1-LoopBack1] quit

Step 4 Configure MPLS.


# Configure basic MPLS functions.
[Router1] mpls lsr-id 5.5.5.5
[Router1] mpls
[Router1-mpls] quit
[Router1] mpls ldp
[Router1-ldp] quit
[Router1] interface GigabitEthernet 1/0/1.100
[Router1-GigabitEthernet1/0/1.100] mpls
[Router1-GigabitEthernet1/0/1.100] mpls ldp
[Router1-GigabitEthernet1/0/1.100] quit
[Router1] interface GigabitEthernet 1/0/3
[Router1-GigabitEthernet1/0/3] mpls
[Router1-GigabitEthernet1/0/3] mpls ldp
[Router1-GigabitEthernet1/0/3] quit

Step 5 Configure OSPF to advertise the network segment connected to each interface and the host
route of the LSR ID.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit

----End

Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure MPLS on
Router2.
Step 1 Set the interface IP address of Router2. (Omitted)
Step 2 Set a loopback address for Router2.
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] quit

Step 3 Configure MPLS.


# Configure basic MPLS functions.
[Router2] mpls lsr-id 3.3.3.3
[Router2] mpls
[Router2-mpls] quit
[Router2] mpls ldp
[Router2-ldp] quit
[Router2] interface GigabitEthernet 1/0/1
[Router2-GigabitEthernet1/0/1] mpls
[Router2-GigabitEthernet1/0/1] mpls ldp
[Router2-GigabitEthernet1/0/1] quit

# Configure a policy for establishing an LSP.


[Router2] mpls
[Router2-mpls] lsp-trigger all
[Router2-mpls] quit

Step 4 Configure OSPF to advertise the network segment connected to each interface and the host route
of the LSR ID.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit

----End

2.9 Example for Cleaning Blackhole Routes (Configuring the Router to Discard Packets)
Networking Requirements
As shown in Figure 2-9, the detecting device detects that IP address 2.2.2.2/24 is under a heavy-traffic
attack, which severely congests the inbound bandwidth of the cleaning device. To protect other Zones
against attacks, the blackhole router discards all traffic destined for IP address 2.2.2.2/24.

Figure 2-9 Configuring blackhole traffic diversion (figure: detecting device fed by an optical splitter;
blackhole router, GE1/0/1 7.7.1.3/24; traffic-diversion router; cleaning device, GE2/0/1 7.7.1.1/24;
ATIC management center; Zone 2.2.2.0/24. Legend: detecting traffic, discarded traffic due to blackhole
traffic diversion, pre-cleaning traffic, post-cleaning traffic.)

Implementation Mechanism
Routers are logically categorized as the traffic-diversion router and the blackhole router. The
traffic-diversion router diverts traffic to the cleaning device, whereas the blackhole router discards all
traffic destined for an IP address. The blackhole router and the traffic-diversion router can be the
same router or different routers.
1. Set IP address 2.2.2.2/24 for blackhole traffic diversion in the ATIC management center.
   A static route destined for 2.2.2.2/24 and with the NULL0 egress is generated on the
   cleaning device.
2. Configure a routing policy on the cleaning device that sets the next hop of the route with the
   NULL0 egress to 3.3.3.3. Then import this route into BGP and advertise the BGP route to
   the blackhole router.
   3.3.3.3 is the destination IP address of the blackhole route. The route advertised by the
   cleaning device and the blackhole route on the blackhole router are combined for
   blackhole traffic diversion. The destination IP address can be any unreachable IP address.
3. Configure blackhole route ip route-static 3.3.3.3 255.255.255.255 NULL0 on the
   blackhole router. The BGP route destined for 2.2.2.2/24 with next hop 3.3.3.3 is then stacked
   on top of it: the next hop resolves to the NULL0 route, so the router ends up with a route to
   2.2.2.2/24 whose next-hop egress is NULL0, and the traffic is discarded.

Configuring the ATIC Management Center


Step 1 Choose Defense > Policy Settings > Black Hole Traffic Diversion.
Step 2 On the Black Hole Traffic Diversion Management page, click

Step 3 Select a cleaning NE and enter its IP address.


The traffic destined for the IP address is discarded.
Blackhole traffic diversion applies to traffic diversion by IPv4 or IPv6 address, not by network
segment.
Step 4 Optional: If you select Automatic Enabling, blackhole traffic diversion is automatically
delivered to the cleaning device once being created.
If you deselect Automatic Enabling, blackhole traffic diversion is delivered to the cleaning
device only after you enable the function.
Step 5 Click OK.
After blackhole traffic diversion is enabled, a static route with the NULL0 egress to 2.2.2.2 is
generated on the cleaning device.
----End

Configuring the Blackhole Router


The following uses Huawei NE80E as an example for configuring a router.
Step 1 Run the system-view command to access the system view.
Step 2 Configure a BGP community attribute.
[sysname] bgp 200
[sysname-bgp] peer 7.7.1.1 as-number 200
[sysname-bgp] quit

Step 3 Configure a blackhole route.


[sysname] ip route-static 3.3.3.3 255.255.255.255 NULL0

3.3.3.3 indicates the destination IP address of the blackhole route. Both the route advertised by
the cleaning device and the blackhole route on the blackhole router are merged for blackhole
traffic diversion. The destination IP address can be any IP address.
----End
Configuring the Cleaning Device


Step 1 In the user view, run the system-view command to access the system view.
Step 2 Configure routing policy blackhole.
[sysname] route-policy blackhole permit node 1
[sysname-route-policy] if-match interface NULL0
[sysname-route-policy] apply ip-address next-hop 3.3.3.3
[sysname-route-policy] quit

3.3.3.3 indicates the destination IP address of the blackhole route. A blackhole route is generated
after the route matching the routing policy is advertised to the blackhole router.
After blackhole traffic diversion is enabled on the ATIC management center, a static route with
the NULL0 egress to 2.2.2.2 is generated on the cleaning device. After routing policy
blackhole is matched, a new static route to 2.2.2.2 and with next hop 3.3.3.3 is generated.
NOTE

When you configure a blackhole route, set the node to a smaller value than those of other traffic diversion policies
for it to be preferentially matched.

Step 3 Configure the BGP community attribute and advertise the dynamically generated route.
[sysname] bgp 200
[sysname-bgp] peer 7.7.1.3 as-number 200
[sysname-bgp] peer 7.7.1.3 route-policy blackhole export
[sysname-bgp] import-route static
[sysname-bgp] quit

A static route to 2.2.2.2 and with next hop 3.3.3.3 is advertised to the blackhole router through
BGP and is stacked up with blackhole route ip route-static 3.3.3.3 255.255.255.255 NULL0.
In this manner, a route with the NULL0 egress as the next-hop interface to 2.2.2.2 is generated
for blackhole traffic diversion.
----End

3 Configuration Examples for Comprehensive Scenarios

About This Chapter


3.1 Scenario 1: MAN Attack Defense
3.2 Scenario 2: Data Center Security Protection

3.1 Scenario 1: MAN Attack Defense


3.1.1 Scenario Description
A metropolitan area network (MAN) provides a platform on which comprehensive services of
a city are transmitted. MANs often apply to large and medium-sized cities. The MANs provide
common and public network architecture and allow data, voice, images, and videos to be
effectively transmitted at high speeds, meeting changeable Internet application requirements.
(Figure: normal hosts and normal networks are connected through MANs to the backbone network.)
A MAN carries heavy traffic of various types and is vulnerable to attacks. The following aspects
must be considered for attack defense planning based on MAN traffic characteristics.

Planning Roadmap
1. Deployment mode
   An anti-DDoS device is often associated with a Netflow device in off-line mode. The anti-DDoS
   device cleans traffic, while the Netflow device detects traffic. Only the Netflow device
   produced by Genienrm is supported.
   As Netflow devices have been deployed in most MANs, associating a cleaning device with an
   existing Netflow device reduces expenditure. In addition, Netflow devices are sampling-based
   detection devices suited to heavy-traffic attacks on MANs, and there is no high performance
   requirement for such devices.
   Anti-DDoS devices can also serve as detecting devices. Compared with Netflow devices,
   anti-DDoS devices, which check each packet, provide more refined detection but also require
   more expenditure.
2. Performance choice
   Plan the interface specifications based on the customer link bandwidth. The highest subcard
   processing performance of an SPU is 80 Gbit/s. As DDoS attack defense is performance-consuming,
   you must reserve enough cleaning and detection resources.
3. Defense policy
   Policies are configured on MANs to guarantee bandwidth and prevent link congestion. When
   configuring defense policies, you must first identify the destination IP addresses to which
   traffic is preferentially protected, add such destination IP addresses to user-defined Zones,
   and configure defense policies based on the user-defined Zones. The default Zone defense
   policies apply to unidentified destination IP addresses. Defense policies vary with Zones.
   Tenants of a carrier can be added to user-defined Zones, for which differentiated defense
   policies are configured.
4. Traffic diversion mode
   The injection mode mainly depends on the customer's live network environment. The MPLS LSP
   injection mode is used in most cases. As a carrier usually has many downlinks, next hops must
   be separately specified for destination IP addresses in a policy. If the destination IP
   addresses are discontinuous, the configuration is complicated. In this case, the MPLS LSP
   injection mode is efficient: you only need to enable MPLS LSP tunnels on directly connected
   interfaces.
5. ATIC management center
   The ATIC consists of the management center server and the collector, which can be deployed
   in either of the following modes:
   - Centralized deployment: The ATIC management center server and collector are deployed on
     the same physical server.
   - Distributed deployment: The ATIC management center server and collector are deployed on
     different physical servers. Multiple collectors can share one ATIC management center
     server. One server can manage a maximum of 20 collectors.
   An anti-DDoS collector can process the anti-DDoS service logs of about 50,000 IP addresses.
   You can select the ATIC deployment mode based on the number of IP addresses added to Zones.

3.1.2 Typical Networking


On the network shown in Figure 3-1, a cleaning device is attached to the core router Router1
to clean traffic destined for the Zone. After cleaning traffic, the cleaning device injects normal
traffic back to the original link in MPLS LSP injection mode. Router2 then forwards the traffic
to the Zone.
The cleaning device is directly connected to Router1 only through one interface. Traffic is
diverted to the cleaning device through the main interface, while injected back through a
subinterface. The traffic can also be injected back through another interface if there are enough
interfaces.
Figure 3-1 Typical networking on a MAN (figure: legitimate PCs and a botnet reach the backbone
network; Router1 with the attached cleaning device; the Netflow device and the ATIC management
center; Router2 forwards to the regional networks, one of which contains the attacked target.
Legend: legitimate traffic, attack traffic, Netflow traffic, management traffic.)

3.1.3 Data Planning


Table 3-1 and Figure 3-2 show the IP addresses planned for the cleaning device and ATIC
management center.

Table 3-1 IP address planning

Device Name | Interface | IP Address | Description
Cleaning device | GE2/0/1 | 10.1.2.2/24 | Cleaning interface. Interface through which traffic enters the cleaning device. The cleaning device applies defense policies to, analyzes, and cleans the incoming traffic.
Cleaning device | GE2/0/1.100 | 10.1.3.2/24 | Injection interface. Interface through which normal traffic goes back to the original link after traffic cleaning.
Cleaning device | GE3/0/0 | 10.1.6.1/24 | Interface through which the cleaning device communicates with the ATIC management center. The cleaning device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable to each other. In this example, the two IP addresses are in the same network segment. NOTE: The interface must be on an LPU.
Cleaning device | Loopback interface | 2.2.2.2/32 | Interface used for MPLS LSP injection.
Management center | | 10.1.6.2/24 | The management center must be reachable to the cleaning device.
Router1 | GE1/0/1 | 10.1.2.1/24 | Interface through which traffic is diverted to the cleaning device.
Router1 | GE1/0/1.100 | 10.1.3.1/24 | Interface through which traffic is injected back to the original link.
Router1 | GE1/0/3 | 10.1.5.1/24 | Interface through which Router1 is directly connected to Router2.
Router1 | Loopback interface | 5.5.5.5/32 | Interface used for MPLS LSP injection.
Router2 | Loopback interface | 3.3.3.3/32 | Interface used for MPLS LSP injection.
Router2 | GE1/0/1 | 10.1.5.2/24 | Interface through which Router2 is directly connected to Router1.
Router2 | GE1/0/3 | 10.1.7.2/24 | Interface which is reachable to the Netflow device.

Figure 3-2 IP address planning (figure: Router1 with loopback 5.5.5.5/32, GE1/0/1 10.1.2.1/24,
GE1/0/1.100 10.1.3.1/24 and GE1/0/3 10.1.5.1/24; cleaning device with loopback 2.2.2.2/32,
GE2/0/1 10.1.2.2/24, GE2/0/1.100 10.1.3.2/24 and GE3/0/0 10.1.6.1/24; Router2 with loopback
3.3.3.3/32, GE1/0/1 10.1.5.2/24, GE1/0/3 10.1.7.2/24 and GE1/0/2 1.1.1.2/24; NetFlow device
Eth0 10.1.7.1/24; ATIC management center; Zone 1.1.1.1/32. Legend: diverted traffic, injected
traffic, Netflow traffic, management traffic.)

- The Netflow device must be produced by Genienrm and running a version released later than
  January 1, 2014.
- Traffic is diverted from Router1's GE1/0/1 to the cleaning device's GE2/0/1.
- Traffic is injected back from the cleaning device's GE2/0/1.100 to Router1's GE1/0/1.100.
- The cleaning device is an AntiDDoS.
- The ATIC management center is deployed in centralized mode. That is, the anti-DDoS collector
  and management server are deployed on one physical server.

Configuration Roadmap
Do as follows on the cleaning device:
1. Load the license.
2. Specify the service subcard type.
3. Assign IP addresses to interfaces, add the interfaces to security zones, and enable interzone
   default packet filtering.
4. Create a user name, set a password, and configure Telnet.
5. Configure SNMP, so that the ATIC management center can obtain the status of the cleaning
   device.
6. Configure the cleaning interface and enable traffic statistics on the interface.
7. Configure traffic diversion and injection.
8. Save the configuration.
Do as follows on the ATIC management center:
1. Log in to the ATIC management center for the first time.
2. Create an anti-DDoS device.
3. Configure defense policies.
4. Save the configuration.
In addition, configure the routers. This example provides router configurations for reference,
and the configurations may need to be adjusted according to the actual router model in a live
network.

Defense Supported by the Genienrm Netflow Device
As the Genienrm Netflow device is a third-party device, the attack types listed in Table 3-2 are
only for your reference. For actual use, refer to the features supported by the latest Genienrm
Netflow version.
Table 3-2 Attacks that the Genienrm Netflow device can defend against

Attack Type | Description
Host Total Traffic | The amount of traffic arriving at a host exceeds a preset threshold.
UDP Flood | The number of sent UDP packets exceeds a preset threshold.
TCP RST Flood | The number of sent TCP RST packets exceeds a preset threshold.
Land Attack | Spoofed TCP SYN packets (connection initiation) carrying the target host's IP address as both source and destination are sent to an open port.
ICMP Misuse | The number of sent ICMP packets exceeds a preset threshold.
UDP Fragment | Too many UDP fragments are sent.
TCP Fragment | Too many TCP fragments are sent.
TCP Flag Null or Misuse | The TCP flags of packets are Null or Misuse.
IP Protocol Null | IP packets with an empty protocol field are sent to a target host.
TCP SYN Flood | The number of sent TCP SYN packets exceeds a preset threshold.
User-Defined Attack | The Genienrm Netflow device supports user-defined attack types with specified protocol types and port numbers.

3.1.4 Configuration Procedure


Configuring the Cleaning Device
Step 1 Load the license.
<AntiDDoS> system-view
[AntiDDoS] license active lic_antiddos8000_20150430.dat

Step 2 Specify the cleaning SPU subcard.


[AntiDDoS] firewall ddos clean-spu slot 3 card 0
[AntiDDoS] firewall ddos clean-spu slot 3 card 1

Step 3 Configure Telnet.


Set the authentication mode of the VTY administrator page to AAA and disconnection period
for idle administrators to 5 minutes (10 minutes by default).
NOTE

This example uses Telnet as an example to describe the configuration procedure. Compared with STelnet,
Telnet is insecure. Therefore, STelnet is recommended.
[AntiDDoS] telnet server enable
[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] idle-timeout 5
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type telnet
[AntiDDoS-aaa-manager-user-atic] quit

Step 4 Set the IP addresses of interfaces and add the interfaces to security zones.
# Assign IP addresses to interfaces.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[AntiDDoS-GigabitEthernet2/0/1] quit
[AntiDDoS] interface GigabitEthernet 2/0/1.100
[AntiDDoS-GigabitEthernet2/0/1.100] ip address 10.1.3.2 24
[AntiDDoS-GigabitEthernet2/0/1.100] vlan-type dot1q 100
[AntiDDoS-GigabitEthernet2/0/1.100] quit
[AntiDDoS] interface GigabitEthernet 3/0/0
[AntiDDoS-GigabitEthernet3/0/0] ip address 10.1.6.1 24
[AntiDDoS-GigabitEthernet3/0/0] quit

# Add the interfaces to security zones.


[AntiDDoS] firewall zone trust
[AntiDDoS-zone-trust] add interface GigabitEthernet 2/0/1
[AntiDDoS-zone-trust] add interface GigabitEthernet 2/0/1.100
[AntiDDoS-zone-trust] add interface GigabitEthernet 3/0/0
[AntiDDoS-zone-trust] quit

Step 5 Enable interzone default packet filtering.


[AntiDDoS] security-policy
[AntiDDoS-policy-security] rule name ddos1

[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit

Step 6 Configure SNMP.


NOTE

Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c as an example to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123

Step 7 Configure the cleaning interface.


[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos clean enable
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit

Step 8 On the cleaning device, configure the next-hop address used for a dynamically generated route.
<AntiDDoS> system-view
[AntiDDoS] firewall ddos bgp-next-hop 10.1.3.1

Step 9 Configure FIB filtering for the generated 32-bit UNR.


[AntiDDoS] firewall ddos bgp-next-hop fib-filter

Step 10 Configure the BGP function and community attribute on the cleaning device.
[AntiDDoS] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[AntiDDoS] route-policy 1 permit node 1
[AntiDDoS-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[AntiDDoS-route-policy] apply community no-advertise
[AntiDDoS-route-policy] quit
[AntiDDoS] bgp 100
[AntiDDoS-bgp] peer 10.1.2.1 as-number 100
[AntiDDoS-bgp] import-route unr
[AntiDDoS-bgp] ipv4-family unicast
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[AntiDDoS-bgp-af-ipv4] quit
[AntiDDoS-bgp] quit

After the configuration is complete, the UNR generated on the cleaning device is imported
into BGP and then advertised to Router1 through BGP. In this manner, when Router1 receives
traffic destined for 1.1.1.1/32, it searches the routing table, matches the route according to the
longest mask, and forwards the traffic to the cleaning device through GE1/0/1.
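The route recursion behind the blackhole mechanism in 2.9 and the longest-match diversion described in Step 10 above, as an added example that is not part of Huawei's documentation: a small Python model of a FIB with longest-prefix match and recursive next-hop resolution, built from the addresses on this page. The route origin labels and the interface name ZoneLink toward the 2.2.2.0/24 Zone are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    origin: str                       # label only: direct, static, ospf, bgp, igp
    next_hop: Optional[str] = None    # recursive next hop; None for direct or NULL0 routes
    interface: Optional[str] = None   # outgoing interface; "NULL0" means discard


def route(prefix: str, origin: str, next_hop: Optional[str] = None,
          interface: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), origin, next_hop, interface)


class Fib:
    """Tiny forwarding table: longest-prefix match plus recursive next-hop resolution."""

    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def withdraw(self, prefix: str, origin: str) -> None:
        """Drop a route, e.g. when blackhole diversion is disabled on the ATIC."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.prefix == net and r.origin == origin)]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, which is how Router1 picks 1.1.1.1/32 over 1.1.1.0/24."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def resolve(self, dst: str, max_depth: int = 8) -> Tuple[Optional[str], List[Route]]:
        """Return (outgoing interface, chain of routes walked); interface None if unroutable."""
        path: List[Route] = []
        target = dst
        for _ in range(max_depth):
            r = self.lookup(target)
            if r is None:
                return None, path
            path.append(r)
            if r.interface is not None:
                return r.interface, path
            target = r.next_hop  # recurse on the next hop, as the router does
        raise RuntimeError("next-hop recursion too deep (loop?)")


def blackhole_router() -> Fib:
    """FIB of the blackhole router in 2.9 once the cleaning device's BGP route has arrived.

    The link toward the Zone ("ZoneLink") is an assumed interface name."""
    return Fib([
        route("7.7.1.0/24", "direct", interface="GigabitEthernet1/0/1"),
        route("2.2.2.0/24", "igp", interface="ZoneLink"),   # normal path to the Zone
        route("3.3.3.3/32", "static", interface="NULL0"),   # ip route-static 3.3.3.3 255.255.255.255 NULL0
        route("2.2.2.2/32", "bgp", next_hop="3.3.3.3"),     # advertised by the cleaning device
    ])


def router1() -> Fib:
    """FIB of Router1 in 3.1 once the cleaning device advertises the 1.1.1.1/32 UNR."""
    return Fib([
        route("10.1.2.0/24", "direct", interface="GigabitEthernet1/0/1"),
        route("10.1.5.0/24", "direct", interface="GigabitEthernet1/0/3"),
        route("1.1.1.0/24", "ospf", next_hop="10.1.5.2"),   # Zone segment learned from Router2
        route("1.1.1.1/32", "bgp", next_hop="10.1.2.2"),    # UNR from the cleaning device
    ])


if __name__ == "__main__":
    for fib, dsts in ((blackhole_router(), ["2.2.2.2", "2.2.2.10"]),
                      (router1(), ["1.1.1.1", "1.1.1.5"])):
        for dst in dsts:
            iface, path = fib.resolve(dst)
            chain = " -> ".join(f"{r.prefix}({r.origin})" for r in path)
            print(f"{dst}: {iface} via {chain}")
```

Only the /32 host is discarded; the rest of 2.2.2.0/24 keeps its normal path, which is the per-address (not per-segment) behaviour the ATIC step notes.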
Step 11 Enable traffic statistics on the cleaning interface of the cleaning device.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit

Step 12 Set the loopback address for the cleaning device.


[AntiDDoS] interface loopback 1
[AntiDDoS-LoopBack1] ip address 2.2.2.2 32
[AntiDDoS-LoopBack1] quit

Step 13 Configure MPLS on the cleaning device for traffic injection.


# Configure basic MPLS functions.
[AntiDDoS] mpls lsr-id 2.2.2.2
[AntiDDoS] mpls

[AntiDDoS-mpls] quit
[AntiDDoS] mpls ldp
[AntiDDoS-ldp] quit
[AntiDDoS] interface GigabitEthernet 2/0/1.100
[AntiDDoS-GigabitEthernet2/0/1.100] mpls
[AntiDDoS-GigabitEthernet2/0/1.100] mpls ldp
[AntiDDoS-GigabitEthernet2/0/1.100] quit

# Configure an LSP triggering policy.


NOTE

The lsp-trigger configuration must be subject to the IP address for which an LSP will be established.
[AntiDDoS] mpls
[AntiDDoS-mpls] lsp-trigger all
[AntiDDoS-mpls] quit

Step 14 Configure OSPF to advertise the interface-connected network segment and LSR ID host route.
[AntiDDoS] ospf 1
[AntiDDoS-ospf-1] area 0
[AntiDDoS-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[AntiDDoS-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[AntiDDoS-ospf-1-area-0.0.0.0] quit
[AntiDDoS-ospf-1] quit

Step 15 Configure a default route for reverse route searching.


[AntiDDoS] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

Step 16 Configure interconnection with the ATIC management center.


[AntiDDoS] firewall ddos log-local-ip 10.1.6.1
[AntiDDoS] firewall ddos log-server-ip 10.1.6.2

Step 17 Save the configuration.


<AntiDDoS> save

----End

Configuring the ATIC Management Center


Step 1 Log in to the ATIC management center for the first time.
1.

Enter https://10.1.6.2 in the address bar of the Internet Explorer and press Enter to access
the ATIC management center.

2.

Enter the user name, password, and verification code on the login page. The user name is
admin, and the password is Admin@123. Click Log In.

3.

Change the initial password upon the first login.

Step 2 Create an anti-DDoS device.


1.

Choose Defense > Network Settings > Devices.

2.

Click

Figure 3-3 Create an anti-DDoS device.

3.

Click OK. The anti-DDoS device is added to the NE list.

Step 3 Create a Netflow device.


1.

Choose Defense > Network Settings > Devices.

2.

Click

Figure 3-4 Creating a Netflow device

3.

Click OK. The Netflow device is added to the NE list.

Step 4 Configure defense policies.


When configuring defense policies, you must first identify the destination IP addresses to which
traffic is preferentially protected, add such destination IP addresses to user-defined Zones, and
configure defense policies based on the user-defined Zones. The default Zone defense policies
apply to unidentified destination IP addresses. The following part uses default Zone defense
policies as an example to describe the configuration procedure.
1. Choose Defense > Policy Settings > Zone. Click the icon in the Operation column
   corresponding to the default Zone.
2. On the Defense Policy tab, click the icon corresponding to the defense policies whose names
   start with basic.
3. Configure a default TCP defense policy.

4.

Configure a default UDP defense policy.

5.

Configure a default ICMP defense policy.

6.

Configure a default DNS defense policy.

7.

Configure a default HTTP defense policy.

Step 5 Deploy the defense policies and save the configuration.


1.

Choose Defense > Policy Settings > Zone, select the check box of a Zone, and click the deploy icon.

2.

Click OK. The deployment progress is displayed, and the progress bar is automatically
closed after the deployment is complete.

3.

Choose Defense > Policy Settings > Global Policy, select the check box of the
AntiDDoS, and click the save icon.

4.

Click OK. The saving progress is displayed, and the progress bar is automatically closed
after the configuration is saved.

----End

Configuring Router1
This part uses Huawei NE80E as an example to describe BGP and MPLS configurations on the
router. The router configuration varies with software versions. The following configuration is
only an example for reference.
Step 1 Assign IP addresses to interfaces on Router1 (omitted).
Step 2 Configure the BGP function.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit

Step 3 Configure the loopback address for Router1.


[Router1] interface loopback 1
[Router1-LoopBack1] ip address 5.5.5.5 32
[Router1-LoopBack1] quit

Step 4 Configure MPLS.


# Configure basic MPLS functions.
[Router1] mpls lsr-id 5.5.5.5
[Router1] mpls
[Router1-mpls] quit
[Router1] mpls ldp
[Router1-ldp] quit
[Router1] interface GigabitEthernet 1/0/1.100
[Router1-GigabitEthernet1/0/1.100] mpls
[Router1-GigabitEthernet1/0/1.100] mpls ldp
[Router1-GigabitEthernet1/0/1.100] quit
[Router1] interface GigabitEthernet 1/0/3
[Router1-GigabitEthernet1/0/3] mpls
[Router1-GigabitEthernet1/0/3] mpls ldp
[Router1-GigabitEthernet1/0/3] quit

Step 5 Configure OSPF to advertise the interface-connected network segment and LSR ID host route.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit

----End

Configuring Router2
This part uses Huawei NE80E as an example to describe the MPLS configuration on the router.
Step 1 Assign IP addresses to interfaces on Router2 (omitted).
Step 2 Configure the loopback address for Router2.
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] quit

Step 3 Configure MPLS.


# Configure basic MPLS functions.
[Router2] mpls lsr-id 3.3.3.3
[Router2] mpls
[Router2-mpls] quit
[Router2] mpls ldp
[Router2-ldp] quit
[Router2] interface GigabitEthernet 1/0/1
[Router2-GigabitEthernet1/0/1] mpls
[Router2-GigabitEthernet1/0/1] mpls ldp
[Router2-GigabitEthernet1/0/1] quit

# Configure an LSP triggering policy.


[Router2] mpls
[Router2-mpls] lsp-trigger all
[Router2-mpls] quit

Step 4 Configure OSPF to advertise the interface-connected network segment and LSR ID host route.
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255

[Router2-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255


[Router2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit

Step 5 Router2 sends Netflow logs to the Genienrm Netflow device. Configure Netflow on Router2.
# Configure a sampling ratio. The value must be the same as that configured on the Genienrm
Netflow device.
[Router2] ip netstream sampler fix-packets 1000 inbound

# Set a source address for NetStream output packets.


[Router2] ip netstream export source 10.1.7.2

# Set the destination address and port number for NetStream output packets, that is, the address
of the Genienrm Netflow device.
[Router2] ip netstream export host 10.1.7.1 9900

# Configure the TCP-flag statistics function for the original flow.


[Router2] ip netstream tcp-flag enable

# Set an aging time for the NetStream original flow.


[Router2] ip netstream timeout active 1

# Specify an LPU as the NetStream board. For an NE40E, every interface supports NetStream,
and therefore no dedicated service board is required.
[Router2] slot 1
[Router2-slot-1] ip netstream sampler to slot self

# Enable NetStream for incoming traffic on the LPU.


[Router2] interface GigabitEthernet 1/0/3
[Router2-GigabitEthernet1/0/3] ip netstream inbound

----End
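Added example, not from the Huawei document or the Genienrm product: Python code that scales the sampled NetStream counters Router2 exports (fix-packets 1000, active timeout of one minute) back to per-destination rates and applies Table 3-2 style threshold checks (Host Total Traffic, UDP Flood, TCP SYN Flood). The flow records are constructed, the record format and the threshold values are assumptions, and the sampling_rate parameter shows why the collector's ratio must match the router's.

```python
from collections import defaultdict
from typing import Dict, List

# Values taken from the Router2 NetStream configuration above.
SAMPLING_RATE = 1000   # ip netstream sampler fix-packets 1000 inbound: 1 packet in 1000 is sampled
WINDOW_SECONDS = 60    # ip netstream timeout active 1: active flows are exported every minute

# Per-destination thresholds in packets per second. Assumed values for illustration;
# Table 3-2 names the checks but gives no numbers.
THRESHOLDS_PPS = {"Host Total Traffic": 50_000, "UDP Flood": 20_000, "TCP SYN Flood": 30_000}

# Constructed flow records for one active-timeout window, in an assumed CSV shape.
# pkts/bytes are the *sampled* counts the collector receives, not the real volume.
SAMPLE_RECORDS = """\
dst,proto,tcp_flags,pkts,bytes
1.1.1.1,17,-,1500,90000
1.1.1.1,6,S,4200,252000
1.1.1.2,6,SA,30,36000
1.1.1.2,17,-,20,12000
"""


def parse_records(text: str) -> List[dict]:
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["proto"] = int(rec["proto"])
        rec["pkts"] = int(rec["pkts"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def estimate_rates(records: List[dict], sampling_rate: int = SAMPLING_RATE,
                   window: int = WINDOW_SECONDS) -> Dict[str, Dict[str, float]]:
    """Scale sampled counters back to estimated per-destination rates (pps and bytes/s)."""
    counters = defaultdict(lambda: {"total_pkts": 0, "udp_pkts": 0, "syn_pkts": 0,
                                    "bytes": 0, "samples": 0})
    for r in records:
        c = counters[r["dst"]]
        est_pkts = r["pkts"] * sampling_rate
        c["samples"] += r["pkts"]          # raw sample count, kept to judge confidence
        c["total_pkts"] += est_pkts
        c["bytes"] += r["bytes"] * sampling_rate
        if r["proto"] == 17:
            c["udp_pkts"] += est_pkts
        # A pure SYN (no ACK) is only visible because 'ip netstream tcp-flag enable'
        # exports the TCP flags with the flow.
        if r["proto"] == 6 and r["tcp_flags"] == "S":
            c["syn_pkts"] += est_pkts
    return {
        dst: {
            "total_pps": c["total_pkts"] / window,
            "udp_pps": c["udp_pkts"] / window,
            "syn_pps": c["syn_pkts"] / window,
            "bytes_per_s": c["bytes"] / window,
            "samples": c["samples"],
        }
        for dst, c in counters.items()
    }


def detect(rates: Dict[str, Dict[str, float]], thresholds=THRESHOLDS_PPS,
           min_samples: int = 100) -> Dict[str, List[str]]:
    """Return Table 3-2 style verdicts for destinations that exceed a threshold.

    Hosts with fewer than min_samples sampled packets are skipped: at 1:1000 the
    scaled estimate for them has too much variance to act on."""
    keys = {"Host Total Traffic": "total_pps", "UDP Flood": "udp_pps",
            "TCP SYN Flood": "syn_pps"}
    alerts = {}
    for dst, r in rates.items():
        if r["samples"] < min_samples:
            continue
        hits = [name for name, key in keys.items() if r[key] > thresholds[name]]
        if hits:
            alerts[dst] = hits
    return alerts


if __name__ == "__main__":
    rates = estimate_rates(parse_records(SAMPLE_RECORDS))
    for dst, verdicts in detect(rates).items():
        print(dst, verdicts, f"~{rates[dst]['total_pps']:.0f} pps estimated")
```

Calling estimate_rates with sampling_rate=100 (a collector set to a different ratio than the router) yields estimates ten times too low and no alert at all, which is the mismatch the sampling step warns about.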

3.1.5 Configuration Scripts

Configuration script of the cleaning device:
#
 sysname AntiDDoS
#
security-policy
 rule name ddos1
  action permit
#
snmp-agent
snmp-agent community read cipher %^%#{nd*BS2cw*LrJZYehT4Wlck;/!`T}";7
snmp-agent community write cipher %^%#}Kf,W'WU`8O%L+Gd.MsF8yat7-Gh|EF,U^2LmL&6x&{8W$S7oBXQUY.$voYBfPWX1qvD,"'pB[W\LG7O%^%#
snmp-agent sys-info version v2c
snmp-agent trap enable
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 idle-timeout 5
#
 manager-user atic
  password cipher @%@%lejNT_n+a+xqBl2)^M!6#qAGJCchPP']P$Q*Q9#d_AgEqAJ#@%@%
  service-type terminal telnet
  level 15
#
firewall ddos clean-spu slot 3 card 0
firewall ddos clean-spu slot 3 card 1
#
mpls lsr-id 2.2.2.2
mpls ldp
mpls
 lsp-trigger all
#
interface GigabitEthernet2/0/1
 undo shutdown
 ip address 10.1.2.2 255.255.255.0
 anti-ddos clean enable
 anti-ddos flow-statistic enable
#
interface GigabitEthernet2/0/1.100
 vlan-type dot1q 100
 ip address 10.1.3.2 24
 mpls
 mpls ldp
#
interface GigabitEthernet3/0/0
 ip address 10.1.6.1 255.255.255.0
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet2/0/1
 add interface GigabitEthernet2/0/1.100
 add interface GigabitEthernet3/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
route-policy 1 permit node 1
 if-match ip-prefix EXPORT-TO-DDoS
 apply community no-advertise
#
bgp 100
 peer 10.1.2.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route unr
  peer 10.1.2.1 enable
  peer 10.1.2.1 route-policy 1 export
  peer 10.1.2.1 advertise-community
#
ospf 1
 area 0.0.0.0
  network 10.1.3.0 0.0.0.255
  network 2.2.2.2 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet2/0/1 10.1.2.1
#
firewall ddos bgp-next-hop fib-filter
firewall ddos bgp-next-hop 10.1.3.1
#
firewall ddos log-local-ip 10.1.6.1
firewall ddos log-server-ip 10.1.6.2
#

DDoS attack defense policies are delivered by the ATIC management center. For details about
enabled defense policies, see the ATIC management center configuration.

3.1.6 Commissioning
After the configuration is complete, you can do as follows to commission the result:
1. Perform ping tests using test IP addresses. The ping tests succeed.
2. Create a static traffic diversion task.
3. Initiate ping tests to destination IP addresses.
   - If the ping tests succeed, run the display firewall session table command to view session entries. If the ping session table exists, traffic injection succeeds.
   - If the ping tests fail:
     a. Initiate a tracert test on the client to identify the packet discard point.
     b. If the router discards packets, check the route through which the injected traffic is forwarded.
     c. If the cleaning device discards packets, run the display firewall statistic system discarded command to view the number of discarded packets and the packet discarding causes, and contact R&D engineers for support.
4. Construct attack traffic (SYN flood traffic is used as an example) and configure a corresponding defense policy.
5. Choose Report > Report > Traffic Analysis and view the ATIC traffic comparison report.
   - If the traffic curve is normal, logs are properly transmitted between the ATIC management center and the device, and reports can be correctly exported.
   - If the query result is empty, perform troubleshooting according to the HUAWEI AntiDDoS Maintenance Guide.


3.2 Scenario 2: Data Center Security Protection


3.2.1 Scenario Description
An Internet Data Center (IDC) is a part of basic network resources. It provides large-scale, high-quality, secure, and reliable data transmission services and high-speed access services for Internet content providers, enterprises, media, and all types of websites. The IDC provides DNS servers, web servers, game servers, and other services. In recent years, more and more Internet-initiated DDoS attacks target IDCs. As a result, important servers are attacked, data center link bandwidth is occupied, and videos and games are compromised by application-layer attacks.

The following aspects must be considered for attack defense planning based on IDC traffic characteristics.

Planning Roadmap
1. Deployment mode
   The detecting and cleaning devices are associated and deployed in off-line mode, and traffic is dynamically diverted.
   If traffic is statically diverted, an attack on one customer's service may affect other customers' services. As traffic cleaning is performance-consuming, if the cleaning device also receives other customers' traffic while cleaning the service traffic of an attacked customer, the normal services of the other customers are affected once the cleaning device is overloaded. If traffic is dynamically diverted, only attack traffic is diverted to the cleaning device. In this manner, normal services are not affected even if the cleaning device is overloaded.
2. Performance choice
   Plan the interface specifications based on the customer link bandwidth. The highest subcard processing performance of an SPU is 80 Gbit/s. As DDoS attack defense is performance-consuming, you must reserve enough cleaning and detection resources.
3. Defense policy
   First, you must identify defense objects, create Zones accordingly, and configure defense policies for the Zones. Use default Zone defense policies to protect unidentified objects.
   For example, an IDC network has three web servers, two DNS servers, and five game servers. You can create a Zone for each server. That is, 10 Zones are created. Configure a specific defense policy for each type of server. For example, configure an HTTP defense policy for web servers, a DNS defense policy for DNS servers, and a UDP/TCP defense policy for game servers.
   However, configuring 10 Zones in this way is complicated. If services are almost the same on a type of server, you can configure only three Zones for the three types of servers, add the IP addresses to the corresponding Zones (multiple IP addresses or network segments can be added to each Zone), and configure a defense policy for each Zone. In this manner, you need to configure only three defense policies.
   After the configuration is complete, key objects are protected. For other network resources in the IDC, apply the default Zone defense policies.
4. Traffic diversion mode
   The cleaning device is attached to the router. BGP-based traffic diversion and PBR-based traffic injection are used.
5. ATIC management center
   The ATIC consists of the management center server and collector, which can be deployed in either of the following modes:
   - Centralized deployment: The ATIC management center server and collector are deployed on the same physical server.
   - Distributed deployment: The ATIC management center server and collector are deployed on different physical servers. Multiple collectors can share one ATIC management center server. One server can manage a maximum of 20 collectors.
   An anti-DDoS collector can process the anti-DDoS service logs of about 50,000 IP addresses. You can select the ATIC deployment mode based on the number of IP addresses added to Zones.


3.2.2 Typical Networking


On the network shown in Figure 3-5, a cleaning device is attached to the core router to detect
and clean the traffic destined for the Zone. The traffic must be diverted to the cleaning device
using BGP in real time. After traffic is cleaned, normal traffic is injected back to the original
link through PBR and finally forwarded to the Zone.


Figure 3-5 Typical networking for an IDC
(Figure not reproduced. It shows the following elements: two legitimate networks and a botnet as traffic sources, the detecting device, the cleaning device, the ATIC management center, a firewall and switches in front of the e-banking center and the credit card center, and the attacked target. The legend distinguishes legitimate traffic, attack traffic, split traffic, and management traffic.)


3.2.3 Data Planning


Table 3-3 and Figure 3-6 show the IP addresses planned for the detecting device, cleaning
device, and ATIC management center.
Table 3-3 IP address planning

Device Name | Interface | IP Address | Description
Detecting device | GE2/0/1 | - | Detecting interface.
Detecting device | GE3/0/0 | 10.1.6.3/24 | Interface through which the detecting device communicates with the ATIC management center. The detecting device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable to each other. In this example, the two IP addresses are in the same network segment. NOTE: The interface must be on an LPU.
Cleaning device | GE2/0/1 | 10.1.2.2/24 | Cleaning interface. Interface through which traffic enters the cleaning device. The cleaning device applies defense policies to, analyzes, and cleans the incoming traffic.
Cleaning device | GE2/0/2 | 10.1.3.2/24 | Injection interface. Interface through which normal traffic goes back to the original link after traffic cleaning.
Cleaning device | GE3/0/0 | 10.1.6.1/24 | Interface through which the cleaning device communicates with the ATIC management center. The cleaning device sends logs or captured packets to the anti-DDoS collector in the ATIC management center for further analysis and processing. The IP address of this interface and the IP address of the ATIC management center must be reachable to each other. In this example, the two IP addresses are in the same network segment. NOTE: The interface must be on an LPU.
Management center | - | 10.1.6.2/24 | The management center must be reachable from the cleaning device.
Router1 | GE1/0/1 | 10.1.2.1/24 | Interface through which traffic is diverted to the cleaning device.
Router1 | GE1/0/2 | 10.1.3.1/24 | Interface through which traffic is injected back to the original link.
Router1 | GE1/0/3 | 10.1.5.1/24 | Interface through which Router1 is directly connected to Router2.
Router2 | GE1/0/1 | 10.1.5.2/24 | Interface through which Router2 is directly connected to Router1.



Figure 3-6 IP address planning
(Figure not reproduced. It shows the addresses listed in Table 3-3: detecting device GE3/0/0 10.1.6.3/24; cleaning device GE2/0/1 10.1.2.2/24, GE2/0/2 10.1.3.2/24, GE3/0/0 10.1.6.1/24; Router1 GE1/0/1 10.1.2.1/24 and GE1/0/2 10.1.3.1/24; Router2; the ATIC management center; and the protected Zone. The legend distinguishes normal traffic, attack traffic, split traffic, and management traffic.)


Traffic is diverted from Router1's GE1/0/1 to the cleaning device's GE2/0/1.

Traffic is injected back from the cleaning device's GE2/0/2 to Router1's GE1/0/2.

The cleaning device is an AntiDDoS.

The ATIC management center is deployed in centralized mode. That is, the anti-DDoS
collector and management server are deployed on one physical server.

Configuration Roadmap
Do as follows on the detecting device:
1. Load the license.
2. Specify the service subcard type.
3. Assign IP addresses to interfaces, add the interfaces to security zones, and enable interzone default packet filtering. The detecting interface does not need an IP address.
4. Configure the management interface.
5. Configure STelnet.
6. Configure SNMP, so that the ATIC management center can obtain the status of the detecting device.
7. Configure the detecting interface and enable traffic statistics on the interface.
8. Save the configuration.

Do as follows on the cleaning device:
1. Load the license.
2. Specify the service subcard type.
3. Assign IP addresses to interfaces, add the interfaces to security zones, and enable interzone default packet filtering.
4. Configure STelnet.
5. Configure SNMP, so that the ATIC management center can obtain the status of the cleaning device.
6. Configure the cleaning interface and enable traffic statistics on the interface.
7. Configure traffic diversion and injection.
8. Save the configuration.

Do as follows on the ATIC management center:
1. Log in to the ATIC management center for the first time.
2. Create an anti-DDoS device.
3. Configure defense policies.
4. Save the configuration.
5. Configure traffic baseline learning and adjust defense thresholds.

In addition, configure the router. This example provides router configurations for reference, and the configurations may need to be adjusted according to the actual router model in a live network.

3.2.4 Configuration Procedure


Configuring the Detecting Device
Step 1 Load the license.
<AntiDDoS> system-view
[AntiDDoS] license active lic_detect_20150430.dat

Step 2 Specify the detecting SPU subcard.


[AntiDDoS] firewall ddos detect-spu slot 3 card 0
[AntiDDoS] firewall ddos detect-spu slot 3 card 1

Step 3 Configure STelnet.


[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] protocol inbound ssh
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type ssh
[AntiDDoS-aaa-manager-user-atic] level 15
[AntiDDoS-aaa-manager-user-atic] quit
[AntiDDoS-aaa] quit
[AntiDDoS] rsa local-key-pair create
The key name will be: AntiDDoS_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
[AntiDDoS] stelnet server enable
[AntiDDoS] ssh user atic
[AntiDDoS] ssh user atic authentication-type password
[AntiDDoS] ssh user atic service-type stelnet

Step 4 Set the IP addresses of interfaces and add the interfaces to security zones.
# Assign IP addresses to interfaces.
[AntiDDoS] interface GigabitEthernet 3/0/0
[AntiDDoS-GigabitEthernet3/0/0] ip address 10.1.6.3 24
[AntiDDoS-GigabitEthernet3/0/0] anti-ddos detect-device manage-port enable
[AntiDDoS-GigabitEthernet3/0/0] quit

# Add the interfaces to security zones.


[AntiDDoS] firewall zone trust
[AntiDDoS-zone-trust] add interface GigabitEthernet 2/0/1
[AntiDDoS-zone-trust] add interface GigabitEthernet 3/0/0
[AntiDDoS-zone-trust] quit

Step 5 Enable interzone default packet filtering.


[AntiDDoS] security-policy
[AntiDDoS-policy-security] rule name ddos1
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit

Step 6 Configure SNMP.


NOTE

Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123

Step 7 Configure the detecting interface.


[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos detect enable
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit

Step 8 Configure interconnection with the ATIC management center.


[AntiDDoS] firewall ddos log-local-ip 10.1.6.3
[AntiDDoS] firewall ddos log-server-ip 10.1.6.2

Step 9 Save the configuration.


<AntiDDoS> save

----End

Configuring the Cleaning Device


Step 1 Load the license.
<AntiDDoS> system-view
[AntiDDoS] license active lic_clean_20150430.dat

Step 2 Specify the cleaning SPU subcard.


[AntiDDoS] firewall ddos clean-spu slot 3 card 0
[AntiDDoS] firewall ddos clean-spu slot 3 card 1

Step 3 Configure STelnet.


[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] protocol inbound ssh
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type ssh
[AntiDDoS-aaa-manager-user-atic] level 15
[AntiDDoS-aaa-manager-user-atic] quit
[AntiDDoS-aaa] quit
[AntiDDoS] rsa local-key-pair create
The key name will be: AntiDDoS_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
[AntiDDoS] stelnet server enable
[AntiDDoS] ssh user atic
[AntiDDoS] ssh user atic authentication-type password
[AntiDDoS] ssh user atic service-type stelnet

Step 4 Set the IP addresses of interfaces and add the interfaces to security zones.
# Assign IP addresses to interfaces.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[AntiDDoS-GigabitEthernet2/0/1] quit
[AntiDDoS] interface GigabitEthernet 2/0/2
[AntiDDoS-GigabitEthernet2/0/2] ip address 10.1.3.2 24
[AntiDDoS-GigabitEthernet2/0/2] quit
[AntiDDoS] interface GigabitEthernet 3/0/0
[AntiDDoS-GigabitEthernet3/0/0] ip address 10.1.6.1 24
[AntiDDoS-GigabitEthernet3/0/0] quit

# Add the interfaces to security zones.


[AntiDDoS] firewall zone trust
[AntiDDoS-zone-trust] add interface GigabitEthernet 2/0/1
[AntiDDoS-zone-trust] add interface GigabitEthernet 2/0/2
[AntiDDoS-zone-trust] add interface GigabitEthernet 3/0/0
[AntiDDoS-zone-trust] quit

Step 5 Enable interzone default packet filtering.


[AntiDDoS] security-policy
[AntiDDoS-policy-security] rule name ddos1
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit

Step 6 Configure SNMP.


NOTE

Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123

Step 7 Configure the cleaning interface.


[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos clean enable
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit

Step 8 On the cleaning device, configure the next-hop address used for a dynamically generated route.
<AntiDDoS> system-view
[AntiDDoS] firewall ddos bgp-next-hop 10.1.3.1

Step 9 Configure FIB filtering for the generated 32-bit UNR.


[AntiDDoS] firewall ddos bgp-next-hop fib-filter

Step 10 Configure the BGP function and community attribute on the cleaning device.
[AntiDDoS] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[AntiDDoS] route-policy 1 permit node 1
[AntiDDoS-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[AntiDDoS-route-policy] apply community no-advertise
[AntiDDoS-route-policy] quit
[AntiDDoS] bgp 100
[AntiDDoS-bgp] peer 10.1.2.1 as-number 100
[AntiDDoS-bgp] import-route unr
[AntiDDoS-bgp] ipv4-family unicast
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[AntiDDoS-bgp-af-ipv4] quit
[AntiDDoS-bgp] quit

After the configuration is complete, the UNR generated on the cleaning device is imported
into BGP and advertised to Router1. In this manner, when Router1 receives
traffic destined for 1.1.1.1/32, it searches the routing table, matches the route with the
longest mask, and forwards the traffic to the cleaning device through GE1/0/1.
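
The diversion and injection path just described, as an added example that is not part of this document or of Huawei's software: a Python simulation of Router1's longest-prefix-match lookup and of the PBR rule on its injection interface GE1/0/2, using the addresses from Table 3-3. The Zone segment 1.1.1.0/24 and Router1's upstream interface name GE1/0/0 are assumptions. The simulation also shows why the PBR rule on Router1 matters: without it, traffic injected back through 10.1.3.1 would match the /32 diversion route a second time and loop between Router1 and the cleaning device.

```python
"""Simulation of BGP-based diversion and PBR-based injection (Scenario 2).

Added example; not Huawei or ATIC code. Router1 is modelled as a
longest-prefix-match FIB plus a PBR rule on its injection interface GE1/0/2.
Addresses follow Table 3-3; the Zone segment 1.1.1.0/24 and the upstream
interface GE1/0/0 are assumptions.
"""
import ipaddress

ZONE = ipaddress.ip_network("1.1.1.0/24")   # assumed protected Zone segment
CLEANER = "10.1.2.2"                        # cleaning device GE2/0/1 (Table 3-3)
ROUTER2 = "10.1.5.2"                        # Router2 GE1/0/1 (Table 3-3)


class Router1:
    def __init__(self, pbr_enabled=True):
        # FIB entries: (prefix, next hop, egress interface). The normal path to
        # the Zone is via Router2 over GE1/0/3.
        self.fib = [(ZONE, ROUTER2, "GE1/0/3")]
        # "Configuring Router1", Step 3: packets arriving on GE1/0/2 (injection
        # interface) are redirected to Router2 before any FIB lookup.
        self.pbr = {"GE1/0/2": (ROUTER2, "GE1/0/3")} if pbr_enabled else {}

    def install_diversion(self, host):
        """Router1 learns the /32 UNR that the cleaning device imported into BGP."""
        self.fib.append((ipaddress.ip_network(f"{host}/32"), CLEANER, "GE1/0/1"))

    def withdraw_diversion(self, host):
        """The UNR is withdrawn when the diversion task ends."""
        net = ipaddress.ip_network(f"{host}/32")
        self.fib = [e for e in self.fib if e[0] != net]

    def lookup(self, dst):
        """Longest-prefix match: the /32 diversion route beats the /24 Zone route."""
        addr = ipaddress.ip_address(dst)
        matches = [e for e in self.fib if addr in e[0]]
        if not matches:
            return None
        return max(matches, key=lambda e: e[0].prefixlen)

    def forward(self, dst, ingress):
        """PBR on the ingress interface takes precedence over the FIB."""
        if ingress in self.pbr:
            return self.pbr[ingress]
        entry = self.lookup(dst)
        return (entry[1], entry[2]) if entry else None


def trace_path(router1, dst, ingress="GE1/0/0", max_hops=6):
    """Walk the hops a packet for dst takes; the path ends with 'loop' if it never leaves."""
    path = []
    for _ in range(max_hops):
        hop = router1.forward(dst, ingress)
        if hop is None:
            path.append("dropped")
            return path
        next_hop, egress = hop
        path.append(f"Router1:{egress}->{next_hop}")
        if next_hop == ROUTER2:
            path.append("Router2->Zone")
            return path
        # Cleaning device: after cleaning, its PBR rule (Step 12) sends normal
        # traffic out GE2/0/2 to Router1's GE1/0/2 (10.1.3.1).
        path.append("Cleaner:GE2/0/2->10.1.3.1")
        ingress = "GE1/0/2"
    path.append("loop")
    return path


if __name__ == "__main__":
    r1 = Router1()
    print(trace_path(r1, "1.1.1.1"))      # normal path while no diversion exists
    r1.install_diversion("1.1.1.1")
    print(trace_path(r1, "1.1.1.1"))      # diverted, cleaned, injected, delivered
    print(trace_path(r1, "1.1.1.2"))      # other hosts in the Zone are untouched
    no_pbr = Router1(pbr_enabled=False)
    no_pbr.install_diversion("1.1.1.1")
    print(trace_path(no_pbr, "1.1.1.1"))  # ends with 'loop'
```

The cleaning device's own side of the loop problem is handled by Step 9 (firewall ddos bgp-next-hop fib-filter keeps the /32 UNR out of the cleaning device's FIB) together with the default route of Step 13 and the PBR rule of Step 12; the simulation models only Router1.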
Step 11 Enable traffic statistics on the cleaning interface of the cleaning device.
[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit

Step 12 Configure PBR on GE2/0/1 of the cleaning device for traffic injection.
[AntiDDoS] policy-based-route
[AntiDDoS-policy-pbr] rule name huizhu
[AntiDDoS-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[AntiDDoS-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet 2/0/2 10.1.3.1
[AntiDDoS-policy-pbr-rule-huizhu] quit
[AntiDDoS-policy-pbr] quit

Step 13 Configure a default route for reverse route searching.
[AntiDDoS] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1

Step 14 Configure interconnection with the ATIC management center.


[AntiDDoS] firewall ddos log-local-ip 10.1.6.1
[AntiDDoS] firewall ddos log-server-ip 10.1.6.2

Step 15 Save the configuration.


<AntiDDoS> save

----End

Configuring the ATIC Management Center


Step 1 Log in to the ATIC management center for the first time.
1. Enter https://10.1.6.2 in the address bar of Internet Explorer and press Enter to access the ATIC management center.
2. Enter the user name, password, and verification code on the login page. The user name is admin, and the password is Admin@123. Click Log In.
3. Change the initial password upon the first login.

Step 2 Create an anti-DDoS device.
1. Choose Defense > Network Settings > Devices.
2. Click the create icon. Create a detecting device and a cleaning device and add the devices to the NE list.

Figure 3-7 Create an anti-DDoS device. (Screenshot not reproduced.)

3. Click OK. The detecting device and cleaning device are added to the NE list.

Step 3 Choose Defense > Policy Settings > Zone, create user-defined Zones, and configure basic
information about the Zones.
When adding NEs, select both the detecting device and cleaning device.
The Zone IP address is the IP address of the server to be protected. A Zone is created for each
type of server. For example, create gameZone for game servers, webZone for web servers, and
dnsZone for DNS servers.
Step 4 Configure a defense policy for game servers.
1. Choose Defense > Policy Settings > Zone. Click the icon corresponding to gameZone.
2. On the Defense Policy tab, click the icon in the Operation column corresponding to the default defense policy starting with basic.
3. Configure the defense policy.

Step 5 Configure a defense policy for web servers.
1. Choose Defense > Policy Settings > Zone. Click the icon corresponding to webZone.
2. On the Defense Policy tab, click the icon in the Operation column corresponding to the default defense policy starting with basic.
3. Configure the defense policy.
   As web servers carry little UDP traffic, you can directly limit the UDP traffic rate.


Step 6 Configure a defense policy for DNS servers.
1. Choose Defense > Policy Settings > Zone. Click the icon corresponding to dnsZone.
2. On the Defense Policy tab, click the icon in the Operation column corresponding to the default defense policy starting with basic.
3. Configure the defense policy.
   To protect DNS servers, you must determine the DNS server type. Authoritative DNS servers are deployed in most cases, and for them you can enable the active defense mode. If the server type is unidentified, enable the passive defense mode.


Step 7 Deploy the defense policies and save the configuration.
1. Choose Defense > Policy Settings > Zone, select the check box of a Zone, and click the deploy icon.
2. Click OK. The deployment progress is displayed, and the progress bar is automatically closed after the deployment is complete.
3. Choose Defense > Policy Settings > Global Policy, select the check box of the AntiDDoS, and click the save icon.
4. Click OK. The saving progress is displayed, and the progress bar is automatically closed after the configuration is saved.

Step 8 Choose Defense > Policy Settings > Zone. Click a specific state in the Baseline Learning column to enable the baseline learning function.
Baseline learning takes effect as long as traffic passes through the device, and no additional policy is required.


Step 9 Adjust thresholds.
If many alarms are generated after baseline learning data is applied, you need to adjust thresholds or other related parameter values:
- Change the sampling ratio to 0. That is, the device counts every packet. If a large sampling ratio is set while little traffic passes through the device, the statistical value is probably inaccurate. Generally, if the total traffic rate is less than 1 Gbit/s, the sampling ratio can be set to 0.
- View the top N traffic of a Zone (without attacks), identify the IP address with the heaviest traffic, and query the protocol-based traffic comparison for this IP address (set the statistical mode to peak value and the time range to one week). Set the defense threshold to twice the peak value of each traffic type. If a traffic peak value is small (for example, 50 pps), using the default threshold is recommended.
----End
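
The two rules of Step 9 applied to data, as an added example that is not ATIC code: the script picks the heaviest IP address from constructed weekly sample points for a Zone, takes the one-week peak of each traffic type for that address, and derives a threshold of twice the peak, falling back to the default when the peak is at or below 50 pps. The sample points, the traffic type names and the default thresholds are all constructed placeholders, not ATIC's real defaults.

```python
"""Threshold planning helper for Step 9 (adjusting thresholds after baseline learning).

Added example for this page, not ATIC code. Applies the page's two rules:
count every packet (sampling ratio 0) when the total rate is below 1 Gbit/s,
and set each traffic type's threshold to twice its one-week peak for the
heaviest IP address, keeping the default when the peak is small.
"""

SMALL_PEAK_PPS = 50  # page: a peak of about 50 pps is "small" -> keep the default
# Placeholder defaults per traffic type; not ATIC's real default thresholds.
ASSUMED_DEFAULTS_PPS = {"syn": 5000, "udp": 2000, "http": 4000}

# Constructed weekly sample points for a Zone without attacks: (ip, type, pps).
SAMPLES = [
    ("1.1.1.10", "syn", 800), ("1.1.1.10", "udp", 30), ("1.1.1.10", "http", 1500),
    ("1.1.1.10", "syn", 1200), ("1.1.1.10", "http", 900),
    ("1.1.1.20", "syn", 300), ("1.1.1.20", "udp", 40), ("1.1.1.20", "http", 400),
]


def choose_sampling_ratio(total_rate_gbps, current_ratio):
    """Below 1 Gbit/s a large sampling ratio makes the counts unreliable: use 0."""
    return 0 if total_rate_gbps < 1.0 else current_ratio


def heaviest_ip(samples):
    """Top-N view of the Zone: the address carrying the most traffic overall."""
    totals = {}
    for ip, _, pps in samples:
        totals[ip] = totals.get(ip, 0) + pps
    return max(totals, key=totals.get)


def peak_by_type(samples, ip):
    """Protocol-based comparison for one IP in 'peak value' statistical mode."""
    peaks = {}
    for sample_ip, ttype, pps in samples:
        if sample_ip == ip:
            peaks[ttype] = max(peaks.get(ttype, 0), pps)
    return peaks


def plan_thresholds(peaks, defaults=ASSUMED_DEFAULTS_PPS, small=SMALL_PEAK_PPS):
    """Return {type: (threshold_pps, rule applied)} following the page's guidance."""
    plan = {}
    for ttype, peak in peaks.items():
        if peak <= small:
            plan[ttype] = (defaults[ttype], "default (peak too small)")
        else:
            plan[ttype] = (2 * peak, "2x weekly peak")
    return plan


if __name__ == "__main__":
    ip = heaviest_ip(SAMPLES)
    for ttype, (thr, why) in plan_thresholds(peak_by_type(SAMPLES, ip)).items():
        print(f"{ip} {ttype:5s} threshold={thr} pps  [{why}]")
    print("sampling ratio for a 600 Mbit/s link:", choose_sampling_ratio(0.6, 1000))
```

Feeding the script real ATIC report exports instead of SAMPLES only requires producing the same (ip, type, pps) triples; the decision rules stay as the page states them.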

Configuring Router1
This part uses Huawei NE80E as an example to describe BGP and PBR configurations on the
router. The router configuration varies with software versions. The following configuration is
only an example for reference.
Step 1 Assign IP addresses to interfaces on Router1 (omitted).
Step 2 Configure the BGP function.
[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit

Step 3 Configure PBR on GE1/0/2.


# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip
[Router1-acl-adv-3001] quit

[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit

# Configure a traffic behavior and set a packet forwarding action.


[Router1] traffic behavior behavior1
[Router1-behavior-behavior1] redirect ip-nexthop 10.1.5.2 interface GigabitEthernet 1/0/3
[Router1-behavior-behavior1] quit

# Define a traffic policy and specify the traffic behavior for the traffic classifier in the policy.
[Router1] traffic policy policy1
[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit

# Apply the policy to the interface.


[Router1] interface GigabitEthernet 1/0/2
[Router1-GigabitEthernet1/0/2] traffic-policy policy1 inbound
[Router1-GigabitEthernet1/0/2] quit

----End

3.2.5 Configuration Scripts


Configuration script of the detecting device:
#
 sysname AntiDDoS
#
security-policy
 rule name ddos1
  action permit
#
 snmp-agent
 snmp-agent community read cipher %^%#{nd*BS2cw*LrJZYehT4Wlck;/!`T}";7
 snmp-agent community write cipher %^%#}Kf,W'WU`8O%L+Gd.MsF8yat7-Gh|EF,U^2LmL&6x&{8W$S7oBXQUY.$voYBfPWX1qvD,"'pB[W\LG7O%^%#
 snmp-agent sys-info version v2c
 snmp-agent trap enable
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
 manager-user atic
  password cipher @%@%lejNT_n+a+xqBl2)^M!6#qAGJCchPP']P$Q*Q9#d_AgEqAJ#@%@%
  service-type ssh
  level 15
#
 rsa local-key-pair create
 stelnet server enable
 ssh user atic
 ssh user atic authentication-type password
 ssh user atic service-type stelnet
#
 firewall ddos detect-spu slot 3 card 0
 firewall ddos detect-spu slot 3 card 1
#
interface GigabitEthernet2/0/1
 anti-ddos detect enable
 anti-ddos flow-statistic enable
#
interface GigabitEthernet3/0/0
 ip address 10.1.6.3 255.255.255.0
 anti-ddos detect-device manage-port enable
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet2/0/1
 add interface GigabitEthernet3/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
 firewall ddos log-local-ip 10.1.6.3
 firewall ddos log-server-ip 10.1.6.2
#

Configuration script of the cleaning device:
#
sysname AntiDDoS
#
securitypolicy
rule name ddos1
action permit
#
snmp-agent
snmp-agent community read cipher %^%#{nd*BS2cw*LrJZYehT4Wlck;/!`T}";7
snmp-agent community write cipher %^%#}Kf,W'WU`8O%L+Gd.MsF8yat7-Gh|EF,U^2LmL&6x&{8W$S7oBXQUY.$voYBfPWX1qvD,"'pB[W\LG7O%^%#
snmp-agent sys-info version all
snmp-agent trap enable
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
manager-user atic
password cipher @%@%lejNT_n+a+xqBl2)^M!6#qAGJCchPP']P$Q*Q9#d_AgEqAJ#@%@%
service-type ssh
level 15
#
rsa local-key-pair create
stelnet server enable
ssh user atic
ssh user atic authentication-type password
ssh user atic service-type stelnet
#
firewall ddos clean-spu slot 3 card 0
firewall ddos clean-spu slot 3 card 1
#
interface GigabitEthernet2/0/1
undo shutdown
ip address 10.1.2.2 255.255.255.0
anti-ddos clean enable
anti-ddos flow-statistic enable
#
interface GigabitEthernet2/0/2
vlan-type dot1q 100
ip address 10.1.3.2 24
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 10.1.6.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet2/0/1
add interface GigabitEthernet2/0/2
add interface GigabitEthernet3/0/0
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
route-policy 1 permit node 1
if-match ip-prefix EXPORT-TO-DDoS
apply community no-advertise
#
bgp 100
peer 10.1.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route unr
peer 10.1.2.1 enable
peer 10.1.2.1 route-policy 1 export
peer 10.1.2.1 advertise-community
#
policy-based-route
rule name huizhu
ingress-interface GigabitEthernet2/0/1
action pbr egress-interface GigabitEthernet2/0/2 10.1.3.1
#
ip route-static 0.0.0.0 GigabitEthernet2/0/1 10.1.2.1
#
firewall ddos bgp-next-hop fib-filter
firewall ddos bgp-next-hop 10.1.3.1
#
firewall ddos log-local-ip 10.1.6.1
firewall ddos log-server-ip 10.1.6.2
#

DDoS attack defense policies are delivered by the ATIC management center. For details about
enabled defense policies, see the ATIC management center configuration.
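The two scripts above share the same management plane (SNMP for ATIC polling, SSH-only VTY access, the log-server address) and the cleaning device adds the BGP diversion policy that tags the injected /32 with no-advertise. The following Python audit script is an added example, not part of this document or of Huawei's tooling: it parses a VRP-style script into "#"-delimited blocks and reports the settings a reviewer would check before commissioning (SNMPv1 enabled by "sys-info version all", non-SSH VTY access, an export route-policy without the no-advertise tag or a peer without advertise-community, and a missing log server). The sample configuration embedded in it is a constructed condensation of the cleaning-device script with the cipher text replaced by a placeholder.

```python
"""Audit a VRP-style anti-DDoS configuration script for a few security-relevant settings.

Added example: the checks and SAMPLE_CONFIG are constructed for this page; they are not
Huawei tooling and the sample is a condensed copy of the cleaning-device script above
with a placeholder in place of the community cipher text.
"""
import re

SAMPLE_CONFIG = """\
#
sysname AntiDDoS
#
snmp-agent
snmp-agent community read cipher %^%#PLACEHOLDER%^%#
snmp-agent sys-info version all
snmp-agent trap enable
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
route-policy 1 permit node 1
if-match ip-prefix EXPORT-TO-DDoS
apply community no-advertise
#
bgp 100
peer 10.1.2.1 as-number 100
#
ipv4-family unicast
peer 10.1.2.1 enable
peer 10.1.2.1 route-policy 1 export
peer 10.1.2.1 advertise-community
#
firewall ddos log-local-ip 10.1.6.1
firewall ddos log-server-ip 10.1.6.2
#
"""


def split_blocks(text):
    """Split a VRP script on '#' separator lines into lists of stripped, non-empty lines."""
    blocks, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def audit(text):
    """Return a list of finding strings; an empty list means every check passed."""
    blocks = split_blocks(text)
    lines = [l for b in blocks for l in b]
    findings = []

    # SNMP: 'version all' (or an explicit v1) enables SNMPv1, whose community string is the
    # only credential and travels in clear text; v2c is what the detecting device uses.
    for l in lines:
        m = re.match(r"snmp-agent sys-info version (.+)$", l)
        if m and ({"all", "v1"} & set(m.group(1).split())):
            findings.append(f"snmp: v1 enabled by '{l}'")

    # VTY: the only inbound management protocol should be SSH.
    for b in blocks:
        if b[0].startswith("user-interface vty"):
            protos = [l.split()[-1] for l in b if l.startswith("protocol inbound ")]
            if protos != ["ssh"]:
                findings.append(f"vty: inbound protocols {protos} (want ['ssh'])")

    # BGP diversion: the route-policy exported to the peer must tag the diverted /32 with
    # no-advertise, and the peer must have advertise-community or the tag is never sent.
    no_adv, current = set(), None
    for l in lines:
        m = re.match(r"route-policy (\S+) ", l)
        if m:
            current = m.group(1)
        elif l == "apply community no-advertise" and current:
            no_adv.add(current)
    exports, advertise = {}, set()
    for l in lines:
        m = re.match(r"peer (\S+) route-policy (\S+) export$", l)
        if m:
            exports[m.group(1)] = m.group(2)
        m = re.match(r"peer (\S+) advertise-community$", l)
        if m:
            advertise.add(m.group(1))
    for peer, pol in exports.items():
        if pol not in no_adv:
            findings.append(f"bgp: export policy {pol} to {peer} lacks 'apply community no-advertise'")
        if peer not in advertise:
            findings.append(f"bgp: peer {peer} has no 'advertise-community'; no-advertise is not sent")
    if not exports:
        findings.append("bgp: no export route-policy bound to any peer")

    # Logging: without a log server the ATIC management center receives no traffic logs.
    if not any(l.startswith("firewall ddos log-server-ip ") for l in lines):
        findings.append("logging: no 'firewall ddos log-server-ip' configured")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the SNMP finding, because the cleaning-device script enables all SNMP versions where the detecting device pins v2c; changing that line to "version v2c" clears the report, and removing "apply community no-advertise" from route-policy 1 produces the BGP finding instead. The parser is deliberately line-oriented, since VRP's configuration display is already one command per line and the "#" separators are the only structure it needs.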

3.2.6 Commissioning
After the configuration is complete, you can do as follows to commission the result:
1. Perform ping tests using test IP addresses. The ping tests succeed.
2. Create a static traffic diversion task.
3. Initiate ping tests to destination IP addresses.
l If the ping tests succeed, run the display firewall session table command to view session entries. If the ping session table exists, traffic injection succeeds.
l If the ping tests fail:
a. Initiate a tracert test on the client to identify the packet discard point.
b. If the router discards packets, check the route through which the injected traffic is forwarded.
c. If the cleaning device discards packets, run the display firewall statistic system discarded command to view the number of discarded packets and packet discarding causes, and contact R&D engineers for support.
4. Construct attack traffic (SYN flood traffic is used as an example) and configure a corresponding defense policy.
5. Choose Report > Report > Traffic Analysis and view the ATIC traffic comparison report.
l If the traffic curve is normal, logs are properly transmitted between the ATIC management center and the device, and reports can be correctly exported.
l If the query result is empty, perform troubleshooting according to HUAWEI AntiDDoS Maintenance Guide.