Configuração do BIG-IP
- (Exemplo de Route Domain 0)
Todos os comandos abaixo são executados no tmsh no BIG-IP. Ajuste os nomes dos objetos e os IPs conforme necessário.
Para a configuração geral de túnel GRE no BIG-IP, consulte Configuring a GRE Tunnel Using BIG-IP. Para a configuração inicial de roteamento com a Cloud, consulte K000147949.
[root@bigip:Active]# tmshroot@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)#Self IPs Externos
Seção intitulada “Self IPs Externos”Endpoints GRE
Estes são os IPs em cada unidade BIG-IP utilizados como endpoints
de túnel GRE, tipicamente na VLAN externa. Cada unidade possui seu próprio
self IP externo não flutuante (traffic-group-local-only):
BIG-IP-A:
create net self xc-ddos-v4-self-a \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_A_OUTER_V4x/24
create net self xc-ddos-v6-self-a \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_A_OUTER_V6x/64BIG-IP-B:
create net self xc-ddos-v4-self-b \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_B_OUTER_V4x/24
create net self xc-ddos-v6-self-b \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_B_OUTER_V6x/64Túneis GRE
Seção intitulada “Túneis GRE”Cada túnel aponta de uma unidade BIG-IP para um endpoint de centro de limpeza (scrubbing center) da Cloud. Crie dois túneis por unidade (um para cada centro de limpeza localizado geograficamente) para um total de quatro túneis lógicos no par de alta disponibilidade:
Túnel C1-T1 — BIG-IP-A para xCENTER_1x:
create net tunnels tunnel xc-ddos-c1t1-v4 \ local-address xBIGIP_A_OUTER_V4x \ profile gre \ remote-address xXC_C1_OUTER_V4x
create net tunnels tunnel xc-ddos-c1t1-v6 \ local-address xBIGIP_A_OUTER_V6x \ profile gre \ remote-address xXC_C1_OUTER_V6xTúnel C2-T1 — BIG-IP-A para xCENTER_2x:
create net tunnels tunnel xc-ddos-c2t1-v4 \ local-address xBIGIP_A_OUTER_V4x \ profile gre \ remote-address xXC_C2_OUTER_V4x
create net tunnels tunnel xc-ddos-c2t1-v6 \ local-address xBIGIP_A_OUTER_V6x \ profile gre \ remote-address xXC_C2_OUTER_V6xTúnel C1-T2 — BIG-IP-B para xCENTER_1x:
create net tunnels tunnel xc-ddos-c1t2-v4 \ local-address xBIGIP_B_OUTER_V4x \ profile gre \ remote-address xXC_C1_OUTER_V4x
create net tunnels tunnel xc-ddos-c1t2-v6 \ local-address xBIGIP_B_OUTER_V6x \ profile gre \ remote-address xXC_C1_OUTER_V6xTúnel C2-T2 — BIG-IP-B para xCENTER_2x:
create net tunnels tunnel xc-ddos-c2t2-v4 \ local-address xBIGIP_B_OUTER_V4x \ profile gre \ remote-address xXC_C2_OUTER_V4x
create net tunnels tunnel xc-ddos-c2t2-v6 \ local-address xBIGIP_B_OUTER_V6x \ profile gre \ remote-address xXC_C2_OUTER_V6xOs nomes dos túneis (xc-ddos-c1t1-v4, etc.) são arbitrários; utilize sua própria
convenção de nomenclatura.
Definir MTU do túnel
Seção intitulada “Definir MTU do túnel”O encapsulamento GRE adiciona sobrecarga (24 bytes para o cabeçalho externo IPv4, 44 bytes para o cabeçalho externo IPv6). Sem um MTU explícito, pacotes próximos a 1500 bytes serão fragmentados ou descartados. Defina o MTU do túnel para considerar a sobrecarga do encapsulamento:
modify net tunnels tunnel xc-ddos-c1t1-v4 mtu 1476modify net tunnels tunnel xc-ddos-c1t1-v6 mtu 1456modify net tunnels tunnel xc-ddos-c1t2-v4 mtu 1476modify net tunnels tunnel xc-ddos-c1t2-v6 mtu 1456modify net tunnels tunnel xc-ddos-c2t1-v4 mtu 1476modify net tunnels tunnel xc-ddos-c2t1-v6 mtu 1456modify net tunnels tunnel xc-ddos-c2t2-v4 mtu 1476modify net tunnels tunnel xc-ddos-c2t2-v6 mtu 1456Anti-spoofing GRE (ACLs upstream)
Seção intitulada “Anti-spoofing GRE (ACLs upstream)”O GRE (protocolo IP 47) não fornece autenticação. Qualquer pessoa que conheça o par de IPs externos pode injetar tráfego no túnel. Aplique ACLs no roteador ou firewall upstream para restringir o GRE de entrada apenas aos IPs de origem dos centros de limpeza da Cloud esperados:
! Example upstream router ACL (Cisco IOS style)ip access-list extended ALLOW-XC-GRE permit gre host xXC_C1_OUTER_V4x host xBIGIP_A_OUTER_V4x permit gre host xXC_C2_OUTER_V4x host xBIGIP_A_OUTER_V4x permit gre host xXC_C1_OUTER_V4x host xBIGIP_B_OUTER_V4x permit gre host xXC_C2_OUTER_V4x host xBIGIP_B_OUTER_V4x deny gre any host xBIGIP_A_OUTER_V4x log deny gre any host xBIGIP_B_OUTER_V4x logSelf IPs Internos (peering BGP)
Seção intitulada “Self IPs Internos (peering BGP)”Atribua endereços IP internos (dentro do túnel GRE) que formarão a
sessão BGP com a Cloud. O allow-service deve
incluir tcp:179 (BGP) para que a sessão de peering seja estabelecida. Adicionar
icmp:any nos self IPs internos habilita o PMTUD e os testes de
acessibilidade através do túnel:
Túnel C1-T1 — BIG-IP-A para xCENTER_1x:
create net self xc-ddos-c1t1-inner-v4 \ vlan xc-ddos-c1t1-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T1_INNER_V4x/30
create net self xc-ddos-c1t1-inner-v6 \ vlan xc-ddos-c1t1-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T1_INNER_V6x/64Túnel C2-T1 — BIG-IP-A para xCENTER_2x:
create net self xc-ddos-c2t1-inner-v4 \ vlan xc-ddos-c2t1-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T1_INNER_V4x/30
create net self xc-ddos-c2t1-inner-v6 \ vlan xc-ddos-c2t1-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T1_INNER_V6x/64Túnel C1-T2 — BIG-IP-B para xCENTER_1x:
create net self xc-ddos-c1t2-inner-v4 \ vlan xc-ddos-c1t2-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T2_INNER_V4x/30
create net self xc-ddos-c1t2-inner-v6 \ vlan xc-ddos-c1t2-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T2_INNER_V6x/64Túnel C2-T2 — BIG-IP-B para xCENTER_2x:
create net self xc-ddos-c2t2-inner-v4 \ vlan xc-ddos-c2t2-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T2_INNER_V4x/30
create net self xc-ddos-c2t2-inner-v6 \ vlan xc-ddos-c2t2-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T2_INNER_V6x/64Utilize o imish para configurar o BGP para o Route Domain 0.
-
Entre no imish para RD 0:
bash tmsh run /util imish -r 0 -
Entre nos modos privilegiado e de configuração:
imish localhost.localdomain[0]> enablelocalhost.localdomain[0]# configure terminal -
Exemplo de configuração BGP:
BIG-IP-A (router-id xBIGIP_A_OUTER_V4x, vizinhos C1-T1 + C2-T1):
router bgp xCUSTOMER_ASNx no synchronization bgp log-neighbor-changes no auto-summary bgp router-id xBIGIP_A_OUTER_V4x bgp graceful-restart restart-time 120 redistribute kernel route-map route-to-cloud-ipv4
neighbor cloud peer-group neighbor cloud remote-as xF5_XC_ASNx neighbor cloud description cloud-peer-group neighbor cloud password xBGP_PASSWORDx neighbor cloud timers 10 30 neighbor cloud soft-reconfiguration inbound neighbor cloud version 4 neighbor cloud capability graceful-restart neighbor cloud send-community neighbor cloud ttl-security hops 1 neighbor cloud maximum-prefix 10 warning-only neighbor cloud prefix-list deny-all in neighbor cloud prefix-list route-to-cloud-ipv4 out
neighbor xXC_C1_T1_INNER_V4x peer-group cloud neighbor xXC_C1_T1_INNER_V4x description cloud-c1-t1-v4
neighbor xXC_C2_T1_INNER_V4x peer-group cloud neighbor xXC_C2_T1_INNER_V4x description cloud-c2-t1-v4
address-family ipv6 redistribute kernel route-map route-to-cloud-ipv6 neighbor cloud activate neighbor cloud soft-reconfiguration inbound neighbor cloud capability graceful-restart neighbor cloud prefix-list deny-all6 in neighbor cloud prefix-list route-to-cloud-ipv6 out neighbor xXC_C1_T1_INNER_V6x peer-group cloud neighbor xXC_C1_T1_INNER_V6x description cloud-c1-t1-v6 neighbor xXC_C2_T1_INNER_V6x peer-group cloud neighbor xXC_C2_T1_INNER_V6x description cloud-c2-t1-v6 exit-address-family
ip prefix-list deny-all deny 0.0.0.0/0 le 32ip prefix-list route-to-cloud-ipv4 permit xPROTECTED_PREFIX_V4x
ipv6 prefix-list deny-all6 deny ::/0 le 128ipv6 prefix-list route-to-cloud-ipv6 permit xPROTECTED_PREFIX_V6x
ip route xPROTECTED_NET_V4x xPROTECTED_MASK_V4x null0 201ipv6 route xPROTECTED_PREFIX_V6x null0 201
route-map route-to-cloud-ipv4 permit 10 match ip address prefix-list route-to-cloud-ipv4 set origin igp
route-map route-to-cloud-ipv6 permit 10 match ipv6 address prefix-list route-to-cloud-ipv6 set origin igpBIG-IP-B (router-id xBIGIP_B_OUTER_V4x, vizinhos C1-T2 + C2-T2):
router bgp xCUSTOMER_ASNx no synchronization bgp log-neighbor-changes no auto-summary bgp router-id xBIGIP_B_OUTER_V4x bgp graceful-restart restart-time 120 redistribute kernel route-map route-to-cloud-ipv4
neighbor cloud peer-group neighbor cloud remote-as xF5_XC_ASNx neighbor cloud description cloud-peer-group neighbor cloud password xBGP_PASSWORDx neighbor cloud timers 10 30 neighbor cloud soft-reconfiguration inbound neighbor cloud version 4 neighbor cloud capability graceful-restart neighbor cloud send-community neighbor cloud ttl-security hops 1 neighbor cloud maximum-prefix 10 warning-only neighbor cloud prefix-list deny-all in neighbor cloud prefix-list route-to-cloud-ipv4 out
neighbor xXC_C1_T2_INNER_V4x peer-group cloud neighbor xXC_C1_T2_INNER_V4x description cloud-c1-t2-v4
neighbor xXC_C2_T2_INNER_V4x peer-group cloud neighbor xXC_C2_T2_INNER_V4x description cloud-c2-t2-v4
address-family ipv6 redistribute kernel route-map route-to-cloud-ipv6 neighbor cloud activate neighbor cloud soft-reconfiguration inbound neighbor cloud capability graceful-restart neighbor cloud prefix-list deny-all6 in neighbor cloud prefix-list route-to-cloud-ipv6 out neighbor xXC_C1_T2_INNER_V6x peer-group cloud neighbor xXC_C1_T2_INNER_V6x description cloud-c1-t2-v6 neighbor xXC_C2_T2_INNER_V6x peer-group cloud neighbor xXC_C2_T2_INNER_V6x description cloud-c2-t2-v6 exit-address-family
ip prefix-list deny-all deny 0.0.0.0/0 le 32ip prefix-list route-to-cloud-ipv4 permit xPROTECTED_PREFIX_V4x
ipv6 prefix-list deny-all6 deny ::/0 le 128ipv6 prefix-list route-to-cloud-ipv6 permit xPROTECTED_PREFIX_V6x
ip route xPROTECTED_NET_V4x xPROTECTED_MASK_V4x null0 201ipv6 route xPROTECTED_PREFIX_V6x null0 201
route-map route-to-cloud-ipv4 permit 10 match ip address prefix-list route-to-cloud-ipv4 set origin igp
route-map route-to-cloud-ipv6 permit 10 match ipv6 address prefix-list route-to-cloud-ipv6 set origin igpExplicação das principais configurações BGP:
timers 10 30— Keepalive a cada 10 s, hold time de 30 s. O padrão (60 / 180) é muito lento para o failover de mitigação de DDoS. Coordene os valores dos timers com o SOC para que ambos os lados estejam sincronizados.ttl-security hops 1— Habilita o GTSM (RFC 5082). Como as sessões BGP são de salto único sobre o túnel GRE, isso impede o spoofing remoto de BGP ao exigir TTL = 255 nos pacotes BGP recebidos.maximum-prefix 10 warning-only— Salvaguarda de defesa em profundidade. Mesmo que a prefix-list de entrada negue todas as rotas, isso gera um aviso caso o par envie prefixos inesperadamente.redistribute kernel— Injeta as rotas estáticasnull0no BGP por meio do route-map. Uma alternativa é utilizar declaraçõesnetworkexplícitas (por exemplo,network xPROTECTED_PREFIX_V4x), que são mais precisas porque apenas o prefixo exato é anunciado, independentemente de outras rotas do kernel. Ambas as abordagens funcionam;redistribute kernelcom um route-map restrito é apresentado aqui por sua flexibilidade.
As rotas estáticas null0 com distância administrativa maior (201)
garantem que os prefixos existam na tabela de roteamento do kernel, para que possam
ser redistribuídos para a Cloud via BGP sem afetar o
roteamento normal em condições sem ataque. Caso o prefixo protegido
já exista na tabela de roteamento a partir de outra origem com uma distância
administrativa menor, a rota null0 não estará ativa e a
redistribuição poderá falhar — verifique com show ip route após a
configuração.