BIG-IP 配置
BIG-IP
Section titled “BIG-IP”- (路由域 0 示例)
以下所有命令均在 BIG-IP 的 tmsh 中执行。请根据需要调整对象名称和 IP 地址。
有关 BIG-IP 上 GRE 隧道的常规配置,请参阅 使用 BIG-IP 配置 GRE 隧道。有关与云端的初始路由配置设置,请参阅 K000147949。
[root@bigip:Active]# tmshroot@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)#外部自身 IP
Section titled “外部自身 IP”GRE 端点
以下 IP 是每台 BIG-IP 设备上用作 GRE 隧道端点的地址,通常位于外部 VLAN 上。每台设备拥有各自独立的非浮动外部自身 IP(traffic-group-local-only):
BIG-IP-A:
create net self xc-ddos-v4-self-a \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_A_OUTER_V4x/24
create net self xc-ddos-v6-self-a \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_A_OUTER_V6x/64BIG-IP-B:
create net self xc-ddos-v4-self-b \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_B_OUTER_V4x/24
create net self xc-ddos-v6-self-b \ vlan external \ traffic-group traffic-group-local-only \ allow-service add { icmp:any gre:any } \ address xBIGIP_B_OUTER_V6x/64GRE 隧道
Section titled “GRE 隧道”每条隧道从一台 BIG-IP 设备指向一个云清洗中心端点。每台设备创建两条隧道(分别指向两个地理位置不同的清洗中心),整个 HA 对共计 四条逻辑隧道:
隧道 C1-T1 — BIG-IP-A 至 xCENTER_1x:
create net tunnels tunnel xc-ddos-c1t1-v4 \ local-address xBIGIP_A_OUTER_V4x \ profile gre \ remote-address xXC_C1_OUTER_V4x
create net tunnels tunnel xc-ddos-c1t1-v6 \ local-address xBIGIP_A_OUTER_V6x \ profile gre \ remote-address xXC_C1_OUTER_V6x隧道 C2-T1 — BIG-IP-A 至 xCENTER_2x:
create net tunnels tunnel xc-ddos-c2t1-v4 \ local-address xBIGIP_A_OUTER_V4x \ profile gre \ remote-address xXC_C2_OUTER_V4x
create net tunnels tunnel xc-ddos-c2t1-v6 \ local-address xBIGIP_A_OUTER_V6x \ profile gre \ remote-address xXC_C2_OUTER_V6x隧道 C1-T2 — BIG-IP-B 至 xCENTER_1x:
create net tunnels tunnel xc-ddos-c1t2-v4 \ local-address xBIGIP_B_OUTER_V4x \ profile gre \ remote-address xXC_C1_OUTER_V4x
create net tunnels tunnel xc-ddos-c1t2-v6 \ local-address xBIGIP_B_OUTER_V6x \ profile gre \ remote-address xXC_C1_OUTER_V6x隧道 C2-T2 — BIG-IP-B 至 xCENTER_2x:
create net tunnels tunnel xc-ddos-c2t2-v4 \ local-address xBIGIP_B_OUTER_V4x \ profile gre \ remote-address xXC_C2_OUTER_V4x
create net tunnels tunnel xc-ddos-c2t2-v6 \ local-address xBIGIP_B_OUTER_V6x \ profile gre \ remote-address xXC_C2_OUTER_V6x隧道名称(xc-ddos-c1t1-v4 等)可自由定义,请使用您自己的命名规范。
设置隧道 MTU
Section titled “设置隧道 MTU”GRE 封装会增加额外开销(IPv4 外层 24 字节,IPv6 外层 44 字节)。若未显式设置 MTU,接近 1500 字节的数据包将发生分片或被丢弃。请设置隧道 MTU 以计入封装开销:
modify net tunnels tunnel xc-ddos-c1t1-v4 mtu 1476modify net tunnels tunnel xc-ddos-c1t1-v6 mtu 1456modify net tunnels tunnel xc-ddos-c1t2-v4 mtu 1476modify net tunnels tunnel xc-ddos-c1t2-v6 mtu 1456modify net tunnels tunnel xc-ddos-c2t1-v4 mtu 1476modify net tunnels tunnel xc-ddos-c2t1-v6 mtu 1456modify net tunnels tunnel xc-ddos-c2t2-v4 mtu 1476modify net tunnels tunnel xc-ddos-c2t2-v6 mtu 1456GRE 防欺骗(上行 ACL)
Section titled “GRE 防欺骗(上行 ACL)”GRE(IP 协议 47)不提供身份验证。任何知悉外层 IP 对的人均可向隧道注入流量。请在上行路由器或防火墙上应用 ACL,将入站 GRE 流量限制为仅来自预期云清洗中心源 IP:
! 上行路由器 ACL 示例(Cisco IOS 风格)ip access-list extended ALLOW-XC-GRE permit gre host xXC_C1_OUTER_V4x host xBIGIP_A_OUTER_V4x permit gre host xXC_C2_OUTER_V4x host xBIGIP_A_OUTER_V4x permit gre host xXC_C1_OUTER_V4x host xBIGIP_B_OUTER_V4x permit gre host xXC_C2_OUTER_V4x host xBIGIP_B_OUTER_V4x deny gre any host xBIGIP_A_OUTER_V4x log deny gre any host xBIGIP_B_OUTER_V4x log内部自身 IP(BGP 对等)
Section titled “内部自身 IP(BGP 对等)”为 GRE 隧道内部分配内部 IP 地址,这些地址将与云端建立 BGP 会话。allow-service 必须包含 tcp:179(BGP),以便对等会话建立。在内部自身 IP 上添加 icmp:any 可通过隧道启用 PMTUD 和可达性测试:
隧道 C1-T1 — BIG-IP-A 至 xCENTER_1x:
create net self xc-ddos-c1t1-inner-v4 \ vlan xc-ddos-c1t1-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T1_INNER_V4x/30
create net self xc-ddos-c1t1-inner-v6 \ vlan xc-ddos-c1t1-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T1_INNER_V6x/64隧道 C2-T1 — BIG-IP-A 至 xCENTER_2x:
create net self xc-ddos-c2t1-inner-v4 \ vlan xc-ddos-c2t1-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T1_INNER_V4x/30
create net self xc-ddos-c2t1-inner-v6 \ vlan xc-ddos-c2t1-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T1_INNER_V6x/64隧道 C1-T2 — BIG-IP-B 至 xCENTER_1x:
create net self xc-ddos-c1t2-inner-v4 \ vlan xc-ddos-c1t2-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T2_INNER_V4x/30
create net self xc-ddos-c1t2-inner-v6 \ vlan xc-ddos-c1t2-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C1_T2_INNER_V6x/64隧道 C2-T2 — BIG-IP-B 至 xCENTER_2x:
create net self xc-ddos-c2t2-inner-v4 \ vlan xc-ddos-c2t2-v4 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T2_INNER_V4x/30
create net self xc-ddos-c2t2-inner-v6 \ vlan xc-ddos-c2t2-v6 \ traffic-group traffic-group-local-only \ allow-service add { tcp:179 icmp:any } \ address xBIGIP_C2_T2_INNER_V6x/64使用 imish 为路由域 0 配置 BGP。
-
进入 RD 0 的 imish:
bash tmsh run /util imish -r 0 -
进入特权模式和配置模式:
imish localhost.localdomain[0]> enablelocalhost.localdomain[0]# configure terminal -
BGP 配置示例:
BIG-IP-A(router-id xBIGIP_A_OUTER_V4x,邻居 C1-T1 + C2-T1):
router bgp xCUSTOMER_ASNx no synchronization bgp log-neighbor-changes no auto-summary bgp router-id xBIGIP_A_OUTER_V4x bgp graceful-restart restart-time 120 redistribute kernel route-map route-to-cloud-ipv4
neighbor cloud peer-group neighbor cloud remote-as xF5_XC_ASNx neighbor cloud description cloud-peer-group neighbor cloud password xBGP_PASSWORDx neighbor cloud timers 10 30 neighbor cloud soft-reconfiguration inbound neighbor cloud version 4 neighbor cloud capability graceful-restart neighbor cloud send-community neighbor cloud ttl-security hops 1 neighbor cloud maximum-prefix 10 warning-only neighbor cloud prefix-list deny-all in neighbor cloud prefix-list route-to-cloud-ipv4 out
neighbor xXC_C1_T1_INNER_V4x peer-group cloud neighbor xXC_C1_T1_INNER_V4x description cloud-c1-t1-v4
neighbor xXC_C2_T1_INNER_V4x peer-group cloud neighbor xXC_C2_T1_INNER_V4x description cloud-c2-t1-v4
address-family ipv6 redistribute kernel route-map route-to-cloud-ipv6 neighbor cloud activate neighbor cloud soft-reconfiguration inbound neighbor cloud capability graceful-restart neighbor cloud prefix-list deny-all6 in neighbor cloud prefix-list route-to-cloud-ipv6 out neighbor xXC_C1_T1_INNER_V6x peer-group cloud neighbor xXC_C1_T1_INNER_V6x description cloud-c1-t1-v6 neighbor xXC_C2_T1_INNER_V6x peer-group cloud neighbor xXC_C2_T1_INNER_V6x description cloud-c2-t1-v6 exit-address-family
ip prefix-list deny-all deny 0.0.0.0/0 le 32ip prefix-list route-to-cloud-ipv4 permit xPROTECTED_PREFIX_V4x
ipv6 prefix-list deny-all6 deny ::/0 le 128ipv6 prefix-list route-to-cloud-ipv6 permit xPROTECTED_PREFIX_V6x
ip route xPROTECTED_NET_V4x xPROTECTED_MASK_V4x null0 201ipv6 route xPROTECTED_PREFIX_V6x null0 201
route-map route-to-cloud-ipv4 permit 10 match ip address prefix-list route-to-cloud-ipv4 set origin igp
route-map route-to-cloud-ipv6 permit 10 match ipv6 address prefix-list route-to-cloud-ipv6 set origin igpBIG-IP-B(router-id xBIGIP_B_OUTER_V4x,邻居 C1-T2 + C2-T2):
router bgp xCUSTOMER_ASNx no synchronization bgp log-neighbor-changes no auto-summary bgp router-id xBIGIP_B_OUTER_V4x bgp graceful-restart restart-time 120 redistribute kernel route-map route-to-cloud-ipv4
neighbor cloud peer-group neighbor cloud remote-as xF5_XC_ASNx neighbor cloud description cloud-peer-group neighbor cloud password xBGP_PASSWORDx neighbor cloud timers 10 30 neighbor cloud soft-reconfiguration inbound neighbor cloud version 4 neighbor cloud capability graceful-restart neighbor cloud send-community neighbor cloud ttl-security hops 1 neighbor cloud maximum-prefix 10 warning-only neighbor cloud prefix-list deny-all in neighbor cloud prefix-list route-to-cloud-ipv4 out
neighbor xXC_C1_T2_INNER_V4x peer-group cloud neighbor xXC_C1_T2_INNER_V4x description cloud-c1-t2-v4
neighbor xXC_C2_T2_INNER_V4x peer-group cloud neighbor xXC_C2_T2_INNER_V4x description cloud-c2-t2-v4
address-family ipv6 redistribute kernel route-map route-to-cloud-ipv6 neighbor cloud activate neighbor cloud soft-reconfiguration inbound neighbor cloud capability graceful-restart neighbor cloud prefix-list deny-all6 in neighbor cloud prefix-list route-to-cloud-ipv6 out neighbor xXC_C1_T2_INNER_V6x peer-group cloud neighbor xXC_C1_T2_INNER_V6x description cloud-c1-t2-v6 neighbor xXC_C2_T2_INNER_V6x peer-group cloud neighbor xXC_C2_T2_INNER_V6x description cloud-c2-t2-v6 exit-address-family
ip prefix-list deny-all deny 0.0.0.0/0 le 32ip prefix-list route-to-cloud-ipv4 permit xPROTECTED_PREFIX_V4x
ipv6 prefix-list deny-all6 deny ::/0 le 128ipv6 prefix-list route-to-cloud-ipv6 permit xPROTECTED_PREFIX_V6x
ip route xPROTECTED_NET_V4x xPROTECTED_MASK_V4x null0 201ipv6 route xPROTECTED_PREFIX_V6x null0 201
route-map route-to-cloud-ipv4 permit 10 match ip address prefix-list route-to-cloud-ipv4 set origin igp
route-map route-to-cloud-ipv6 permit 10 match ipv6 address prefix-list route-to-cloud-ipv6 set origin igp关键 BGP 设置说明:
timers 10 30— 每 10 秒发送一次 Keepalive,保持时间 30 秒。默认值(60/180)对于 DDoS 缓解故障切换而言响应过慢。请与 SOC 协调计时器值以确保两端一致。ttl-security hops 1— 启用 GTSM(RFC 5082)。由于 BGP 会话通过 GRE 隧道进行单跳通信,此设置通过要求入站 BGP 数据包的 TTL 值为 255 来防止远程 BGP 欺骗。maximum-prefix 10 warning-only— 纵深防御保障措施。尽管入站前缀列表已拒绝所有路由,但若对等方意外发送前缀,此设置将生成警告。redistribute kernel— 通过路由映射将null0静态路由注入 BGP。另一种方法是使用显式network语句(例如network xPROTECTED_PREFIX_V4x),该方式更为精确,因为无论其他内核路由如何,只有精确匹配的前缀才会被通告。两种方法均可使用;此处展示的是配合严格路由映射的redistribute kernel方式,以提供更大的灵活性。
管理距离较高(201)的 null0 静态路由确保前缀存在于内核路由表中,从而可通过 BGP 将其重新分发至云端,同时不影响非攻击状态下的正常路由。如果受保护前缀已通过其他来源以更低管理距离存在于路由表中,则 null0 路由将不会激活,重新分发可能失败——配置完成后请通过 show ip route 进行验证。