# BIG-IP configuration

## BIG-IP (routing domain 0 example)

All of the commands below are executed in tmsh on the BIG-IP. Adjust object names and IP addresses to suit your environment.

For general GRE tunnel setup on BIG-IP, see Configuring a GRE Tunnel Using BIG-IP. For the initial routing configuration for Cloud, see K000147949.
```bash
[root@bigip:Active]# tmsh
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)#
```

## External self IPs

### GRE endpoints
These are the IPs on each BIG-IP device that serve as the GRE tunnel endpoints, normally on the external VLAN. Each device has its own dedicated, non-floating external self IP (traffic-group-local-only):

BIG-IP-A:

```
create net self xc-ddos-v4-self-a \
    vlan external \
    traffic-group traffic-group-local-only \
    allow-service add { icmp:any gre:any } \
    address xBIGIP_A_OUTER_V4x/24
create net self xc-ddos-v6-self-a \
    vlan external \
    traffic-group traffic-group-local-only \
    allow-service add { icmp:any gre:any } \
    address xBIGIP_A_OUTER_V6x/64
```

BIG-IP-B:

```
create net self xc-ddos-v4-self-b \
    vlan external \
    traffic-group traffic-group-local-only \
    allow-service add { icmp:any gre:any } \
    address xBIGIP_B_OUTER_V4x/24
create net self xc-ddos-v6-self-b \
    vlan external \
    traffic-group traffic-group-local-only \
    allow-service add { icmp:any gre:any } \
    address xBIGIP_B_OUTER_V6x/64
```

## GRE tunnels

Each tunnel runs from one BIG-IP device to one Cloud scrubbing-center endpoint. Each device creates two tunnels (one to each geographically separate scrubbing center), so the HA pair has four logical tunnels in total:
Tunnel C1-T1 (BIG-IP-A to xCENTER_1x):

```
create net tunnels tunnel xc-ddos-c1t1-v4 \
    local-address xBIGIP_A_OUTER_V4x \
    profile gre \
    remote-address xXC_C1_OUTER_V4x
create net tunnels tunnel xc-ddos-c1t1-v6 \
    local-address xBIGIP_A_OUTER_V6x \
    profile gre \
    remote-address xXC_C1_OUTER_V6x
```

Tunnel C2-T1 (BIG-IP-A to xCENTER_2x):

```
create net tunnels tunnel xc-ddos-c2t1-v4 \
    local-address xBIGIP_A_OUTER_V4x \
    profile gre \
    remote-address xXC_C2_OUTER_V4x
create net tunnels tunnel xc-ddos-c2t1-v6 \
    local-address xBIGIP_A_OUTER_V6x \
    profile gre \
    remote-address xXC_C2_OUTER_V6x
```

Tunnel C1-T2 (BIG-IP-B to xCENTER_1x):

```
create net tunnels tunnel xc-ddos-c1t2-v4 \
    local-address xBIGIP_B_OUTER_V4x \
    profile gre \
    remote-address xXC_C1_OUTER_V4x
create net tunnels tunnel xc-ddos-c1t2-v6 \
    local-address xBIGIP_B_OUTER_V6x \
    profile gre \
    remote-address xXC_C1_OUTER_V6x
```

Tunnel C2-T2 (BIG-IP-B to xCENTER_2x):

```
create net tunnels tunnel xc-ddos-c2t2-v4 \
    local-address xBIGIP_B_OUTER_V4x \
    profile gre \
    remote-address xXC_C2_OUTER_V4x
create net tunnels tunnel xc-ddos-c2t2-v6 \
    local-address xBIGIP_B_OUTER_V6x \
    profile gre \
    remote-address xXC_C2_OUTER_V6x
```

The tunnel names (xc-ddos-c1t1-v4 and so on) are arbitrary; use your own naming convention.
## Setting the tunnel MTU

GRE encapsulation adds overhead (24 bytes with an IPv4 outer header, 44 bytes with an IPv6 outer header). If the MTU is not set explicitly, packets close to 1500 bytes will be fragmented or dropped. Set the tunnel MTU to account for the encapsulation overhead:

```
modify net tunnels tunnel xc-ddos-c1t1-v4 mtu 1476
modify net tunnels tunnel xc-ddos-c1t1-v6 mtu 1456
modify net tunnels tunnel xc-ddos-c1t2-v4 mtu 1476
modify net tunnels tunnel xc-ddos-c1t2-v6 mtu 1456
modify net tunnels tunnel xc-ddos-c2t1-v4 mtu 1476
modify net tunnels tunnel xc-ddos-c2t1-v6 mtu 1456
modify net tunnels tunnel xc-ddos-c2t2-v4 mtu 1476
modify net tunnels tunnel xc-ddos-c2t2-v6 mtu 1456
```

## GRE anti-spoofing (upstream ACL)
GRE (IP protocol 47) provides no authentication. Anyone who knows the outer IP pair can inject traffic into the tunnel. Apply an ACL on the upstream router or firewall so that inbound GRE is accepted only from the expected Cloud scrubbing-center source IPs:
```
! Example upstream router ACL (Cisco IOS style)
ip access-list extended ALLOW-XC-GRE
 permit gre host xXC_C1_OUTER_V4x host xBIGIP_A_OUTER_V4x
 permit gre host xXC_C2_OUTER_V4x host xBIGIP_A_OUTER_V4x
 permit gre host xXC_C1_OUTER_V4x host xBIGIP_B_OUTER_V4x
 permit gre host xXC_C2_OUTER_V4x host xBIGIP_B_OUTER_V4x
 deny gre any host xBIGIP_A_OUTER_V4x log
 deny gre any host xBIGIP_B_OUTER_V4x log
```
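As an added consistency check for the tunnel, MTU and ACL sections above (example code, not part of this guide or of F5's tooling), the following Python derives each tunnel's MTU from its outer address family, emits the matching `modify` commands, and builds the upstream ACL from the same tunnel list so that every tunnel's outer (remote, local) pair is covered by a permit entry. The addresses are constructed placeholders, and the IPv6 ACL form is an assumption, since the guide shows only the IPv4 ACL.

```python
from ipaddress import ip_address

# Constructed sample topology mirroring this guide: two BIG-IPs, two scrubbing
# centers, one IPv4 and one IPv6 tunnel per (device, center) pair. Addresses are
# placeholders from the RFC 5737 / RFC 3849 documentation ranges.
TUNNELS = [
    # (tunnel name, local = BIG-IP outer self IP, remote = XC center outer IP)
    ("xc-ddos-c1t1-v4", "192.0.2.10", "198.51.100.1"),
    ("xc-ddos-c1t1-v6", "2001:db8:a::10", "2001:db8:c1::1"),
    ("xc-ddos-c2t1-v4", "192.0.2.10", "198.51.100.2"),
    ("xc-ddos-c2t1-v6", "2001:db8:a::10", "2001:db8:c2::1"),
    ("xc-ddos-c1t2-v4", "192.0.2.11", "198.51.100.1"),
    ("xc-ddos-c1t2-v6", "2001:db8:b::11", "2001:db8:c1::1"),
    ("xc-ddos-c2t2-v4", "192.0.2.11", "198.51.100.2"),
    ("xc-ddos-c2t2-v6", "2001:db8:b::11", "2001:db8:c2::1"),
]

GRE_HDR = 4                  # plain GRE header (no key/sequence/checksum)
OUTER_HDR = {4: 20, 6: 40}   # IPv4 / IPv6 outer header size in bytes

def tunnel_mtu(local, remote, link_mtu=1500):
    """Largest inner packet that still fits link_mtu once GRE-encapsulated."""
    fam = ip_address(local).version
    if fam != ip_address(remote).version:
        raise ValueError("GRE endpoints must share an address family")
    return link_mtu - OUTER_HDR[fam] - GRE_HDR   # 1476 for IPv4, 1456 for IPv6

def mtu_commands(tunnels):
    """tmsh 'modify' lines, one per tunnel, with the derived MTU."""
    return [f"modify net tunnels tunnel {n} mtu {tunnel_mtu(l, r)}" for n, l, r in tunnels]

def upstream_acl(tunnels, name="ALLOW-XC-GRE"):
    """Cisco IOS-style ACLs: permit GRE only from known remotes, deny-and-log the rest."""
    v4, v6 = [f"ip access-list extended {name}"], [f"ipv6 access-list {name}-V6"]
    for _, local, remote in tunnels:
        target = v4 if ip_address(local).version == 4 else v6
        target.append(f" permit gre host {remote} host {local}")
    for local in dict.fromkeys(l for _, l, _ in tunnels):   # unique locals, in order
        target = v4 if ip_address(local).version == 4 else v6
        target.append(f" deny gre any host {local} log")
    return v4 + v6

def missing_permits(tunnels, acl_lines):
    """Tunnel names whose (remote, local) outer pair has no permit entry in the ACL."""
    permits = {tuple(l.split()[3::2]) for l in acl_lines if l.strip().startswith("permit")}
    return [n for n, l, r in tunnels if (r, l) not in permits]
```

Running `missing_permits` against the ACL actually deployed upstream catches the common drift case where a tunnel is added on the BIG-IP but the router ACL is never updated.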
## Inner self IPs (BGP peering)

Assign the inner IP addresses (inside the GRE tunnels) that are used to establish the BGP sessions with Cloud. allow-service must include tcp:179 (BGP) so the peering session can come up. Adding icmp:any on the inner self IP enables PMTUD and reachability tests through the tunnel:

Tunnel C1-T1 (BIG-IP-A to xCENTER_1x):

```
create net self xc-ddos-c1t1-inner-v4 \
    vlan xc-ddos-c1t1-v4 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C1_T1_INNER_V4x/30
create net self xc-ddos-c1t1-inner-v6 \
    vlan xc-ddos-c1t1-v6 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C1_T1_INNER_V6x/64
```

Tunnel C2-T1 (BIG-IP-A to xCENTER_2x):

```
create net self xc-ddos-c2t1-inner-v4 \
    vlan xc-ddos-c2t1-v4 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C2_T1_INNER_V4x/30
create net self xc-ddos-c2t1-inner-v6 \
    vlan xc-ddos-c2t1-v6 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C2_T1_INNER_V6x/64
```

Tunnel C1-T2 (BIG-IP-B to xCENTER_1x):

```
create net self xc-ddos-c1t2-inner-v4 \
    vlan xc-ddos-c1t2-v4 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C1_T2_INNER_V4x/30
create net self xc-ddos-c1t2-inner-v6 \
    vlan xc-ddos-c1t2-v6 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C1_T2_INNER_V6x/64
```

Tunnel C2-T2 (BIG-IP-B to xCENTER_2x):

```
create net self xc-ddos-c2t2-inner-v4 \
    vlan xc-ddos-c2t2-v4 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C2_T2_INNER_V4x/30
create net self xc-ddos-c2t2-inner-v6 \
    vlan xc-ddos-c2t2-v6 \
    traffic-group traffic-group-local-only \
    allow-service add { tcp:179 icmp:any } \
    address xBIGIP_C2_T2_INNER_V6x/64
```

Configure BGP for routing domain 0 using imish.
- Enter imish for RD 0:

  ```bash
  tmsh run /util imish -r 0
  ```

- Enter privileged mode and configuration mode:

  ```imish
  localhost.localdomain[0]> enable
  localhost.localdomain[0]# configure terminal
  ```

- BGP configuration example:
BIG-IP-A (router-id xBIGIP_A_OUTER_V4x, neighbors C1-T1 + C2-T1):

```
router bgp xCUSTOMER_ASNx
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 bgp router-id xBIGIP_A_OUTER_V4x
 bgp graceful-restart restart-time 120
 redistribute kernel route-map route-to-cloud-ipv4
 neighbor cloud peer-group
 neighbor cloud remote-as xF5_XC_ASNx
 neighbor cloud description cloud-peer-group
 neighbor cloud password xBGP_PASSWORDx
 neighbor cloud timers 10 30
 neighbor cloud soft-reconfiguration inbound
 neighbor cloud version 4
 neighbor cloud capability graceful-restart
 neighbor cloud send-community
 neighbor cloud ttl-security hops 1
 neighbor cloud maximum-prefix 10 warning-only
 neighbor cloud prefix-list deny-all in
 neighbor cloud prefix-list route-to-cloud-ipv4 out
 neighbor xXC_C1_T1_INNER_V4x peer-group cloud
 neighbor xXC_C1_T1_INNER_V4x description cloud-c1-t1-v4
 neighbor xXC_C2_T1_INNER_V4x peer-group cloud
 neighbor xXC_C2_T1_INNER_V4x description cloud-c2-t1-v4
 address-family ipv6
  redistribute kernel route-map route-to-cloud-ipv6
  neighbor cloud activate
  neighbor cloud soft-reconfiguration inbound
  neighbor cloud capability graceful-restart
  neighbor cloud prefix-list deny-all6 in
  neighbor cloud prefix-list route-to-cloud-ipv6 out
  neighbor xXC_C1_T1_INNER_V6x peer-group cloud
  neighbor xXC_C1_T1_INNER_V6x description cloud-c1-t1-v6
  neighbor xXC_C2_T1_INNER_V6x peer-group cloud
  neighbor xXC_C2_T1_INNER_V6x description cloud-c2-t1-v6
 exit-address-family

ip prefix-list deny-all deny 0.0.0.0/0 le 32
ip prefix-list route-to-cloud-ipv4 permit xPROTECTED_PREFIX_V4x
ipv6 prefix-list deny-all6 deny ::/0 le 128
ipv6 prefix-list route-to-cloud-ipv6 permit xPROTECTED_PREFIX_V6x

ip route xPROTECTED_NET_V4x xPROTECTED_MASK_V4x null0 201
ipv6 route xPROTECTED_PREFIX_V6x null0 201

route-map route-to-cloud-ipv4 permit 10
 match ip address prefix-list route-to-cloud-ipv4
 set origin igp
route-map route-to-cloud-ipv6 permit 10
 match ipv6 address prefix-list route-to-cloud-ipv6
 set origin igp
```

BIG-IP-B (router-id xBIGIP_B_OUTER_V4x, neighbors C1-T2 + C2-T2):
```
router bgp xCUSTOMER_ASNx
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 bgp router-id xBIGIP_B_OUTER_V4x
 bgp graceful-restart restart-time 120
 redistribute kernel route-map route-to-cloud-ipv4
 neighbor cloud peer-group
 neighbor cloud remote-as xF5_XC_ASNx
 neighbor cloud description cloud-peer-group
 neighbor cloud password xBGP_PASSWORDx
 neighbor cloud timers 10 30
 neighbor cloud soft-reconfiguration inbound
 neighbor cloud version 4
 neighbor cloud capability graceful-restart
 neighbor cloud send-community
 neighbor cloud ttl-security hops 1
 neighbor cloud maximum-prefix 10 warning-only
 neighbor cloud prefix-list deny-all in
 neighbor cloud prefix-list route-to-cloud-ipv4 out
 neighbor xXC_C1_T2_INNER_V4x peer-group cloud
 neighbor xXC_C1_T2_INNER_V4x description cloud-c1-t2-v4
 neighbor xXC_C2_T2_INNER_V4x peer-group cloud
 neighbor xXC_C2_T2_INNER_V4x description cloud-c2-t2-v4
 address-family ipv6
  redistribute kernel route-map route-to-cloud-ipv6
  neighbor cloud activate
  neighbor cloud soft-reconfiguration inbound
  neighbor cloud capability graceful-restart
  neighbor cloud prefix-list deny-all6 in
  neighbor cloud prefix-list route-to-cloud-ipv6 out
  neighbor xXC_C1_T2_INNER_V6x peer-group cloud
  neighbor xXC_C1_T2_INNER_V6x description cloud-c1-t2-v6
  neighbor xXC_C2_T2_INNER_V6x peer-group cloud
  neighbor xXC_C2_T2_INNER_V6x description cloud-c2-t2-v6
 exit-address-family

ip prefix-list deny-all deny 0.0.0.0/0 le 32
ip prefix-list route-to-cloud-ipv4 permit xPROTECTED_PREFIX_V4x
ipv6 prefix-list deny-all6 deny ::/0 le 128
ipv6 prefix-list route-to-cloud-ipv6 permit xPROTECTED_PREFIX_V6x

ip route xPROTECTED_NET_V4x xPROTECTED_MASK_V4x null0 201
ipv6 route xPROTECTED_PREFIX_V6x null0 201

route-map route-to-cloud-ipv4 permit 10
 match ip address prefix-list route-to-cloud-ipv4
 set origin igp
route-map route-to-cloud-ipv6 permit 10
 match ipv6 address prefix-list route-to-cloud-ipv6
 set origin igp
```

Key BGP configuration notes:
- `timers 10 30`: keepalives are sent every 10 seconds with a 30-second hold time. The defaults (60 / 180) are too slow for DDoS-mitigation failover. Coordinate the timer values with the SOC so that both sides match.
- `ttl-security hops 1`: enables GTSM (RFC 5082). Because the BGP session is a single hop across the GRE tunnel, this requires inbound BGP packets to arrive with TTL = 255, which protects against remote BGP spoofing.
- `maximum-prefix 10 warning-only`: a defence-in-depth safeguard. Even though the inbound prefix list already denies all routes, a warning is still raised if the peer unexpectedly sends prefixes.
- `redistribute kernel`: injects the `null0` static routes into BGP through the route-map. An alternative is an explicit `network` statement (for example `network xPROTECTED_PREFIX_V4x`), which is more precise because it announces exactly that prefix regardless of what other kernel routes exist. Either approach works; `redistribute kernel` with a strict route-map is shown here because it offers more flexibility.
The `null0` static routes use a high administrative distance (201) so that the prefix exists in the kernel routing table and can be redistributed to Cloud via BGP, without affecting normal routing when no attack is in progress. If the protected prefix is already present in the routing table from another source with a lower administrative distance, the `null0` route will not take effect and redistribution may fail; verify with `show ip route` after the configuration is complete.
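As an added audit helper for the BGP settings described above (example code, not part of this guide or of imish), the following Python parses a `router bgp` block in the form shown, resolves peer-group inheritance, and reports every neighbor that lacks one of the hardening settings discussed: a session password, `ttl-security hops 1`, inbound and outbound prefix lists, and `maximum-prefix`. The sample configuration is constructed from the BIG-IP-A example with its placeholders kept, plus one hypothetical neighbor (203.0.113.9) configured outside the peer group to produce a finding; it assumes that peer-group members inherit every setting configured on the group.

```python
import re

# Constructed sample: a trimmed copy of the BIG-IP-A block from this guide
# (placeholders kept) plus one hypothetical neighbor that bypasses the peer group.
SAMPLE_CONFIG = """
router bgp xCUSTOMER_ASNx
 neighbor cloud peer-group
 neighbor cloud password xBGP_PASSWORDx
 neighbor cloud ttl-security hops 1
 neighbor cloud maximum-prefix 10 warning-only
 neighbor cloud prefix-list deny-all in
 neighbor cloud prefix-list route-to-cloud-ipv4 out
 neighbor xXC_C1_T1_INNER_V4x peer-group cloud
 neighbor xXC_C2_T1_INNER_V4x peer-group cloud
 neighbor 203.0.113.9 remote-as 64999
"""

# Each check receives a neighbor's effective attribute strings (own plus inherited).
REQUIRED = {
    "password":        lambda a: any(x.startswith("password ") for x in a),
    "ttl-security":    lambda a: "ttl-security hops 1" in a,
    "inbound filter":  lambda a: any(x.startswith("prefix-list ") and x.endswith(" in") for x in a),
    "outbound filter": lambda a: any(x.startswith("prefix-list ") and x.endswith(" out") for x in a),
    "maximum-prefix":  lambda a: any(x.startswith("maximum-prefix ") for x in a),
}

def neighbor_attrs(config):
    """Map each 'neighbor <name>' to the set of attribute strings configured on it."""
    attrs = {}
    for m in re.finditer(r"^\s*neighbor\s+(\S+)\s+(.+?)\s*$", config, re.M):
        attrs.setdefault(m.group(1), set()).add(m.group(2))
    return attrs

def effective_attrs(attrs):
    """Resolve peer-group inheritance: a peer's own lines plus its group's lines."""
    groups = {n for n, a in attrs.items() if "peer-group" in a}
    resolved = {}
    for name, own in attrs.items():
        if name not in groups:           # the group itself is not a session
            inherited = [attrs.get(x.split()[1], set()) for x in own if x.startswith("peer-group ")]
            resolved[name] = set(own).union(*inherited)
    return resolved

def audit(config):
    """Return {neighbor: [missing checks]}; an empty dict means every peer is hardened."""
    report = {}
    for name, eff in effective_attrs(neighbor_attrs(config)).items():
        if missing := [k for k, ok in REQUIRED.items() if not ok(eff)]:
            report[name] = missing
    return report
```

Feed it the output of `show running-config` from imish on each unit to confirm that no session was added outside the `cloud` peer group without the same protections.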