Limitations; BGP Flowspec Conceptual Architecture - Cisco ASR 9000 Series Routing Configuration Manual

Aggregation services router

• Drop the traffic
• Inject it in a different VRF for analysis or
• Allow it, but police it at a specific defined rate

Thus, instead of sending a route with a special community that the border routers must associate with a next
hop to drop in their route policy language, BGP flowspec sends a specific flow format to the border routers
instructing them to create a sort of ACL with class-map and policy-map to implement the rule you want
advertised. In order to accomplish this, BGP flowspec adds a new NLRI (network layer reachability information)
to the BGP protocol. Information About Implementing BGP Flowspec, on page 205 provides details on flow
specifications, supported matching criteria and traffic filtering action.

The flowspec can be filtered based on source and destination in the flowspec NLRI using RPL, and the filter
can be applied at the neighbor attach point.

Limitations

These limitations apply for BGP flow specification:
• Flowspec is not supported on the following Cisco ASR 9000 first generation Ethernet Line Cards:
  • A9K-40G (40Port 10/100/1000)
  • A9K-4T (4 Port 10GE)
  • A9K-2T20G (Combo Card)
  • A9K-8T/4
  • A9K-8T
  • A9K-16T/8 (16 port 10GE)
• Flowspec is not supported on subscriber and satellite interfaces.
• A maximum of five multi-value ranges can be specified in a flowspec rule.
• A mix of address families is not allowed in flowspec rules.
• In a multiple-match scenario, only the first matching flowspec rule will be applied.
• A maximum of 3000 flowspec rules are supported per system.

BGP Flowspec Conceptual Architecture

In this illustration, a Flowspec router (controller) is configured on the Provider Edge with flows (match criteria
and actions). The Flowspec router advertises these flows to the other edge routers and the AS (that is, Transit
1, Transit 2 and PE). These transit routers then install the flows into the hardware. Once the flow is installed
into the hardware, the transit routers are able to do a lookup to see if incoming traffic matches the defined
flows and take suitable action. The action in this scenario is to 'drop' the DDoS traffic at the edge of the
network itself and deliver only clean and legitimate traffic to the Customer Edge.

Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
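
The rule limits listed under Limitations can be checked before a rule set is advertised. The following is an added example, not code from the Cisco guide, that flags rules exceeding those limits and rules that can never take effect because only the first match is applied. Assumptions: the `Rule` model, rule names and prefixes are constructed for illustration, list order stands in for evaluation order, and a "multi-value range" is taken to mean a port range with low < high.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_RULES = 3000   # documented per-system rule limit
MAX_RANGES = 5     # documented multi-value ranges per rule

@dataclass
class Rule:  # hypothetical model for this example, not an IOS XR structure
    name: str
    dst: str                 # destination prefix
    src: str                 # source prefix
    action: str              # "drop", "redirect-vrf" or "police"
    ports: list = field(default_factory=list)  # (low, high) dst ports; [] = any

def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    for pa, pb in ((a.dst, b.dst), (a.src, b.src)):
        na, nb = ipaddress.ip_network(pa), ipaddress.ip_network(pb)
        if na.version != nb.version or not nb.subnet_of(na):
            return False
    if not a.ports:
        return True          # a matches any port
    return bool(b.ports) and all(
        any(lo <= l and h <= hi for lo, hi in a.ports) for l, h in b.ports)

def lint(rules):
    """Return (rule name, finding) pairs; list order is evaluation order."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(("*", f"{len(rules)} rules exceed the limit of {MAX_RULES}"))
    for i, r in enumerate(rules):
        if ipaddress.ip_network(r.dst).version != ipaddress.ip_network(r.src).version:
            findings.append((r.name, "mixed address families"))
        if sum(1 for lo, hi in r.ports if lo < hi) > MAX_RANGES:
            findings.append((r.name, f"more than {MAX_RANGES} multi-value ranges"))
        for e in rules[:i]:
            # First match wins: a broader earlier rule with another action hides r.
            if e.action != r.action and covers(e, r):
                findings.append((r.name, f"never applied: shadowed by {e.name}"))
                break
    return findings

SIX = [(p, p + 9) for p in range(1000, 7000, 1000)]  # six port ranges
SAMPLE = [  # constructed sample rules (documentation prefixes)
    Rule("police-customer", "203.0.113.0/24", "0.0.0.0/0", "police"),
    Rule("drop-dns-flood", "203.0.113.10/32", "198.51.100.0/24", "drop", [(53, 53)]),
    Rule("mixed", "2001:db8::/32", "192.0.2.0/24", "drop"),
    Rule("six-ranges", "192.0.2.0/24", "0.0.0.0/0", "drop", SIX),
]
print(*lint(SAMPLE), sep="\n")
```

Placing `drop-dns-flood` ahead of `police-customer` clears the shadowing finding, because the narrower drop rule is then matched first.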
