Information About Implementing BGP Flowspec; Flow Specifications; Supported Matching Criteria And Actions - Cisco NCS 6000 Series Configuration Manual

IOS XR Release 6.4.x

Implementing BGP Flowspec
The following section gives a CLI configuration example that shows how Flowspec works. First, on the
Flowspec router, you define the match-action criteria to apply to the incoming traffic. This comprises the PBR
portion of the configuration. The service-policy type defines the actual PBR policy and contains the
combination of match and action criteria that must be added to the flowspec. In this example, the policy is
added under address-family IPv4, and hence it is propagated as an IPv4 flowspec rule.
Flowspec router CLI example:
class-map type traffic match-all cm1
 match source-address ipv4 100.0.0.0/24
policy-map type pbr pm1
 class type traffic cm1
  drop
flowspec
 address-family ipv4
  service-policy type pbr pm1
Transient router CLI:
flowspec
 address-family ipv4
  service-policy type pbr pm0
For detailed procedural information and commands used for configuring Flowspec, see
Flowspec with ePBR, on page 112.

Information About Implementing BGP Flowspec

To implement BGP Flowspec, you need to understand the following concepts:

Flow Specifications

A flow specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic. A
given IP packet is said to match the defined flow if it matches all the specified criteria. A given flow may be
associated with a set of attributes, depending on the particular application; such attributes may or may not
include reachability information (that is, NEXT_HOP).
Every flow-spec route is effectively a rule, consisting of a matching part (encoded in the NLRI field) and an
action part (encoded as a BGP extended community). The BGP flowspec rules are converted internally to
equivalent C3PL policy representing match and action parameters. The match and action support can vary
based on underlying platform hardware capabilities.
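Supported Matching Criteria and Actions, on page 105 and Traffic Filtering Actions, on page 109 provide
information on the supported match (tuple definitions) and action parameters.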
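The split between a matching part in the NLRI and an action part in an extended community can be seen on the wire for the rule from the CLI example above (source 100.0.0.0/24, drop). The following Python sketch is an added example, not code from the Cisco manual. It assumes the standard RFC 5575 encoding, which this page does not spell out, and assumes that drop is carried as a traffic-rate of 0. All function names are hypothetical, and only the two prefix components are handled.

```python
import ipaddress
import struct

# Component type codes from RFC 5575 (assumption: the page does not list them).
DEST_PREFIX, SRC_PREFIX = 1, 2

def encode_prefix_component(ctype, cidr):
    """Type (1 octet), prefix length in bits (1 octet), then only the significant octets."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        raise ValueError("IPv4 only in this sketch")
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_nlri(components):
    """Components go in ascending type order; the 1-octet length covers bodies < 240 octets."""
    body = b"".join(encode_prefix_component(t, p) for t, p in sorted(components))
    if len(body) >= 240:
        raise ValueError("2-octet length form not implemented")
    return bytes([len(body)]) + body

def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """Extended community 0x8006: 2-octet AS, then the rate as an IEEE float. Rate 0 = drop."""
    return struct.pack("!HHf", 0x8006, asn, rate_bytes_per_sec)

def decode_nlri(nlri):
    """Inverse of encode_nlri, with bounds checks, to inspect what a received rule matches."""
    if not nlri or nlri[0] != len(nlri) - 1:
        raise ValueError("length octet does not match body")
    body, out, i = nlri[1:], [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated component header")
        ctype, plen = body[i], body[i + 1]
        if ctype not in (DEST_PREFIX, SRC_PREFIX) or plen > 32:
            raise ValueError("unsupported component")
        nbytes = (plen + 7) // 8
        raw = body[i + 2:i + 2 + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated prefix")
        addr = ipaddress.ip_address(raw.ljust(4, b"\0"))
        out.append((ctype, f"{addr}/{plen}"))
        i += 2 + nbytes
    return out

# The page's rule: match source-address ipv4 100.0.0.0/24, action drop.
RULE_NLRI = encode_nlri([(SRC_PREFIX, "100.0.0.0/24")])
RULE_ACTION = traffic_rate_community(0.0)
```

Decoding a received NLRI this way shows exactly which traffic a flowspec rule would match, which is what an operator should confirm before accepting rules from a peer.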

Supported Matching Criteria and Actions

A Flow Specification NLRI type may include several components such as destination prefix, source prefix,
protocol, ports, and so on. This NLRI is treated as an opaque bit string prefix by BGP. Each bit string identifies
a key to a database entry with which a set of attributes can be associated. This NLRI information is encoded
using MP_REACH_NLRI and MP_UNREACH_NLRI attributes. Whenever the corresponding application
does not require Next-Hop information, this is encoded as a 0-octet length Next Hop in the MP_REACH_NLRI
attribute and ignored on receipt. The NLRI field of the MP_REACH_NLRI and MP_UNREACH_NLRI is
Routing Configuration Guide for Cisco NCS 6000 Series Routers, IOS XR Release 6.4.x