PurposeCommand or Action
Specifies the IPv4 address family and enters address family
configuration submode, and initializes the global address
family.
address-family { ipv4 }
Example:
RP/0/RSP0/CPU0:router(config-bgp)# router bgp
100 neighbor 1.1.1.1 address-family ipv4
Step 4
Preserves the next-hop for the flowspec unchanged.flowspec next-hop unchanged
Example:
RP/0/RSP0/CPU0:router(config-bgp)# router bgp
Step 5
100 neighbor 1.1.1.1 address-family ipv4 flowspec
next-hop unchanged
Validate BGP Flowspec
BGP Flowspec validation is enabled by default for flowspec SAFI routes for IPv4. VPN routes are not subject
to the flow validation. A flow specification NLRI is validated to ensure that any one of the following conditions
holds true for the functionality to work:
•
The originator of the flow specification matches the originator of the best-match unicast route for the
destination prefix embedded in the flow specification.
•
There are no more specific unicast routes, when compared with the flow destination prefix, that have
been received from a different neighboring AS than the best-match unicast route, which has been
determined in the previous condition.
•
The AS_PATH and AS4_PATH attribute of the flow specification are empty.
•
The AS_PATH and AS4_PATH attribute of the flow specification does not contain AS_SET and
AS_SEQUENCE segments.
Any path which does not meet these conditions, is appropriately marked by BGP and not installed in flowspec
manager. Additionally, BGP enforces that the last AS added within the AS_PATH and AS4_PATH attribute
of a EBGP learned flow specification NLRI must match the last AS added within the AS_PATH and
AS4_PATH attribute of the best-match unicast route for the destination prefix embedded in the flow
specification. Also, when the redirect-to-IP extended community is present, by default, BGP enforces the
following check when receiving a flow-spec route from an eBGP peer:
If the flow-spec route has an IP next-hop X and includes a redirect-to-IP extended community, then the BGP
speaker discards the redirect-to-ip extended community (and not propagate it further with the flow-spec route)
if the last AS in the AS_PATH or AS4_PATH attribute of the longest prefix match for X does not match the
AS of the eBGP peer.
Disable Flowspec Redirect and Validation, on page 223 explains the procedure to disable BGP flowspec
validation.
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
222
Implementing BGP Flowspec
Validate BGP Flowspec
To Next Page
Loading...
Need help?
General
