The ensuing section provides an example of the CLI configuration of how flowspec works. First, on the
Flowspec router you define the match-action criteria to take on the incoming traffic. This comprises the PBR
portion of the configuration. The service-policy type defines the actual PBR policy and contains the
combination of match and action criteria which must be added to the flowspec. In this example, the policy is
added under address-family IPv4, and hence it is propagated as an IPv4 flowspec rule.
Flowspec router CLI example:
class-map type traffic match-all cm1
match source-address ipv4 100.0.0.0/24
policy-map type pbr pm1
class type traffic cm1
drop
flowspec
address-family ipv4
service-policy type pbr pm0
Transient router CLI:
flowspec
address-family ipv4
service-policy type pbr pm1
For detailed procedural information and commands used for configuring Flowspec, see Configuring BGP
Flowspec with ePBR, on page 112.
Information About Implementing BGP Flowspec
To implement BGP Flowspec, you need to understand the following concepts:
Flow Specifications
A flow specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic. A
given IP packet is said to match the defined flow if it matches all the specified criteria. A given flow may be
associated with a set of attributes, depending on the particular application; such attributes may or may not
include reachability information (that is, NEXT_HOP).
Every flow-spec route is effectively a rule, consisting of a matching part (encoded in the NLRI field) and an
action part (encoded as a BGP extended community). The BGP flowspec rules are converted internally to
equivalent C3PL policy representing match and action parameters. The match and action support can vary
based on underlying platform hardware capabilities. Supported Matching Criteria and Actions, on page 105
and Traffic Filtering Actions, on page 109 provides information on the supported match (tuple definitions)
and action parameters.
Supported Matching Criteria and Actions
A Flow Specification NLRI type may include several components such as destination prefix, source prefix,
protocol, ports, and so on. This NLRI is treated as an opaque bit string prefix by BGP. Each bit string identifies
a key to a database entry with which a set of attributes can be associated. This NLRI information is encoded
using MP_REACH_NLRI and MP_UNREACH_NLRI attributes. Whenever the corresponding application
does not require Next-Hop information, this is encoded as a 0-octet length Next Hop in the MP_REACH_NLRI
attribute and ignored on receipt. The NLRI field of the MP_REACH_NLRI and MP_UNREACH_NLRI is
Routing Configuration Guide for Cisco NCS 6000 Series Routers, IOS XR Release 6.4.x
105
Implementing BGP Flowspec
Information About Implementing BGP Flowspec
To Next Page
Loading...
Need help?
General
