BGP FlowSpec Route-reflector Support
The BGP (Border Gateway Protocol) Flowspec (Flow Specification) Route Reflector feature enables service providers to control traffic flows in their network. This helps in filtering traffic and in mitigating distributed denial of service (DDoS) attacks by dropping the DDoS traffic or diverting it to an analyzer.
BGP flow specification provides a mechanism to encode flow specification rules for traffic flows that can be distributed as BGP Network Layer Reachability Information (NLRI).
- Finding Feature Information
- Restrictions for BGP FlowSpec Route-reflector Support
- Information About BGP FlowSpec Route-reflector Support
- How to Configure BGP FlowSpec Route-reflector Support
- Configuration Examples for BGP FlowSpec Route-reflector Support
- Additional References for BGP FlowSpec Route-reflector Support
- Feature Information for BGP FlowSpec Route-reflector Support
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for BGP FlowSpec Route-reflector Support
Information About BGP FlowSpec Route-reflector Support
Overview of Flowspec
Flowspec specifies procedures for the distribution of flow specification rules as Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) that can be used in any application. It also defines an application of these rules for packet filtering in order to mitigate distributed denial of service attacks.
A flow specification rule consists of a matching part encoded in the BGP NLRI field and an action part encoded as a BGP extended community, as defined in RFC 5575. A flow specification rule is a set of data (represented in an n-tuple) consisting of several matching criteria that can be applied to IP packet data. BGP flow specification rules are internally converted to the equivalent Cisco Common Classification Policy Language (C3PL) representing the corresponding match and action parameters.
Matching Criteria
The following table lists the various Flowspec tuples that are supported for BGP.
BGP Flowspec NLRI Type | QoS Matching Field (IPv6) | QoS Matching Field (IPv4) | Input Value |
---|---|---|---|
Type 1 | IPv6 destination address | IPv4 destination address | Prefix length |
Type 2 | IPv6 source address | IPv4 source address | Prefix length |
Type 3 | IPv6 next header | IPv4 protocol | Multi-value range |
Type 4 | IPv6 source or destination port | IPv4 source or destination port | Multi-value range |
Type 5 | IPv6 destination port | IPv4 destination port | Multi-value range |
Type 6 | IPv6 source port | IPv4 source port | Multi-value range |
Type 7 | IPv6 ICMP type | IPv4 ICMP type | Multi-value range |
Type 8 | IPv6 ICMP code | IPv4 ICMP code | Multi-value range |
Type 9 | IPv6 TCP flags | IPv4 TCP flags (2 bytes include reserved bits) | Bit mask |
Type 10 | IPv6 packet length | IPv4 packet length | Multi-value range |
Type 11 | IPv6 traffic class | IPv4 DSCP | Multi-value range |
Type 12 | Reserved | IPv4 fragment bits | Bit mask |
Type 13 | IPv6 flow label | — | Multi-value range |
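The matching part of a rule, as it appears on the wire, can be decoded with a short parser. The following is an added example, not part of the original Cisco document: it decodes one IPv4 Flowspec NLRI using the RFC 5575 component layout (a prefix for Types 1 and 2, operator/value lists for Types 3 to 12) and rejects truncated or out-of-order input. The function name, the field labels (taken from the IPv4 column of the table above) and the sample bytes are constructed for illustration.

```python
import ipaddress

NAMES = {1: "destination address", 2: "source address", 3: "protocol",
         4: "source or destination port", 5: "destination port",
         6: "source port", 7: "ICMP type", 8: "ICMP code", 9: "TCP flags",
         10: "packet length", 11: "DSCP", 12: "fragment bits"}
BITMASK_TYPES = {9, 12}  # the "Bit mask" rows of the table

def parse_flowspec_nlri(data: bytes) -> list:
    """Decode one IPv4 Flowspec NLRI (RFC 5575) into (field, match) pairs."""
    hdr = 1 if data[:1] < b"\xf0" else 2  # lengths >= 240 use two bytes, 0xfnnn
    length = int.from_bytes(data[:hdr], "big") & (0xFF if hdr == 1 else 0x0FFF)
    if len(data) != hdr + length:
        raise ValueError("length field does not match buffer")
    body, pos, rules, last = data[hdr:], 0, [], 0
    def take(n: int) -> bytes:  # bounds-checked read of peer-supplied bytes
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated component")
        pos += n
        return body[pos - n:pos]

    while pos < len(body):
        ctype = take(1)[0]
        if ctype not in NAMES or ctype <= last:  # types must strictly increase
            raise ValueError(f"unknown or out-of-order component type {ctype}")
        last = ctype
        if ctype in (1, 2):  # prefix length, then only the significant bytes
            plen = take(1)[0]
            if plen > 32:
                raise ValueError("invalid IPv4 prefix length")
            raw = take((plen + 7) // 8).ljust(4, b"\x00")
            match = str(ipaddress.IPv4Network((raw, plen), strict=False))
        else:  # (operator, value) pairs, ended by the end-of-list bit 0x80
            match = ""
            while True:
                op = take(1)[0]
                value = int.from_bytes(take(1 << ((op >> 4) & 3)), "big")
                if ctype in BITMASK_TYPES:  # 0x02 = not, 0x01 = match all bits
                    term = ("not " if op & 2 else "") + ("all-of " if op & 1 else "any-of ") + hex(value)
                else:  # 0x04 = less than, 0x02 = greater than, 0x01 = equal
                    term = "".join(s for b, s in ((4, "<"), (2, ">"), (1, "=")) if op & b) + str(value)
                match += ((" AND " if op & 0x40 else " OR ") if match else "") + term
                if op & 0x80:
                    break
        rules.append((NAMES[ctype], match))
    return rules

# Constructed NLRI: destination 192.0.2.0/24, protocol 17, destination port 137-139
SAMPLE = bytes.fromhex("0d 01 18 c0 00 02 03 81 11 05 03 89 c5 8b")
```

Calling `parse_flowspec_nlri(SAMPLE)` returns one pair per component, in the Type order the table lists.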
How to Configure BGP FlowSpec Route-reflector Support
Configuring BGP FlowSpec Route-reflector Support
Perform this task to configure BGP FlowSpec on a route reflector. This task specifies only the IPv4 address family, but other address families are also supported for BGP flow specifications.
Configure a BGP route reflector.
1. enable
2. configure terminal
3. router bgp autonomous-system-number
4. neighbor ip-address remote-as autonomous-system-number
5. address-family {ipv4 | ipv6 | vpnv4 | vpnv6} flowspec
6. neighbor ip-address activate
7. neighbor ip-address route-reflector-client
8. end
DETAILED STEPS
Disabling BGP FlowSpec Validation
Perform this task if you want to disable the BGP flow specification validations for eBGP peers. The validations are enabled by default.
For more information about BGP flow specification validations, see RFC 5575 (draft-ietf-idr-bgp-flowspec-oid-01, Revised Validation Procedure for BGP Flow Specifications).
1. enable
2. configure terminal
3. router bgp autonomous-system-number
4. address-family {ipv4 | ipv6 | vpnv4 | vpnv6} flowspec
5. neighbor ip-address validation off
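Because validation is enabled by default, every neighbor configured with validation off is a deliberate exception worth tracking in a configuration review. The following is an added example, not part of the original Cisco document: it scans a saved running configuration for `validation off` under any flowspec address family and reports whether the peer is eBGP or iBGP. The function name and the configuration excerpt are constructed; the excerpt assumes the command forms shown in the steps above.

```python
import re

# Constructed running-config excerpt (addresses and AS numbers are examples).
SAMPLE_CONFIG = """\
router bgp 333
 neighbor 10.64.0.2 remote-as 333
 neighbor 198.51.100.2 remote-as 64500
 !
 address-family ipv4 flowspec
  neighbor 10.64.0.2 activate
  neighbor 10.64.0.2 route-reflector-client
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 validation off
 exit-address-family
"""

def audit_flowspec_validation(config: str) -> list:
    """Return (address_family, neighbor, peering) for each 'validation off'."""
    local_as, remote_as, family, findings = None, {}, None, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"router bgp (\S+)", line):
            local_as, remote_as, family = m[1], {}, None
        elif m := re.fullmatch(r"neighbor (\S+) remote-as (\S+)", line):
            remote_as[m[1]] = m[2]
        elif m := re.fullmatch(r"address-family (ipv4|ipv6|vpnv4|vpnv6) flowspec", line):
            family = m[1]  # entering a flowspec address family
        elif line.startswith(("address-family ", "exit-address-family")):
            family = None  # any other address family, or leaving this one
        elif family and (m := re.fullmatch(r"neighbor (\S+) validation off", line)):
            peer_as = remote_as.get(m[1])
            if peer_as is None:
                kind = "unknown"  # no remote-as line seen for this neighbor
            else:
                kind = "iBGP" if peer_as == local_as else "eBGP"
            findings.append((family, m[1], kind))
    return findings

if __name__ == "__main__":
    for family, neighbor, kind in audit_flowspec_validation(SAMPLE_CONFIG):
        print(f"{family} flowspec: validation off for {kind} neighbor {neighbor}")
```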
DETAILED STEPS
Verifying BGP FlowSpec Route-reflector Support
The show commands can be entered in any order.
Configure BGP FlowSpec on a route reflector.
1. show bgp ipv4 flowspec
2. show bgp ipv4 flowspec detail
3. show bgp ipv4 flowspec summary
4. show bgp ipv6 flowspec
5. show bgp ipv6 flowspec detail
6. show bgp ipv6 flowspec summary
7. show bgp vpnv4 flowspec
8. show bgp vpnv4 flowspec all detail
9. show bgp vpnv6 flowspec
10. show bgp vpnv6 flowspec all detail
DETAILED STEPS
Configuration Examples for BGP FlowSpec Route-reflector Support
Example: BGP FlowSpec Route-reflector Support
Example: Configuring BGP FlowSpec on Route Reflector
Configure BGP route reflector and inject flowspec in the route reflector.
```
! Configure the topology
! Configure the interfaces on RR
RR> enable
RR# configure terminal
RR(config)# interface E0/0
RR(config-if)# ip address 10.0.0.1 255.224.0.0
RR(config-if)# no shutdown
RR(config-if)# exit
RR(config)# interface S2/0
RR(config-if)# ip address 10.32.0.1 255.224.0.0
RR(config-if)# no shutdown
RR(config-if)# exit
RR(config)# interface S3/0
RR(config-if)# ip address 10.64.0.1 255.224.0.0
RR(config-if)# no shutdown
! Configure RR as the route reflector with S2/0 (R1) and S2/0 (R2) as the neighbors
RR(config)# router bgp 333
RR(config-router)# no synchronization
RR(config-router)# network 10.0.0.0 mask 255.224.0.0
RR(config-router)# network 10.64.0.0 mask 255.224.0.0
RR(config-router)# network 10.32.0.0 mask 255.224.0.0
RR(config-router)# neighbor 10.64.0.2 remote-as 333
RR(config-router)# neighbor 10.32.0.2 remote-as 333
! Configure flowspec on route reflector
RR(config-router)# address-family ipv4 flowspec
RR(config-router-af)# neighbor 10.64.0.2 activate
RR(config-router-af)# neighbor 10.64.0.2 route-reflector-client
RR(config-router-af)# neighbor 10.32.0.2 activate
RR(config-router-af)# neighbor 10.32.0.2 route-reflector-client
! Verify the configuration
RR> show bgp ipv4 flowspec
```
Additional References for BGP FlowSpec Route-reflector Support
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
BGP commands | Cisco IOS IP Routing: BGP Command Reference |
Standards and RFCs
Standard/RFC | Title |
---|---|
RFC 5575 | Dissemination of Flow Specification Rules |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | |
Feature Information for BGP FlowSpec Route-reflector Support
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information |
---|---|---|
BGP FlowSpec Route-reflector Support | 15.5(1)S | The BGP FlowSpec Route-reflector Support feature enables service providers to control traffic flows in their network and mitigate DDoS attacks. The following command was introduced by this feature: address-family {ipv4 \| ipv6 \| vpnv4 \| vpnv6} flowspec. |