Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

• Identify and configure flow specification rules on the controller.

  Note	When the flow specification client is enabled, the matching criteria and corresponding actions in the controller’s flows are remotely injected into the client device, and the flows are programmed into the platform hardware of the client device.

• In Cisco IOS 15.5(S) release, BGP flow specification is supported only on a BGP flow specification client and route reflector.
• Mixing of address family matches and actions is not supported in flow specification rules. For example, IPv4 matches cannot be combined with IPv6 actions and vice versa.

The BGP protocol is used for flow specifications due to unique advantages it offers. The three elements that are used to route flow specifications through BGP enabled devices are: controller, client, and route-reflector (which is optional). This document is specific to the client element function.

Though devices with the IOS XE software (such as ASR 1000, and so on) can perform BGP flow specification client role and not the controller role, a brief outline of the BGP flow specification process is given below for better understanding.

The BGP flow specification functionality allows you to rapidly deploy and propagate filtering and policing functionality among a large number of BGP peer devices to mitigate the effects of a distributed denial-of-service (DDoS) attack over your network.

The BGP flow specification model comprises of a client and a controller (route-reflector usage is optional). The controller is responsible for sending or injecting the flow specification NRLI entry. The client (acting as a BGP speaker) receives the NRLI and programs the hardware forwarding to act on the instruction from the controller. An illustration of this model is provided below.

Figure 1. BGP Flow Specification Model

In the above topology, the controller on the left-hand side injects the flow specification NRLI into the client on the right-hand side. The client receives the information, sends it to the flow specification manager component, configures the ePBR (Enhanced Policy Based Routing) infrastructure, which in turn programs the platform hardware of the device. This way, you can create rules to handle DDoS attacks on your network.

First, associate the device to a BGP autonomous system and enable flow specification policy mapping capability for various address families. Then, identify a neighbor (through its IP address) as a BGP peer and enable the capability to exchange information between the devices through theneighbor activate command. This way, flow specification information can be exchanged between the client, controller, and any other flow specification client device.

!
router bgp 100
 address-family ipv4 flowspec
  neighbor 10.1.1.1 activate
!

The flow specification NLRI type consists of several optional sub-components. A specific packet is considered to match the flow specification when it matches the intersection (AND) of all the components present in the specification. The following are the supported component types or tuples that you can define:

1.    enable


2.    configure terminal


3.    router bgp as-number


4.    address-family {ipv4 | ipv6} flowspec


5.    neighbor ip-address activate


6.    exit


7.    address-family {ipv4 | ipv6} flowspec vrf vrf-name


8.    neighbor ip-address remote-as as-number


9.    neighbor ip-address activate


10.    exit

Device> enable

Device# configure terminal 

Device(config)# router bgp 100

Device(config-bgp)# address-family ipv4 flowspec

Device(config-bgp-af)# neighbor 10.1.1.1 activate

Device(config-bgp-af)# exit

Device(config-bgp)# address-family ipv4 flowspec vrf vrf1

Device(config-bgp-af)# neighbor 2001:DB8:1::1 remote-as 100

Device(config-bgp-af)# neighbor 2001:DB8:1::1 activate

Device(config-bgp-af)# exit

1.    enable


2.    configure terminal


3.    flowspec


4.    address-family ipv4


5.    local-install interface-all


6.    exit


7.    address-family ipv6


8.    local-install interface-all


9.    exit


10.    vrf vrf-name


11.    address-family ipv4


12.    local-install interface-all


13.    exit


14.    address-family ipv6


15.    local-install interface-all


16.    exit

Device> enable

Device# configure terminal 

Device(config)# flowspec  

Device(config-flowspec)# address-family ipv4  

Device(config-flowspec-af)# local-install interface-all

Device(config-flowspec-af)# exit

Device(config-flowspec)# address-family ipv6  

Device(config-flowspec-af)# local-install interface-all

Device(config-flowspec-af)# exit

Device(config-flowspec)# vrf vrf10

Device(config-flowspec-vrf)# address-family ipv4  

Device(config-flowspec-vrf-af)# local-install interface-all

Device(config-flowspec-vrf-af)# exit

Device(config-flowspec-vrf)# address-family ipv6  

Device(config-flowspec-vrf-af)# local-install interface-all

Device(config-flowspec-vrf-af)# exit

1.    show flowspec summary


2.    show bgp ipv4 flowspec


3.    show flowspec vrf vrf-name afi-all

Device # show flowspec summary

FlowSpec Manager Summary:
Tables: 2
Flows: 1

Device # show bgp ipv4 flowspec 

Dest:192.0.2.0/24, Source:10.1.1.0/24, DPort:>=120&<=130,SPort:>=25&<=30,DSCP:=30/208
BGP routing table entry for Dest:192.0.2.0/24, Source:10.1.1.0/24,Proto:=47,DPort:>=120&<=130,SPort:>=25&<=30,DSCP:=30/208 <snip>
Paths: (1 available, best #1)
  Advertised to update-groups (with more than one peer):
    0.3
  Path #1: Received by speaker 0
  Advertised to update-groups (with more than one peer):
0.3 Local
0.0.0.0 from 0.0.0.0 (3.3.3.3)
Origin IGP, localpref 100, valid, redistributed, best, group-best
Received Path ID 0, Local Path ID 1, version 42
Extended community: FLOWSPEC Traffic-rate:100,0

Device # show flowspec vrf vrf100 afi-all 

VRF: vrf100     AFI: IPv4
    Flow         :DPort:=101,SPort:=101,TCPFlags:~0xFF,Length:>=100&<=1500,DSCP:=63
    Actions      :Redirect: VRF vrf200 Route-target: ASN2-200:2  (bgp.1)
    Flow         :DPort:=102,SPort:=102,TCPFlags:~0xFF,Length:>=100&<=1500,DSCP:=63
    Actions      :Redirect: VRF vrf200 Route-target: ASN2-200:2  (bgp.1)