BGP Flowspec Commands

This module provides command line interface (CLI) commands for configuring BGP Flowspec on the Cisco CRS Router.

class-map type traffic (BGP-flowspec)

To define a traffic class and the associated rules that match packets to the class, use the class-map type traffic command in Global configuration mode. To remove an existing class map from the router, use the no form of this command.

class-map type traffic match-all class-map-name

Syntax Description

match-all

Specifies a match on all of the match criteria.

class-map-name

Name of the class for the class map.

Command Default

None

Command Modes

Global configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to specify class305 as the name of a class and define a class map for this class.

RP/0/RP0/CPU0:router# config
RP/0/RP0/CPU0:router(config)# class-map type traffic match-all class305
RP/0/RP0/CPU0:router(config-cmap)# match destination-address ipv4 59.2.1.2 255.255.255.0
  

class type traffic

To associate a previously configured traffic class with the policy map, and to enter the configuration mode for the specified system class, use the class type traffic command in the policy map configuration mode.

class type traffic class-name

Syntax Description

class-name

Name of the class for the class map. The class name is used for the class map and to configure policy for the class in the policy map.

Command Default

None

Command Modes

Policy map configuration mode

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to associate a class map with the policy map:

RP/0/RP0/CPU0:router# config
RP/0/RP0/CPU0:router(config)# policy-map type pbr p1
RP/0/RP0/CPU0:router(config-pmap)# class type traffic c1
RP/0/RP0/CPU0:router(config-pmap-c)# set dscp 34 

drop (BGP-flowspec)

To configure a traffic class to discard packets belonging to a specific class, use the drop command in policy-map class configuration mode. To disable the packet discarding action in a traffic class, use the no form of this command.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Default

Disabled

Command Modes

Policy-map class configuration (config-pmap-c)

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to discard packets:
RP/0/RP0/CPU0:router#config
RP/0/RP0/CPU0:router(config)# policy-map type pbr match_dest_110.1.1.x_drop
RP/0/RP0/CPU0:router(config-pmap)# class type traffic match_dest_110.1.1.x
RP/0/RP0/CPU0:router(config-pmap-c)# drop
  

flowspec

To enter BGP flowspec configuration mode, use the flowspec command in Global configuration mode.

flowspec

Syntax Description

This command has no keywords or arguments.

Command Default

No default behavior or values

Command Modes

Global configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to enter flowspec configuration mode.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# flowspec
RP/0/RP0/CPU0:router(config-flowspec)# 

flowspec disable

To disable flowspec configuration on all interfaces, use the flowspec disable command in interface configuration mode.

{ipv4 | ipv6} flowspec disable

Syntax Description

ipv4

Specifies IPv4 interfaces.

ipv6

Specifies IPv6 interfaces.

Command Default

No default behavior or values

Command Modes

Interface configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to disable flowspec configuration on all interfaces.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface GigabitEthernet 0/2/0/2
RP/0/RP0/CPU0:router(config-if)# ipv4 flowspec disable

local-install

To apply local installation of flowspec policy on all interfaces, use the local-install command in the appropriate command mode.

local-install interface-all

Syntax Description

interface-all

Installs flowspec policy on all interfaces.

Command Default

No default behavior or values

Command Modes

IPv4 address family configuration

IPv6 address family configuration

VRF IPv4 address family configuration

VRF IPv6 address family configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to install flowspec policy on all interfaces under flowspec subaddress family configuration mode.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# flowspec
RP/0/RP0/CPU0:router(config-flowspec)# address-family ipv4
RP/0/RP0/CPU0:router(config-flowspec-af)# local-install interface-all

match destination-address

To identify a specific destination IP address explicitly as a match criterion in a class map, use the match destination-address command in the class map configuration mode. To remove a specific destination IP address from the matching criteria for a class map, use the no form of this command.

match destination-address {ipv4 | ipv6} address

no match destination-address {ipv4 | ipv6} address

Syntax Description

ipv4

Indicates an IPv4 address.

ipv6

Indicates an IPv6 address.

address

Specifies a destination address.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match a destination IPv4 address:


RP/0/RP0/CPU0:router(config)#class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match destination-address ipv4 59.2.1.2 255.255.255.0

match destination-port

To identify a specific destination port as the match criterion for a class map, use the match destination-port command in class map configuration mode. To remove destination port-based match criteria from a class map, use the no form of this command.

match destination-port {destination-port-value | [min-value - max-value]}

no match destination-port {destination-port-value | [min-value - max-value]}

Syntax Description

destination-port-value

A port number. Range is from 0 to 65535.

min-value

Lower limit of destination port range to match. Value range is 0 to 65535.

max-value

Upper limit of destination port range to match. Value range is 0 to 65535.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

The min-value and max-value variables were added.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match a destination port:

RP/0/RP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match destination-port 1
  

match dscp

To identify specific IP differentiated services code point (DSCP) values as match criteria for a class map, use the match dscp command in class map configuration mode. To remove a DSCP value from a class map, use the no form of this command.

match dscp {[ipv4 | ipv6] dscp-value [dscp-value1 . . . dscp-value7] | [min-value - max-value]}

no match dscp {[ipv4 | ipv6] dscp-value [dscp-value1 . . . dscp-value7] | [min-value - max-value]}

Syntax Description

not

(Optional) Negates the specified match result.

ipv4

(Optional) Specifies the IPv4 DSCP value.

ipv6

(Optional) Specifies the IPv6 DSCP value.

dscp-value

IP DSCP value identifier that specifies the exact value or a range of values. Range is 0 - 63. Up to eight IP DSCP values can be specified to match packets. Reserved keywords can be specified instead of numeric values. Table 1 describes the reserved keywords.

min-value

Lower limit of DSCP range to match. Value range is 0 - 63.

max-value

Upper limit of DSCP range to match. Value range is 0 - 63.

Command Default

Matching on IP Version 4 (IPv4) and IPv6 packets is the default.

Command Modes

Class map configuration

Command History

Release

Modification

Release 2.0

This command was introduced.

Release 3.2

The ipv6 and ipv4 keywords were added.

Release 3.3.0

The not keyword was added.

Release 5.2.0

The min-value and max-value variables were added.

Usage Guidelines

The match dscp command specifies a DSCP value that is used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.

To use the match dscp command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. If you specify more than one match dscp command in a class map, only the last command entered applies.

The match dscp command examines the higher-order six bits in the type of service (ToS) byte of the IP header. Only one of the eight values is needed to yield a match (OR operation).

The command supports only eight IP DSCP values. If you try to configure more match statements after all the eight values are matched, the statements get rejected.

The IP DSCP value is used as a matching criterion only. The value has no mathematical significance. For instance, the IP DSCP value 2 is not greater than 1. The value simply indicates that a packet marked with the IP DSCP value of 2 should be treated differently than a packet marked with an IP DSCP value of 1. The treatment of these marked packets is defined by the user through the setting of policies in policy map class configuration mode.

Table 1. IP DSCP Reserved Keywords

DSCP Value    Reserved Keyword
0             default
10            AF11
12            AF12
14            AF13
18            AF21
20            AF22
22            AF23
26            AF31
28            AF32
30            AF33
34            AF41
36            AF42
38            AF43
46            EF
8             CS1
16            CS2
24            CS3
32            CS4
40            CS5
48            CS6
56            CS7
ipv4          ipv4 dscp
ipv6          ipv6 dscp

Task ID

Task ID

Operations

qos

read, write

This example shows how to configure the service policy called policy1 and attach service policy policy1 to an interface. In this example, class map dscp14 evaluates all packets entering Packet-over-SONET/SDH (POS) interface 0/1/0/0 for an IP DSCP value of 14. If the incoming packet has been marked with the IP DSCP value of 14, the packet is queued to the class queue with the bandwidth setting of 300 kbps.


RP/0/RP0/CPU0:router(config)# class-map dscp14
RP/0/RP0/CPU0:router(config-cmap)# match dscp ipv4 14
RP/0/RP0/CPU0:router(config-cmap)# exit

RP/0/RP0/CPU0:router(config)# policy-map policy1
RP/0/RP0/CPU0:router(config-pmap)# class dscp14
RP/0/RP0/CPU0:router(config-pmap-c)# bandwidth 300
RP/0/RP0/CPU0:router(config-pmap-c)# exit
RP/0/RP0/CPU0:router(config-pmap)# exit

RP/0/RP0/CPU0:router(config)# interface pos 0/1/0/0
RP/0/RP0/CPU0:router(config-if)# service-policy input policy1
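
The matching rule described in the match dscp usage guidelines (six high-order bits of the ToS byte, up to eight values, OR semantics, Table 1 keywords) can be modelled as follows. This is an added example, not Cisco code; the function names and the textual range form "min-max" are assumptions made for illustration.

```python
import re

# Reserved keywords from Table 1 on this page (keyword -> DSCP value).
DSCP_KEYWORDS = {
    "default": 0,
    "af11": 10, "af12": 12, "af13": 14,
    "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30,
    "af41": 34, "af42": 36, "af43": 38,
    "ef": 46,
    "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32,
    "cs5": 40, "cs6": 48, "cs7": 56,
}
MAX_VALUES = 8  # the command accepts at most eight DSCP values


def dscp_from_tos(tos_byte):
    """Return the DSCP: the six high-order bits of the ToS byte.

    The two low-order bits (ECN) are discarded. IPv6 carries the same six
    bits in its Traffic Class octet.
    """
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS is a single octet")
    return tos_byte >> 2


def parse_match_dscp(args):
    """Parse the arguments of one `match dscp` line.

    Returns (afi, values): afi is "ipv4", "ipv6" or None (both), values is
    the set of DSCP values the class accepts. The textual range form
    "min-max" is an assumption made for this example.
    """
    tokens = args.lower().split()
    afi = tokens.pop(0) if tokens and tokens[0] in ("ipv4", "ipv6") else None
    if not tokens:
        raise ValueError("no DSCP value given")
    if len(tokens) == 1 and re.fullmatch(r"\d+-\d+", tokens[0]):
        low, high = (int(part) for part in tokens[0].split("-"))
        if not 0 <= low <= high <= 63:
            raise ValueError("range must satisfy 0 <= min <= max <= 63")
        return afi, set(range(low, high + 1))
    if len(tokens) > MAX_VALUES:
        raise ValueError("at most eight DSCP values per match statement")
    values = set()
    for token in tokens:
        # Keywords resolve through Table 1; anything else must be a number.
        value = DSCP_KEYWORDS[token] if token in DSCP_KEYWORDS else int(token)
        if not 0 <= value <= 63:
            raise ValueError(f"DSCP {value} is outside 0-63")
        values.add(value)
    return afi, values


def packet_matches(tos_byte, ip_version, afi, values):
    """OR semantics: the packet matches if its DSCP equals any listed value."""
    if afi is not None and afi != f"ipv{ip_version}":
        return False
    return dscp_from_tos(tos_byte) in values
```

A ToS byte of 0x3A has ECN bits set but still carries DSCP 14, so it matches the dscp14 class from the example above.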

match fragment-type

To identify a fragment-type as the match criterion for a class map, use the match fragment-type command in class map configuration mode. To remove fragment-type match criteria from a class map, use the no form of this command.

match fragment-type [dont-fragment] [first-fragment] [is-fragment] [last-fragment]

no match fragment-type [dont-fragment] [first-fragment] [is-fragment] [last-fragment]

Syntax Description

dont-fragment

Matches dont-fragment bit.

first-fragment

Matches first-fragment bit.

is-fragment

Matches is-fragment bit.

last-fragment

Matches last-fragment bit.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match a fragment-type:

RP/0/RP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match fragment-type is-fragment
  

match icmp code

To identify an ICMP (Internet Control Message Protocol) code as the match criterion for a class map, use the match icmp code command in the class map configuration mode. To remove the ICMP code-based match criteria from a class map, use the no form of this command.

match {ipv4 | ipv6} icmp-code {value | [min-value - max-value]}

no match {ipv4 | ipv6} icmp-code {value | [min-value - max-value]}

Syntax Description

ipv4

Indicates an IPv4 ICMP code.

ipv6

Indicates an IPv6 ICMP code.

min-value

Lower limit of ICMP code range to match. Value range is 0 to 255.

max-value

Upper limit of ICMP code range to match. Value range is 0 to 255.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match an IPv4 ICMP code:

RP/0/RP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match ipv4 icmp-code 1
  

match icmp type

To identify an ICMP (Internet Control Message Protocol) type as the match criterion for a class map, use the match icmp type command in class map configuration mode. To remove the icmp type-based match criteria from a class map, use the no form of this command.

match {ipv4 | ipv6} icmp-type {value | [min-value - max-value]}

no match {ipv4 | ipv6} icmp-type {value | [min-value - max-value]}

Syntax Description

ipv4

Indicates an IPv4 ICMP type.

ipv6

Indicates an IPv6 ICMP type.

min-value

Lower limit of ICMP type range to match. Value range is 0 to 255.

max-value

Upper limit of ICMP type range to match. Value range is 0 to 255.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match an IPv4 ICMP type:

RP/0/RP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match ipv4 icmp-type 1
  

match packet length

To specify the packet length in the IP header as a match criterion in a class map, use the match packet length command in class-map configuration mode. To remove a previously specified packet length as a match criterion, use the no form of this command.

match packet length {value | [min-value - max-value]}

no match packet length {value | [min-value - max-value]}

Syntax Description

value

IP packet length. Range is from 0 to 65535.

min-value

Minimum length value to match. Value range is 0 to 65535.

max-value

Maximum length value to match. Value range is 0 to 65535.

Command Default

No default behavior or values.

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match a packet length value:

RP/0/RP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match packet length 3
  

match protocol

To identify a specific protocol as the match criterion for a class map, use the match protocol command in class map configuration mode. To remove protocol-based match criteria from a class map, use the no form of this command.

match [not] protocol {protocol-value [protocol-value1 . . . protocol-value7] | [min-value - max-value]}

no match [not] protocol {protocol-value [protocol-value1 . . . protocol-value7] | [min-value - max-value]}

Syntax Description

not

(Optional) Negates the specified match result.

protocol-value

A protocol identifier. A single value for protocol-value (any combination of numbers and names) can be matched in one match statement.

min-value

Lower limit of protocol range to match. Value range is 0 - 255.

max-value

Upper limit of protocol range to match. Value range is 0 - 255.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release

Modification

Release 2.0

This command was introduced.

Release 3.3.0

The not keyword was added.

Release 5.2.0

The min-value and max-value variables were added.

Usage Guidelines

Definitions of traffic classes are based on match criteria, including protocols, access control lists (ACLs), input interfaces, QoS labels, and experimental (EXP) field values. Packets satisfying the match criteria for a class constitute the traffic for that class.

The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map. Available protocol names are listed in the table that follows.

The protocol-value argument supports a range of protocol numbers. After you identify the class, you may use the match protocol command to configure its match criteria.

Table 2. Protocol Names and Descriptions

Name      Description
ahp       Authentication Header Protocol
eigrp     Cisco Enhanced Interior Gateway Routing Protocol
esp       Encapsulation Security Payload
gre       Cisco Generic Routing Encapsulation Tunneling
icmp      Internet Control Message Protocol
igmp      Internet Gateway Message Protocol
igrp      Cisco IGRP Routing protocol
ipinip    IP in IP tunneling
ipv4      Any IPv4 protocol
ipv6      Any IPv6 protocol
mpls      Any MPLS packet
nos       KA9Q NOS Compatible IP over IP Tunneling
ospf      Open Shortest Path First, Routing Protocol
pcp       Payload Compression Protocol
pim       Protocol Independent Multicast
sctp      Stream Control Transmission Protocol
tcp       Transport Control Protocol
udp       User Datagram Protocol

Task ID

Task ID

Operations

qos

read, write

In this example, all TCP packets belong to class class1:


RP/0/RP0/CPU0:router(config)# class-map class1
RP/0/RP0/CPU0:router(config-cmap)# match protocol tcp
  

match source-address

To identify a specific source IP address explicitly as a match criterion in a class map, use the match source-address command in the class map configuration mode. To remove a specific source IP address from the matching criteria for a class map, use the no form of this command.

match source-address {ipv4 | ipv6} address

no match source-address {ipv4 | ipv6} address

Syntax Description

ipv4

Indicates an IPv4 address.

ipv6

Indicates an IPv6 address.

address

Specifies a source address.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match a source IPv4 address:


RP/0/RP0/CPU0:router(config)#class-map type traffic match-all A
RP/0/RP0/CPU0:router(config-cmap)# match source-address ipv4 59.2.1.2 255.255.255.0

match source-port

To identify a specific source port as the match criterion for a class map, use the match source-port command in class map configuration mode. To remove source port-based match criteria from a class map, use the no form of this command.

match source-port {source-port-value | | [min-value - max-value]}

no match source-port {source-port-value | | [min-value - max-value]}

Syntax Description

source-port-value

A port number. Range is from 0 to 65535.

min-value

Lower limit of source port range to match. Value range is 0 to 65535.

max-value

Upper limit of source port range to match. Value range is 0 to 65535.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match a source port:

RP/0/RP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match source-port 1
  

match tcp flag

To identify a TCP flag as the match criterion for a class map, use the match tcp-flag command in class map configuration mode. To remove the TCP flag-based match criteria from a class map, use the no form of this command.

match tcp-flag value any

no match tcp-flag value any

Syntax Description

value

TCP flag value. Range is from 1 to 4095 (hexadecimal).

any

Specifies a match based on any bit in the TCP flag.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to match a TCP flag:

RP/0/RP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RP0/CPU0:router(config-cmap)# match tcp-flag 2 any
  

policy-map

To create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in Global Configuration mode. To delete a policy map, use the no form of this command.

policy-map [type qos] policy-name

no policy-map [type qos] policy-name

Syntax Description

type qos

(Optional) Specifies type of the service policy.

qos

(Optional) Specifies a quality-of-service (QoS) policy map.

pbr

(Optional) Specifies a policy-based routing (PBR) policy map.

policy-name

Name of the policy map.

Command Default

A policy map does not exist until one is configured. Because a policy map is applied to an interface, no restrictions on the flow of data are applied to any interface until a policy map is created.

Type is QoS when not specified.

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 2.0

This command was introduced.

Release 3.3.0

Maximum number of classes permitted per policy map was increased to 32.

Release 3.6.0

The type qos keywords were added.

Maximum number of classes permitted per policy map was increased to 512.

Release 5.2.0

The pbr keyword was added.

Usage Guidelines

Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map. Entering the policy-map command enables policy map configuration mode in which you can configure or modify the class policies for that policy map.

You can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure the match criteria for a class. Because you can configure a maximum of 1024 classes in one policy map, no policy map can contain more than 1024 class policies. The maximum number of 1024 classes per policy includes the implicit default class and its child policies.

A single policy map can be attached to multiple interfaces concurrently.

Task ID

Task ID

Operations

qos

read, write

This example shows how to create a policy map called policy1 and configure two class policies included in that policy map. The policy map is defined to contain policy specification for class1 and the default class (called class-default) to which packets that do not satisfy configured match criteria are directed. Class1 specifies policy for traffic that matches access control list 136.


RP/0/RP0/CPU0:router(config)# class-map class1
RP/0/RP0/CPU0:router(config-cmap)# match access-group ipv4 136

RP/0/RP0/CPU0:router(config)# policy-map policy1
RP/0/RP0/CPU0:router(config-pmap)# class class1

RP/0/RP0/CPU0:router(config-pmap-c)# police cir 250
RP/0/RP0/CPU0:router(config-pmap-c)# set precedence 3
RP/0/RP0/CPU0:router(config-pmap-c)# exit

RP/0/RP0/CPU0:router(config-pmap)# class class-default
RP/0/RP0/CPU0:router(config-pmap-c)# queue-limit bytes 1000000
  

redirect (BGP Flowspec)

To route policy-based routing (PBR) traffic to a distributed denial-of-service (DDoS) scrubber, use the redirect command in policy-map configuration mode. To return the PBR traffic to the normal route, use the no form of this command.

redirect {default-route | nexthop } {IPv4-address | IPv6-address | route-target {AS-number: index | IPv4-address: index } | vrf vrf-name}

no redirect [ default-route | nexthop ]

Syntax Description

default-route

Forwards to the default nexthop for this packet

nexthop

Forwards to specified nexthop

IPv4 address

Input IPv4 Nexthop address

IPv6 address

Input IPv6 Nexthop address

route-target

Enter specific route-target string

AS-number: index

Enter 2-byte or 4-byte autonomous system number (AS) and index in hexadecimal or decimal format.

IPv4-address: index

Enter IPv4 address and index in hexadecimal or decimal format.

vrf vrf-name

Enter specific VRF name for the nexthop.

Command Default

None

Command Modes

Policy-map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to redirect PBR traffic to a virtual routing and forwarding (VRF) instance:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# policy-map type pbr test1
RP/0/RP0/CPU0:router(config-pmap)# class type traffic test1
RP/0/RP0/CPU0:router(config-pmap-c)# redirect nexthop vrf vrf1

service-policy

To configure a service policy on a flowspec subaddress family interface, use the service-policy command in the appropriate command mode.

service-policy type pbr policy-name

Syntax Description

type

Specifies type of the service policy.

pbr

Specifies a policy-based routing (PBR) policy map.

policy-name

Name of the policy map.

Command Default

No default behavior or values

Command Modes

IPv4 address family configuration

IPv6 address family configuration

VRF IPv4 address family configuration

VRF IPv6 address family configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows how to set up a service policy.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# flowspec
RP/0/RP0/CPU0:router(config-flowspec)# address-family ipv4
RP/0/RP0/CPU0:router(config-flowspec-af)# service-policy type pbr policy100
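
The commands on this page form a reference chain: a class map is named by class type traffic inside a PBR policy map, which is in turn named by service-policy under flowspec. The following added example (not Cisco code) audits a configuration for broken links in that chain and for interfaces exempted with flowspec disable. The sample configuration is constructed, all names in it are hypothetical, and treating only drop, redirect and set as actions is an assumption limited to what this page shows.

```python
import re

# Constructed sample configuration built only from commands documented on this
# page. All class, policy and VRF names are hypothetical.
SAMPLE_CONFIG = """\
class-map type traffic match-all c_ok
 match destination-address ipv4 59.2.1.2 255.255.255.0
!
policy-map type pbr p_ddos
 class type traffic c_ok
  drop
 class type traffic c_typo
  redirect nexthop vrf vrf1
 class type traffic c_noaction
!
class-map type traffic match-all c_noaction
 match destination-port 1
!
flowspec
 address-family ipv4
  service-policy type pbr p_ddos
 address-family ipv6
  service-policy type pbr p_missing
!
interface GigabitEthernet 0/2/0/2
 ipv4 flowspec disable
!
"""

CLASS_MAP = re.compile(r"class-map type traffic match-all (\S+)$")
POLICY_MAP = re.compile(r"policy-map type pbr (\S+)$")
CLASS_REF = re.compile(r"class type traffic (\S+)$")
SERVICE_POLICY = re.compile(r"service-policy type pbr (\S+)$")
INTERFACE = re.compile(r"interface (.+)$")
FS_DISABLE = re.compile(r"(ipv4|ipv6) flowspec disable$")
# Assumption: only the actions shown on this page count as an action.
ACTION = re.compile(r"(drop|redirect|set)\b")


def audit(config):
    """Return findings about broken references in a flowspec PBR config."""
    class_maps = set()
    policies = {}   # policy name -> {class name: [action lines]}
    applied = []    # policy names attached under flowspec
    disabled = []   # (interface, address family) pairs
    block = None    # (kind, name) of the top-level block being read
    current_class = None

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # a top-level line opens a new block
            current_class = None
            if m := CLASS_MAP.match(line):
                class_maps.add(m.group(1))
                block = ("class-map", m.group(1))
            elif m := POLICY_MAP.match(line):
                policies[m.group(1)] = {}
                block = ("policy-map", m.group(1))
            elif m := INTERFACE.match(line):
                block = ("interface", m.group(1))
            else:
                block = ("flowspec", None) if line == "flowspec" else None
            continue
        kind, name = block or (None, None)
        if kind == "policy-map":
            if m := CLASS_REF.match(line):
                current_class = m.group(1)
                policies[name][current_class] = []
            elif current_class and ACTION.match(line):
                policies[name][current_class].append(line)
        elif kind == "flowspec" and (m := SERVICE_POLICY.match(line)):
            applied.append(m.group(1))
        elif kind == "interface" and (m := FS_DISABLE.match(line)):
            disabled.append((name, m.group(1)))

    # References are resolved after the whole file is read, so a class map
    # defined below the policy map that uses it is still found.
    findings = []
    for policy, classes in policies.items():
        for cls, actions in classes.items():
            if cls not in class_maps:
                findings.append(f"policy-map {policy}: class {cls} has no class-map")
            if not actions:
                findings.append(f"policy-map {policy}: class {cls} has no action")
    for policy in applied:
        if policy not in policies:
            findings.append(f"flowspec: service-policy {policy} is not defined")
    for ifname, afi in disabled:
        findings.append(f"interface {ifname}: {afi} flowspec disabled")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the misspelled class reference, the class without an action, the undefined service policy and the interface on which flowspec is disabled.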

show flowspec

To display flowspec policy information for an interface, use the show flowspec command in EXEC mode.

show flowspec {afi-all | client | ipv4 | ipv6 | summary | vrf}

Syntax Description

afi-all

Displays flowspec policy applied on IPv4 and IPv6 interfaces.

client

Displays flowspec client interfaces.

ipv4

Displays flowspec policy applied on IPv4 interfaces.

ipv6

Displays flowspec policy applied on IPv6 interfaces.

summary

Displays flowspec policy summary on all interfaces.

vrf

Displays flowspec policy applied on VRF interfaces.

Command Default

No default behavior or values

Command Modes

EXEC

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

This example shows sample output from the show flowspec command when the vrf, ipv4, and summary keywords are used.

RP/0/RP0/CPU0:router# show flowspec vrf vrf1 ipv4 summary
Mon May 19 12:59:41.226 PDT
Flowspec VRF+AFI table summary:
VRF: vrf1
  AFI: IPv4
    Total Flows:              3
    Total Service Policies:   1