The Border Gateway Protocol (BGP) flow specification client feature enables a device to perform the role of a BGP flow specification client and receive flow specification rules from a BGP flow specification controller. Flow specification rules contain a set of match criteria and actions (also called flows). The flows are configured on a controller (device), which advertises the flows to the client device, or specific interfaces on the client.
Attention: IOS XE software supports the BGP flow specification client function and does not support the BGP flow specification controller function.
Prerequisites for BGP Flow Specification Client

Identify and configure flow specification rules on the controller.

Note: When the flow specification client is enabled, the matching criteria and corresponding actions in the controller's flows are remotely injected into the client device, and the flows are programmed into the platform hardware of the client device.
Restrictions for BGP Flow Specification Client

In the Cisco IOS 15.5(S) release, BGP flow specification is supported only on a BGP flow specification client and a route reflector.

Mixing of address family matches and actions is not supported in flow specification rules. For example, IPv4 matches cannot be combined with IPv6 actions and vice versa.
Information About BGP Flow Specification Client

BGP Flow Specification Model

The BGP protocol is used for flow specifications due to the unique advantages it offers. The three elements that are used to route flow specifications through BGP enabled devices are: controller, client, and route-reflector (which is optional). This document is specific to the client element function.

Though devices with the IOS XE software (such as ASR 1000, and so on) can perform the BGP flow specification client role and not the controller role, a brief outline of the BGP flow specification process is given below for better understanding.
The BGP flow specification functionality allows you to rapidly deploy and propagate filtering and policing functionality among a large number of BGP peer devices to mitigate the effects of a distributed denial-of-service (DDoS) attack over your network.

The BGP flow specification model comprises a client and a controller (route-reflector usage is optional). The controller is responsible for sending or injecting the flow specification NLRI entry. The client (acting as a BGP speaker) receives the NLRI and programs the hardware forwarding to act on the instruction from the controller. An illustration of this model is provided below.

In the above topology, the controller on the left-hand side injects the flow specification NLRI into the client on the right-hand side. The client receives the information, sends it to the flow specification manager component, and configures the ePBR (Enhanced Policy Based Routing) infrastructure, which in turn programs the platform hardware of the device. This way, you can create rules to handle DDoS attacks on your network.
Sample Flow Specification Client Configuration

First, associate the device to a BGP autonomous system and enable the flow specification policy mapping capability for the various address families. Then, identify a neighbor (through its IP address) as a BGP peer and enable the capability to exchange information between the devices through the neighbor activate command. This way, flow specification information can be exchanged between the client, controller, and any other flow specification client device.
The flow specification NLRI type consists of several optional sub-components. A specific packet is considered to match the flow specification when it matches the intersection (AND) of all the components present in the specification. The following are the supported component types or tuples that you can define:
BGP Flowspec NLRI Type | QoS Matching Field (IPv6)        | QoS Matching Field (IPv4)                      | Input Value
-----------------------+----------------------------------+------------------------------------------------+-------------------
Type 1                 | IPv6 destination address         | IPv4 destination address                       | Prefix length
Type 2                 | IPv6 source address              | IPv4 source address                            | Prefix length
Type 3                 | IPv6 next header                 | IPv4 protocol                                  | Multi-value range
Type 4                 | IPv6 source or destination port  | IPv4 source or destination port                | Multi-value range
Type 5                 | IPv6 destination port            | IPv4 destination port                          | Multi-value range
Type 6                 | IPv6 source port                 | IPv4 source port                               | Multi-value range
Type 7                 | IPv6 ICMP type                   | IPv4 ICMP type                                 | Multi-value range
Type 8                 | IPv6 ICMP code                   | IPv4 ICMP code                                 | Multi-value range
Type 9                 | IPv6 TCP flags                   | IPv4 TCP flags (2 bytes include reserved bits) | Bit mask
Type 10                | IPv6 packet length               | IPv4 packet length                             | Multi-value range
Type 11                | IPv6 traffic class               | IPv4 DSCP                                      | Multi-value range
Type 12                | Reserved                         | IPv4 fragment bits                             | Bit mask
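The intersection (AND) semantics and the component table above, worked through in code. This is an added example and not Cisco's code: it encodes an IPv4 flow specification NLRI as laid out in RFC 5575 for the rule that appears later on this page in the show bgp ipv4 flowspec output (destination 192.0.2.0/24, source 10.1.1.0/24, protocol 47, destination port 120 to 130, source port 25 to 30, DSCP 30) and evaluates constructed packets against it, including a packet with no port fields and a rule whose prefix belongs to the wrong address family. The packet representation (a dict keyed by component type), the sample packets, and every function and constant name are assumptions of this example.

```python
"""Encode a BGP flow specification NLRI (RFC 5575) and match packets against it.
Added example, not Cisco's code; packet representation and sample packets are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Component types from the table above (IPv4 column).
DEST_PREFIX, SRC_PREFIX, PROTO, PORT, DPORT, SPORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12
# Numeric operator bits (RFC 5575 section 4): end-of-list, AND-with-previous, lt, gt, eq.
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01


@dataclass
class NumericMatch:
    op: int                 # one (operator, value) item: op is a bitwise OR of LT, GT, EQ
    value: int
    and_prev: bool = False  # True: this item is ANDed with the previous one


@dataclass
class Rule:
    dest: ipaddress.IPv4Network | None = None
    src: ipaddress.IPv4Network | None = None
    numeric: dict[int, list[NumericMatch]] = field(default_factory=dict)


def _encode_prefix(ctype: int, net: ipaddress.IPv4Network) -> bytes:
    # Address families must not be mixed: an IPv4 flowspec NLRI cannot carry an IPv6 prefix.
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("IPv4 flowspec NLRI cannot carry a non-IPv4 prefix")
    nbytes = (net.prefixlen + 7) // 8  # only the significant prefix octets are sent
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _encode_numeric(ctype: int, items: list[NumericMatch]) -> bytes:
    out = bytearray([ctype])
    for i, m in enumerate(items):
        # Operator length bits: 00 = 1 octet, 01 = 2 octets, 10 = 4 octets of value.
        size, lenbits = (1, 0x00) if m.value < 0x100 else (2, 0x10) if m.value < 0x10000 else (4, 0x20)
        out.append(m.op | lenbits | (AND if m.and_prev else 0) | (END if i == len(items) - 1 else 0))
        out += m.value.to_bytes(size, "big")
    return bytes(out)


def encode_nlri(rule: Rule) -> bytes:
    """Return the NLRI: length octet(s) followed by components in ascending type order."""
    body = b""
    for ctype, net in ((DEST_PREFIX, rule.dest), (SRC_PREFIX, rule.src)):
        if net is not None:
            body += _encode_prefix(ctype, net)
    for ctype in sorted(rule.numeric):
        body += _encode_numeric(ctype, rule.numeric[ctype])
    if len(body) < 240:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body  # two-octet length form


def component_matches(items: list[NumericMatch], v: int) -> bool:
    """Evaluate an item list: AND-joined runs form terms, and the terms are ORed together."""
    result, term = False, True
    for i, m in enumerate(items):
        hit = bool((m.op & LT and v < m.value) or (m.op & GT and v > m.value) or (m.op & EQ and v == m.value))
        if i == 0 or m.and_prev:
            term = term and hit
        else:
            result, term = result or term, hit
    return result or term


def packet_matches(rule: Rule, pkt: dict) -> bool:
    """pkt keys: 'dst', 'src' (IPv4Address) plus component-type ints for the header fields present."""
    if rule.dest is not None and pkt["dst"] not in rule.dest:
        return False
    if rule.src is not None and pkt["src"] not in rule.src:
        return False
    for ctype, items in rule.numeric.items():
        if ctype == PORT:  # type 4: either the source or the destination port may satisfy it
            values = [pkt[t] for t in (SPORT, DPORT) if t in pkt]
        else:
            values = [pkt[ctype]] if ctype in pkt else []
        # A field the packet does not carry (e.g. ports on a non-initial fragment) cannot match.
        if not any(component_matches(items, v) for v in values):
            return False
    return True  # every component of the rule matched: intersection semantics


# The rule quoted in this page's 'show bgp ipv4 flowspec' output.
PAGE_RULE = Rule(ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.1.1.0/24"), {
    PROTO: [NumericMatch(EQ, 47)],
    DPORT: [NumericMatch(GT | EQ, 120), NumericMatch(LT | EQ, 130, and_prev=True)],
    SPORT: [NumericMatch(GT | EQ, 25), NumericMatch(LT | EQ, 30, and_prev=True)],
    DSCP: [NumericMatch(EQ, 30)],
})

# Constructed sample packets (not from the page).
HIT = {"dst": ipaddress.ip_address("192.0.2.10"), "src": ipaddress.ip_address("10.1.1.5"),
       PROTO: 47, DPORT: 125, SPORT: 27, DSCP: 30}
MISS = {**HIT, DPORT: 131}  # one component fails, so the intersection fails
```

encode_nlri(PAGE_RULE) produces a 26-octet body, which is 208 bits, the same figure the /208 suffix in the show output carries. Components are emitted in ascending type order because RFC 5575 requires it, and the length field switches to the two-octet form at 240 octets.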
How to Configure BGP Flow Specification Client

Configuring a Device As a Flow Specification Client and Establishing a BGP Peer Relationship With Neighbor

The following task explains configuration of a device as a BGP flow specification client. A device interface within a VRF instance can also perform the role of a BGP flow specification client.

Before you begin

Before configuring a device as a flow specification client, it is a good practice to identify and configure the flow specification controller device (and a route reflector, if required). When flow specification rules are configured on the controller, the rules are remotely injected into the client and the matching criteria and corresponding actions are programmed into the platform hardware of the client.

SUMMARY STEPS

1. enable
2. configure terminal
3. router bgp as-number
4. address-family {ipv4 | ipv6} flowspec
5. neighbor ip-address activate
6. exit
7. address-family {ipv4 | ipv6} flowspec vrf vrf-name
8. neighbor ip-address remote-as as-number
9. neighbor ip-address activate
10. exit

DETAILED STEPS

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: router bgp as-number
Example:
Device(config)# router bgp 100
Purpose: Specifies the autonomous system number and enters BGP configuration mode, allowing you to configure the BGP routing process.

Step 4
Command or Action: address-family {ipv4 | ipv6} flowspec
Example:
Device(config-bgp)# address-family ipv4 flowspec
Purpose: Specifies either the IPv4 or IPv6 address family, enters BGP address family configuration mode, and initializes the global address family for flow specification policy mapping.

Step 5
Command or Action: neighbor ip-address activate
Example:
Device(config-bgp-af)# neighbor 10.1.1.1 activate
Purpose: Places the device in neighbor configuration mode for BGP routing and configures the neighbor IP address as a BGP peer. Enables the device to advertise (and receive information), including its IP address, to its BGP neighbor.

Step 6
Command or Action: exit
Example:
Device(config-bgp-af)# exit
Purpose: Exits BGP address family configuration mode and enters BGP configuration mode.

Step 7
Command or Action: address-family {ipv4 | ipv6} flowspec vrf vrf-name
Purpose: Specifies either the IPv4 or IPv6 address family for the VRF, enters BGP address family configuration mode, and initializes the global address family for flow specification policy mapping.

Step 8
Command or Action: neighbor ip-address remote-as as-number
Purpose: Places the device in neighbor configuration mode for BGP routing and configures the neighbor (IP address) as a BGP peer. The remote-as keyword assigns the specified remote autonomous system number to the neighbor.

Step 9
Command or Action: neighbor ip-address activate
Purpose: Enables the device to advertise (and receive information), including its IP address, to its BGP neighbor.

Step 10
Command or Action: exit
Example:
Device(config-bgp-af)# exit
Purpose: Exits BGP address family configuration mode and enters BGP configuration mode.
Configuring a Flow Specification Policy On All Interfaces Of a Device

The following configuration task explains flow specification policy configuration on all interfaces of a device for the IPv4 and IPv6 address families, and on interfaces within a VRF instance.

SUMMARY STEPS

1. enable
2. configure terminal
3. flowspec
4. address-family ipv4
5. local-install interface-all
6. exit
7. address-family ipv6
8. local-install interface-all
9. exit
10. vrf vrf-name
11. address-family ipv4
12. local-install interface-all
13. exit
14. address-family ipv6
15. local-install interface-all
16. exit

DETAILED STEPS

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: flowspec
Example:
Device(config)# flowspec
Purpose: Enters flowspec configuration mode.

Step 4
Command or Action: address-family ipv4
Example:
Device(config-flowspec)# address-family ipv4
Purpose: Specifies the IPv4 address family and enters flow specification address family configuration mode.
Purpose: Provides a summary of the flow specification rules present on the node. In this example, the Tables field indicates that the flow specification policy mapping capability is enabled for the IPv4 and IPv6 address families. The Flows field indicates that a single flow has been defined across the entire table.
Step 2
Command or Action: show bgp ipv4 flowspec
Example:
Device# show bgp ipv4 flowspec
Dest:192.0.2.0/24, Source:10.1.1.0/24, DPort:>=120&<=130,SPort:>=25&<=30,DSCP:=30/208
BGP routing table entry for Dest:192.0.2.0/24, Source:10.1.1.0/24,Proto:=47,DPort:>=120&<=130,SPort:>=25&<=30,DSCP:=30/208
<snip>
Paths: (1 available, best #1)
Advertised to update-groups (with more than one peer):
0.3
Path #1: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.3 Local
0.0.0.0 from 0.0.0.0 (3.3.3.3) Origin IGP, localpref 100, valid, redistributed, best, group-best
Received Path ID 0, Local Path ID 1, version 42
Extended community: FLOWSPEC Traffic-rate:100,0
Purpose: Use this command to verify whether a flow specification rule configured on the flow specification controller (device) is available on the BGP side. In this example, redistributed indicates that the flow specification rule is not internally originated, but one that has been redistributed from the flow specification process to BGP. The extended community (the BGP attribute used to send the match and action criteria to peer devices) that is configured is also displayed. In this example, the action defined is to rate limit the traffic.
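Auditing what the client has actually accepted is the defender's side of this feature: the output above is the record of every rule a controller has pushed into the client. The following is an added example, not Cisco's code. It parses the rule line and its extended community from the output quoted above into a structured record and round-trips the FLOWSPEC traffic-rate extended community using the RFC 5575 layout (type 0x8006, a 2-octet AS number, then a 4-octet IEEE float rate in bytes per second). Assumptions of this example: the trailing /208 is taken as the NLRI length in bits (208 bits is 26 octets, the size of the encoded rule); Traffic-rate:100,0 is taken to list the AS field first and the rate second; '|' is assumed as an OR separator between alternatives (the page's sample uses only '&'); all function and field names are this example's own.

```python
"""Parse 'show bgp ipv4 flowspec' output and decode the FLOWSPEC traffic-rate action.
Added example, not Cisco's code; field order of 'Traffic-rate:ASN,RATE' is assumed."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass, field

# Output lines copied from this page (the routing table entry and its extended community).
SAMPLE_OUTPUT = [
    "Dest:192.0.2.0/24, Source:10.1.1.0/24,Proto:=47,DPort:>=120&<=130,SPort:>=25&<=30,DSCP:=30/208",
    "Extended community: FLOWSPEC Traffic-rate:100,0",
]

TRAFFIC_RATE_TYPE = b"\x80\x06"  # RFC 5575: transitive experimental, sub-type traffic-rate
_ITEM_RE = re.compile(r"(<=|>=|!=|=|<|>)(\d+)")


@dataclass
class FlowRule:
    dest: str | None = None
    source: str | None = None
    # field name -> alternatives (ORed); each alternative is a list of (operator, value) ANDed together
    numeric: dict[str, list[list[tuple[str, int]]]] = field(default_factory=dict)
    nlri_bits: int | None = None   # trailing /N, read as the NLRI length in bits (assumption)
    asn: int | None = None
    rate_bps: float | None = None  # bytes per second; 0.0 means discard all matching traffic


def parse_rule_line(line: str) -> FlowRule:
    """Parse 'Dest:...,Source:...,Proto:=47,.../208' into a FlowRule (action fields left unset)."""
    m = re.fullmatch(r"(.*)/(\d+)", line.strip())
    if m is None:
        raise ValueError(f"not a flowspec rule line: {line!r}")
    rule = FlowRule(nlri_bits=int(m.group(2)))
    for part in m.group(1).split(","):
        name, _, value = part.strip().partition(":")
        if name == "Dest":
            rule.dest = value
        elif name == "Source":
            rule.source = value
        else:
            # '&' joins the conditions of one range; '|' (assumed separator) splits alternatives
            rule.numeric[name] = [[(op, int(v)) for op, v in _ITEM_RE.findall(alt)]
                                  for alt in value.split("|")]
    return rule


def parse_traffic_rate_line(line: str) -> tuple[int, float]:
    """Return (asn, rate) from 'Traffic-rate:ASN,RATE'; the field order is an assumption."""
    m = re.search(r"Traffic-rate:(\d+),(\d+(?:\.\d+)?)", line)
    if m is None:
        raise ValueError(f"no traffic-rate community in {line!r}")
    return int(m.group(1)), float(m.group(2))


def encode_traffic_rate(asn: int, rate_bps: float) -> bytes:
    """8-octet extended community: type 0x80, sub-type 0x06, 2-octet AS, 4-octet float rate."""
    return TRAFFIC_RATE_TYPE + struct.pack(">Hf", asn, rate_bps)


def decode_traffic_rate(raw: bytes) -> tuple[int, float]:
    if len(raw) != 8 or raw[:2] != TRAFFIC_RATE_TYPE:
        raise ValueError("not a traffic-rate extended community")
    asn, rate = struct.unpack(">Hf", raw[2:])
    return asn, rate


def describe_action(rate_bps: float) -> str:
    # RFC 5575: a rate of 0 means all traffic for the flow is discarded.
    if rate_bps == 0:
        return "discard all matching traffic"
    return f"rate-limit matching traffic to {rate_bps:g} bytes/s"


def audit(lines: list[str]) -> list[FlowRule]:
    """Pair each rule line with the traffic-rate community that follows it."""
    rules: list[FlowRule] = []
    for line in lines:
        if line.lstrip().startswith("Dest:"):
            rules.append(parse_rule_line(line))
        elif "Traffic-rate:" in line and rules:
            rules[-1].asn, rules[-1].rate_bps = parse_traffic_rate_line(line)
    return rules
```

audit(SAMPLE_OUTPUT) yields one rule with nlri_bits 208 and rate_bps 0.0, so describe_action reports a discard, which is the strictest form of the rate limit the text describes. Running the same parser over the full output of a client lets an operator compare the installed rules against what the controller was expected to push.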
Feature Information for BGP Flow Specification Client

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1. Feature Information for BGP Flow Specification Client

Feature Name                  | Releases           | Feature Information
------------------------------+--------------------+--------------------
BGP Flow Specification Client | Cisco IOS XE 3.15S | The BGP flow specification client feature enables a device to perform the role of a BGP flow specification client and receive flow specification rules from a BGP flow specification controller. The following commands were introduced or modified: flowspec, local-install interface-all.