BGP Flowspec VPNv4

Introduction

This document provides a sample configuration for setting up BGP Flowspec over an MPLS backbone, specifically within edge VRFs. Most examples only show a configuration for the global default routing table; this document shows how to configure Flowspec for MPLS VPNs (VPNv4).

BGP Flowspec VPNv4

  • Flowspec defines a way to distribute filtering policy (ACL-like rules) to edge devices using BGP, for DDoS mitigation.
  • It defines a new route type (NLRI) that carries a rule with a matching part and an action part.
    • Matching - is encoded in the new Flowspec NLRI fields. A match can include source/destination prefix, protocol, ports, etc.
    • Action - is encoded in a BGP extended community. Actions can be apply a policy, drop, redirect, etc.
  • The policy is defined in a policy-map of type pbr.
  • Classes are defined using a class-map of type traffic.
  • Architecturally, Flowspec consists of a controller and clients.
    • The controller is where new filtering policies are configured; it distributes them to the clients.
    • The clients receive the filtering policy, program it into hardware and filter traffic based on it.

Configuration

  • Configuring the clients:
    • Enable the flowspec address family under the VRF.
    • Specify the import route-target.
    • Enable address-family ipv4 flowspec under BGP.
    • Enable address-family vpnv4 flowspec under BGP.
    • Enable address-family ipv4 flowspec under the VRF section of the BGP configuration.
    • Enable address-family vpnv4 flowspec under the BGP neighbor facing the MPLS backbone.
  • Sample configuration:
  • Configuring the controller:
    • Enable the flowspec address family under the VRF.
    • Specify the export route-target.
    • Enable address-family ipv4 flowspec under BGP.
    • Enable address-family vpnv4 flowspec under BGP.
    • Enable address-family ipv4 flowspec under the VRF section of the BGP configuration.
    • Enable address-family vpnv4 flowspec under the BGP neighbor facing the MPLS backbone.
  • Sample configuration:
  • Configuring the Flowspec policy:
    • Add the VRF and address-family ipv4 under the flowspec configuration mode.
    • Define a class-map of type traffic to classify the flows to filter.
    • Define a policy-map of type pbr that references each class-map and assigns an action to each flow.
    • Apply the policy-map under the flowspec VRF configuration mode.
  • Sample Configuration:
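The three procedures above combined into one IOS XR configuration for the controller PE. This is an added example, not the page's own sample configuration; the VRF name PUBLIC, the destination host 50.62.80.13 and the peer 10.1.1.20 come from the page, while AS 65000, RT/RD 65000:100, Loopback0, UDP/53 and the class/policy names are assumed.

```cisco
! Added example (not the page's sample configuration). Controller PE.
! Assumed: AS 65000, RT/RD 65000:100, Loopback0, UDP/53, class/policy names.
! A client PE is identical except "import route-target" replaces "export",
! and the class-map/policy-map/flowspec section is not needed.
vrf PUBLIC
 address-family ipv4 flowspec
  export route-target
   65000:100
  !
 !
!
router bgp 65000
 address-family ipv4 flowspec
 !
 address-family vpnv4 flowspec
 !
 neighbor 10.1.1.20
  remote-as 65000
  update-source Loopback0
  address-family vpnv4 flowspec
  !
 !
 vrf PUBLIC
  rd 65000:100
  address-family ipv4 flowspec
  !
 !
!
! Match part (becomes the Flowspec NLRI): destination host from the
! troubleshooting section; UDP/53 is an assumed illustrative flow.
class-map type traffic match-all FS-DNS-TO-VICTIM
 match destination-address ipv4 50.62.80.13 255.255.255.255
 match protocol udp
 match destination-port 53
 end-class-map
!
! Action part (becomes the traffic-rate 0 extended community): drop.
policy-map type pbr FS-PUBLIC
 class type traffic FS-DNS-TO-VICTIM
  drop
 !
 end-policy-map
!
flowspec
 vrf PUBLIC
  address-family ipv4
   service-policy type pbr FS-PUBLIC
  !
 !
!
```

After committing, the route should appear in `show bgp vrf PUBLIC ipv4 flowspec` on the controller and, once imported via the route-target, in the same table on each client.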

Troubleshooting

  • Check the flowspec configuration.
show run flowspec
  • Check that the VRF is configured with the correct address-family and import/export route-targets.
show run vrf PUBLIC address-family ipv4 flowspec
  • Verify that the flowspec routes are in the local BGP VRF table.
show bgp vrf PUBLIC ipv4 flowspec
  • Check the detailed flowspec route.
  • Verify that it has a route-target attached and that it carries the extended community for the Flowspec action.
show bgp vrf PUBLIC ipv4 flowspec Dest:50.62.80.13/32/48
  • Check whether any BGP neighbors have this SAFI configured and up.
show bgp vpnv4 flowspec summary
  • Verify advertised/received MP-BGP capabilities.
show bgp vpnv4 flowspec neighbors 10.1.1.20 | begin capability
  • Check the installed routes/policy and traffic matches.
sh flowspec vrf PUBLIC ipv4 detail

Additional Resources

Implementing BGP Flowspec - Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.2.x
ASR9000/XR: Understanding BGP flowspec (BGP-FS) - Cisco Support Community

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License