BGP FlowSpec Route-reflector Support

Similar documents
BGP Support for Next-Hop Address Tracking

BGP Link Bandwidth. Finding Feature Information. Prerequisites for BGP Link Bandwidth

APNIC elearning: BGP Basics. Contact: erou03_v1.0

basic BGP in Huawei CLI

BGP Link Bandwidth. Finding Feature Information. Contents

BGP Attributes and Path Selection

MPLS VPN Route Target Rewrite

How To Import Ipv4 From Global To Global On Cisco Vrf.Net (Vf) On A Vf-Net (Virtual Private Network) On Ipv2 (Vfs) On An Ipv3 (Vv

Lab 10: Confi guring Basic Border Gateway Protocol

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

APNIC elearning: BGP Attributes

This feature was introduced. This feature was integrated in Cisco IOS Release 12.2(11)T.

Understanding Route Aggregation in BGP

Flow-Based per Port-Channel Load Balancing

Configuring a Load-Balancing Scheme

BGP Multipath Load Sharing for Both ebgp and ibgp in an MPLS-VPN

BGP Best Path Selection Algorithm

Community tools to fight against DDoS

BSCI Module 6 BGP. Configuring Basic BGP. BSCI Module 6

VRRPv3: Object Tracking Integration

Application Note. Failover through BGP route health injection

Configuring a Load-Balancing Scheme

BGP Terminology, Concepts, and Operation. Chapter , Cisco Systems, Inc. All rights reserved. Cisco Public

IPv6 over MPLS VPN. Contents. Prerequisites. Document ID: Requirements

MPLS VPN - Route Target Rewrite

Using the Border Gateway Protocol for Interdomain Routing

BGP Router Startup Message Flow

UPDATE = [Withdrawn prefixes (Optional)] + [Path Attributes] + [NLRIs].

NAT TCP SIP ALG Support

BGP Basics. BGP Uses TCP 179 ibgp - BGP Peers in the same AS ebgp - BGP Peers in different AS's Private BGP ASN. BGP Router Processes

Configuring and Testing Border Gateway Protocol (BGP) on Basis of Cisco Hardware and Linux Gentoo with Quagga Package (Zebra)

Routing Protocol - BGP

Lab 4.2 Challenge Lab: Implementing MPLS VPNs

Implementing MPLS VPNs over IP Tunnels on Cisco IOS XR Software

Configuring a Load-Balancing Scheme

Image Verification. Finding Feature Information. Restrictions for Image Verification

Configuring BGP. Cisco s BGP Implementation

MPLS-based Layer 3 VPNs

Configuring IKEv2 Load Balancer

BGP: Frequently Asked Questions

BGP overview BGP operations BGP messages BGP decision algorithm BGP states

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

Implementing MPLS VPNs over IP Tunnels

MPLS. Cisco MPLS. Cisco Router Challenge 227. MPLS Introduction. The most up-to-date version of this test is at:

MPLS/VPN Overview Cisco Systems, Inc. All rights reserved. 1

DHCP Server Port-Based Address Allocation

Multihomed BGP Configurations

How To Understand Bg

Configuring Aggressive Load Balancing

Configuring MPLS Hub-and-Spoke Layer 3 VPNs

Firewall Stateful Inspection of ICMP

NetFlow v9 Export Format

Multiprotocol Label Switching Load Balancing

Introduction Inter-AS L3VPN

Analyzing Capabilities of Commercial and Open-Source Routers to Implement Atomic BGP

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Border Gateway Protocol (BGP)

Tutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia

Border Gateway Protocol BGP4 (2)

Notice the router names, as these are often used in MPLS terminology. The Customer Edge router a router that directly connects to a customer network.

Module 7. Routing and Congestion Control. Version 2 CSE IIT, Kharagpur

How To Set Up Bgg On A Network With A Network On A Pb Or Pb On A Pc Or Ipa On A Bg On Pc Or Pv On A Ipa (Netb) On A Router On A 2

Monitoring and Troubleshooting BGP Neighbor Sessions

RADIUS Server Load Balancing

Advanced BGP Policy. Advanced Topics

netkit lab bgp: multi-homed Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

Edge-1#show ip route Routing entry for /24. Known via "bgp 65001", distance 200, metric 0. Tag 65300, type internal

Firewall-on-Demand. GRNET s approach to advanced network security services management via bgp flow-spec and NETCONF. Leonidas Poulopoulos

Configuring DNS. Finding Feature Information

Getting Started with Configuring Cisco IOS NetFlow and NetFlow Data Export

Cisco IOS Flexible NetFlow Technology

no aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name]

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Inter-Autonomous Systems for MPLS VPNs

Chapter 6: Implementing a Border Gateway Protocol Solution for ISP Connectivity

Configuring BGP. The Cisco BGP Implementation

NetFlow Configuration Guide, Cisco IOS Release 15M&T

BGP-4 Case Studies. Nenad Krajnovic.

- Border Gateway Protocol -

BGP4 Case Studies/Tutorial

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Router and Routing Basics

Configuring Aggressive Load Balancing

E : Internet Routing

BGP Advanced Features and Enhancements

Using OSPF in an MPLS VPN Environment

Gateway of last resort is to network

BGP FORGOTTEN BUT USEFUL FEATURES. Piotr Wojciechowski (CCIE #25543)

Controlling Access to a Virtual Terminal Line

Border Gateway Protocol (BGP-4)

Simple Multihoming. ISP/IXP Workshops

Virtual Fragmentation Reassembly

Module 12 Multihoming to the Same ISP

MPLS Configration 事 例

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Configuring VoIP Call Setup Monitoring

HTTP 1.1 Web Server and Client

Transcription:

The BGP (Border Gateway Protocol) Flowspec (Flow Specification) Route Reflector feature enables service providers to control traffic flows in their network. This helps in filtering traffic and helps in taking action against distributed denial of service (DDoS) mitigation by dropping the DDoS traffic or diverting it to an analyzer. BGP flow specification provides a mechanism to encode flow specification rules for traffic flows that can be distributed as BGP Network Layer Reachability Information (NLRI). Finding Feature Information, page 1 Restrictions for, page 1 Information About, page 2 How to Configure, page 3 Configuration Examples for, page 10 Additional References for, page 11 Feature Information for, page 12 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Restrictions for In Cisco IOS 15.5(S) release, BGP flow specification is supported only on a route reflector. Mixing of address family matches and actions is not supported in flow spec rules. For example, IPv4 matches cannot be combined with IPv6 actions and vice versa. 1

Information About Information About Overview of Flowspec Flowspec specifies procedures for the distribution of flow specification rules as Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) that can be used in any application. It also defines application for the purpose of packet filtering in order to mitigate distributed denial of service attacks. A flow specification rule consists of a matching part encoded in the BGP NLRI field and an action part encoded as BGP extended community as defined in the RFC 5575. A flow specification rule is a set of data (represented in an n-tuple) consisting of several matching criteria that can be applied to IP packet data. BGP flow specification rules are internally converted to equivalent Cisco Common Classification Policy Language (C3PL) representing corresponding match and action parameters. In Cisco IOS 15.5(S) release, Flowspec supports following functions for the BGP route reflector: Flowspec rules defined in RFC 5575 IPv6 extensions Redirect IP extensions BGP flowspec validation Matching Criteria The following table lists the various Flowspec tuples that are supported for BGP. BGP Flowspec NLRI Type QoS Matching Field (IPv6) QoS Matching Field (IPv4) Input Value Type 1 IPv6 destination address IPv4 destination address Prefix length Type 2 IPv6 source address IPv4 source address Prefix length Type 3 IPv6 next header IPv4 protocol Type 4 IPv6 source or destination port IPv4 source or destination port Type 5 IPv6 destination port IPv4 destination port Type 6 IPv6 source port IPv4 source port Type 7 IPv6 ICMP type IPv4 ICMP type Type 8 IPv6 ICMP code IPv4 ICMP code Type 9 IPv6 TCP flags IPv4 TCP flags (2 bytes include reserved bits) Bit mask 2

How to Configure BGP Flowspec NLRI Type QoS Matching Field (IPv6) QoS Matching Field (IPv4) Input Value Type 10 IPv6 packet length IPv4 packet length Type 11 IPv6 traffic class IPv4 DSCP Type 12 Reserved IPv4 fragment bits Bit mask Type 13 IPv6 flow label How to Configure Configuring Perform this task to configure BGP FlowSpec on a route reflector. This task specifies only the IPv4 address family but, other address families are also supported for BGP flow specifications. Before You Begin Configure a BGP route reflector. SUMMARY STEPS 1. enable 2. configure terminal 3. router bgp autonomous-system-number 4. neighbor ip-address remote-as autonomous-system-number 5. address-family {ipv4 ipv6 vpnv4 vpnv6} flowspec 6. neighbor ip-address activate 7. neighbor ip-address route-reflector-client 8. end DETAILED STEPS Step 1 Step 2 Command or Action enable Device> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Device# configure terminal 3

Disabling BGP FlowSpec Validation Step 3 Step 4 Command or Action router bgp autonomous-system-number Device(config)# router bgp 1 neighbor ip-address remote-as autonomous-system-number Purpose Enters router configuration mode for the BGP routing process. Adds an entry to the BGP or multiprotocol BGP neighbor table. Step 5 Device(config-router)# neighbor 10.1.1.1 remote-as 1 address-family {ipv4 ipv6 vpnv4 vpnv6} flowspec Device(config-router)# address-family ipv4 flowspec Specifies the address family and enters address family configuration mode. Flowspec is supported on IPv4, IPv6, VPNv4 and VPNv6 address families. Step 6 neighbor ip-address activate Enables the exchange of information with a BGP neighbor. Step 7 Step 8 Device(config-router-af)# neighbor 10.1.1.1 activate neighbor ip-address route-reflector-client Device(config-router-af)# neighbor 10.1.1.1 route-reflector-client end Device(config-router-af)# end Configures the router as a BGP route reflector and configures the specified neighbor as its client. (Optional) Exits address family configuration mode and returns to privileged EXEC mode. Disabling BGP FlowSpec Validation Perform this task if you want to disable the BGP flow specification validations for ebgp peers. The validations are enabled by default. To know more about BGP flow specification validations, see RFC 5575 (draft-ietf-idr-bgp-flowspec-oid-01-revised Validation Procedure for BGP Flow Specifications). 4

Verifying SUMMARY STEPS 1. enable 2. configure terminal 3. router bgp autonomous-system-number 4. address-family {ipv4 ipv6 vpnv4 vpnv6} flowspec 5. neighbor ip-address validation off DETAILED STEPS Step 1 Step 2 Command or Action enable Device> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Device# configure terminal router bgp autonomous-system-number Device(config)# router bgp 1 address-family {ipv4 ipv6 vpnv4 vpnv6} flowspec Device(config-router)# address-family ipv4 flowspec Enters router configuration mode for the BGP routing process. Specifies the address family and enters address family configuration mode. Flowspec is supported on IPv4, IPv6, VPNv4 and VPNv6 address families. Step 5 neighbor ip-address validation off Disables validation of flow specification for ebgp peers. Device(config-router-af)# neighbor 10.1.1.1 validation off Verifying The show commands can be entered in any order. Before You Begin Configure BGP FlowSec on a route reflector. 5

Verifying SUMMARY STEPS 1. show bgp ipv4 flowspec 2. show bgp ipv4 flowspec detail 3. show bgp ipv4 flowspec summary 4. show bgp ipv6 flowspec 5. show bgp ipv6 flowspec detail 6. show bgp ipv6 flowspec summary 7. show bgp vpnv4 flowspec 8. show bgp vpnv4 flowspec all detail 9. show bgp vpnv6 flowspec 10. show bgp vpnv6 flowspec all detail DETAILED STEPS Step 1 show bgp ipv4 flowspec This command displays the IPv4 flowspec routes. Device# show bgp ipv4 flowspec BGP table version is 3, local router ID is 10.10.10.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i Dest:2.2.2.0/24 10.0.101.1 100 0 i *>i Dest:3.3.3.0/24 10.0.101.1 100 0 i Step 2 show bgp ipv4 flowspec detail This command displays the detailed information about IPv4 flowspec routes. Device# show bgp ipv4 flowspec detail BGP routing table entry for Dest:2.2.2.0/24, version 2 Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table) Advertised to update-groups: 1 Refresh Epoch 1 Local, (Received from a RR-client) 10.0.101.1 from 10.0.101.1 (10.0.101.1) Origin IGP, localpref 100, valid, internal, best Extended Community: FLOWSPEC Redirect-IP:0x000000000001 rx pathid: 0, tx pathid: 0x0 BGP routing table entry for Dest:3.3.3.0/24, version 3 Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table) Advertised to update-groups: 1 Refresh Epoch 1 Local, (Received from a RR-client) 6

Verifying 10.0.101.1 from 10.0.101.1 (10.0.101.1) Origin IGP, localpref 100, valid, internal, best rx pathid: 0, tx pathid: 0x0 Step 3 show bgp ipv4 flowspec summary This command displays the IPv4 flowspec neighbors. Device# show bgp ipv4 flowspec summary BGP router identifier 10.10.10.2, local AS number 239 BGP table version is 3, main routing table version 3 2 network entries using 16608 bytes of memory 2 path entries using 152 bytes of memory 2/2 BGP path/bestpath attribute entries using 304 bytes of memory 1 BGP AS-PATH entries using 24 bytes of memory 2 BGP extended community entries using 48 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 17136 total bytes of memory BGP activity 18/0 prefixes, 18/0 paths, scan interval 15 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.0.101.1 4 239 70 24 3 0 0 00:10:58 2 10.0.101.2 4 239 0 0 1 0 0 never Idle 10.0.101.3 4 240 0 0 1 0 0 never Idle 10.10.10.1 4 239 19 23 3 0 0 00:10:53 Step 4 show bgp ipv6 flowspec This command displays the IPv6 flowspec routes. Device# show bgp ipv6 flowspec BGP table version is 2, local router ID is 10.10.10.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *>i Dest:3::/0-24,Source:4::/0-24 FEC0::1001 100 0 i Step 5 show bgp ipv6 flowspec detail This command displays the detailed information about IPv6 flowspec routes. Device# show bgp ipv6 flowspec detail BGP routing table entry for Dest:3::/0-24,Source:4::/0-24, version 2 Paths: (1 available, best #1, table Global-Flowspecv6-Table) Advertised to update-groups: 2 Refresh Epoch 1 Local FEC0::1001 from FEC0::1001 (10.0.101.2) 7

Verifying Origin IGP, localpref 100, valid, internal, best rx pathid: 0, tx pathid: 0x0 Step 6 show bgp ipv6 flowspec summary This command displays the IPv6 flowspec neighbors. Device# show bgp ipv6 flowspec summary BGP router identifier 10.10.10.2, local AS number 239 BGP table version is 3, main routing table version 3 2 network entries using 16608 bytes of memory 2 path entries using 152 bytes of memory 2/2 BGP path/bestpath attribute entries using 304 bytes of memory 1 BGP AS-PATH entries using 24 bytes of memory 2 BGP extended community entries using 48 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 17136 total bytes of memory BGP activity 18/0 prefixes, 18/0 paths, scan interval 15 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.0.101.1 4 239 70 24 3 0 0 00:10:58 2 10.0.101.2 4 239 0 0 1 0 0 never Idle 10.0.101.3 4 240 0 0 1 0 0 never Idle 10.10.10.1 4 239 19 23 3 0 0 00:10:53 Step 7 show bgp vpnv4 flowspec This command displays the VPNv4 flowspec neighbors. Device# show bgp vpnv4 flowspec BGP table version is 2, local router ID is 10.10.10.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 200:200 *>i Dest:10.0.1.0/24 10.0.101.1 100 0 i Step 8 show bgp vpnv4 flowspec all detail This command displays the VPNv4 flowspec details. Device# show bgp vpnv4 flowspec all detail Route Distinguisher: 200:200 BGP routing table entry for 200:200:Dest:10.0.1.0/24, version 2 Paths: (1 available, best #1, table VPNv4-Flowspec-BGP-Table) Advertised to update-groups: 3 Refresh Epoch 1 Local 10.0.101.1 (via default) from 10.0.101.1 (10.0.101.1) 8

Verifying Origin IGP, localpref 100, valid, internal, best Extended Community: RT:100:100 rx pathid: 0, tx pathid: 0x0 Step 9 show bgp vpnv6 flowspec This command displays the VPNv6 flowspec neighbors. Device# show bgp vpnv6 flowspec BGP table version is 2, local router ID is 10.10.10.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP,? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 200:200 *>i SPort:=20640 FEC0::1001 100 0 i Step 10 show bgp vpnv6 flowspec all detail This command displays the VPNv6 flowspec details. Device# show bgp vpnv6 flowspec all detail Route Distinguisher: 200:200 BGP routing table entry for 200:200:SPort:=20640, version 2 Paths: (1 available, best #1, table VPNv6-Flowspec-BGP-Table) Advertised to update-groups: 3 Refresh Epoch 1 Local FEC0::1001 (via default) from FEC0::1001 (10.0.101.2) Origin IGP, localpref 100, valid, internal, best Extended Community: RT:100:100 rx pathid: 0, tx pathid: 0x0 9

Configuration Examples for Configuration Examples for BGP FlowSpec Route-reflector Support Configuring BGP FlowSpec on Route Reflector Configure BGP route reflector and inject flowspec in the route reflector. Figure 1: BGP Route Reflector Topology! Configure the topology!configure the interfaces on RR RR> enable RR# configure terminal RR(config)# interface E0/0 RR(config-if)# ip address 10.0.0.1 255.224.0.0 RR(config-if)# no shutdown RR(config-if)# exit RR(config)# interface S2/0 RR(config-if)# ip address 10.32.0.1 255.224.0.0 RR(config-if)# no shutdown RR(config-if)# exit RR(config)# interface S3/0 RR(config-if)# ip address 10.64.0.1 255.224.0.0 RR(config-if)# no shutdown!configure RR as the route reflector with S2/0(R1) and S2/0 (R2) as the neighbors RR(config)# router bgp 333 RR(config-router)# no synchronization RR(config-router)# network 10.0.0.0 mask 255.224.0.0 RR(config-router)# network 10.64.0.0 mask 255.224.0.0 RR(config-router)# network 10.32.0.0 mask 255.224.0.0 RR(config-router)# neighbor 10.64.0.2 remote-as 333 RR(config-router)# neighbor 10.32.0.2 remote-as 333 10

Additional References for!configure flowspec on route reflector RR(config-router)# address-family ipv4 flowspec RR(configure-router-af)# neighbor 10.64.0.2 activate RR(config-router)# neighbor 10.64.0.2 route-reflector-client RR(configure-router-af)# neighbor 10.32.0.2 activate RR(config-router)# neighbor 10.32.0.2 route-reflector-client!verify the configuration RR> show bgp ipv4 flowspec Additional References for BGP FlowSpec Route-reflector Support Related Documents Related Topic Cisco IOS commands BGP commands Document Title Cisco IOS Master Command List, All Releases Cisco IOS IP Routing: BGP Command Reference Standards and RFCs Standard/RFC RFC 5575 Title Dissemination of Flow Specification Rules Technical Assistance Description The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Link http://www.cisco.com/cisco/web/support/index.html 11

Feature Information for Feature Information for The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Table 1: Feature Information for Feature Name BGP FlowSpec Route-reflector Support BGP FlowSpec Route-reflector Support Releases 15.5(1)S Cisco IOS XE Release 3.14 Feature Information The BGP FlowSpec Route-reflector Support feature enables services providers to control traffic flows in their network and mitigate DDoS attack. The following command was introduced by this feature: address-family {ipv4 ipv6 vpnv4 vpnv6} flowspec. The BGP FlowSpec Route-reflector Support feature enables services providers to control traffic flows in their network and mitigate DDoS attack. This feature was introduced on the Cisco ASR 1000 Series Routers. The following command was introduced by this feature: address-family {ipv4 ipv6 vpnv4 vpnv6} flowspec. 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information