To configure an IPv4 flowspec engine, use the following configuration. As of today, flowspec can only be configured on the default VRF. To enter the BGP flowspec sub-context:
vrouter running bgp# neighbor A.B.C.D remote-as AS
vrouter running bgp# neighbor A.B.C.D address-family ipv4-flowspec
vrouter running ipv4-flowspec# enabled true
- AS: the remote autonomous system ID associated with the neighbor
- A.B.C.D: the remote BGP peer to peer with, using BGP flowspec address family support
routing bgp as 5 neighbor 184.108.40.206 remote-as 2 neighbor 220.127.116.11 address-family ipv4 flowspec ..
Flowspec Per Interface
One useful feature is the ability to apply flowspec to a specific interface instead of the whole machine. Although the IETF draft idr flowspec interface set is not implemented, it is possible to manually limit flowspec application to some incoming interfaces. Not doing so can result in unexpected behaviour, such as traffic being accounted twice or traffic slowing down (filtering has a cost). To limit flowspec to one specific interface, use the following command under the BGP flowspec family.
routing bgp address-family ipv4-flowspec enabled true local-install eth1
By default, flowspec is activated on all interfaces. Installing it on a named interface restricts flowspec to that interface only. Conversely, enabling any interface will flush all previously configured interfaces.
Flowspec redirect IP
Flowspec also allows traffic to be redirected according to nexthop IP information. BGP flowspec entries can carry a BGP extended community option which indicates that matching traffic should be redirected to the IP contained in the nexthop attribute of the received BGP update. Using that option to redirect traffic only requires ensuring that this IP is reachable through the routing table logic. For instance, create a static route:
vrf vrf0 routing static ipv4-route 18.104.22.168/32 next-hop 10.1.2.3
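The reachability requirement described above can be checked offline before redirect rules are accepted. The following is an added example, not part of the product documentation or its code: a simplified model of recursive routing-table lookup. The static route is the one from the page; the connected network on eth1, the other routes and all function names are constructed assumptions.

```python
import ipaddress

# Constructed routing table (assumption, not device output).
# ("via", next hop) = static route, ("dev", interface) = connected network.
ROUTES = {
    "18.104.22.168/32": ("via", "10.1.2.3"),  # static route from the page
    "10.1.2.0/24": ("dev", "eth1"),           # constructed connected network
    "192.0.2.0/24": ("via", "198.51.100.1"),  # constructed: next hop has no route
}

def lookup(ip, routes):
    """Longest-prefix match; returns (network, action) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, action in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best

def resolve_redirect(nexthop, routes, max_depth=8):
    """Follow routes recursively until a connected interface is reached.

    Returns the egress interface name, or None when the redirect IP (or a
    next hop on the way) has no route, or when the chain of next hops loops.
    """
    seen, current = set(), nexthop
    for _ in range(max_depth):
        if current in seen:
            return None  # routing loop
        seen.add(current)
        match = lookup(current, routes)
        if match is None:
            return None  # no route covers this address
        kind, target = match[1]
        if kind == "dev":
            return target
        current = target  # recurse on the static route's next hop
    return None

def audit(redirect_ips, routes):
    """Map each redirect IP to its egress interface (None = unreachable)."""
    return {ip: resolve_redirect(ip, routes) for ip in redirect_ips}

if __name__ == "__main__":
    for ip, dev in audit(["18.104.22.168", "192.0.2.7", "203.0.113.9"], ROUTES).items():
        print(f"{ip:>15} -> {dev or 'UNREACHABLE'}")
```

A redirect IP that resolves to None here is one for which the static route, or the route to its next hop, still has to be added.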