BGP Flowspec Considerations

When a device is downgraded to a release that is earlier than 18r.2.00, the BGP flowspec feature does not work.

Data plane considerations

Only non-VPN IPv4 BGP flowspec is supported.
Match types other than the 12 BGP flowspec NLRI sub-component types described in Distribution of Flowspec Rules by BGP are considered unknown. A flowspec NLRI that contains an unknown match type is considered invalid and is not advertised or installed in the hardware.
The following TCP flags are not supported:
- Explicit Congestion Notification Echo (ECE)
- Congestion Window Reduced (CWR)
Two-byte TCP flags are not supported.
When a TCP flag sub-component is larger than one byte, a RASlog message is triggered and it is not installed in the hardware. However, it is advertised to peer devices.
Only the IsF bit is supported for BGP flowspec NLRI sub-component type 12 (Fragment). DF, FF, and LF bit functionality is not supported.
When the match criteria of a stanza in a flowspec route map requires an NLRI length that is greater than 4095, the route map is not installed or advertised by BGP.
Actions other than the four BGP flowspec traffic filtering actions described in BGP Flowspec Traffic Filtering Actions are considered unknown. For a flowspec NLRI that contains an unknown action:
- The unknown action (user-defined extended community or unknown action) is not installed.
- The remaining flowspec rules are installed.
- The flowspec NLRI is advertised to peers with the unknown extended communities.
Copy or mirror action is not supported.
When a rate-limiting action is set under a BGP flowspec rule, the operational rate value may differ from the rate value specified in the flowspec rule because operational values are selected in multiples of 22 kbits per second.
Note
When the rate-limiting action under a BGP flowspec rule is set to a value that is lower than 22 kbits per second, matched data traffic is dropped.
With the default TCAM profile, BGP flowspec routes configured with the following match criteria can be advertised but not installed in the hardware:
- IP fragment
- Packet length
- ICMP code
- ICMP type
To maximize the BGP flowspec match criteria and actions supported in the hardware, a BGP flowspec profile must first be enabled in the hardware by the profile tcam border-routing command.
Traffic-marking (set dscp) is not supported in the default TCAM profile.
With the default TCAM profile, flowspec can be used only when there are no user-defined VRFs.
BGP flowspec rules are applied on all Layer 3 interfaces of the specified VRF.
IPv4 BGP flowspec rules are applied only to IPv4 data traffic. They are not applied to IPv6 data traffic.
CAM sharing is not supported in the border routing TCAM profile.
Several match commands, such as match dscp, support a range option. Use the range option with caution because many TCAM entries may be created when the rules are expanded.
Redirection to multiple nexthop addresses is not supported. When multiple redirect nexthops are configured, only the first valid, reachable nexthop is used. If the first nexthop becomes invalid or unreachable, then the next configured, valid, reachable nexthop is used.
Matching of traffic flow with subsequent flowspec rules (terminal-action) is not supported.
Each flowspec rule may be expanded to several access control list (ACL) rules in TCAM. When TCAM is full, a RASlog message is displayed. However, the BGP transit functionality of advertising and receiving flowspec rules can continue when TCAM is full or a flowspec rule is not installed in TCAM.
BGP flowspec rules are prioritized over policy-based routing rules. Policy-based routing rules are prioritized over ACL rules.

Control plane considerations

A maximum of 1,000 (configured and received) flowspec rules is a best practice.
Note
In BGP RIB-in, there is no hard-coded limit for BGP flowspec routes. When sufficient memory exists, BGP RIB-in receives more routes. However, a maximum of 1,000 routes is a best practice.
Any match criterion or traffic action in a BGP flowspec route that is not supported in the hardware is still received and advertised by BGP.
Dampening and soft reconfiguration is not supported for the BGP flowspec address family.
The nexthop path attribute is not added to BGP flowspec routes by default.