flowspec validation

Configures Border Gateway Protocol flow specification (BGP flowspec) route validation at address-family level.

Syntax

flowspec validation [ redirect ]
no flowspec validation [ redirect ]

Command Default

Flowspec validation is enabled.

Parameters

redirect
Specifies that the command applies only to validation of the redirect IP nexthop address.

Modes

BGP address-family IPv4 flowspec configuration mode

Usage Guidelines

Flowspec validation can be configured at neighbor, peer-group, or address-family level. The neighbor-level configuration takes priority over the peer-group level configuration, and the peer-group level configuration takes priority over the address-family level configuration.

Use the flowspec validation command to configure flowspec validation at address-family level. To configure flowspec validation at neighbor or peer-group level, refer to the neighbor flowspec validation command.

By default, flowspec validation is enabled. Use the no form of the flowspec validation command to completely disable flowspec validation at address-family level. To disable only redirect IP nexthop validation at address-family level, use the no form of the flowspec validation command specifying the redirect option.

Only one flowspec validation configuration is allowed at a time. Configuration operates as follows:
  • When complete flowspec validation is already disabled, issuing the no flowspec validation command specifying the redirect option has no impact; complete flowspec validation remains disabled.
  • When the redirect option is already disabled, issuing the no flowspec validation command without the redirect option changes the configuration to complete flowspec validation disabled.

Examples

The following example shows how to disable IPv4 flowspec validation. Because the redirect option is specified, only redirect IP nexthop validation is disabled for the IPv4 address family in the default VRF.

device# configure terminal
device(config)# router bgp
device(config-bgp-router)# address-family ipv4 flowspec 
device(config-bgp-ipv4fs)# no flowspec validation redirect

When flowspec validation is already completely disabled, issuing the no flowspec validation command specifying the redirect option does not change the configuration. The following example shows how to completely disable flowspec validation for the IPv4 address family in a VRF named red and to verify the configuration. The no flowspec validation command is then issued specifying the redirect option, and the configuration is again displayed to show that flowspec validation remains completely disabled.

device(config)# configure terminal
device(config)# router bgp 
device(config-bgp-router)# address-family ipv4 flowspec vrf red 
device(config-bgp-ipv4fs-vrf)# no flowspec validation        !completely disables flowspec validation!
device(config-bgp-ipv4fs-vrf)# end
device(config)# show running-configuration router bgp address-family ipv4 flowspec vrf red 
!
router bgp 
  address-family ipv4 flowspec vrf red 
  no flowspec validation
!
device(config)# configure terminal 
device(config)# router bgp 
device(config-bgp-router)# address-family ipv4 flowspec vrf red 
device(config-bgp-ipv4fs-vrf)# no flowspec validation redirect 
device(config-bgp-ipv4fs-vrf)# end
device(config)# show running-configuration router bgp address-family ipv4 flowspec vrf red 
!
router bgp 
  address-family ipv4 flowspec vrf red 
  no flowspec validation                        !flowspec validation remains completely disabled!
!
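
The following audit script is an added example, not vendor code. It reads running-configuration text in the layout shown above and reports the flowspec validation state of each IPv4 flowspec address family. The names audit_flowspec_validation and findings are hypothetical, SAMPLE is constructed, and neighbor and peer-group overrides are not evaluated because their syntax is not shown on this page.

```python
import re

# Constructed sample in the layout of the running-configuration output above.
SAMPLE = """\
router bgp
  address-family ipv4 flowspec
  no flowspec validation redirect
  !
  address-family ipv4 flowspec vrf red
  no flowspec validation        !completely disables flowspec validation!
  !
  address-family ipv4 flowspec vrf blue
!
"""

ENABLED, REDIRECT_DISABLED, DISABLED = "enabled", "redirect-disabled", "disabled"
_RANK = {ENABLED: 0, REDIRECT_DISABLED: 1, DISABLED: 2}
_AF = re.compile(r"^address-family ipv4 flowspec(?: vrf (\S+))?$")
_NO = re.compile(r"^no flowspec validation( redirect)?$")


def audit_flowspec_validation(config_text):
    """Map each IPv4 flowspec address family (keyed by VRF) to its validation state."""
    states, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop "!" separators and trailing notes
        if not line:
            continue
        af = _AF.match(line)
        if af:
            current = af.group(1) or "default"
            states.setdefault(current, ENABLED)  # command default: validation enabled
        elif line.startswith(("address-family ", "router ")):
            current = None  # left the flowspec address-family context
        elif current is not None and (no := _NO.match(line)):
            new = REDIRECT_DISABLED if no.group(1) else DISABLED
            # Complete disable always wins over redirect-only disable.
            if _RANK[new] > _RANK[states[current]]:
                states[current] = new
    return states


def findings(config_text):
    """VRFs whose address-family configuration weakens flowspec validation."""
    states = audit_flowspec_validation(config_text)
    return sorted(vrf for vrf, state in states.items() if state != ENABLED)


if __name__ == "__main__":
    for vrf, state in audit_flowspec_validation(SAMPLE).items():
        print(f"{vrf}: {state}")
```

An address family that shows as enabled here can still have validation disabled for individual neighbors or peer groups, since those levels take priority.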