Configure BGP Flowspec Rules

BGP flowspec rules consist of match criteria and traffic actions that are configured under a route-map sequence number. Each sequence number or stanza in the route map becomes a flowspec rule.

About this task

The following task shows how to configure a selection of BGP flowspec rules. Your configuration may involve different combinations of match criteria and traffic filtering actions.

Procedure

  1. From privileged EXEC mode, enter global configuration mode.
    device# configure terminal
  2. Create a route map for BGP flowspec rules that allows a matching pattern.
    device(config)# route-map flowspec_map permit 56
    This example creates a route map named flowspec_map that allows a matching pattern and enters configuration mode for the route-map sequence number 56.
    Note

    Route-map deny sequences are not advertised as flowspec rules and deny configurations are ignored.
  3. Configure matching based on destination prefix.
    device(config-route-map-flowspec_map/permit/56)# match ip destination-address 10.2.3.0/24
  4. Configure matching based on protocol number.
    device(config-route-map-flowspec_map/permit/56)# match protocol eq 30
  5. Configure matching based on a range of protocol numbers.
    device(config-route-map-flowspec_map/permit/56)# match protocol range 40 50
  6. Configure matching based on traffic having all specified TCP flags.
    device(config-route-map-flowspec_map/permit/56)# match tcp-flags all not-fin ack
    In this example, because the all option is specified, a match occurs when traffic matches all of the specified options (not-fin and ack).
  7. Configure matching based on traffic having any of the specified TCP flags.
    device(config-route-map-flowspec_map/permit/56)# match tcp-flags any cwr urg
    Because the any option is specified in this example, a match occurs when traffic has any of the specified flags set (cwr or urg).
  8. Configure matching based on traffic having an ICMP type that is not equal to 5.
    device(config-route-map-flowspec_map/permit/56)# match ip icmp-type neq 5
  9. Configure a committed information rate (CIR) action.
    device(config-route-map-flowspec_map/permit/56)# set police cir 0
  10. Configure a mirroring destination.
    device(config-route-map-flowspec_map/permit/56)# set ip mirror 10.67.67.9
  11. Return to privileged EXEC mode.
    device(config-route-map-flowspec_map/permit/56)# end
  12. If you configured a route map for the first time, activate the BGP flowspec rules. For more information, see Distribute BGP Flowspec Rules.

Example

The following example summarizes the commands in this task.

device# configure terminal
device(config)# route-map flowspec_map permit 56
device(config-route-map-flowspec_map/permit/56)# match ip destination-address 10.2.3.0/24
device(config-route-map-flowspec_map/permit/56)# match protocol eq 30
device(config-route-map-flowspec_map/permit/56)# match protocol range 40 50
device(config-route-map-flowspec_map/permit/56)# match tcp-flags all not-fin ack
device(config-route-map-flowspec_map/permit/56)# match tcp-flags any cwr urg
device(config-route-map-flowspec_map/permit/56)# match ip icmp-type neq 5
device(config-route-map-flowspec_map/permit/56)# set police cir 0
device(config-route-map-flowspec_map/permit/56)# set ip mirror 10.67.67.9
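As an added illustration (not part of this documentation and not the vendor's code), the following Python encodes the match criteria of sequence 56 into the BGP flowspec NLRI wire format of RFC 8955 and builds the traffic-rate extended community that carries set police cir 0. It assumes the two protocol matches and the two tcp-flags matches are ORed within their component, uses 0 as a placeholder AS number, and omits set ip mirror, which has no standard RFC 8955 action.

```python
import struct

# Numeric operator bits (RFC 8955 section 4.2.1.1); len bits are 0 for 1-byte values.
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01
NOT = 0x02                      # bitmask operator: negate; m=0 means "any bit set"
TCP = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
       "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}


def ops(terms):
    """Encode (operator, value) pairs; the END bit is set on the last pair."""
    out = bytearray()
    for i, (op, val) in enumerate(terms):
        out += bytes([op | (END if i == len(terms) - 1 else 0), val])
    return bytes(out)


def dest_prefix(prefix):
    """Type 1 payload: prefix length, then only the significant octets."""
    addr, plen = prefix.split("/")
    plen = int(plen)
    octets = bytes(int(o) for o in addr.split("."))[:(plen + 7) // 8]
    return bytes([plen]) + octets


def flowspec_nlri(components):
    """components: (type, payload) pairs in ascending type order (RFC 8955 4.1)."""
    body = b"".join(bytes([t]) + p for t, p in components)
    assert len(body) < 240, "longer NLRI needs the 2-byte 0xF0xx length form"
    return bytes([len(body)]) + body


def traffic_rate(as_num, bytes_per_sec):
    """traffic-rate extended community 0x8006; a rate of 0.0 drops all traffic."""
    return struct.pack("!BBHf", 0x80, 0x06, as_num, bytes_per_sec)


def route_map_56():
    """NLRI for the match statements of route-map flowspec_map permit 56."""
    proto = ops([(EQ, 30),                         # match protocol eq 30
                 (GT | EQ, 40), (AND | LT | EQ, 50)])  # OR match protocol range 40 50
    icmp = ops([(LT | GT, 5)])                     # match ip icmp-type neq 5
    tcp = ops([(0, TCP["ack"]), (AND | NOT, TCP["fin"]),  # all not-fin ack
               (0, TCP["cwr"] | TCP["urg"])])      # OR any cwr urg (any bit set)
    return flowspec_nlri([(1, dest_prefix("10.2.3.0/24")),
                          (3, proto), (7, icmp), (9, tcp)])


if __name__ == "__main__":
    print(route_map_56().hex(), traffic_rate(0, 0.0).hex())
```

Components within one NLRI are ANDed, so the full sequence-56 rule as written is illustrative only: a packet cannot carry protocol 30 (or 40-50), TCP flags and an ICMP type at the same time, and the cir 0 action therefore never fires on real traffic.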