BGP Flowspec Considerations
When a device is downgraded to a release that is earlier than 18r.2.00, the BGP flowspec feature does not work.
Data plane considerations
- Only non-VPN IPv4 BGP flowspec is supported.
- Match types other than the 12 BGP flowspec NLRI sub-component types described in Distribution of Flowspec Rules by BGP are considered unknown. A flowspec NLRI that contains an unknown match type is considered invalid and is not advertised or installed in the hardware.
- The following TCP flags are not supported:
  - Explicit Congestion Notification Echo (ECE)
  - Congestion Window Reduced (CWR)
- Two-byte TCP flags are not supported.
- When a TCP flag sub-component is larger than one byte, a RASlog message is triggered and it is not installed in the hardware. However, it is advertised to peer devices.
- Only the IsF bit is supported for BGP flowspec NLRI sub-component type 12 (Fragment). DF, FF, and LF bit functionality is not supported.
- When the match criteria of a stanza in a flowspec route map requires an NLRI length that is greater than 4095, the route map is not installed or advertised by BGP.
- Actions other than the four BGP flowspec traffic filtering actions described in BGP Flowspec Traffic Filtering Actions are considered unknown. For a flowspec NLRI that contains an unknown action:
  - The unknown action (user-defined extended community or unknown action) is not installed.
  - The remaining flowspec rules are installed.
  - The flowspec NLRI is advertised to peers with the unknown extended communities.
- Copy or mirror action is not supported.
- When a rate-limiting action is set under a BGP flowspec rule, the operational rate value may differ from the rate value specified in the flowspec rule because operational values are selected in multiples of 22 kbits per second.
  Note
  When the rate-limiting action under a BGP flowspec rule is set to a value that is lower than 22 kbits per second, matched data traffic is dropped.
- With the default TCAM profile, BGP flowspec routes configured with the following match criteria can be advertised but not installed in the hardware:
  - IP fragment
  - Packet length
  - ICMP code
  - ICMP type
  To maximize the BGP flowspec match criteria and actions supported in the hardware, a BGP flowspec profile must first be enabled in the hardware by the profile tcam border-routing command.
- Traffic-marking (set dscp) is not supported in the default TCAM profile.
- With the default TCAM profile, flowspec can be used only when there are no user-defined VRFs.
- BGP flowspec rules are applied on all Layer 3 interfaces of the specified VRF.
- IPv4 BGP flowspec rules are applied only to IPv4 data traffic. They are not applied to IPv6 data traffic.
- CAM sharing is not supported in the border routing TCAM profile.
- Several match commands, such as match dscp, support a range option. Use the range option with caution because many TCAM entries may be created when the rules are expanded.
- Redirection to multiple nexthop addresses is not supported. When multiple redirect nexthops are configured, only the first valid, reachable nexthop is used. If the first nexthop becomes invalid or unreachable, then the next configured, valid, reachable nexthop is used.
- Matching of traffic flow with subsequent flowspec rules (terminal-action) is not supported.
- Each flowspec rule may be expanded to several access control list (ACL) rules in TCAM. When TCAM is full, a RASlog message is displayed. However, the BGP transit functionality of advertising and receiving flowspec rules can continue when TCAM is full or a flowspec rule is not installed in TCAM.
- BGP flowspec rules are prioritized over policy-based routing rules. Policy-based routing rules are prioritized over ACL rules.
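The match-type limits in this list can be checked before a rule is sent to the device. The following is an added example, not vendor code: it parses a flowspec NLRI body in the standard RFC 5575 encoding and reports which of the limits above it hits. The function name, the verdict labels and the sample bytes are assumptions of this example.

```python
# Added example, not vendor code. Verdict strings are this example's own labels.
DEFAULT_TCAM_NO_INSTALL = {7: "ICMP type", 8: "ICMP code",
                           10: "packet length", 12: "IP fragment"}
TCP_ECE_CWR = 0xC0  # ECE = 0x40, CWR = 0x80 in the TCP flags byte
FRAG_ISF = 0x02     # fragment bitmask: LF=0x08, FF=0x04, IsF=0x02, DF=0x01
RANK = ["ok", "unsupported", "advertise-only", "invalid"]

def check_nlri(body: bytes, border_routing_profile: bool = False):
    """Return (verdict, findings) for an NLRI body with the length field removed."""
    findings, verdict, i = [], "ok", 0
    def flag(level, text):
        nonlocal verdict
        findings.append(text)
        verdict = max(verdict, level, key=RANK.index)  # keep the most severe verdict
    if len(body) > 4095:
        flag("invalid", "NLRI length > 4095: not installed or advertised")
        return verdict, findings
    try:
        while i < len(body):
            ctype, i = body[i], i + 1
            if not 1 <= ctype <= 12:
                flag("invalid", f"unknown match type {ctype}: not advertised or installed")
                break  # cannot skip a value whose encoding is unknown
            if ctype in (1, 2):  # prefix: bit length, then ceil(bits / 8) bytes
                i += 1 + (body[i] + 7) // 8
                continue
            if ctype in DEFAULT_TCAM_NO_INSTALL and not border_routing_profile:
                flag("advertise-only", f"{DEFAULT_TCAM_NO_INSTALL[ctype]}: "
                     "advertised, not installed with the default TCAM profile")
            last = False
            while not last:  # list of (operator, value) pairs
                op = body[i]
                vlen = 1 << ((op >> 4) & 0x3)  # value length from the operator byte
                value = int.from_bytes(body[i + 1:i + 1 + vlen], "big")
                i += 1 + vlen
                last = bool(op & 0x80)  # end-of-list bit
                if ctype == 9 and vlen > 1:
                    flag("advertise-only", "TCP flags wider than one byte: advertised, not installed")
                if ctype == 9 and value & TCP_ECE_CWR:
                    flag("unsupported", "TCP flags ECE/CWR are not supported")
                if ctype == 12 and value & ~FRAG_ISF:
                    flag("unsupported", "fragment bits other than IsF are not supported")
    except IndexError:
        i = len(body) + 1  # ran off the end while reading a component
    if i > len(body):
        raise ValueError("truncated flowspec NLRI")
    return verdict, findings

# Constructed sample: destination 192.0.2.0/24, TCP flags match SYN (one-byte value)
SAMPLE = bytes.fromhex("0118c00002" "098102")
```

The "unsupported" label covers the cases where this section says only that a flag or bit is not supported, without stating whether the rule is still advertised.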
Control plane considerations
- A maximum of 1,000 (configured and received) flowspec rules is a best practice.
  Note
  In BGP RIB-in, there is no hard-coded limit for BGP flowspec routes. When sufficient memory exists, BGP RIB-in receives more routes. However, a maximum of 1,000 routes is a best practice.
- Any match criterion or traffic action in a BGP flowspec route that is not supported in the hardware is still received and advertised by BGP.
- Dampening and soft reconfiguration are not supported for the BGP flowspec address family.
- The nexthop path attribute is not added to BGP flowspec routes by default.