show ip flowspec rules

Displays Border Gateway Protocol flow specification (BGP flowspec) rules that are considered for installation into the hardware.

Syntax

show ip flowspec rules [ detail ] [ local | remote ] [ vrf vrf-name ]

Parameters

detail
Specifies the display of detailed information which includes statistics for flowspec rules.
local
Specifies the display of only local flowspec rules.
remote
Specifies the display of only remote flowspec rules.
vrf vrf-name
Specifies the display of flowspec rule information for a VRF instance.

Modes

Privileged EXEC mode

Usage Guidelines

When a VRF is not specified, the show ip flowspec rules command displays information for the default VRF.

Displayed rules are sorted according to the sorting algorithm described in RFC 5575.

Output

The show ip flowspec rules command displays the following information:

Output field Description
VRF Name of a VRF instance
Total number of Flowspec rules Number of configured flowspec rules
Origin
Active Installation status of the BGP flowspec rule in the hardware. Values include:
  • Yes—The complete rule is installed
  • Yes (Match criteria contains expressions that always evaluate to FALSE)—Partial match criteria are installed
  • No (Match criteria always evaluates to FALSE)—The rule is not installed
  • No (Rule contains unsupported match criteria or actions or no TCAM space available)—The rule was passed to the hardware but could not be installed.
  • No (invalid Match combinations)—Different Layer 4 protocol types (for example, ICMP type and port) are used in match criteria.
Match Match criteria
Dst Destination prefix
Src Source prefix
Protocol IP protocol for IPv4
Port Port number
DPort Desination port number
SPort Source port number
ICMP-type Internet Control Message Protocol type
ICMP-Code ICMP code
TCP-flags TCP flags (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)
Pkt-length Packet length
DSCP IP Differentiated Services Code Point
Fragment Fragment (DF, FF, IsF, DF)
Actions Traffic filtering actions
Traffic-rate Traffic-rate
Traffic-action Traffic-action
Redirect IP Nexthop Redirect IP Nexthop
Traffic-remarketing (DSCP) Traffic-remarketing (DSCP)
Statistics Statistics
Matched Number of packets or bytes that match the flowspec rule
Transmitted Number of packets matching the flowspec rule that are transmitted
Dropped Number of packets matching the flowspec rule that are dropped

Examples

The following example shows how to display BGP flowspec rule information for the default VRF.

device# show ip flowspec rules

VRF :default-vrf VRF ID : 1
Total number of Rules: 2

1  Origin: Remote(51.51.51.254) Active: No (unsupported match/action type OR No TCAM space available)
   Match:
      Dst          51.0.0.0/8
      DPort        =64051
   Actions:
      Traffic-rate  asn:51 rate 51000000 bytes/sec (operational-rate 51328125 bytes/sec)

2  Origin: Remote(61.61.61.1) Active: Yes
   Match:
      DPort        <9876
   Actions:
      Traffic-rate  asn:111 rate 187500 bytes/sec (operational-rate 186750 bytes/sec)

The following example shows how to display detailed BGP flowspec rule information for the default VRF.

device# show ip flowspec rules detail 

VRF :default-vrf 
Total number of Rules: 2 

1 Origin: Local(flowmap:23) Active: Yes 
  Match: 
     DSCP         <60 
  Actions: 
     Traffic-rate asn 666, rate 125000 bits/sec(operational-rate 132000 bits/sec) 

  Statistic       packets/bytes 
  -------------   ------------ 
    Matched       17412786/12589441782 
    Transmitted   1453/1048023
    dropped       17411333/12588393759 

2 Origin: Remote (50.50.50.254) Active: No (invalid Match combinations) 
  Match: 
     Dst 91.92.93.0/24 
     Src 70.70.70.0/24 
     Protocol >=50 & <=67 
     Port !=90 
     DPort >909 
     SPort <65530 | >2 
     ICMP-type <=78 
     ICMP-code >=90 
     TCP-flags (Syn & Ack & Urg) 
     Pkt-length =9887 | =50 
     DSCP <60 
     Fragment !(DF & FF) 
  Actions: 
     Traffic-rate            asn:50, rate 4800000 bits/sec(operational-rate 4400000 bits/sec) 
     Traffic-action          terminal-action 
     Traffic-action          sample 
     Redirect IP Nexthop     (redirect)1.2.3.4 
     Redirect IP Nexthop     (mirror)1.2.3.4 
     Traffic-remarking(DSCP) 56
9036956-02 Rev AA