Update a Previously Distributed Route Map

By default, updates to a previously distributed BGP flowspec route map are applied after a delay of 10 seconds. To send fewer changes to the hardware when making multiple updates, you can configure a longer delay.

The following task shows how to configure a delay of 500 seconds and update a selection of rules. Your configuration may involve different combinations of match criteria and traffic filtering actions.

  1. From privileged EXEC mode, enter global configuration mode.
    device# configure terminal
  2. Configure the delay period that should elapse before application of changes to BGP flowspec route-map rules.
    device(config)# filter-change-update-delay 500
    This example configures a delay period of 500 seconds.
  3. Enter configuration mode for a sequence number in a previously distributed BGP flowspec route map.
    device(config)# route-map flowspec_map permit 56
    This example enters configuration mode for sequence number 56 under a route map named flowspec_map.
  4. Configure matching based on the source address.
    device(config-route-map-flowspec_map/permit/56)# match ipv4 source-address 10.3.2.0/24
  5. Configure matching based on port number.
    device(config-route-map-flowspec_map/permit/56)# match port lt 40

    This example specifies that matching occurs when the source or destination port number is less than 40.

    device(config-route-map-flowspec_map/permit/56)# match port neq 30 67 89
    

    This example specifies that matching occurs when the source or destination port number is not equal to 30, 67, and 89.

    When both of these configurations are applied, matching occurs when the source or destination port number is less than 40 or is not equal to 30 and 67 and 89.
  6. Configure matching based on fragment type.
    device(config-route-map-flowspec_map/permit/56)# match fragment-type all first-fragment

    This example specifies that matching occurs when the traffic fragment type is first-fragment.

    device(config-route-map-flowspec_map/permit/56)# match fragment-type any dont-fragment not-last-fragment

    This example specifies that matching occurs when the traffic fragment type is either dont-fragment or not-last-fragment.

    When both of these configurations are applied, matching occurs when the fragment type is equal to first-fragment, or dont-fragment, or not-last-fragment.
  7. Enable traffic sampling.
    device(config-route-map-flowspec_map/permit/56)# set sflow
    
  8. Configure a nexthop address.
    device(config-route-map-flowspec_map/permit/56)# set ip nexthop 10.89.89.7
    
  9. Return to privileged EXEC mode.
    device(config-route-map-flowspec_map/permit/56)# end
    
  10. Revert the delay to the default of 10 seconds.
    device# clear filter-change-update
    
    You can revert to the default when, for example, you do not want a long delay because you are installing changes in the hardware.

The following example summarizes the commands in this task.

device# configure terminal
device(config)# filter-change-update-delay 500
device(config)# route-map flowspec_map permit 56
device(config-route-map-flowspec_map/permit/56)# match ipv4 source-address 10.3.2.0/24
device(config-route-map-flowspec_map/permit/56)# match port neq 30 67 89
device(config-route-map-flowspec_map/permit/56)# match port lt 40
device(config-route-map-flowspec_map/permit/56)# match fragment-type all first-fragment
device(config-route-map-flowspec_map/permit/56)# match fragment-type any dont-fragment not-last-fragment
device(config-route-map-flowspec_map/permit/56)# set sflow
device(config-route-map-flowspec_map/permit/56)# set ip nexthop 10.89.89.7
device(config-route-map-flowspec_map/permit/56)# end
device# clear filter-change-update
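
The combined port and fragment-type matching described in steps 5 and 6, modeled as an added Python example (not vendor code and not part of the original task). It assumes that the keywords all and any mean "every listed fragment type" and "at least one listed fragment type", and that the source-address, port, and fragment-type criteria must all hold for a packet to match, as in the BGP flowspec specification (RFC 5575). The sample packets are constructed.

```python
import ipaddress

# Rule 56 from the task above, written as plain data.
SOURCE_NET = ipaddress.ip_network("10.3.2.0/24")
PORT_STATEMENTS = [("lt", [40]), ("neq", [30, 67, 89])]
FRAGMENT_STATEMENTS = [("all", {"first-fragment"}),
                       ("any", {"dont-fragment", "not-last-fragment"})]

def port_statement_matches(op, values, port):
    if op == "lt":
        return port < values[0]
    if op == "neq":  # not equal to every listed value
        return all(port != v for v in values)
    raise ValueError(f"unsupported operator: {op}")

def port_matches(src_port, dst_port):
    # Per the task text: either statement may match, on source or destination port.
    return any(port_statement_matches(op, values, port)
               for op, values in PORT_STATEMENTS
               for port in (src_port, dst_port))

def fragment_matches(flags):
    # Assumption: "all" needs every listed type, "any" needs at least one.
    for mode, wanted in FRAGMENT_STATEMENTS:
        if mode == "all" and wanted <= flags:
            return True
        if mode == "any" and wanted & flags:
            return True
    return False

def rule_matches(src_ip, src_port, dst_port, flags):
    # Assumption (RFC 5575): different criteria types are ANDed together.
    return (ipaddress.ip_address(src_ip) in SOURCE_NET
            and port_matches(src_port, dst_port)
            and fragment_matches(set(flags)))

# Constructed sample packets: (source IP, source port, destination port, fragment types)
SAMPLE_PACKETS = [
    ("10.3.2.15", 30, 30, ["first-fragment"]),   # 30 is excluded by neq but still matches lt 40
    ("10.3.2.15", 67, 89, ["dont-fragment"]),    # both ports fail both statements
    ("10.3.2.15", 67, 443, ["dont-fragment"]),   # destination port satisfies neq
    ("10.3.2.15", 443, 443, []),                 # no fragment type from either statement
    ("192.0.2.9", 22, 22, ["first-fragment"]),   # source outside 10.3.2.0/24
]

def evaluate_samples():
    return [rule_matches(*packet) for packet in SAMPLE_PACKETS]

if __name__ == "__main__":
    for packet, hit in zip(SAMPLE_PACKETS, evaluate_samples()):
        print(packet, "-> match" if hit else "-> no match")
```

Under these assumptions, the only port values that fail the combined port criteria are 67 and 89, and only when neither the source nor the destination port passes.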