01-14-2026 01:45 AM
Hi All
I am aware of BGP flowspec, you have a server (flowspec controller) and clients which are the bgp neighbors to the controller?
How does it actually work in practice? Do all the ISP routers send netflow information to the controller and, based on some thresholds of the flows, the controller would then send a flowspec message to the neighbors telling them to do something?
I have seen on my Cisco training material they configured the policy maps etc on the client routers beforehand, surely the policies would be dynamic and sent from the controller?
Can anyone assist pls?
Cheers
01-14-2026 05:19 AM
Hello @carl.townshend
BGP Flowspec is simply a way to distribute traffic filtering rules using BGP, not a traffic analysis or monitoring system...
One device? Yes, often called a Flowspec controller, but usually just a router!!! It originates flowspec routes that describe what traffic to match and what action to take, and all other routers that peer with it enforce those rules locally. Routers do not send netflow data to Flowspec, and Flowspec itself does not detect attacks; traffic detection is typically done separately using netflow, which then triggers the injection of flowspec routes!!!
01-15-2026 12:07 AM
Hi
So the controller, would this be my router? Or a central router in the ISP?
How does the trigger work? Would it be a separate TMS (Threat management server)? Would this server then tell the flowspec controller to push the routes to the other BGP neighbors of it?
01-15-2026 12:39 AM - edited 01-15-2026 12:40 AM
Hello @carl.townshend
The "controller" is simply whoever originates flowspec routes into BGP. So it can be a dedicated router, yes! But also a "central" ISP router or a server/VM running BGP.
Don't forget that flowspec has no trigger mechanism. Triggers come from outside systems such as Netflow/sflow, and could also be DDoS detection platforms such as Arbor... These systems analyze traffic and decide if this traffic should be dropped or rate-limited! That system then either injects flowspec routes directly via BGP or tells a BGP-speaking device to do so... and all BGP neighbors receive and enforce the rules locally!
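The split described in the answers above (an external detector decides, flowspec only carries the rule), sketched as an added example that is not part of the thread or any vendor's code. The flow records, thresholds, rule field names and AS 64512 are constructed assumptions; the action is encoded as the RFC 8955 traffic-rate-bytes extended community, which a BGP speaker would attach when originating the flowspec route.

```python
import struct
from collections import defaultdict

# Constructed flow records (not real traffic): (dst_ip, protocol, dst_port, bytes_per_sec)
SAMPLE_FLOWS = [
    ("203.0.113.10", "udp", 53, 400_000_000),
    ("203.0.113.10", "udp", 53, 350_000_000),
    ("203.0.113.10", "tcp", 443, 20_000_000),
    ("198.51.100.7", "tcp", 80, 90_000_000),
    ("198.51.100.7", "tcp", 80, 60_000_000),
]

DROP_ABOVE = 500_000_000   # hypothetical threshold (bytes/s): discard above this
LIMIT_ABOVE = 100_000_000  # hypothetical threshold (bytes/s): rate-limit above this
LIMIT_TO = 12_500_000      # hypothetical policed rate (bytes/s)


def traffic_rate_community(rate_bytes_per_sec, asn=64512):
    """RFC 8955 traffic-rate-bytes extended community (type 0x8006):
    2-byte AS number, then an IEEE float rate; a rate of 0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


def detect(flows):
    """Aggregate per (dst, proto, port) and pick an action, as the external
    detection system would. Returns rules for a BGP speaker to originate."""
    totals = defaultdict(int)
    for dst, proto, port, rate in flows:
        totals[(dst, proto, port)] += rate
    rules = []
    for (dst, proto, port), total in sorted(totals.items()):
        if total > DROP_ABOVE:
            rate = 0
        elif total > LIMIT_ABOVE:
            rate = LIMIT_TO
        else:
            continue  # below both thresholds: no flowspec route is injected
        rules.append({
            "match": {"destination": f"{dst}/32", "protocol": proto, "destination-port": port},
            "action": "discard" if rate == 0 else f"rate-limit {rate}",
            "community": traffic_rate_community(rate).hex(),
        })
    return rules


if __name__ == "__main__":
    for rule in detect(SAMPLE_FLOWS):
        print(rule)
```

The routers receiving the route need no knowledge of the thresholds; they only install the match and apply the action carried in the community.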