Asr9k flowspec

Rafi Shemesh
Level 1

Hi,

I read Xander's document about flowspec; it was very helpful (thanks), but I need to ask something:

1. I have version 5.1.3, and I saw in the blog that Cisco started supporting ASR9k flowspec only in version 5.2. I searched for it in Cisco Feature Navigator but I didn't find it. Is it true?

2. In client-server mode, the client will be the "server" and the provider will be the client?

3. Are these settings OK?

applicable to both client and server, we need to enable the new address family for advertisement
 
router bgp 100
 address-family ipv4 flowspec
 address-family ipv6 flowspec
 
 
neighbor 1.1.1.1
  remote-as 100
  address-family ipv4 flowspec
  ! Ties it to a neighbor configuration
  address-family ipv6 flowspec
 
 
 
 
Server configuration
 
class-map
class-map type traffic match-all udp53-protect
match destination-address ipv4 2.2.0.0/16
match protocol 17
match destination-port 53
end-class-map
 
policy-map
policy-map type pbr udp53-protect-pbr
class type traffic udp53-protect
action police rate 1000000000 (1G)
class class-default  (maybe I have to build class-default)
end-policy-map
 
The following ties the flowspec to the PBR policies defined earlier
 
flowspec
local-install interface-all
address-family ipv4
service-policy type pbr udp53-protect-pbr
 
Regards
Rafi
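
As an added illustration (not part of the original post and not Cisco code), this Python sketch encodes what a flowspec controller would advertise over BGP for the class-map and policy-map above, following the RFC 8955 wire format. The function names are hypothetical, AS 100 comes from `router bgp 100`, and the police rate is assumed to be in bits per second.

```python
import ipaddress
import struct

# Bits of the RFC 8955 numeric operator octet (numeric_op)
END_OF_LIST = 0x80
EQ = 0x01

def dest_prefix(cidr):
    """Type 1 component: type, prefix length in bits, then only the significant octets."""
    net = ipaddress.ip_network(cidr)
    significant = (net.prefixlen + 7) // 8
    return bytes([1, net.prefixlen]) + net.network_address.packed[:significant]

def numeric_eq(component_type, value):
    """Component holding one 'equals value' term (type 3 = IP protocol, 5 = destination port)."""
    size = 1 if value < 0x100 else 2              # ports and protocol numbers fit in 2 octets
    length_bits = (size.bit_length() - 1) << 4    # 1 octet -> 0x00, 2 octets -> 0x10
    return bytes([component_type, END_OF_LIST | length_bits | EQ]) + value.to_bytes(size, "big")

def flowspec_nlri(cidr, protocol, dst_port):
    """NLRI for AFI 1 / SAFI 133; components must appear in ascending type order."""
    body = dest_prefix(cidr) + numeric_eq(3, protocol) + numeric_eq(5, dst_port)
    if len(body) >= 240:
        raise ValueError("two-octet NLRI length is not handled in this example")
    return bytes([len(body)]) + body

def traffic_rate(asn, bits_per_second):
    """Traffic-rate extended community 0x8006: 2-octet AS, IEEE float in bytes per second."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bits_per_second / 8)

if __name__ == "__main__":
    # Values taken from the class-map and policy-map in the post above
    print("NLRI     :", flowspec_nlri("2.2.0.0/16", 17, 53).hex(" "))
    print("community:", traffic_rate(100, 1_000_000_000).hex(" "))
```

The match criteria and the rate-limit action travel inside the BGP update itself, which is why the receiving peer needs only the flowspec address family enabled to learn the rule.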

 

3 Replies

Vinit Jain
Cisco Employee

Hello Rafi

Regarding the 1st question, the support for BGP FlowSpec was introduced in the XR 5.2.0 release. So even if you have the CLI available in an early release, I don't think the configuration will work properly.

Regarding the 2nd question, the provider edge is the controller, and thus the server.

The CCO document below has the information about both questions.

http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-2/routing/configuration/guide/b_routing_cg52xcrs/b_routing_cg52xcrs_chapter_011.html

I will look into the configuration and let you know if it's fine.

Regards

Vinit

 

Thanks
--Vinit

Hi Vinit,

Thank you for your reply.

I probably missed something about question 2.

I have a BGP peer to my ISP provider. From what I understand, all the class-maps and policy-maps should be on my router, and the ISP provider needs to configure only this:

Applicable to both client and server, we need to enable the new address family for advertisement
 
router bgp 100
 address-family ipv4 flowspec
 address-family ipv6 flowspec
 
 
neighbor 1.1.1.1
  remote-as 100
  address-family ipv4 flowspec
  ! Ties it to a neighbor configuration
  address-family ipv6 flowspec
 
So my router "tells" the provider router what to do when my router "sees" UDP 53 traffic.
 
If this is not right, can you please explain it to me again, because this is what I understand from the PDF.
 
 
Thanks
Rafi

Hi Vinit,

In this link they explain that the server (controller) is on the customer side. They also said that the ISP must trust its customer, so is this the reason that the controller is usually on the ISP side?

Let's say that my ISP trusts me; can I (the customer) be the controller?

http://gurudatt28227.blogspot.co.il/

 

Regards

Rafi

 
