12-06-2022 12:16 AM
Hi All,
I would very much appreciate any help on this!
I have a question regarding BGP FlowSpec on the CSR1000v. The issue is that when the RouteReflector advertises the flowspec to the BorderRouter, the action is changed from POLICE to TRANSMIT. Topology and output are below.
DDoS detection device --iBGP flowspec--> RouteReflector --iBGP flowspec--> BorderRouter
=====RouteReflector========
Route-Reflector#show bgp ipv4 flowspec detail
BGP routing table entry for Dest:188.188.188.188/32, version 54
Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table)
Advertised to update-groups:
1
Refresh Epoch 1
Local, (Received from a RR-client)
0.0.0.0 from 172.16.20.201 (172.16.20.201)
Origin IGP, localpref 100, valid, internal, best
Extended Community: FLOWSPEC Traffic-rate:0,0
rx pathid: 0, tx pathid: 0x0
Route-Reflector#
Route-Reflector#show flowspec ipv4
AFI: IPv4
Flow :Dest:188.188.188.188/32
Actions :Traffic-rate: 0 bps (bgp.1)
======BorderRouter========
CSR-BorderRouter#show bgp ipv4 flowspec detail
BGP routing table entry for Dest:188.188.188.188/32, version 20
Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table)
Not advertised to any peer
Refresh Epoch 2
Local, (received & used)
0.0.0.0 from 172.16.20.209 (172.16.20.209)
Origin IGP, localpref 100, valid, internal, best
---> missing the extended community string
Originator: 172.16.20.201, Cluster list: 172.16.20.209
rx pathid: 0, tx pathid: 0x0
CSR-BorderRouter#show flowspec ipv4
AFI: IPv4
Flow :Dest:188.188.188.188/32
Actions :transmit (bgp.1) ---> the action had changed from police to transmit
CSR-BorderRouter#
12-06-2022 02:08 PM - edited 12-07-2022 11:58 AM
Hi @mengkiat ,
The BGP path received on the border router from the route reflector is indeed missing the extended community, which explains the abnormal behavior experienced on the border router. On the route reflector, you need to configure "neighbor <border router address> send-community extended" to make sure the extended community is received on the border router.
router bgp xxx
 address-family ipv4 flowspec
  neighbor <border router address> send-community extended
Regards,
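Added example, not part of any post in this thread: a small Python check that compares `show bgp ipv4 flowspec detail` output from the route reflector and the border router and reports flows whose FLOWSPEC action was lost on the way, which is the symptom described above. The two sample outputs are constructed by abridging the outputs quoted in the question; the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the outputs quoted in the thread.
RR_OUTPUT = """\
BGP routing table entry for Dest:188.188.188.188/32, version 54
Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table)
  Local, (Received from a RR-client)
    0.0.0.0 from 172.16.20.201 (172.16.20.201)
      Origin IGP, localpref 100, valid, internal, best
      Extended Community: FLOWSPEC Traffic-rate:0,0
"""
BORDER_OUTPUT = """\
BGP routing table entry for Dest:188.188.188.188/32, version 20
Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table)
  Local, (received & used)
    0.0.0.0 from 172.16.20.209 (172.16.20.209)
      Origin IGP, localpref 100, valid, internal, best
      Originator: 172.16.20.201, Cluster list: 172.16.20.209
"""

# One table entry starts at each "BGP routing table entry for <flow>," line.
ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+),", re.M)
# The action travels in the extended community, e.g. "FLOWSPEC Traffic-rate:0,0".
ACTION_RE = re.compile(r"Extended Community:.*?FLOWSPEC (\S+)")

def flowspec_actions(show_output):
    """Map each flow to its FLOWSPEC action string, or None if the path has none."""
    actions = {}
    parts = ENTRY_RE.split(show_output)  # [preamble, flow1, body1, flow2, body2, ...]
    for flow, body in zip(parts[1::2], parts[2::2]):
        match = ACTION_RE.search(body)
        actions[flow] = match.group(1) if match else None
    return actions

def stripped_actions(upstream_output, downstream_output):
    """Flows whose action is present upstream but missing or different downstream."""
    up = flowspec_actions(upstream_output)
    down = flowspec_actions(downstream_output)
    return {flow: act for flow, act in up.items()
            if act is not None and flow in down and down[flow] != act}

if __name__ == "__main__":
    for flow, act in stripped_actions(RR_OUTPUT, BORDER_OUTPUT).items():
        print(f"{flow}: {act} on the reflector, no matching action on the border router")
```

Running the same comparison after applying `send-community extended` on the route reflector should return an empty result once the border router has received the refreshed path.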
12-21-2022 09:37 AM
Hi @mengkiat ,
Have you had a chance to test the proposed solution? Could you please let us know if it solved your issue?
Regards,