Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
684
Views
0
Helpful
2
Replies

CSR1000v bgp flowspec - action change when advertise to router

mengkiat
Level 1
Level 1

‎12-06-2022 12:16 AM

Hi All ,

Very much appreciate the help if anyone is helping on this !!

I have a question regarding the BGP FlowSpec on CSR1000v. The issues when RouteReflector advertise the flowspec to BorderRouter, the action is change from POLICE to TRANSMIT. Topology and Output as below. 

DDOS detection device ---iBGP flowspec-- > RouterReflector --iBGP flowspec--> BorderRouter

=====RouteReflector========

Route-Reflector#show bgp ipv4 flowspec detail
BGP routing table entry for Dest:188.188.188.188/32, version 54
Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table)
Advertised to update-groups:
1
Refresh Epoch 1
Local, (Received from a RR-client)
0.0.0.0 from 172.16.20.201 (172.16.20.201)
Origin IGP, localpref 100, valid, internal, best
Extended Community: FLOWSPEC Traffic-rate:0,0
rx pathid: 0, tx pathid: 0x0
Route-Reflector#

Route-Reflector#show flowspec ipv4
AFI: IPv4
Flow :Dest:188.188.188.188/32
Actions :Traffic-rate: 0 bps (bgp.1)

======BorderRouter========

CSR-BorderRouter#show bgp ipv4 flowspec detail
BGP routing table entry for Dest:188.188.188.188/32, version 20
Paths: (1 available, best #1, table IPv4-Flowspec-BGP-Table)
Not advertised to any peer
Refresh Epoch 2
Local, (received & used)
0.0.0.0 from 172.16.20.209 (172.16.20.209)
Origin IGP, localpref 100, valid, internal, best

missing the extended community string
Originator: 172.16.20.201, Cluster list: 172.16.20.209
rx pathid: 0, tx pathid: 0x0

CSR-BorderRouter#show flowspec ipv4
AFI: IPv4
Flow :Dest:188.188.188.188/32
Actions :transmit (bgp.1)   ---> the action had changed from police to transmit

CSR-BorderRouter#

0 Helpful
2 Replies 2

Harold Ritter
Level 12
Level 12

‎12-06-2022 02:08 PM - edited ‎12-07-2022 11:58 AM

Hi @mengkiat ,

The BGP path received on the border router from the route reflector is indeed missing the extended community, which explains the abnormal behavior experienced on the border router. On the route reflector, you need to configure "neighbor <border router address> send-community extended" to make sure the extended community is received on the border router. 

router bgp xxx

address-family ipv4 flowspec

neighbor <border router address> send-community extended

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Harold Ritter
Level 12
Level 12

‎12-21-2022 09:37 AM

Hi @mengkiat ,

Have you had a chance to test the proposed solution? Could you please let us know if it solved your issue.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card