This article lists the packet matching criteria that can be configured on an NCS5500 platform as part of the BGP flowspec feature.
In this setup the NCS5500 acts as the BGP flowspec server (controller) and advertises the matching criteria to its BGP neighbors, which act as flowspec clients.
A general discussion of the BGP flowspec feature on NCS5500 is outside the scope of this article; it is covered on the following page:
https://supportforums.cisco.com/t5/service-providers-blogs/bgp-flowspec-implementation-on-ncs5500-platforms/ba-p/3387443
The same configuration should also apply to ASR9K and CRS.
Update 4/15/2021: this article will no longer be updated going forward.
The information in this document is accurate as of IOS XR 7.0.12.
Newer IOS XR releases may add features or enhancements that are not covered in this document.
When in doubt, reach out to your friendly TAC team for assistance.
config example for Type 1 (Destination address) criteria
... match specific host
class-map type traffic match-all ipv4_type1_dip
match destination-address ipv4 200.255.4.2/32
end-class-map
!
class-map type traffic match-all ipv6_type1_dip
match destination-address ipv6 200:242:250::1/128
end-class-map
!
... match all hosts in range
class-map type traffic match-all ipv4_type1_dip
match destination-address ipv4 200.255.4.0/24
end-class-map
!
Note:
When a Type 1 flowspec advertisement carries a prefix (host range) rather than a single host, the client router must already hold a BGP unicast route that covers that destination prefix; this is the flowspec validation check defined in RFC 5575.
That pre-existing BGP route can be an exact match for the flowspec destination prefix (200.255.4.0/24 in this example) or a less specific prefix that covers it (e.g. 200.255.4.0/23, 200.255.4.0/22, etc.).
If the client only has more specific routes (e.g. 200.255.4.0/25, 200.255.4.0/26, etc.), it still accepts the flowspec NLRI but reports the flowspec path as invalid and does NOT program it to the line card (LC). Check the client with "show flowspec ipv4 internal" before assuming a flowspec rule is enforcing.
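The validation behaviour described in the note above, as an added example that is not Cisco code: a small model of the covering-route rule that decides whether an IOS XR client would program a Type 1 flowspec prefix. It implements only the check the note describes (an exact or less specific unicast route must exist), not the originator/AS comparison of RFC 5575 section 6, and the client BGP tables it is run against are constructed for illustration.

```python
# Added example (not Cisco code): models the Type 1 validation rule described
# in the note above. A flowspec destination prefix is programmed on the client
# only if the client's unicast BGP table holds a route that is an exact match
# or a less specific (covering) prefix. Only the covering-route test from the
# note is modelled, not the originator/AS comparison of RFC 5575 section 6.
import ipaddress
from typing import Dict, Iterable, List, Optional


def covering_route(flow_prefix: str, unicast_routes: Iterable[str]) -> Optional[str]:
    """Return the longest unicast route that equals or covers flow_prefix, or None."""
    target = ipaddress.ip_network(flow_prefix, strict=False)
    best = None
    for route in unicast_routes:
        net = ipaddress.ip_network(route, strict=False)
        if net.version != target.version:
            continue  # never compare an IPv4 flow against an IPv6 route
        if target.subnet_of(net) and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def more_specific_routes(flow_prefix: str, unicast_routes: Iterable[str]) -> List[str]:
    """Routes strictly inside flow_prefix; on their own they do not validate the flow."""
    target = ipaddress.ip_network(flow_prefix, strict=False)
    result = []
    for route in unicast_routes:
        net = ipaddress.ip_network(route, strict=False)
        if net.version == target.version and net != target and net.subnet_of(target):
            result.append(str(net))
    return result


def validate_type1(flow_prefix: str, unicast_routes: Iterable[str]) -> Dict[str, object]:
    """Decide whether an IOS XR client would program a Type 1 flowspec route."""
    routes = list(unicast_routes)
    best = covering_route(flow_prefix, routes)
    more_specific = more_specific_routes(flow_prefix, routes)
    return {
        "flow": str(ipaddress.ip_network(flow_prefix, strict=False)),
        "valid": best is not None,
        "best_match": best,
        "more_specific": more_specific,
        # the failure mode from the note: only longer prefixes are present
        "more_specific_only": best is None and bool(more_specific),
    }


# Constructed client BGP tables illustrating the three cases in the note.
CLIENT_TABLES = {
    "exact":         ["200.255.4.0/24", "10.0.0.0/8"],
    "less_specific": ["200.255.4.0/23", "10.0.0.0/8"],
    "more_specific": ["200.255.4.0/25", "200.255.4.128/25", "10.0.0.0/8"],
}

if __name__ == "__main__":
    for name, table in CLIENT_TABLES.items():
        r = validate_type1("200.255.4.0/24", table)
        state = "programmed" if r["valid"] else "flowspec-path invalid, NOT programmed to LC"
        print(f"{name:14s} best_match={r['best_match']} -> {state}")
```

Run it against the prefixes you actually see in "show bgp" on the client before pushing a flowspec rule; a missing covering route is the most common reason a rule is advertised, accepted and still does nothing.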
config example for Type 2 (Source address) criteria
... match specific host
class-map type traffic match-all ipv4_type2_sip
match source-address ipv4 200.255.3.2/32
end-class-map
!
class-map type traffic match-all ipv6_type2_sip
match source-address ipv6 200:255:3::12/128
end-class-map
!
... match all hosts in range
class-map type traffic match-all ipv4_type2_sip
match source-address ipv4 200.255.3.0/24
end-class-map
!
config example for Type 3 (IP protocol) criteria
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
... match specific protocol
class-map type traffic match-all type3_prot
match protocol tcp
end-class-map
!
... X or Y
class-map type traffic match-all type3_prot
match protocol tcp udp
end-class-map
!
... X to Y
class-map type traffic match-all type3_prot
match protocol 7-17
end-class-map
!
config example for Type 4 (TCP port or UDP port) criteria
class-map type traffic match-any type4_prot
match source-port 80
match destination-port 80
end-class-map
!
The above fails to commit; this is a known limitation of IOS XR based routers: port matches are only accepted in a match-all class-map, so a single class-map cannot express "source port 80 OR destination port 80".
commit error message:
!!% Policy manager does not support this feature: Match all is the only mode supported for match type "source-port" in class-map type "traffic"
config example for Type 5 (destination port) criteria
... specific port
class-map type traffic match-all type5_dp
match destination-port 80
end-class-map
!
... port x or port y
class-map type traffic match-all type5_dp
match destination-port 1026 1025
end-class-map
!
... port range
class-map type traffic match-all type5_dp
match destination-port 80-1026
end-class-map
!
config example for Type 6 (Source port) criteria
... specific port
class-map type traffic match-all ipv4_type6_sp
match source-port 1026
end-class-map
!
... port x or port y
class-map type traffic match-all ipv4_type6_sp
match source-port 80 1026
end-class-map
!
... port range
class-map type traffic match-all ipv4_type6_sp
match source-port 80-1026
end-class-map
!
config example for Type 7 (ICMP type) criteria
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6
... specific ICMP type
class-map type traffic match-all icmp_type_3
match ipv4 icmp-type 3
end-class-map
!
... ICMP type range is NOT supported
class-map type traffic match-all ipv6_icmp_type_and_code
match ipv6 icmp-type 4-255
end-class-map
!
error message will be printed when trying to commit the config:
!!% 'FlowSpec' detected the 'warning' condition 'FS MGR': Operation not supported
... multiple ICMP types can be configured and advertised, but a client running IOS XR will not apply the rule; the client's "show flowspec ... internal" output flags it as "Match Unsupported: ICMP type count exceeded"
class-map type traffic match-all ipv6_icmp_type
match ipv6 icmp-type 1 4
end-class-map
!
RP/0/RP0/CPU0:fretta-50#sh flowspec ipv6 inter
AFI: IPv6
Flow :ICMPType:=1|=4
Actions :Traffic-rate: 0 bps (bgp.1)
Client Version: 0
Local: FALSE
Unsupported: FALSE
RT:
VRF Name Cfg: 0x00
RT Cfg: 0x00
RT Registered: 0x00
RT Resolved: 0x00
Class handles:
Class Handle Version: 0
Sequence: 1024
Match Unsupported: ICMP type count exceeded
config example for Type 8 (ICMP code) criteria
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6
... ICMP code must be configured along with ICMP type
class-map type traffic match-all icmp_code_0
match ipv4 icmp-code 0 <---- Match Unsupported: ICMP code without ICMP type
end-class-map
!
class-map type traffic match-all icmp_type_3
match ipv4 icmp-type 3
match ipv4 icmp-code 0
end-class-map
!
class-map type traffic match-all ipv6_icmp_type_and_code
match ipv6 icmp-type 4
match ipv6 icmp-code 1
end-class-map
!
... multiple ICMP codes can be configured and advertised, but a client running IOS XR will not apply the rule; the client's "show flowspec ... internal" output flags it as "Match Unsupported: ICMP code count exceeded"
class-map type traffic match-all ipv4_type8_icmp_code
match ipv4 icmp-type 3
match ipv4 icmp-code 0 4
end-class-map
!
RP/0/RP0/CPU0:flowspec_client#sh flowspec afi-all internal
AFI: IPv4
Flow :ICMPType:=3,ICMPCode:=0|=4
Actions :Traffic-rate: 500000000 bps DSCP: af33 Nexthop: 200.255.9.2 (bgp.1)
Client Version: 0
Local: FALSE
Unsupported: FALSE
RT:
VRF Name Cfg: 0x00
RT Cfg: 0x00
RT Registered: 0x00
RT Resolved: 0x00
Class handles:
Class Handle Version: 0
Sequence: 512
Match Unsupported: ICMP code count exceeded
... ICMP code range is NOT supported
class-map type traffic match-all ipv6_icmp_type_and_code
match ipv6 icmp-code 1-2
end-class-map
!
error message will be printed when trying to commit the config:
!!% 'FlowSpec' detected the 'warning' condition 'FS MGR': Operation not supported
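The Type 4, Type 7 and Type 8 limitations documented above are easy to trip over because two of them (multiple ICMP types, multiple ICMP codes) commit cleanly on the server and only show up as "Match Unsupported" on the client. The following pre-commit linter is an added example, not Cisco software: it parses class-maps written in the form shown on this page and reports the documented problems (port matches outside match-all, ICMP type/code ranges, ICMP code without type, more than one ICMP type or code). The finding texts and the sample config are this script's own, assembled from the page's examples with unique class-map names.

```python
# Added example (not Cisco software): a pre-commit linter for the
# 'class-map type traffic' flowspec matches shown on this page. It encodes the
# limitations documented for Type 4, Type 7 and Type 8:
#   - source-port / destination-port are only accepted in a match-all class-map
#   - ICMP type and ICMP code ranges are rejected at commit time
#   - an ICMP code needs an ICMP type in the same class-map
#   - several ICMP types or codes commit and are advertised, but an IOS XR client
#     reports "Match Unsupported: ... count exceeded" and does not apply the rule
# The parsed syntax is the form shown on this page; the finding texts are this
# script's own wording, not router output.
import re
from typing import Dict, List

CLASS_RE = re.compile(r"^class-map type traffic (match-all|match-any) (\S+)$")
RANGE_RE = re.compile(r"^\d+-\d+$")


def parse_class_maps(config: str) -> List[Dict]:
    """Split IOS XR config text into {'name', 'mode', 'matches'} records."""
    maps: List[Dict] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current = {"mode": m.group(1), "name": m.group(2), "matches": []}
            maps.append(current)
        elif line == "end-class-map":
            current = None
        elif current is not None and line.startswith("match "):
            current["matches"].append(line.split()[1:])  # tokens after 'match'
    return maps


def lint_class_map(cm: Dict) -> List[str]:
    """Return one finding string per problem in a single class-map."""
    name, findings = cm["name"], []
    icmp_types = {"ipv4": [], "ipv6": []}
    icmp_codes = {"ipv4": [], "ipv6": []}
    for tokens in cm["matches"]:
        kind = tokens[0]
        if kind in ("source-port", "destination-port") and cm["mode"] != "match-all":
            findings.append(f"{name}: COMMIT-ERROR {kind} is only supported with match-all")
        elif kind in ("ipv4", "ipv6") and len(tokens) >= 3 and tokens[1] in ("icmp-type", "icmp-code"):
            field, values = tokens[1], tokens[2:]
            if any(RANGE_RE.match(v) for v in values):
                findings.append(f"{name}: COMMIT-ERROR {kind} {field} range is not supported")
            bucket = icmp_types if field == "icmp-type" else icmp_codes
            bucket[kind].extend(values)
    for af in ("ipv4", "ipv6"):
        if icmp_codes[af] and not icmp_types[af]:
            findings.append(f"{name}: CLIENT-UNSUPPORTED {af} icmp-code without icmp-type")
        if len(icmp_types[af]) > 1:
            findings.append(f"{name}: CLIENT-UNSUPPORTED {len(icmp_types[af])} {af} ICMP types (count exceeded)")
        if len(icmp_codes[af]) > 1:
            findings.append(f"{name}: CLIENT-UNSUPPORTED {len(icmp_codes[af])} {af} ICMP codes (count exceeded)")
    return findings


def lint(config: str) -> List[str]:
    """Lint every class-map in a config blob; an empty list means nothing to fix."""
    return [f for cm in parse_class_maps(config) for f in lint_class_map(cm)]


# Constructed sample built from the examples on this page, with unique names.
SAMPLE_CONFIG = """\
class-map type traffic match-any type4_prot
 match source-port 80
 match destination-port 80
end-class-map
!
class-map type traffic match-all ipv6_icmp_type_range
 match ipv6 icmp-type 4-255
end-class-map
!
class-map type traffic match-all ipv6_icmp_type_multi
 match ipv6 icmp-type 1 4
end-class-map
!
class-map type traffic match-all icmp_code_only
 match ipv4 icmp-code 0
end-class-map
!
class-map type traffic match-all ipv4_icmp_code_multi
 match ipv4 icmp-type 3
 match ipv4 icmp-code 0 4
end-class-map
!
class-map type traffic match-all icmp_type_3_code_0
 match ipv4 icmp-type 3
 match ipv4 icmp-code 0
end-class-map
!
class-map type traffic match-all type5_dp
 match destination-port 80-1026
end-class-map
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

COMMIT-ERROR findings correspond to the commit failures shown on this page; CLIENT-UNSUPPORTED findings commit fine on the server, which is exactly why a check before commit is worth having. Port ranges such as 80-1026 are deliberately not flagged, since the page shows them working.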
config example for Type 9 (TCP flags) criteria
http://rapid.web.unc.edu/resources/tcp-flag-key/
... the value is the numeric bitmask of the TCP flags byte (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32); 2 is the SYN flag
class-map type traffic match-all tcp_flag_syn
match tcp-flag 2
end-class-map
!
config example for Type 10 (packet length) criteria: the total IP packet length, i.e. IP header plus payload, excluding all Layer 2 framing
note:
If you're measuring ingress VLAN-tagged traffic on the wire (e.g. in a capture), the Layer 2 overhead that is NOT counted looks like this:
- Ethernet header + FCS: 14B + 4B = 18B
- dot1q tag: 4B
total L2 overhead = 22B
So a 1022-byte tagged frame on the wire carries a 1000-byte IP packet, and 1000 is the value to use in "match packet length".
... specific value
class-map type traffic match-all ipv4_type10_total_pkt_len
match packet length 1000
end-class-map
!
... X or Y
class-map type traffic match-all ipv4_type10_total_pkt_len
match packet length 1100 1000
end-class-map
!
... range X to Y
class-map type traffic match-all ipv4_type10_total_pkt_len
match packet length 1001-1100
end-class-map
!
config example for Type 11 (DSCP) criteria
https://www.tucny.com/Home/dscp-tos
... specific DSCP
class-map type traffic match-all type11_dscp
match dscp 22
end-class-map
!
... range X to Y
class-map type traffic match-all type11_dscp
match dscp 10-22
end-class-map
!
config example for Type 12 (IPv4 Fragmentation bits) criteria
https://en.wikipedia.org/wiki/IPv4#Fragmentation_and_reassembly
Fragmented packets IP header:
First fragment packet : MF flag 1 and fragment offset 0
Last fragment packet : MF flag 0 and fragment offset non-zero
Other (middle) fragment packets : MF flag 1 and fragment offset non-zero
An unfragmented packet has MF flag 0 and fragment offset 0; the DF (don't fragment) flag is a separate bit from these.
... DF packets
class-map type traffic match-all type12_frag_bits
match fragment-type dont-fragment
end-class-map
!
... Last fragment packets
class-map type traffic match-all type12_frag_bits
match fragment-type last-fragment
end-class-map
!
... Fragmented packets
class-map type traffic match-all type12_frag_bits
match fragment-type is-fragment
end-class-map
!
"is-fragment" matches all types of fragmented packets: first fragment, last fragment, and other (middle) fragments, i.e. any packet with the MF flag set or a non-zero fragment offset. "last-fragment" matches only the final fragment, and "dont-fragment" matches packets with the DF bit set.
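To make the Type 12 fragment-type keywords and the Type 10 length definition concrete, here is an added example (not Cisco code): an IPv4 header decoder that classifies a packet as first/other/last fragment or unfragmented from the MF flag and fragment offset, evaluates the three fragment-type keywords shown on this page against it, and reads the total-length field that "match packet length" compares (IP header included, Layer 2 excluded). The packets are constructed inline with struct, and the IP checksum is left at zero because only header fields are inspected.

```python
# Added example (not Cisco code): an IPv4 header decoder that classifies packets
# the way the Type 12 fragment-type keywords above do (dont-fragment,
# last-fragment, is-fragment) and reads the total-length field that Type 10
# matches against (IP header included, Layer 2 excluded). All packets are
# constructed inline with struct; the IP checksum is left at zero because only
# the header fields are inspected.
import struct
from typing import Dict

IP_DF = 0x4000            # Don't Fragment flag
IP_MF = 0x2000            # More Fragments flag
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s" # 20-byte header without options
ETH_OVERHEAD = 14 + 4     # Ethernet header (14B) + FCS (4B) = the 18B on this page
DOT1Q_TAG = 4


def build_ipv4(payload_len: int, df: bool = False, mf: bool = False,
               offset: int = 0, proto: int = 17) -> bytes:
    """Constructed test packet: minimal header + zero payload."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset & IP_OFFSET_MASK)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64,
                      proto, 0, bytes([200, 255, 3, 2]), bytes([200, 255, 4, 2]))
    return hdr + b"\x00" * payload_len


def parse_ipv4(pkt: bytes) -> Dict[str, int]:
    """Extract the fields flowspec Type 10 and Type 12 look at."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "total_length": total_len,               # what 'match packet length' compares
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "offset": flags_frag & IP_OFFSET_MASK,
        "protocol": proto,
    }


def fragment_class(h: Dict[str, int]) -> str:
    """'none', 'first' (MF=1, offset 0), 'other' (MF=1, offset>0) or 'last' (MF=0, offset>0)."""
    if h["mf"]:
        return "first" if h["offset"] == 0 else "other"
    return "last" if h["offset"] > 0 else "none"


def match_fragment_type(h: Dict[str, int], keyword: str) -> bool:
    """Evaluate one 'match fragment-type <keyword>' against a parsed header."""
    if keyword == "dont-fragment":
        return h["df"]
    if keyword == "is-fragment":
        return fragment_class(h) != "none"   # first, last and other fragments
    if keyword == "last-fragment":
        return fragment_class(h) == "last"
    raise ValueError(f"unknown fragment-type keyword {keyword!r}")


def wire_length(pkt: bytes, vlan_tagged: bool) -> int:
    """Bytes seen on the wire for this IP packet, to relate captures to Type 10 values."""
    return len(pkt) + ETH_OVERHEAD + (DOT1Q_TAG if vlan_tagged else 0)


if __name__ == "__main__":
    samples = {
        "unfragmented 1000B": build_ipv4(980),
        "DF set":             build_ipv4(980, df=True),
        "first fragment":     build_ipv4(1480, mf=True),
        "middle fragment":    build_ipv4(1480, mf=True, offset=185),
        "last fragment":      build_ipv4(100, offset=370),
    }
    for label, pkt in samples.items():
        h = parse_ipv4(pkt)
        hits = [k for k in ("dont-fragment", "is-fragment", "last-fragment")
                if match_fragment_type(h, k)]
        print(f"{label:20s} len={h['total_length']:5d} class={fragment_class(h):5s} matches={hits}")
```

A practical use is sanity-checking a capture from the attacked host against the class-map you are about to push: feed the raw IP packets to parse_ipv4 and confirm that "is-fragment" or "match packet length" would actually select them before you rate-limit or drop on those criteria.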