Solved: Can't get BGP to propagate Flowspec rules

Richard Compton · ‎04-19-2016

Hi, I have two XRv routers running 5.3.2. One of them (router A) has a BGP session with a Linux VM running ExaBGP which is advertising the Flowspec rule. In this router A I can see the Flowspec rule. I am trying to get this router A to propagate this rule to router B but it doesn't seem to be working. Does ExaBGP have to advertise that flowspec rule to both routers? Here's my config:

Router A:

router bgp 65111

 address-family ipv4 flowspec

 neighbor 51.128.0.110
  remote-as 65111
  password encrypted -removed-
  description ExaBGP server advertising flowspec rule
  address-family ipv4 unicast
  !
  address-family ipv4 flowspec

 neighbor 51.128.0.112
  remote-as 65111
  password encrypted -removed-
  description Router B
  address-family ipv4 unicast
  !
  address-family ipv4 flowspec

  !
 !
!
flowspec

Router B:

router bgp 65111
 !
 address-family ipv4 flowspec

 !
 neighbor 51.128.0.109
  remote-as 65111
  password encrypted -removed-
  description Router A
  address-family ipv4 unicast
  !
  address-family ipv4 flowspec
  !
 !
!
flowspec

I can see the rule in Router A:

RP/0/0/CPU0:flowspec-rtr01#show bgp ipv4 flowspec 
Tue Apr 19 15:11:08.772 UTC
BGP router identifier 51.128.0.109, local AS number 65111
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0   RD version: 15
BGP main routing table version 15
BGP NSR Initial initsync version 2 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*>iDest:192.168.0.2/32,Source:10.0.0.1/32,Proto:=6,DPort:=3128,SPort:>1024,TCPFlags:=0x02/208
                      0.0.0.0                       100      0 i

Processed 1 prefixes, 1 paths

But no rule in Router B. Any help would be appreciated. Thanks in advance!

Fredrik Lönnman · ‎04-19-2016

I'd say you'll have to follow regular iBGP rules and have Router A be a route reflector to Router B, or peer directly ExaBGP<->Router B.

View solution in original post

Fredrik Lönnman · ‎04-19-2016

I'd say you'll have to follow regular iBGP rules and have Router A be a route reflector to Router B, or peer directly ExaBGP<->Router B.

Nicolas Fevrier · ‎04-22-2016

Hi Rich,

to follow up on our discussion this morning, you will need to configure some routers as RR if you want the rules to be propagated.

Let me us know how your tests go,

thanks,

N.

Richard Compton · ‎04-22-2016

In Router A under the neighbor statement for Router B in the section "address-family ipv4 flowspec" I added "route-reflector-client" and now I am seeing the rule in Router B.