02-01-2024 07:29 AM
Hi All,
I was testing on an IOS-XRv image, to then put into production on a pair of NCS5508 flowspec routers. A question that arose for me is whether the route validation defined in RFC5575 can be turned on.
A flow specification NLRI must be validated such that it is
considered feasible if and only if:
a) The originator of the flow specification matches the originator of
the best-match unicast route for the destination prefix embedded
in the flow specification.
b) There are no more specific unicast routes, when compared with the
flow destination prefix, that have been received from a different
neighboring AS than the best-match unicast route, which has been
determined in step a).
By default I see that it is not on, I managed to have this same effect using a route map defining the destination prefix of the routes that I learn; but I have some clients with many networks so I would prefer to do this automatically.
As an example, I learn from a CE with IP 200.40.65.142 only the route 143.208.148.0/22, and learn 177.22.60.0/22 from another neighbor.
RP/0/RP0/CPU0:PE2#sho bgp vrf Internet neighbors 200.40.65.142 received routes
Thu Feb 1 14:11:08.918 UTC
BGP VRF Internet, state: Active
BGP Route Distinguisher: 57167:56057
VRF ID: 0x60000001
BGP router identifier 172.16.0.2, local AS number 57167
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000001 RD version: 22
BGP main routing table version 22
BGP NSR Initial initsync version 2 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 57167:56057 (default for vrf Internet)
* 143.208.148.0/22 200.40.65.142 0 0 264092 i
RP/0/RP0/CPU0:PE2#sho route vrf Internet 177.22.60.1
Thu Feb 1 14:27:46.077 UTC
Routing entry for 177.22.60.0/22
Known via "bgp 57167", distance 200, metric 0
Tag 52953, type internal
Installed Jan 29 18:22:46.117 for 2d20h
Routing Descriptor Blocks
172.16.0.3, from 172.16.0.3
Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
Route metric is 0
No advertising protos.
RP/0/RP0/CPU0:PE2#sho route vrf Internet 2.2.2.2
Thu Feb 1 14:28:03.071 UTC
% Network not in table
RP/0/RP0/CPU0:PE2#sho route vrf Internet 143.208.148.2
Thu Feb 1 14:28:09.656 UTC
Routing entry for 143.208.148.0/22
Known via "bgp 57167", distance 20, metric 0
Tag 264092, type external
Installed Jan 30 20:49:12.741 for 1d17h
Routing Descriptor Blocks
200.40.65.142, from 200.40.65.142, BGP external
Route metric is 0
No advertising protos.
Processed 1 prefixes, 1 paths
RP/0/RP0/CPU0:PE2#sho bgp vrf Internet ipv4 flowspec neighbors 200.40.65.142 received routes
Thu Feb 1 14:10:39.581 UTC
BGP VRF Internet, state: Active
BGP Route Distinguisher: 57167:56057
VRF ID: 0x60000001
BGP router identifier 172.16.0.2, local AS number 57167
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0200001 RD version: 22
BGP main routing table version 22
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 57167:56057 (default for vrf Internet)
* Dest:2.2.2.2/32,Proto:=6|=23/88
0.0.0.0 0 264092 i
* Dest:143.208.148.2/32/48
0.0.0.0 0 264092 i
* Dest:177.22.60.1/32,Proto:=6|=53/88
0.0.0.0 0 264092 i
RP/0/RP0/CPU0:PE2#sho flowspec vrf Internet afi-all detail
Thu Feb 1 14:17:41.063 UTC
VRF: Internet AFI: IPv4
Flow :Dest:2.2.2.2/32,Proto:=6|=23
Actions :Traffic-rate: 0 bps (bgp.1)
Flow :Dest:143.208.148.2/32
Actions :Traffic-rate: 0 bps (bgp.1)
Flow :Dest:177.22.60.1/32,Proto:=6|=53
Actions :Traffic-rate: 0 bps (bgp.1)
If the validation is ok, the only valid flow would be
Flow :Dest:143.208.148.2/32
Actions :Traffic-rate: 0 bps (bgp.1)
I would appreciate it if someone could help me.
Regards
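The RFC 5575 validation rule quoted in the post, worked through as an added Python example (not code from the original post, nor from IOS XR) over a constructed unicast RIB modelled on the show route output above. It assumes the originator is the address of the neighbor that sent the route, and the 143.208.149.0/24 entry from AS 65000 is an extra constructed route used only to exercise condition (b).

```python
from ipaddress import ip_network

# Constructed unicast RIB modelled on the thread's "show route" output:
# (prefix, neighbor the route was received from, neighboring AS).
# The last entry is constructed only to exercise condition (b).
UNICAST_RIB = [
    ("143.208.148.0/22", "200.40.65.142", 264092),  # eBGP from the CE
    ("177.22.60.0/22",   "172.16.0.3",    52953),   # iBGP from another PE
    ("143.208.149.0/24", "10.0.0.9",      65000),   # constructed, different AS
]

def best_match(dest, rib):
    """Longest-prefix-match unicast route covering the flow destination, or None."""
    candidates = [r for r in rib if dest.subnet_of(ip_network(r[0]))]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ip_network(r[0]).prefixlen)

def validate_flow(dest_prefix, originator, rib=UNICAST_RIB):
    """Apply the two RFC 5575 section 6 conditions to one flowspec NLRI.

    originator is modelled as the address of the neighbor that sent the flow
    rule (assumption; RFC 5575 also allows ORIGINATOR_ID). Returns (feasible, reason).
    """
    dest = ip_network(dest_prefix)
    best = best_match(dest, rib)
    if best is None:
        return False, "no unicast route covers the destination"
    best_prefix, best_nbr, best_as = best
    # (a) originator of the flow must match originator of the best-match route
    if originator != best_nbr:
        return False, f"originator {originator} != {best_nbr} for {best_prefix}"
    # (b) no more-specific unicast route from a different neighboring AS
    for prefix, _nbr, asn in rib:
        net = ip_network(prefix)
        if net.prefixlen > dest.prefixlen and net.subnet_of(dest) and asn != best_as:
            return False, f"more-specific {prefix} learned from AS {asn}"
    return True, f"matches {best_prefix} from {best_nbr}"

if __name__ == "__main__":
    # The three flow rules from the thread, all received from the CE.
    for flow in ("2.2.2.2/32", "143.208.148.2/32", "177.22.60.1/32"):
        print(flow, validate_flow(flow, "200.40.65.142"))
```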
02-01-2024 11:45 AM
Hi @j.restaino ,
The behavior you are seeing is stated in the following document:
"BGP Flowspec validation is enabled by default for flowspec SAFI routes for IPv4 or IPv6. VPN routes are not subject to the flow validation"
I do not think it can be changed.
RFC5575, section 8 mentions the following:
Contrary to the behavior specified for the non-VPN NLRI, flow rules are accepted by default, when received from remote PE routers.
Regards,
02-01-2024 12:10 PM
Thanks for your response @Harold Ritter.
02-01-2024 12:24 PM
You are very welcome @j.restaino and thanks for the feedback