Tuesday, December 1, 2020

BGP Flowspec Question

I am having a bit of an issue with regard to announcing BGP flowspec rules.

I am trying to announce two different types of rules, but for some reason, when one rule is in place and I announce a 2nd rule, the initial rule is withdrawn.

For example:

1st Rule Announced for BGP Flowspec Rate-Limit to 100Mbps to 2.2.2.2/32

cisco_router#sh bgp flow-spec ipv4 destination 2.2.2.2/32 detail

BGP Flow Specification rules for VRF default

Router identifier 7.7.0.4, local AS number xxxx

BGP Flow Specification Matching Rule for 2.2.2.2/32;*;

Rule identifier: 140589008397264

Matching Rule:

Destination Prefix: 2.2.2.2/32

Source Prefix: *

Paths: 1 available

64512

from 10.252.152.188 (10.252.152.188)

Origin INCOMPLETE, metric -, localpref 100, weight 0, valid, external, best

Actions: Police: 10 kbps (1.25 kBps)

When I try to announce a Flowspec Redirect to Next Hop, the Flowspec Rate-Limit is replaced.

cisco_router#sh bgp flow-spec ipv4 destination 2.2.2.2/32 detail

BGP Flow Specification rules for VRF default

Router identifier 7.7.0.4, local AS number xxxx

BGP Flow Specification Matching Rule for 2.2.2.2/32;*;

Rule identifier: 140589008397264

Matching Rule:

Destination Prefix: 2.2.2.2/32

Source Prefix: *

Paths: 1 available

64512

from 10.252.152.188 (10.252.152.188)

Origin INCOMPLETE, metric -, localpref 100, weight 0, valid, external, best

Actions: Redirect IP: 1.1.1.1

**When I withdraw the Nexthop Redirect rule, there are no longer any rules for the prefix, while the flowspec rate-limit rule is still being announced from its BGP peer.

Has anyone experienced this in the past, or can anyone explain why this is happening?

Also, I tested this with a more specific rule, like adding protocol to the flowspec rate-limit, and this does NOT happen; it is only happening with the less specific flowspec announcement, which is what I am looking to do. I am looking to basically limit all traffic to a dest prefix.
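
Added example, not part of the original post and not Cisco's code: a simplified Python model of the behaviour shown in the two outputs above. In BGP a route learned from a peer is identified by its NLRI, which for flowspec is the set of match components, while the action (police, redirect) travels as an extended community on that path. The class and function names and the protocol value 17 are constructed for illustration, and the model assumes both rules come from the same peer, as the outputs show.

```python
# Toy model (constructed) of how a BGP speaker stores flowspec routes from one peer.
# The route key is the NLRI (the match components); actions ride along as
# extended communities on the path, so they are not part of the key.

def nlri(dest, source="*", **components):
    """Build a hashable flowspec NLRI from its match components."""
    return (("dest", dest), ("source", source)) + tuple(sorted(components.items()))


class AdjRibIn:
    """Routes learned from a single peer, keyed by NLRI."""

    def __init__(self):
        self.routes = {}

    def announce(self, key, actions):
        # An UPDATE for an NLRI already held from this peer replaces the
        # earlier path (implicit withdraw); the actions are not merged.
        self.routes[key] = frozenset(actions)

    def withdraw(self, key):
        # A withdraw names only the NLRI, so it removes the one stored path.
        self.routes.pop(key, None)


def replay_post_scenario():
    """Rate-limit, then redirect, for the same match (2.2.2.2/32;*;)."""
    rib = AdjRibIn()
    all_traffic = nlri("2.2.2.2/32")
    rib.announce(all_traffic, {"police"})
    rib.announce(all_traffic, {"redirect-ip 1.1.1.1"})
    after_second = rib.routes.get(all_traffic)
    rib.withdraw(all_traffic)
    return after_second, rib.routes.get(all_traffic)


def replay_with_protocol():
    """Rate-limit carries an extra match component, so it is a different NLRI."""
    rib = AdjRibIn()
    rib.announce(nlri("2.2.2.2/32", protocol=17), {"police"})  # 17 is a constructed value
    rib.announce(nlri("2.2.2.2/32"), {"redirect-ip 1.1.1.1"})
    rib.withdraw(nlri("2.2.2.2/32"))
    return dict(rib.routes)


if __name__ == "__main__":
    print(replay_post_scenario())
    print(replay_with_protocol())
```

The first replay reproduces the replaced action and the empty result after the withdraw; the second shows the rate-limit surviving once its match differs from the redirect rule's match.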


