BGP Flowspec Commands

Define a traffic class and associate rules by using match sub-commands, after the class-map type traffic command is typed in. The created c class-map can be removed with No form of this command. Only match-all criteria (match all match items configured in a class-map) is supported in BGP Flowspec.

Command Syntax

class-map type traffic match-all CLASS_MAP_NAME

no class-map type traffic CLASS_MAP_NAME

Parameters

CLASS_MAP_NAME

a class-map-name to define.

Command Mode

Configure mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

drop

When an attached class-map is matched, the matched packet drops.

Command Syntax

drop

no drop

Parameters

None

Command Mode

policy-map class mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config-pmap-pbr-c)#drop

flowspec

This command is executed in the global configuration, and enter default VRF mode.

Command Syntax

flowspec

no flowspec

Parameters

None

Command Mode

Configure mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#flowspec

hardware filter ipv4-bgp-flowspec

Use this command to enable ipv4 BGP flowspec feature in hardware. Unless it is enabled, the all flowspec routes are not set to hardware, while the all BGP operations are done not related to this command.

Command Syntax

hardware filter ipv4-bgp-flowspec enable

hardware filter ipv4-bgp-flowspec disable

Parameters

None

Command Mode

Configure mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#hardware-profile filter ipv4-bgp-flowspec enable

ipv4 flowspec-disable

Use this command to disable BGP FlowSpec on a per-port basis. This is achieved by installing a high-priority FlowSpec rule that matches a specific FIB ID and Layer 3 (L3) interface, but with no action defined. This rule takes precedence over regular FlowSpec rules, ensuring that packets received on the specified L3 interface do not match any other FlowSpec rules. As a result, the FlowSpec functionality is effectively disabled for those specific ports. This feature is useful for environments where certain ports need to be excluded from BGP FlowSpec rule enforcement while maintaining regular network operations.

Note: This feature can be applied to any L3 interfaces, specifically on the following types:

• Physical interfaces: Direct physical network interfaces.

• Link Aggregation Group (LAG) interfaces: Bundled multiple network connections to act as a single interface.

• Virtual Local Area Network (VLAN) interfaces: Logical interfaces representing VLANs.

• Sub-interfaces: Logical interfaces created on a physical or VLAN interface for managing traffic separately.

Use no form of this command to enable BGP FlowSpec on a per-port basis.

Command Syntax

ipv4 flowspec-disable

no ipv4 flowspec-disable

Parameters

None

Default

None

Command Mode

Interface mode

Applicability

This command was introduced in OcNOS version 6.6.0.

Examples

In the following scenario, define traffic classes and policy maps to handle traffic flows. Enable FlowSpec and apply the policy maps to control traffic behavior. When disabling FlowSpec on VLAN and Port-Channel interfaces (vlan1.100 and po1), the system installs disabling rules with higher priority for the interfaces vlan1.100 and po1. This ensures that regular FlowSpec rules do not apply to vlan1.100 and po1.

Disabling FlowSpec on VLAN and Port-Channel Interfaces

OcNOS(config)#interface po1

OcNOS(config-if)#ip address 100.1.1.4/24

OcNOS(config-if)#ipv4 flowspec-disable

OcNOS(config-if)#commit

OcNOS(config-if)#exit

OcNOS(config)#interface vlan1.100

OcNOS(config-if)#ip address 200.1.1.4/24

OcNOS(config-if)#ipv4 flowspec-disable

OcNOS(config-if)#commit

OcNOS(config-if)#end

Snippet Configuration

OcNOS#show running-config

! Software version: EC_AS5912-54X-XP-6.5.3 09/19/2024 09:56:53

! Last configuration change at 05:43:39 UTC Tue Sep 24 2024 by ocnos

feature netconf-ssh vrf management

feature netconf-tls vrf management

no feature netconf-ssh

no feature netconf-tls

service password-encryption

snmp-server enable traps link linkDown

snmp-server enable traps link linkUp

hardware-profile filter ipv4-bgp-flowspec enable

hardware-profile statistics ingress-acl enable

qos enable

hostname R4

no ip domain-lookup

ip domain-lookup vrf management

bridge 1 protocol rstp vlan-bridge

tfo Disable

errdisable cause stp-bpdu-guard

no feature telnet vrf management

no feature telnet

feature ssh vrf management

no feature ssh

feature dns relay

ip dns relay

ipv6 dns relay

feature ntp vrf management

ntp enable vrf management

class-map type traffic match-all clas1

match destination-address ipv4 100.1.1.0/24

class-map type traffic match-all clas2

match destination-address ipv4 200.1.1.0/24

policy-map type pbr pol1

class type traffic clas1

drop

policy-map type pbr pol2

class type traffic clas2

drop

flowspec

local-install interface-all

address-family ipv4

service-policy type pbr pol1

service-policy type pbr pol2

exit

vlan database

vlan 100-1000 bridge 1

ip vrf management

interface po1

ip address 100.1.1.4/24

ipv4 flowspec-disable

interface ce49

interface ce50

channel-group 1 mode active

interface ce51

channel-group 1 mode active

interface ce52

interface ce53

switchport

bridge-group 1

switchport mode trunk

switchport trunk allowed vlan add 100

interface ce54

interface eth0

ip vrf forwarding management

ip address 10.14.110.108/24

interface lo

ip address 127.0.0.1/8

ipv6 address ::1/128

interface lo.management

ip vrf forwarding management

ip address 127.0.0.1/8

ipv6 address ::1/128

interface vlan1.100

ip address 200.1.1.4/24

ipv4 flowspec-disable

exit

router bgp 100

ip route vrf management 0.0.0.0/0 10.14.110.1 eth0

end

Validation

To verify the installation of FlowSpec rules, use the show hsl bgp-flowspec-rules fib-id all detail command.

1. When traffic arrives at vlan1.100 or po1, the system first matches the high-priority disabling rules (rules 1 and 2). These rules prevent further FlowSpec rules from being applied to traffic on the VLAN and Port-Channel interfaces.

2. For other interfaces, the system applies the regular FlowSpec rules. If the traffic matches the criteria defined in the class-map type clas1 or clas2 (rules 3 and 4), it will be dropped.

The prioritization of the disabling rules for vlan1.100 and po1 ensures these interfaces are effectively excluded from FlowSpec processing.

OcNOS#show hsl bgp-flowspec-rules fib-id all detail

<<< HSL BGP Flowspec information >>>

rule processing type: all rules install

Table Full: FALSE

<<< fib ID: 0 >>>

Total number of rules installed: 4

Rules installed to hw: 4

Ruules not installed to hw: 0

Table Full: FALSE

<<< rule number: 1 >>>

priority: 1

disabled_interface: vlan1.100 (ifindex:10205)

<<< Traffic Filters >>>

<<< Actions >>>

<<< rule number: 2 >>>

priority: 2

disabled_interface: po1 (ifindex:100001)

<<< Traffic Filters >>>

<<< Actions >>>

<<< rule number: 3 >>>

priority: 3

<<< Traffic Filters >>>

destination ip address: 100.1.1.0/24

<<< Actions >>>

traffic_rate: 0 pps

<<< rule number: 4 >>>

priority: 4

<<< Traffic Filters >>>

destination ip address: 200.1.1.0/24

<<< Actions >>>

traffic_rate: 0 pps

local-install

Specify whether or not, the attached service policy is installed to a local node. By default, not installed. This command can be taken effect for all address-families by specifying it before entering address-family configuration mode, or for a specific address-family when the mode is address-family configuration.

Command Syntax

local-install interface-all

no local-install

Parameters

None

Command Mode

Flowspec, flowspec address family and flowspec-vrfmode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

config)#flowspec

(config-flowspec)#local-install interface-all

(config-flowspec)#address-family ipv4

(config-flowspec-af)#local-install interface-all

(config-flowspec-af)#exit

(config-flowspec)#vrf VRF1

(config-flowspec-vrf)#local-install interface-all

match dscp

Use this command to match DSCP value.

Command Syntax

match dscp [DSCP_VALUE|DSCP_VALUE_RANGE][,...,[DSCP_VALUE|DSCP_VALUE_RANGE]]

no match dscp

Parameters

DSCP_CODE_VALUE

A class-map-name to define.

DSCP_CODE_VALUE_RANGE

A range in a form of range: MIN_VALU-MAX_VALUE. e.g. 10-3e

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match dscp 1c

match destination-address

IP destination address to match. It can be specified with prefix and netmask bits.

Command Syntax

match destination-address ipv4 A.B.C.D/M

no match destination-address

Parameters

A.B.C.D/M

A.B.C.D is prefix and M is netmask bits.

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match destination-address ipv4 1.1.1.1/32

match destination-port

Use this command to match TCP/UDP destination port number(s).

Command Syntax

match destination_port [PORT_NUMBER|PORT_RANGE][,...,[PORT_NUMBER|PORT_RANGE]]

no match destination_port

Parameters

PORT_NUMBER

A port number in 1-65535

PORT_NUMBER_RANGE

A range in a form of range: MIN_VALUE-MAX_VALUE. e.g. 10-100

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

match fragment-type

Use this command to match fragment type.

Command Syntax

match fragment-type FRAGMENT_TYPE

no match fragment-type

Parameters

FRAGMENT_TYPE

lf: Last fragment

ff: First fragment

isf: Is s fragment other than the first

df: Don't fragment

lf-ff-isf: When one of lf, ff, and isf is true to match, it matches.

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match fragment-type lf

match icmp-code

Use this command to match the ICMP code.

Command Syntax

match ipv4 icmp-code [ICMP_TYPE_VALUE|ICMP_TYPE_VALUE_RANGE] [,...,[ICMP_TYPE_VALUE|ICMP_TYPE_VALUE_RANGE]]

no match ipv4 icmp-code

Parameters

ICMP_CODE_VALUE

ICMP code number in 0-255

ICMP_CODE_VALUE_RANGE

A range in a form of range: MIN_VALU-MAX_VALUE. e.g. 10-100

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match ipv4 icmp-type 10

(config-cmap-tr)#match ipv4 icmp-code 20

match icmp-type

Use this command to match TCP/UDP destination port number(s).

Command Syntax

match ipv4 icmp-type [ICMP_TYPE_VALUE|ICMP_TYPE_VALUE_RANGE] [,...,[ICMP_TYPE_VALUE|ICMP_TYPE_VALUE_RANGE]]

no match ipv4 icmp-type

Parameters

ICMP_TYPE_VALUE

ICMP code number in 0-255

ICMP_TYPE_VALUE_RANGE

A range in a form of range: MIN_VALU-MAX_VALUE. e.g. 10-100

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match ipv4 icmp-type 10

match packet-length

Use this command to match packet length.

Command Syntax

match packet-length [PACKET_LENGTH_VALUE|PACKET_LENGTH_VALUE_RANGE]

[,...,[PACKET_LENGTH_VALUE|PACKET_LENGTH_VALUE_RANGE]]

no match packet-length

Parameters

PACKET_LENGTH_VALUE

ICMP code number in 0-255

PACKET_LENGTH_VALUE_RANGE

A range in a form of range: MIN_VALU-MAX_VALUE. e.g. 10-100

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match packet-length 70-100

match port

Use this command to match TCP/UDP port number(s).

Command Syntax

match port [PORT_NUMBER|PORT_RANGE][,...,[PORT_NUMBER|PORT_RANGE]]

no match port

Parameters

PORT_NUMBER

A port number in 1-65535

PORT_NUMBER_RANGE

A range in a form of range: MIN_VALUE-MAX_VALUE. e.g. 10-100

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match port 1000-2000

match protocol

Use this command to match Protocol number(s).

Command Syntax

match protocol [IP_PROTOCOL_NUM|IP_PROTOCOL_NUMBER_RANGE][,...,[IP_PRTOCOL_NUMBER|IP_PROTOCOL_NUMBER_RANGE]]

no match protocol

Parameters

IP_PRTOCOL_NUMBER

IP protocol number in 0-255

IP_PROTOCOL_NUMBER_RANGE

A range in a form of range: MIN_VALUE-MAX_VALUE. e.g. 10-100

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match protocol 122

match source-address

IP source address to match. It can be specified with prefix and netmask bits.

Command Syntax

match source-address ipv4 A.B.C.D/M

no match source-address

Parameters

A.B.C.D/M

A.B.C.D is prefix and M is netmask bits.

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match source-address ipv4 2.2.2.2/32

match source-port

Use the command to match TCP/UDP source port number(s).

Command Syntax

match source_port [PORT_NUMBER|PORT_RANGE][,...,[PORT_NUMBER|PORT_RANGE]]

no match source_port

Parameters

PORT_NUMBER

A port number in 1-65535

PORT_NUMBER_RANGE

A range in a form of range: MIN_VALU-MAX_VALUE. e.g. 10-100

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

match tcp-flag

Use the command to match TCP flag.

Command Syntax

match ipv4 tcp-flag TCP_FLAG_VALUE bitmask TCP_FLAG_BITMASK

no match ipv4 tcp-flag bitmask

Parameters

TCP_FLAG_VALUE

TCP flag value in hexadecimal (0-fff)

TCP_FLAG_BITMASK

TCP flag bitmask in hexadecimal (0-fff)

Command Mode

Class-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#class-map type traffic match-all test1

(config-cmap-tr)#match tcp-flag 2e bit-mask 3f

neighbor flowspec-vaildation-disable

The following parameters can be configured with neighbor command in address-family for BGP Flowspec. The flowspec-vaildation-disable is a parameter for BGP Flowspec. When it is specified, BGP Flowspec validation is disabled. By default, this parameter is enabled.

Command Syntax

neighbor A.B.C.D flowspec-vaildation-disable

Parameters

A.B.C.D

IPv4 address

Command Mode

Router address family mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config-router)#address-family ipv4 flowspec

(config-router-af)#neighbor 1.1.1.1 flowspec-validation-disable

policy-map

Create or modify a policy map with a pbr type that can be attached as a service policy, and proceed to a mode to enter class command after this command is typed in. Multiple class-map can be linked to a created policy-map. To delete a policy-map, use the no form of this command.

Command Syntax

policy-map type pbr POLICY_MAP_NAME

no policy-map type pbr POLICY_MAP_NAME

Parameters

POLICY_MAP_NAME

A name for a creating modifying policy-map.

Command Mode

Configure mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#policy-map type pbr

(config)#policy-map type pbr test2

police rate

Use this command to set a rate applied for matched packets.

Command Syntax

police rate RATE_VALUE [pps|bps]

no police rate

Parameters

RATE_VALUE

rate value specified in 1-1000000000.

pps

A unit for RATE_VALUE: pps mean packets per second.

bps

A unit for RATE_VALUE: bps mean bit per second.

Command Mode

Policy-map class mode

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

7017(config-pmap-pbr-c)#police rate

7017(config-pmap-pbr-c)#police rate 100000000 bps

policy-map class type traffic

Attach a class to a policy-map created by policy-map command. This command enters policy-map mode.

Command Syntax

class type traffic CLASS_MAP_NAME

no class type traffic CLASS_MAP_NAME

Parameters

CLASS_MAP_NAME

A name for class-map already created with class-map command.

Command Mode

Policy-map mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#policy-map type pbr test2

(config-pmap-pbr)#class type traffic test1

redirect

Set a VRF redirected to for matched packets.

Command Syntax

redirect ipv4 extcommunity rt ROUTE_TARGET

no redirect ipv4 extcommunity rt

Parameters

ROUTE_TARGET

Specify a route target, Two formats can be used:

AS number:index, e.g. 100:10

IPv4 address: index, e.g. 2.2.2.2:10.

Command Mode

policy-map class mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config-pmap-pbr-c)#redirect ipv4 extcommunity rt 100:10

set dscp

Set a DSCP value to a matched packet to mark with it.

Command Syntax

set dscp DSCP_VALUE

no set dscp

Parameters

DSCP_VALUE

DSCP value in hexadecimal (0-3f)

Command Mode

policy-map class mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config-pmap-pbr-c)#set dscp 3f

service-policy type pbr

Attach/detach a service policy to BGP component. The attached policy is locally installed optionally by typing local-install command, as well as a BGP Flowspec route is injected to a BGP component.

Command Syntax

service-policy type pbr POLICY_MAP_NAME

no service-policy type pbr POLICY_MAP_NAME

Parameters

POLICY_MAP_NAME

Name of the policy map.

Command Mode

Flowspec address family mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

(config)#flowspec

(config-flowspec)#local-install interface-all

(config-flowspec)#address-family ipv4

(config-flowspec-af)#service-policy type pbr test1

show hsl bgp-flowspec-rules fib-id

Use these commands to display the BGP FlowSpec rules for FIB IDs.

Command Syntax

show hsl bgp-flowspec-rules fib-id (<0-255>|all) (detail|)

Parameters

fib-id <0-255>

Specifies the FIB ID range.

fib-id all

Displays rule for all the FIB IDs.

fib-id detail

(Optional) Displays the detailed information of the FlowSpec rules.

Default

None

Command Mode

Executive mode

Applicability

Introduced in OcNOS version 6.3.0.

Examples

OcNOS#show hsl bgp-flowspec-rules fib-id all detail

<<< HSL BGP Flowspec information >>>

rule processing type: all rules install

Table Full: FALSE

<<< fib ID: 0 >>>

Total number of rules installed: 6

Rules installed to hw: 6

Ruules not installed to hw: 0

Table Full: FALSE

<<< rule number: 1 >>>

priority: 1

disabled_interface: vlan1.100 (ifindex:10154)

<<< Traffic Filters >>>

<<< Actions >>>

<<< rule number: 2 >>>

priority: 2

disabled_interface: vlan1.200 (ifindex:25200)

<<< Traffic Filters >>>

<<< Actions >>>

<<< rule number: 3 >>>

priority: 3

<<< Traffic Filters >>>

destination ip address: 100.1.1.0/24

<<< Actions >>>

traffic_rate: 0 pls

<<< rule number: 4 >>>

priority: 4

<<< Traffic Filters >>>

destination ip address: 200.1.1.0/24

<<< Actions >>>

traffic_rate: 0 pps

<<< rule number: 5 >>>

priority: 5

<<< Traffic Filters >>>

destination ip address: 200.2.1.0/24

<<< Actions >>>

traffic_rate: 0 pps

<<< rule number: 6 >>>

priority: 6

<<< Traffic Filters >>>

destination ip address: 200.3.1.0/24

<<< Actions >>>

traffic_rate: 0

show ip bgp

Use these commands to show the output.

Command Syntax

show ip bgp flowspec

show ip bgp flowspec summary (vrf (VRFNAME|all|default))

show ip bgp (ipv4|vpnv4) flowspec (detail|)

show ip bgp (ipv4|vpnv4) flowspec (vrf (VRFNAME|all|default)) (detail|)

show ip bgp vpnv4 flowspec rd WORD (detail|)

Parameters

None

Command Mode

Executive mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

#show ip bgp flowspec

BGP router identifier 19.19.19.19, local AS number 100

BGP table version is 7

1 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd

1.1.1.1 4 100 40 35 7 0 0 00:04:51 1

Total number of neighbors 1

Total number of Established sessions 1

BGP router identifier 4.4.4.4, local AS number 100

BGP VRF VRF1 Route Distinguisher: 100:10

BGP table version is 1

1 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd

200.2.1.2 4 65530 0 0 0 0 0 never Connect

Total number of neighbors 1

Total number of Established sessions 0

show ip bgp flowspec summary vrf VRF1

BGP router identifier 4.4.4.4, local AS number 100

BGP VRF VRF1 Route Distinguisher: 100:10

BGP table version is 1

1 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd

200.2.1.2 4 65530 0 0 0 0 0 never Idle

Total number of neighbors 1

Total number of Established sessions 0

#show ip bgp flowspec summary vrf all

BGP router identifier 4.4.4.4, local AS number 100

BGP VRF VRF1 Route Distinguisher: 100:10

BGP table version is 1

1 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd

200.2.1.2 4 65530 0 0 0 0 0 never Connect

Total number of neighbors 1

Total number of Established sessions 0

BGP router identifier 19.19.19.19, local AS number 100

BGP table version is 7

1 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd

1.1.1.1 4 100 41 37 7 0 0 00:05:31 1

Total number of neighbors 1

Total number of Established sessions 1

#show ip bgp flowspec summary vrf default

BGP router identifier 19.19.19.19, local AS number 100

BGP table version is 7

1 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd

1.1.1.1 4 100 42 37 7 0 0 00:05:37 1

Total number of neighbors 1

Total number of Established sessions 1

#show ip bgp ipv4 flowspec

detail summary vrf

#show ip bgp ipv4 flowspec vrf all

BGP table version is 1, local router ID is 4.4.4.4

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal,

l - labeled, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

BGP Route Table for VRF VRF1

*>i flowspec/368 1.1.1.1 0 100 0 i

Total number of prefixes 1

*>i flowspec/368 1.1.1.1 0 100 0 i

Total number of prefixes 1

#show ip bgp ipv4 flowspec vrf all detail

BGP table version is 1, local router ID is 4.4.4.4

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal,

l - labeled, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

BGP Route Table for VRF VRF1

*>i flowspec/368 1.1.1.1 0 100 0 i

FlowSpec:

destination ip address: 1.1.1.1/32

source ip address: 2.2.2.2/32

IP protocol:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:122

TCP/UDP port:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:1000

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:2000

ICMP type:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:10

ICMP code:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:20

TCP flags:

e:0 a:0 len:0 not:0 m:1 data:0x2e

e:1 a:1 len:0 not:1 m:0 data:0x11

Packet length:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:70

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:100

DSCP:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:0x1c

fragment:

e:1 a:0 len:0 not:0 m:1 data:0x8

FlowSpec Actions:

traffic_rate: 100000000 bps

rt_redirect: as_type: as 100:10 vrf_id:2 fib_id:2

Total number of prefixes 1

*>i flowspec/368 1.1.1.1 0 100 0 i

FlowSpec:

destination ip address: 1.1.1.1/32

source ip address: 2.2.2.2/32

IP protocol:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:122

TCP/UDP port:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:1000

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:2000

ICMP type:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:10

ICMP code:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:20

TCP flags:

e:0 a:0 len:0 not:0 m:1 data:0x2e

e:1 a:1 len:0 not:1 m:0 data:0x11

Packet length:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:70

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:100

DSCP:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:0x1c

fragment:

e:1 a:0 len:0 not:0 m:1 data:0x8

FlowSpec Actions:

traffic_rate: 0 pps

Total number of prefixes 1

#show ip bgp vpnv4 flowspec vrf VRF1

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal, l - labeled

S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:10 (Default for VRF VRF1)

*>i flowspec/368 1.1.1.1 0 100 0 i

Announced routes count = 0

Accepted routes count = 1

#show ip bgp vpnv4 flowspec vrf VRF1 detail

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal, l - labeled

S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:10 (Default for VRF VRF1)

*>i flowspec/368 1.1.1.1 0 100 0 i

FlowSpec:

destination ip address: 1.1.1.1/32

source ip address: 2.2.2.2/32

IP protocol:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:122

TCP/UDP port:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:1000

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:2000

ICMP type:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:10

ICMP code:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:20

TCP flags:

e:0 a:0 len:0 not:0 m:1 data:0x2e

e:1 a:1 len:0 not:1 m:0 data:0x11

Packet length:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:70

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:100

DSCP:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:0x1c

fragment:

e:1 a:0 len:0 not:0 m:1 data:0x8

FlowSpec Actions:

traffic_rate: 100000000 bps

rt_redirect: as_type: as 100:10 vrf_id:2 fib_id:2

Announced routes count = 0

Accepted routes count = 1

#show ip bgp vpnv4 flowspec rd 100:10

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal, l - labeled

S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:10 (Default for VRF VRF1)

*>i flowspec/368 1.1.1.1 0 100 0 i

Announced routes count = 0

Accepted routes count = 1

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal, l - labeled

S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:10

*>i flowspec/368 1.1.1.1 0 100 0 i

Announced routes count = 0

Accepted routes count = 1

#show ip bgp vpnv4 flowspec rd 100:10 detail

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal, l - labeled

S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:10 (Default for VRF VRF1)

*>i flowspec/368 1.1.1.1 0 100 0 i

FlowSpec:

destination ip address: 1.1.1.1/32

source ip address: 2.2.2.2/32

IP protocol:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:122

TCP/UDP port:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:1000

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:2000

ICMP type:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:10

ICMP code:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:20

TCP flags:

e:0 a:0 len:0 not:0 m:1 data:0x2e

e:1 a:1 len:0 not:1 m:0 data:0x11

Packet length:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:70

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:100

DSCP:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:0x1c

fragment:

e:1 a:0 len:0 not:0 m:1 data:0x8

FlowSpec Actions:

traffic_rate: 100000000 bps

rt_redirect: as_type: as 100:10 vrf_id:2 fib_id:2

Announced routes count = 0

Accepted routes count = 1

Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal, l - labeled

S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:10

*>i flowspec/368 1.1.1.1 0 100 0 i

FlowSpec:

destination ip address: 1.1.1.1/32

source ip address: 2.2.2.2/32

IP protocol:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:122

TCP/UDP port:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:1000

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:2000

ICMP type:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:10

ICMP code:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:20

TCP flags:

e:0 a:0 len:0 not:0 m:1 data:0x2e

e:1 a:1 len:0 not:1 m:0 data:0x11

Packet length:

e:0 a:0 len:1 lt:0 gt:1 eq:1 data:70

e:1 a:1 len:1 lt:1 gt:0 eq:1 data:100

DSCP:

e:1 a:0 len:0 lt:0 gt:0 eq:1 data:0x1c

fragment:

e:1 a:0 len:0 not:0 m:1 data:0x8

FlowSpec Actions:

traffic_rate: 100000000 bps

rt_redirect: as_type: as 100:10 vrf_id:2 fib_id:2

Announced routes count = 0

Accepted routes count = 1

vrf

Specify a VRF to configure service policies. This command is executed in the default vrf mode, and enter vrf mode. address-family, local-install and service-policy commands can be executed in the same way (stated in address-family, locall-install, and service-policy type pbr) executed in the default vrf mode.

Command Syntax

vrf VRF_NAME

no vrf VRF_NAME

Parameters

VRF_NAME

A vrf name already created

Command Mode

Flowspec mode.

Applicability

This command was introduced in OcNOS version 6.3.0.

Examples

7017(config)#flowspec

7017(config-flowspec)#vrf VRF1