# Flowspec (Global IPv4/6PE w/ Redirect)

**Topology**: ine-spv4

<figure><img src="/files/YO8OBAhbO1WxXqZOOhZ0" alt=""><figcaption></figcaption></figure>

Load **flowspec.global.redir.init.cfg**

```
#IOS-XE
config replace flash:flowspec.global.redir.init.cfg
 
#IOS-XR (XRv1 only)
configure
load bootflash:flowspec.global.redir.init.cfg
commit replace
y
```

R1 and R7 are both dual-stacked internet peers in the global table. IPv6 uses 6PE in the core.

All flowspec BGP peerings are already pre-established.

R8 is an “analysis box.” Your task is to redirect DDoS traffic sourced from 1.1.1.1/32 and 2001:1::1/128 to R8 (8.8.8.8 and 2001:8::8) using flowspec. XR1 is the flowspec controller.

## Answer

```
#XR1
class-map type traffic match-all CM_FLOWSPEC_V4_R1
 match source-address ipv4 1.1.1.1 255.255.255.255
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R1
 match source-address ipv6 2001:1::1/128
 end-class-map
!
policy-map type pbr PM_FLOWSPEC_V4
 class type traffic CM_FLOWSPEC_V4_R1
  redirect ipv4 nexthop 8.8.8.8
 end-policy-map
!
policy-map type pbr PM_FLOWSPEC_V6
 class type traffic CM_FLOWSPEC_V6_R1
  redirect ipv6 nexthop 2001:8::8
 end-policy-map
!
flowspec
 address-family ipv4
  service-policy type pbr PM_FLOWSPEC_V4
 !
 address-family ipv6
  service-policy type pbr PM_FLOWSPEC_V6
```

## Explanation

Flowspec can do more than drop or police traffic: it can also redirect it. This is very useful in designs that include a DDoS analysis device. Instead of simply dropping the traffic, you can redirect it to the analysis box.

To do so, we simply use a “redirect” action on the policy-map, instead of a “drop” or “police” action. First we define the traffic (sourced from R1):

```
#XR1
class-map type traffic match-all CM_FLOWSPEC_V4_R1
 match source-address ipv4 1.1.1.1 255.255.255.255
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R1
 match source-address ipv6 2001:1::1/128
 end-class-map
```

Then we define the “redirect” action in the policy-map:

```
#XR1
policy-map type pbr PM_FLOWSPEC_V4
 class type traffic CM_FLOWSPEC_V4_R1
  redirect ipv4 nexthop 8.8.8.8
 end-policy-map
!
policy-map type pbr PM_FLOWSPEC_V6
 class type traffic CM_FLOWSPEC_V6_R1
  redirect ipv6 nexthop 2001:8::8
 end-policy-map
```

Finally, the service-policy is applied to the flowspec process:

```
#XR1
flowspec
 address-family ipv4
  service-policy type pbr PM_FLOWSPEC_V4
 !
 address-family ipv6
  service-policy type pbr PM_FLOWSPEC_V6
```
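Because the controller advertises whatever the policy-map says to its flowspec clients, it is worth checking a redirect policy before committing it. The following is an added example, not part of the original lab: a small Python audit of the class-maps and policy-maps above. The allowlist `ANALYZERS`, the host-route-only rule, and the function names `parse` and `audit` are assumptions of this example.

```python
import ipaddress

ANALYZERS = {ipaddress.ip_address(a) for a in ("8.8.8.8", "2001:8::8")}  # R8

LAB = """\
class-map type traffic match-all CM_FLOWSPEC_V4_R1
 match source-address ipv4 1.1.1.1 255.255.255.255
class-map type traffic match-all CM_FLOWSPEC_V6_R1
 match source-address ipv6 2001:1::1/128
policy-map type pbr PM_FLOWSPEC_V4
 class type traffic CM_FLOWSPEC_V4_R1
  redirect ipv4 nexthop 8.8.8.8
policy-map type pbr PM_FLOWSPEC_V6
 class type traffic CM_FLOWSPEC_V6_R1
  redirect ipv6 nexthop 2001:8::8
"""  # answer config, trimmed to the lines the check reads

def parse(cfg):
    """Return ({class: matched source network}, {class: redirect next hop})."""
    matches, redirects, cls = {}, {}, None
    for words in map(str.split, cfg.splitlines()):
        if words[:3] in (["class-map", "type", "traffic"], ["class", "type", "traffic"]):
            cls = words[-1]
        elif words[:2] == ["match", "source-address"]:  # v4 "addr mask", v6 "addr/len"
            matches[cls] = ipaddress.ip_network("/".join(words[3:]), strict=False)
        elif words[:1] == ["redirect"] and words[2:3] == ["nexthop"]:
            redirects[cls] = ipaddress.ip_address(words[3])
    return matches, redirects

def audit(cfg):
    """List reasons a redirect rule should not be advertised to flowspec clients."""
    matches, redirects = parse(cfg)
    findings = []
    for cls, nh in redirects.items():
        net = matches.get(cls)
        if net is None:
            findings.append(f"{cls}: redirect with no source match")
        elif net.version != nh.version:
            findings.append(f"{cls}: IPv{net.version} match, IPv{nh.version} next hop")
        elif net.num_addresses > 1:
            findings.append(f"{cls}: {net} is wider than a host route")
        if nh not in ANALYZERS:
            findings.append(f"{cls}: next hop {nh} is not an analysis box")
    return findings

# Constructed bad variant: /24 source match and an unknown IPv6 next hop.
BAD = LAB.replace("255.255.255.255", "255.255.255.0").replace("2001:8::8", "2001:9::9")
if __name__ == "__main__":
    print(audit(LAB), audit(BAD), sep="\n")
```

The lab config passes with no findings; the constructed variant is flagged once for the widened IPv4 match and once for the unapproved IPv6 next hop.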

## Verification

On R2, notice that the flowspec NLRIs now have a nexthop. Previously, these all had a nexthop of 0.0.0.0, because the action was to drop the traffic.

<div align="left"><figure><img src="/files/jwSiijf8bl75wT5c4q8Z" alt=""><figcaption></figcaption></figure></div>

We can verify in the flowspec table on R2 that the action is now to redirect to this nexthop address, instead of dropping the traffic:

<div align="left"><figure><img src="/files/1ozl3QX6VBCxTX6XO8yf" alt=""><figcaption></figcaption></figure></div>

If we ping 7.7.7.7 from R1, we should see hits on the IPv4 flowspec policy:

```
#R1
ping 7.7.7.7 so lo0 repeat 3
```

Now R2 shows 3 hits for the IPv4 flowspec policy:

<div align="left"><figure><img src="/files/HNsi5Jjn8AeOMfbu6Zsn" alt=""><figcaption></figcaption></figure></div>

Additionally, we see ACL log entries on R8, proving that it received the traffic. (An ACL was applied to Gi2.58 in the initial config file.) Use **term mon** on R8, or **show logging**.

<div align="left"><figure><img src="/files/QhEt6r5R2P7B18GiPUaP" alt=""><figcaption></figcaption></figure></div>

Notice that on R1, the pings time out completely. Unlike R-SPAN, the packet is not copied; it is literally redirected to R8.

<div align="left"><figure><img src="/files/HEG4ks83eBIzMLkuLStZ" alt=""><figcaption></figcaption></figure></div>

Let’s try it with IPv6 now:

```
#R1
ping 2001:7::7 so lo0 repeat 3
```

We again see logs on R8:

```
*Mar 30 14:54:08.166: %FMANFP-6-IPV6ACCESSLOGDP: R0/0: fman_fp_image: list LOG_ICMPV6 permitted icmpv6 2001:1::1 -> 2001:7::7 (0/32768), 1 packet
```

Note that on version 17.x I found the pings actually worked. This must be a bug. But on 16.9.8 the IPv6 redirect is working properly.
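On the analysis box, the ACL log lines can be tallied per source to confirm that what arrives is what the flowspec rules were meant to redirect. The following is an added example, not part of the original lab: the first sample line is the one shown above, the others are constructed (the IPv4 lines by analogy with the IPv6 format), and the names `REDIRECTED` and `summarize` are this example's own.

```python
import ipaddress
import re
from collections import Counter

REDIRECTED = {"1.1.1.1", "2001:1::1"}  # sources the lab's flowspec rules redirect

# Matches the ACL log format shown on the page (IPv6) and its IPv4 counterpart.
LOG_RE = re.compile(
    r"%FMANFP-6-IP(?:V6)?ACCESSLOGDP: .*?list (?P<acl>\S+) (?P<action>\w+) "
    r"(?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+) \(\d+/\d+\), (?P<n>\d+) packets?"
)

# Line 1 is from the page; lines 2-4 are constructed sample data.
SAMPLE = """\
*Mar 30 14:54:08.166: %FMANFP-6-IPV6ACCESSLOGDP: R0/0: fman_fp_image: list LOG_ICMPV6 permitted icmpv6 2001:1::1 -> 2001:7::7 (0/32768), 1 packet
*Mar 30 14:55:08.166: %FMANFP-6-IPV6ACCESSLOGDP: R0/0: fman_fp_image: list LOG_ICMPV6 permitted icmpv6 2001:1::1 -> 2001:7::7 (0/32768), 2 packets
*Mar 30 14:56:10.201: %FMANFP-6-IPACCESSLOGDP: R0/0: fman_fp_image: list LOG_ICMP permitted icmp 1.1.1.1 -> 7.7.7.7 (8/0), 3 packets
*Mar 30 14:57:02.440: %FMANFP-6-IPACCESSLOGDP: R0/0: fman_fp_image: list LOG_ICMP permitted icmp 3.3.3.3 -> 7.7.7.7 (8/0), 1 packet
"""

def summarize(log_text):
    """Return ({source: packets logged}, [sources no redirect rule covers])."""
    per_src = Counter()
    for m in LOG_RE.finditer(log_text):
        # Normalise the address text so equivalent IPv6 spellings compare equal.
        src = str(ipaddress.ip_address(m["src"]))
        per_src[src] += int(m["n"])
    unexpected = sorted(src for src in per_src if src not in REDIRECTED)
    return dict(per_src), unexpected

if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE)
    for src, n in counts.items():
        print(f"{src}: {n} packet(s) logged on R8")
    print("not covered by a redirect rule:", unexpected or "none")
```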


