CCIE SPv5.1 Labs
  • Intro
    • Setup
  • Purpose
  • Video Demonstration
  • Containerlab Tips
  • Labs
    • ISIS
      • Start
      • Topology
      • Prefix Suppression
      • Hello padding
      • Overload Bit
      • LSP size
      • Default metric
      • Hello/Hold Timer
      • Mesh groups
      • Prefix Summarization
      • Default Route Preference
      • ISIS Timers
      • Log Neighbor Changes
      • Troubleshooting 1 - No routes
      • Troubleshooting 2 - Adjacency
      • IPv6 Single Topology
      • IPv6 Single Topology Challenge
      • IPv6 Multi Topology
      • IPv6 Single to Multi Topology
      • Wide Metrics Explained
      • Route Filtering
      • Backdoor Link
      • Non-Optimal Intra-Area routing
      • Multi Area
      • Authentication
      • Conditional ATT Bit
      • Troubleshooting iBGP
      • Troubleshooting TE Tunnel
    • LDP
      • Start
      • Topology
      • LDP and ECMP
      • LDP and Static Routes
      • LDP Timers
      • LDP Authentication
      • LDP Session Protection
      • LDP/IGP Sync (OSPF)
      • LDP/IGP Sync (ISIS)
      • LDP Local Allocation Filtering
      • LDP Conditional Label Advertisement
      • LDP Inbound Label Advertisement Filtering
      • LDP Label Advertisement Filtering Challenge
      • LDP Implicit Withdraw
      • LDP Transport Address Troubleshooting
      • LDP Static Labels
    • MPLS-TE
      • Start
      • Topology
      • Basic TE Tunnel w/ OSPF
      • Basic TE Tunnel w/ ISIS
      • TE Tunnel using Admin Weight
      • TE Tunnel using Link Affinity
      • TE Tunnel with Explicit-Null
      • TE Tunnel with Conditional Attributes
      • RSVP message pacing
      • Reoptimization timer
      • IGP TE Flooding Thresholds
      • CSPF Tiebreakers
      • TE Tunnel Preemption
      • TE Tunnel Soft Preemption
      • Tunneling LDP inside RSVP
      • PE to P TE Tunnel
      • Autoroute Announce Metric (XE)
      • Autoroute Announce Metric (XR)
      • Autoroute Announce Absolute Metric
      • Autoroute Announce Backup Path
      • Forwarding Adjacency
      • Forwarding Adjacency with OSPF
      • TE Tunnels with UCMP
      • Auto-Bandwidth
      • FRR Link Protection (XE, BFD)
      • FRR Link Protection (XE, RSVP Hellos)
      • FRR Node Protection (XR)
      • FRR Path Protection
      • FRR Multiple Backup Tunnels (Node Protection)
      • FRR Multiple Backup Tunnels (Link Protection)
      • FRR Multiple Backup Tunnels (Backwidth/Link Protection)
      • FRR Backup Auto-Tunnels
      • FRR Backup Auto-Tunnels with SRLG
      • Full Mesh Auto-Tunnels
      • Full Mesh Dynamic Auto-Tunnels
      • One-Hop Auto-Tunnels
      • CBTS/PBTS
      • Traditional DS-TE
      • IETF DS-TE with MAM
      • IETF DS-TE with RDM
      • RDM w/ FRR Troubleshooting
      • Per-VRF TE Tunnels
      • Tactical TE Issues
      • Multicast and MPLS-TE
    • SR
      • Start
      • Topology
      • Basic SR with ISIS
      • Basic SR with OSPF
      • SRGB Modifcation
      • SR with ExpNull
      • SR Anycast SID
      • SR Adjacency SID
      • SR LAN Adjacency SID (Walkthrough)
      • SR and RSVP-TE interaction
      • SR Basic Inter-area with ISIS
      • SR Basic Inter-area with OSPF
      • SR Basic Inter-IGP (redistribution)
      • SR Basic Inter-AS using BGP
      • SR BGP Data Center (eBGP)
      • SR BGP Data Center (iBGP)
      • LFA
      • LFA Tiebreakers (ISIS)
      • LFA Tiebreakers (OSPF)
      • Remote LFA
      • RLFA Tiebreakers?
      • TI-LFA
      • Remote LFA or TILFA?
      • TI-LFA Node Protection
      • TI-LFA SRLG Protection
      • TI-LFA Protection Priorities (ISIS)
      • TI-LFA Protection Priorities (OSPF)
      • Microloop Avoidance
      • SR/LDP Interworking
      • SR/LDP SRMS OSPF Inter-Area
      • SR/LDP Design Challenge #1
      • SR/LDP Design Challenge #2
      • Migrate LDP to SR (ISIS)
      • OAM with SR
      • SR-MPLS using IPv6
      • Basic SR-TE with AS
      • Basic SR-TE with AS and ODN
      • SR-TE with AS Primary/Secondary Paths
      • SR-TE Dynamic Policies
      • SR-TE Dynamic Policy with Margin
      • SR-TE Explicit Paths
      • SR-TE Disjoint Planes using Anycast SIDs
      • SR-TE Flex-Algo w/ Latency
      • SR-TE Flex-Algo w/ Affinity
      • SR-TE Disjoint Planes using Flex-Algo
      • SR-TE BSIDs
      • SR-TE RSVP-TE Stitching
      • SR-TE Autoroute Include
      • SR Inter-IGP using PCE
      • SR-TE PCC Features
      • SR-TE PCE Instantiated Policy
      • SR-TE PCE Redundancy
      • SR-TE PCE Redundancy w/ Sync
      • SR-TE Basic BGP EPE
      • SR-TE BGP EPE for Unified MPLS
      • SR-TE Disjoint Paths
      • SR Converged SDN Transport Challenge
      • SR OAM DPM
      • SR OAM Tools
      • Performance-Measurement (Interface Delay)
    • SRv6
      • Start
      • Topology
      • Basic SRv6
      • SRv6 uSID
      • SRv6 uSID w/ EVPN-VPWS and BGP IPv4/IPv6
      • SRv6 uSID w/ SR-TE
      • SRv6 uSID w/ SR-TE Explicit Paths
      • SRv6 uSID w/ L3 IGW
      • SRv6 uSID w/ Dual-Connected PE
      • SRv6 uSID w/ Flex Algo
      • SRv6 uSID - Scale (Pt. 1)
      • SRv6 uSID - Scale (Pt. 2)
      • SRv6 uSID - Scale (Pt. 3) (UPA Walkthrough)
      • SRv6 uSID - Scale (Pt. 4) (Flex Algo)
      • SRv6 uSID w/ TI-LFA
    • Multicast
      • Start
      • Topology
      • Basic PIM-SSM
      • PIM-SSM Static Mapping
      • Basic PIM-SM
      • PIM-SM with Anycast RP
      • PIM-SM with Auto-RP
      • PIM-SM with BSR
      • PIM-SM with BSR for IPv6
      • PIM-BiDir
      • PIM-BiDir for IPv6
      • PIM-BiDir with Phantom RP
      • PIM Security
      • PIM Boundaries with AutoRP
      • PIM Boundaries with BSR
      • PIM-SM IPv6 using Embedded RP
      • PIM SSM Range Note
      • PIM RPF Troubleshooting #1
      • PIM RPF Troubleshooting #2
      • PIM RP Troubleshooting
      • PIM Duplicate Traffic Troubleshooting
      • Using IOS-XR as a Sender/Receiver
      • PIM-SM without Receiver IGMP Joins
      • RP Discovery Methods
      • Basic Interdomain Multicast w/o MSDP
      • Basic Interdomain Multicast w/ MSDP
      • MSDP Filtering
      • MSDP Flood Reduction
      • MSDP Default Peer
      • MSDP RPF Check (IOS-XR)
      • MSDP RPF Check (IOS-XE)
      • Interdomain MBGP Policies
      • PIM Boundaries using MSDP
    • MVPN
      • Start
      • Topology
      • Profile 0
      • Profile 0 with data MDTs
      • Profile 1
      • Profile 1 w/ Redundant Roots
      • Profile 1 with data MDTs
      • Profile 6
      • Profile 7
      • Profile 3
      • Profile 3 with S-PMSI
      • Profile 11
      • Profile 11 with S-PMSI
      • Profile 11 w/ Receiver-only Sites
      • Profile 9 with S-PMSI
      • Profile 12
      • Profile 13
      • UMH (Upstream Multicast Hop) Challenge
      • Profile 13 w/ Configuration Knobs
      • Profile 13 w/ PE RP
      • Profile 12 w/ PE Anycast RP
      • Profile 14 (Partitioned MDT)
      • Profile 14 with Extranet option #1
      • Profile 14 with Extranet option #2
      • Profile 14 w/ IPv6
      • Profile 17
      • Profile 19
      • Profile 21
    • MVPN SR
      • Start
      • Topology
      • Profile 27
      • Profile 27 w/ Constraints
      • Profile 27 w/ FRR
      • Profile 28
      • Profile 28 w/ Constraints and FRR
      • Profile 28 w/ Data MDTs
      • Profile 29
    • VPWS
      • Start
      • Topology
      • Basic VPWS
      • VPWS with Tag Manipulation
      • Redundant VPWS
      • Redundant VPWS (IOS-XR)
      • VPWS with PW interfaces
      • Manual VPWS
      • VPWS with Sequencing
      • Pseudowire Logging
      • VPWS with FAT-PW
      • MS-PS (Pseudowire stitching)
      • VPWS with BGP AD
    • VPLS
      • Start
      • Topology
      • Basic VPLS with LDP
      • VPLS with LDP and BGP
      • VPLS with BGP only
      • Hub and Spoke VPLS
      • Tunnel L2 Protocols over VPLS
      • Basic H-VPLS
      • H-VPLS with BGP
      • H-VPLS with QinQ
      • H-VPLS with Redundancy
      • VPLS with Routing
      • VPLS MAC Protection
      • Basic E-TREE
      • VPLS with LDP/BGP-AD and XRv RR
      • VPLS with BGP and XRv RR
      • VPLS with Storm Control
    • EVPN
      • Start
      • Topology
      • EVPN VPWS
      • EVPN VPWS Multihomed
      • EVPN VPWS Multihomed Single-Active
      • Basic Single-homed EVPN E-LAN
      • EVPN E-LAN Service Label Allocation
      • EVPN E-LAN Ethernet Tag
      • EVPN E-LAN Multihomed
      • EVPN E-LAN on XRv
      • EVPN IRB
      • EVPN-VPWS Multihomed IOS-XR (All-Active)
      • EVPN-VPWS Multihomed IOS-XR (Port-Active)
      • EVPN-VPWS Multihomed IOS-XR (Single-Active)
      • EVPN-VPWS Multihomed IOS-XR (Non-Bundle)
      • PBB-EVPN (Informational)
    • BGP Multi-Homing (XE)
      • Start
      • Topology
      • Lab1 ECMP
      • Lab2 UCMP
      • Lab3 Backup Path
      • Lab4 Shadow Session
      • Lab5 Shadow RR
      • Lab6 RR with Add-Path
      • Lab7 MPLS + Add Path ECMP
      • Lab8 MPLS + Shadow RR
      • Lab9 MPLS + RDs + UCMP
    • BGP Multi-Homing (XR)
      • Start
      • Topology
      • Lab1 ECMP
      • Lab2 UCMP
      • Lab3 Backup Path
      • Lab4 “Shadow Session”
      • Lab5 “Shadow RR”
      • Lab6 RR with Add-Path
      • Lab7 MPLS + Add Path ECMP
      • Lab8 MPLS + “Shadow RR”
      • Lab9 MPLS + RDs + UCMP
      • Lab10 MPLS + Same RD + Add-Path + UCMP
      • Lab11 MPLS + Same RD + Add-Path + Repair Path
    • BGP
      • Start
      • Conditional Advertisement
      • Aggregation and Deaggregation
      • Local AS
      • BGP QoS Policy Propagation
      • Non-Optimal eBGP Routing
      • Multihomed Enterprise Challenge
      • Provider Communities
      • Destination-Based RTBH
      • Destination-Based RTBH (Community-Based)
      • Source-Based RTBH
      • Source-Based RTBH (Community-Based)
      • Multihomed Enterprise Challenge (XRv)
      • Provider Communities (XRv)
      • DMZ Link BW Lab1
      • DMZ Link BW Lab2
      • PIC Edge in the Global Table
      • PIC Edge Troubleshooting
      • PIC Edge for VPNv4
      • AIGP
      • AIGP Translation
      • Cost-Community (iBGP)
      • Cost-Community (confed eBGP)
      • Destination-Based RTBH (VRF Provider-triggered)
      • Destination-Based RTBH (VRF CE-triggered)
      • Source-Based RTBH (VRF Provider-triggered)
      • Flowspec (Global IPv4/6PE)
      • Flowspec (VRF)
      • Flowspec (Global IPv4/6PE w/ Redirect)
      • Flowspec (Global IPv4/6PE w/ Redirect) T-Shoot
      • Flowspec (VRF w/ Redirect)
      • Flowspec (Global IPv4/6PE w/ CE Advertisement)
    • Intra-AS L3VPN
      • Start
      • Partitioned RRs
      • Partitioned RRs with IOS-XR
      • RT Filter
      • Non-Optimal Multi-Homed Routing
      • Troubleshoot #1 (BGP)
      • Troubleshoot #2 (OSPF)
      • Troubleshoot #3 (OSPF)
      • Troubleshoot #4 (OSPF Inter-AS)
      • VRF to Global Internet Access (IOS-XE)
      • VRF to Global Internet Access (IOS-XR)
    • Inter-AS L3VPN
      • Start
      • Inter-AS Option A
      • Inter-AS Option B
      • Inter-AS Option C
      • Inter-AS Option AB (D)
      • CSC
      • CSC with Option AB (D)
      • Inter-AS Option C - iBGP LU
      • Inter-AS Option B w/ RT Rewrite
      • Inter-AS Option C w/ RT Rewrite
      • Inter-AS Option A Multi-Homed
      • Inter-AS Option B Multi-Homed
      • Inter-AS Option C Multi-Homed
    • Russo Inter-AS
      • Start
      • Topology
      • Option A L3NNI
      • Option A L2NNI
      • Option A mVPN
      • Option B L3NNI
      • Option B mVPN
      • Option C L3NNI
      • Option C L3NNI w/ L2VPN
      • Option C mVPN
    • BGP RPKI
      • Start
      • RPKI on IOS-XE (Enabling the feature)
      • RPKI on IOS-XE (Validation)
      • RPKI on IOS-XR (Enabling the feature)
      • Enable SSH in Routinator
      • RPKI on IOS-XR (Validation)
      • RPKI on IOS-XR (RPKI Routes)
      • RPKI on IOS-XR (VRF)
      • RPKI iBGP Mesh (No Signaling)
      • RPKI iBGP Mesh (iBGP Signaling)
    • NAT
      • Start
      • Egress PE NAT44
      • NAT44 within an INET VRF
      • Internet Reachability between VRFs
      • CGNAT
      • NAT64 Stateful
      • NAT64 Stateful w/ Static NAT
      • NAT64 Stateless
      • MAP-T BR
    • BFD
      • Start
      • Topology
      • OSPF Hellos
      • ISIS Hellos
      • BGP Keepalives
      • PIM Hellos
      • Basic BFD for all protocols
      • BFD Asymmetric Timers
      • BFD Templates
      • BFD Tshoot #1
      • BFD for Static Routes
      • BFD Multi-Hop
      • BFD for VPNv4 Static Routes
      • BFD for VPNv6 Static Routes
      • BFD for Pseudowires
    • QoS
      • Start
      • QoS on IOS-XE
      • Advanced QoS on IOS-XE Pt. 1
      • Advanced QoS on IOS-XE Pt. 2
      • MPLS QoS Design
      • Notes - QoS on IOS-XR
    • NSO
      • Start
      • Basic NSO Usage
      • Basic NSO Template Service
      • Advanced NSO Template Service
      • Advanced NSO Template Service #2
      • NSO Template vs. Template Service
      • NSO API using Python
      • NSO API using Python #2
      • NSO API using Python #3
      • Using a NETCONF NED
      • Python Service
      • Nano Services
    • MDT
      • Start
      • MDT Server Setup
      • Basic Dial-Out
      • Filtering Data using XPATH
      • Finding the correct YANG model
      • Finding the correct YANG model #2
      • Event-Driven MDT
      • Basic Dial-In using gNMI
      • Dial-Out with TLS
      • Dial-In with TLS
      • Dial-In with two-way TLS
    • App-Hosting
      • Start
      • Lab - iperf3 Docker Container
      • Notes - LXC Container
      • Notes - Native Applications
      • Notes - Process Scripts
    • ZTP
      • Notes - Classic ZTP
      • Notes - Secure ZTP
    • L2 Connectivity Notes
      • 802.1ad (Q-in-Q)
      • MST-AG
      • MC-LAG
      • G.8032
    • Ethernet OAM
      • Start
      • Topology
      • CFM
      • y1731
      • Notes - y1564
    • Security
      • Start
      • Notes - Security ACLs
      • Notes - Hybrid ACLs
      • Notes - MPP (IOS-XR)
      • Notes - MPP (IOS-XE)
      • Notes - CoPP (IOS-XE)
      • Notes - LPTS (IOS-XR)
      • Notes - WAN MACsec White Paper
      • Notes - WAN MACsec Config Guide
      • Notes - AAA
      • Notes - uRPF
      • Notes - VTY lines (IOS-XR)
      • Lab - uRPF
      • Lab - MPP
      • Lab - AAA (IOS-XE)
      • Lab - AAA (IOS-XR)
      • Lab - CoPP and LPTS
    • Assurance
      • Start
      • Notes - Syslog on IOS-XE
      • Notes - Syslog on IOS-XR
      • Notes - SNMP Traps
      • Syslog (IOS-XR)
      • RMON
      • Netflow (IOS-XE)
      • Netflow (IOS-XR)
Powered by GitBook
On this page
  • Answer
  • Explanation
  1. Labs
  2. BGP

Flowspec (VRF)

PreviousFlowspec (Global IPv4/6PE)NextFlowspec (Global IPv4/6PE w/ Redirect)

Last updated 19 days ago

Topology: ine-spv4

Load flowspec.vrf.init.cfg

#IOS-XE
config replace flash:flowspec.vrf.init.cfg
 
#IOS-XR (XRv1 only)
configure
load bootflash:flowspec.vrf.init.cfg
commit replace
y

R1, R7 and R8 are all dual-stacked internet peers. Internet is running in an INET vrf in the core.

Configure source-based RTBH within the core so that traffic sourced from 1.1.1.1/32 and 2001:1::1/128 is dropped. Also configure destination-based RTBH so that traffic destined to 8.8.8.9/32 and 2001:8::9/128 is dropped at the edge. Use XR1 as the central policy control router using flowspec.

Answer

#R2, R4, R5
flowspec
 vrf INET
  address-family ipv4
   local-install interface-all
  address-family ipv6
   local-install interface-all
!
router bgp 100
 add vpnv4 flowspec
   neighbor 3.3.3.3 activate
 add vpnv6 flowspec
   neighbor 3.3.3.3 activate

#R3
router bgp 100
 neighbor 19.19.19.19 inherit peer-session IBGP
 !
 add vpnv4 flowspec
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 inherit peer-policy IBGP
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 4.4.4.4 inherit peer-policy IBGP
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 inherit peer-policy IBGP
  neighbor 19.19.19.19 activate
  neighbor 19.19.19.19 send-community extended
  neighbor 19.19.19.19 inherit peer-policy IBGP
 !
 add vpnv6 flowspec
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 inherit peer-policy IBGP
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 4.4.4.4 inherit peer-policy IBGP
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 inherit peer-policy IBGP
  neighbor 19.19.19.19 activate
  neighbor 19.19.19.19 send-community extended
  neighbor 19.19.19.19 inherit peer-policy IBGP
  
#XR1
vrf INET
 address-family ipv4 flowspec
  import route-target
   100:100
  export route-target
   100:100
 !
 address-family ipv6 flowspec
  import route-target
   100:100
  export route-target
   100:100
!
router bgp 100
 address-family vpnv4 flowspec
 !
 address-family vpnv6 flowspec
 !
 neighbor 3.3.3.3
  remote-as 100
  update-source Loopback0
  address-family vpnv4 flowspec
  !
  address-family vpnv6 flowspec
  !
 !
 vrf INET
  rd 100:100
  add ipv4 flowspec
  add ipv6 flowspec
!
class-map type traffic match-all CM_FLOWSPEC_V4_R1
 match source-address ipv4 1.1.1.1 255.255.255.255
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V4_R8
 match destination-address ipv4 8.8.8.9 255.255.255.255
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R1
 match source-address ipv6 2001:1::1/128
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R8
 match destination-address ipv6 2001:8::9/128
 end-class-map
!
!
policy-map type pbr PM_FLOWSPEC_V4
 class type traffic CM_FLOWSPEC_V4_R1
  drop
 !
 class type traffic CM_FLOWSPEC_V4_R8
  drop
 !
 class type traffic class-default
 !
 end-policy-map
!
policy-map type pbr PM_FLOWSPEC_V6
 class type traffic CM_FLOWSPEC_V6_R1
  drop
 !
 class type traffic CM_FLOWSPEC_V6_R8
  drop
!
flowspec
 vrf INET
  address-family ipv4
   service-policy type pbr PM_FLOWSPEC_V4
  !
  address-family ipv6
   service-policy type pbr PM_FLOWSPEC_V6

Explanation

Running flowspec for VPNv4/v6 is extremely similar to flowspec for regular IPv4/IPv6. This makes it very easy to implement one or the other without having to worry about caveats. It also removes the complexity of using dummy null0 routes on IOS-XE in the global VRF for VPNv4/v6 nexthops in order to discard the traffic.

To begin, we must configure peering for vpnv4/v6 flowspec instead of ipv4/v6 flowspec:

#R2, R4, R5
router bgp 100
 add vpnv4 flowspec
   neighbor 3.3.3.3 activate
 add vpnv6 flowspec
   neighbor 3.3.3.3 activate

#R3
router bgp 100
 neighbor 19.19.19.19 inherit peer-session IBGP
 !
 add vpnv4 flowspec
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 inherit peer-policy IBGP
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 4.4.4.4 inherit peer-policy IBGP
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 inherit peer-policy IBGP
  neighbor 19.19.19.19 activate
  neighbor 19.19.19.19 send-community extended
  neighbor 19.19.19.19 inherit peer-policy IBGP
 !
 add vpnv6 flowspec
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 inherit peer-policy IBGP
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 4.4.4.4 inherit peer-policy IBGP
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 inherit peer-policy IBGP
  neighbor 19.19.19.19 activate
  neighbor 19.19.19.19 send-community extended
  neighbor 19.19.19.19 inherit peer-policy IBGP

#XR1
router bgp 100
 address-family vpnv4 flowspec
 !
 address-family vpnv6 flowspec
 !
 neighbor 3.3.3.3
  remote-as 100
  update-source Loopback0
  address-family vpnv4 flowspec
  !
  address-family vpnv6 flowspec

The only difference on IOS-XE PEs is that you activate flowspec for all interfaces in the VRF:

#R2, R4, R5
flowspec
 vrf INET
  address-family ipv4
   local-install interface-all
  address-family ipv6
   local-install interface-all

There is a bit more configuration on the IOS-XR central policy router. We must define the VRF, because the XR router needs to export the policies with the correct RT, so that other PEs in the INET VRF will import these flowspec NLRI updates. We must activate the VRF under BGP with an RD and activate the ipv4/v6 flowspec address-families.

#XR1
vrf INET
 address-family ipv4 flowspec
  import route-target
   100:100
  export route-target
   100:100
 !
 address-family ipv6 flowspec
  import route-target
   100:100
  export route-target
   100:100
!
router bgp 100
 vrf INET
  rd 100:100
  add ipv4 flowspec
  add ipv6 flowspec

Next, we configure the class-maps and policy-maps. This is no different than before.

#XR1
class-map type traffic match-all CM_FLOWSPEC_V4_R1
 match source-address ipv4 1.1.1.1 255.255.255.255
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V4_R8
 match destination-address ipv4 8.8.8.9 255.255.255.255
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R1
 match source-address ipv6 2001:1::1/128
 end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R8
 match destination-address ipv6 2001:8::9/128
 end-class-map
!
!
policy-map type pbr PM_FLOWSPEC_V4
 class type traffic CM_FLOWSPEC_V4_R1
  drop
 !
 class type traffic CM_FLOWSPEC_V4_R8
  drop
!
policy-map type pbr PM_FLOWSPEC_V6
 class type traffic CM_FLOWSPEC_V6_R1
  drop
 !
 class type traffic CM_FLOWSPEC_V6_R8
  drop

Finally, we use the policy-maps in a service-policy under the VRF under flowspec.

#XR1
flowspec
 vrf INET
  address-family ipv4
   service-policy type pbr PM_FLOWSPEC_V4
  !
  address-family ipv6
   service-policy type pbr PM_FLOWSPEC_V6

XR1 will now automatically inject the appropriate flowspec NLRI into vpnv4/v6 flowspec. We can confirm this on XR1 itself. First we see the local policies:

Next, we see that XR1 has created the BGP VRF ipv4/v6 flowspec entries:

These are taken from the BGP VRF table and injected into the vpnv4/v6 table with the appropriate export RT.

We can see the details of the NLRI by copying+pasting the NLRI. The /48 appears to refer to the length of the NLRI in bits and can be ignored. Notice that we now see the RT, as we would see in any VPN update.

The PEs should receive these NLRI. Again, these have no nexthop, because they are policy advertisement, not actual route advertisements.

On the PEs, we should see that these flowspec entries are imported into the flowspec table for the VRF:

If we send test traffic, we should see that the PE drops the traffic ingress at the edge, just like in the previous lab in which we ran the internet table in the global RIB.

In summary, flowspec for VRFs has very little difference compared to flowspec for the global RIB. All changes are fairly intuitive:

  • Use BGP vpnv4/v6 flowspec instead of BGP ipv4/v6 flowspec

  • Activate flowspec for all interfaces in the VRF, instead of the global RIB

  • Define the VRF on the XR controller, using the export RT under ipv4/v6 flowspec

    • The IOS-XE PEs appear to use the unicast RTs for importing into the flowspec VRF policy

  • Define the VRF under BGP on the XR controller, activating ipv4/v6 flowspec

  • Define the service-policy for flowspec under the associated VRF on the XR controller