Flowspec (VRF)
Topology: ine-spv4
Load flowspec.vrf.init.cfg
#IOS-XE
config replace flash:flowspec.vrf.init.cfg
#IOS-XR (XRv1 only)
configure
load bootflash:flowspec.vrf.init.cfg
commit replace
yR1, R7 and R8 are all dual-stacked internet peers. Internet is running in an INET vrf in the core.
Configure source-based RTBH within the core so that traffic sourced from 1.1.1.1/32 and 2001:1::1/128 is dropped. Also configure destination-based RTBH so that traffic destined to 8.8.8.9/32 and 2001:8::9/128 is dropped at the edge. Use XR1 as the central policy control router using flowspec.
Answer
#R2, R4, R5
flowspec
vrf INET
address-family ipv4
local-install interface-all
address-family ipv6
local-install interface-all
!
router bgp 100
add vpnv4 flowspec
neighbor 3.3.3.3 activate
add vpnv6 flowspec
neighbor 3.3.3.3 activate
#R3
router bgp 100
neighbor 19.19.19.19 inherit peer-session IBGP
!
add vpnv4 flowspec
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 inherit peer-policy IBGP
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
neighbor 4.4.4.4 inherit peer-policy IBGP
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
neighbor 5.5.5.5 inherit peer-policy IBGP
neighbor 19.19.19.19 activate
neighbor 19.19.19.19 send-community extended
neighbor 19.19.19.19 inherit peer-policy IBGP
!
add vpnv6 flowspec
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 inherit peer-policy IBGP
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
neighbor 4.4.4.4 inherit peer-policy IBGP
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
neighbor 5.5.5.5 inherit peer-policy IBGP
neighbor 19.19.19.19 activate
neighbor 19.19.19.19 send-community extended
neighbor 19.19.19.19 inherit peer-policy IBGP
#XR1
vrf INET
address-family ipv4 flowspec
import route-target
100:100
export route-target
100:100
!
address-family ipv6 flowspec
import route-target
100:100
export route-target
100:100
!
router bgp 100
address-family vpnv4 flowspec
!
address-family vpnv6 flowspec
!
neighbor 3.3.3.3
remote-as 100
update-source Loopback0
address-family vpnv4 flowspec
!
address-family vpnv6 flowspec
!
!
vrf INET
rd 100:100
add ipv4 flowspec
add ipv6 flowspec
!
class-map type traffic match-all CM_FLOWSPEC_V4_R1
match source-address ipv4 1.1.1.1 255.255.255.255
end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V4_R8
match destination-address ipv4 8.8.8.9 255.255.255.255
end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R1
match source-address ipv6 2001:1::1/128
end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R8
match destination-address ipv6 2001:8::9/128
end-class-map
!
!
policy-map type pbr PM_FLOWSPEC_V4
class type traffic CM_FLOWSPEC_V4_R1
drop
!
class type traffic CM_FLOWSPEC_V4_R8
drop
!
class type traffic class-default
!
end-policy-map
!
policy-map type pbr PM_FLOWSPEC_V6
class type traffic CM_FLOWSPEC_V6_R1
drop
!
class type traffic CM_FLOWSPEC_V6_R8
drop
!
flowspec
vrf INET
address-family ipv4
service-policy type pbr PM_FLOWSPEC_V4
!
address-family ipv6
service-policy type pbr PM_FLOWSPEC_V6Explanation
Running flowspec for VPNv4/v6 is extremely similar to flowspec for regular IPv4/IPv6. This makes it very easy to implement one or the other without having to worry about caveats. It also removes the complexity of using dummy null0 routes on IOS-XE in the global VRF for VPNv4/v6 nexthops in order to discard the traffic.
To begin, we must configure peering for vpnv4/v6 flowspec instead of ipv4/v6 flowspec:
#R2, R4, R5
router bgp 100
add vpnv4 flowspec
neighbor 3.3.3.3 activate
add vpnv6 flowspec
neighbor 3.3.3.3 activate
#R3
router bgp 100
neighbor 19.19.19.19 inherit peer-session IBGP
!
add vpnv4 flowspec
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 inherit peer-policy IBGP
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
neighbor 4.4.4.4 inherit peer-policy IBGP
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
neighbor 5.5.5.5 inherit peer-policy IBGP
neighbor 19.19.19.19 activate
neighbor 19.19.19.19 send-community extended
neighbor 19.19.19.19 inherit peer-policy IBGP
!
add vpnv6 flowspec
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 inherit peer-policy IBGP
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
neighbor 4.4.4.4 inherit peer-policy IBGP
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
neighbor 5.5.5.5 inherit peer-policy IBGP
neighbor 19.19.19.19 activate
neighbor 19.19.19.19 send-community extended
neighbor 19.19.19.19 inherit peer-policy IBGP
#XR1
router bgp 100
address-family vpnv4 flowspec
!
address-family vpnv6 flowspec
!
neighbor 3.3.3.3
remote-as 100
update-source Loopback0
address-family vpnv4 flowspec
!
address-family vpnv6 flowspecThe only difference on IOS-XE PEs is that you activate flowspec for all interfaces in the VRF:
#R2, R4, R5
flowspec
vrf INET
address-family ipv4
local-install interface-all
address-family ipv6
local-install interface-allThere is a bit more configuration on the IOS-XR central policy router. We must define the VRF, because the XR router needs to export the policies with the correct RT, so that other PEs in the INET VRF will import these flowspec NLRI updates. We must activate the VRF under BGP with an RD and activate the ipv4/v6 flowspec address-families.
#XR1
vrf INET
address-family ipv4 flowspec
import route-target
100:100
export route-target
100:100
!
address-family ipv6 flowspec
import route-target
100:100
export route-target
100:100
!
router bgp 100
vrf INET
rd 100:100
add ipv4 flowspec
add ipv6 flowspecNext, we configure the class-maps and policy-maps. This is no different than before.
#XR1
class-map type traffic match-all CM_FLOWSPEC_V4_R1
match source-address ipv4 1.1.1.1 255.255.255.255
end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V4_R8
match destination-address ipv4 8.8.8.9 255.255.255.255
end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R1
match source-address ipv6 2001:1::1/128
end-class-map
!
class-map type traffic match-all CM_FLOWSPEC_V6_R8
match destination-address ipv6 2001:8::9/128
end-class-map
!
!
policy-map type pbr PM_FLOWSPEC_V4
class type traffic CM_FLOWSPEC_V4_R1
drop
!
class type traffic CM_FLOWSPEC_V4_R8
drop
!
policy-map type pbr PM_FLOWSPEC_V6
class type traffic CM_FLOWSPEC_V6_R1
drop
!
class type traffic CM_FLOWSPEC_V6_R8
dropFinally, we use the policy-maps in a service-policy under the VRF under flowspec.
#XR1
flowspec
vrf INET
address-family ipv4
service-policy type pbr PM_FLOWSPEC_V4
!
address-family ipv6
service-policy type pbr PM_FLOWSPEC_V6XR1 will now automatically inject the appropriate flowspec NLRI into vpnv4/v6 flowspec. We can confirm this on XR1 itself. First we see the local policies:
Next, we see that XR1 has created the BGP VRF ipv4/v6 flowspec entries:
These are taken from the BGP VRF table and injected into the vpnv4/v6 table with the appropriate export RT.
We can see the details of the NLRI by copying+pasting the NLRI. The /48 appears to refer to the length of the NLRI in bits and can be ignored. Notice that we now see the RT, as we would see in any VPN update.
The PEs should receive these NLRI. Again, these have no nexthop, because they are policy advertisement, not actual route advertisements.
On the PEs, we should see that these flowspec entries are imported into the flowspec table for the VRF:
If we send test traffic, we should see that the PE drops the traffic ingress at the edge, just like in the previous lab in which we ran the internet table in the global RIB.
In summary, flowspec for VRFs has very little difference compared to flowspec for the global RIB. All changes are fairly intuitive:
Use BGP vpnv4/v6 flowspec instead of BGP ipv4/v6 flowspec
Activate flowspec for all interfaces in the VRF, instead of the global RIB
Define the VRF on the XR controller, using the export RT under ipv4/v6 flowspec
The IOS-XE PEs appear to use the unicast RTs for importing into the flowspec VRF policy
Define the VRF under BGP on the XR controller, activating ipv4/v6 flowspec
Define the service-policy for flowspec under the associated VRF on the XR controller
Last updated