BGP Flow spec configuration on Cisco ASR1000

In this guide we will cover all required steps to configure BGP FlowSpec on your Cisco ASR 1000 and use it to filter malicious traffic. This guide assumes that you already have a BGP IPv4 unicast session to FastNetMon that is established and working without any issues.

As the first step, enable FlowSpec globally. On IOS-XE this is done in the `flowspec` configuration mode; `local-install interface-all` tells the router to install every accepted FlowSpec rule on all interfaces, without it the rules are accepted by BGP but never applied to traffic:

configure terminal
flowspec
 address-family ipv4
  local-install interface-all

After that, enable the IPv4 FlowSpec address family on the BGP session to FastNetMon. This lives under your existing `router bgp` configuration; replace NEIGHBOR_IP with the address of the FastNetMon peer (the same neighbor you already use for the unicast session):

router bgp <your-asn>
 address-family ipv4 flowspec
  neighbor NEIGHBOR_IP activate
  neighbor NEIGHBOR_IP send-community
  neighbor NEIGHBOR_IP validation off
  neighbor NEIGHBOR_IP maximum-prefix 999

Two of these lines deserve a comment. `send-community` is required because the FlowSpec actions (rate limit, discard, redirect) are carried in BGP extended communities. `validation off` disables the RFC 5575 check that a FlowSpec rule is only accepted from the peer that also advertises the best unicast route for the rule's destination prefix; FastNetMon does not originate your unicast routes, so the check must be disabled, but this means the router will install whatever rules that peer sends. Keep the `maximum-prefix` limit in place and do not enable the FlowSpec address family on peers you do not control.

Once FastNetMon announces a FlowSpec rule, you will see entries like the following on the router. Each rule occupies two lines: the match components (destination, source, protocol and so on) followed by the usual weight, AS path and origin columns; `*>` means the rule is valid and best, and only best paths are installed:

show bgp ipv4 flowspec

BGP table version is 5, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  Dest:,Source:,Proto:=1
                                             0 65116 ?
 *>  Dest:,Source:,Proto:=1
                                             0 65116 ?
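Because `validation off` removes the router's own sanity check on incoming rules, it is worth auditing the table after each announcement. The script below is an added example, not part of the FastNetMon or Cisco documentation: it parses the two-line-per-rule layout of `show bgp ipv4 flowspec` shown above and reports rules that are not best paths, that do not originate from the FastNetMon AS (65116, taken from the Path column on the page), or whose destination lies outside the operator's own address space. The sample output, the protected prefix list and the neighbor addresses are constructed (RFC 5737 ranges); the attribute line is parsed as `<weight> <as-path...> <origin>`, which is the layout for eBGP-learned paths where Metric and LocPrf are blank, as in the output above.

```python
"""Audit the output of `show bgp ipv4 flowspec` on an IOS-XE router.

Added example, not from the FastNetMon or Cisco documentation.  The sample
below is constructed (RFC 5737 addresses); the FastNetMon AS number and the
protected prefix list are assumptions.  Attribute lines are read as
`<weight> <as-path...> <origin>` (eBGP layout, Metric/LocPrf blank).
"""
import ipaddress
import re

# Constructed sample in the two-line-per-rule layout of `show bgp ipv4 flowspec`.
SAMPLE_OUTPUT = """\
BGP table version is 5, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  Dest:203.0.113.10/32,Source:0.0.0.0/0,Proto:=1
                                             0 65116 ?
 *>  Dest:203.0.113.20/32,Proto:=17,DPort:=53
                                             0 65116 ?
 *   Dest:198.51.100.0/24,Proto:=6,DPort:=443
                                             0 65000 ?
"""

FASTNETMON_AS = 65116   # AS seen in the Path column on the page
PROTECTED = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: our own space
MAX_PREFIX = 999        # matches `neighbor ... maximum-prefix 999`

# Status flags (e.g. "*>") followed by the comma-separated FlowSpec components.
_NLRI_RE = re.compile(
    r"^\s*(?P<status>[*>sdhirSmbfxac]*)\s*"
    r"(?P<nlri>(?:Dest|Source|Proto|DPort|SPort|Port|Len|Frag|TCP|ICMP|DSCP)\S+)\s*$"
)
# Continuation line: weight, AS path, origin code (i, e or ?).
_ATTR_RE = re.compile(r"^\s+(?P<nums>\d+(?:\s+\d+)*)\s+(?P<origin>[ie?])\s*$")


def _split_nlri(nlri):
    """'Dest:203.0.113.10/32,Proto:=1' -> {'Dest': '203.0.113.10/32', 'Proto': '=1'}"""
    return dict(comp.partition(":")[::2] for comp in nlri.split(","))


def parse_flowspec_table(text):
    """Return one dict per rule: status flags, match components, weight, AS path, origin."""
    rules, pending = [], None
    for line in text.splitlines():
        m = _NLRI_RE.match(line)
        if m:
            pending = {"status": m.group("status"), "match": _split_nlri(m.group("nlri"))}
            continue
        m = _ATTR_RE.match(line)
        if m and pending is not None:
            nums = [int(n) for n in m.group("nums").split()]
            pending.update(weight=nums[0], as_path=nums[1:], origin=m.group("origin"))
            rules.append(pending)
            pending = None
    return rules


def audit(rules, fastnetmon_as=FASTNETMON_AS, protected=PROTECTED, max_prefix=MAX_PREFIX):
    """Return a list of findings (strings); an empty list means the table looks sane."""
    findings = []
    for r in rules:
        name = ",".join(f"{k}:{v}" for k, v in r["match"].items())
        if ">" not in r["status"]:
            findings.append(f"{name}: not a best path (status '{r['status']}'), not installed")
        origin_as = r["as_path"][-1] if r["as_path"] else None
        if origin_as != fastnetmon_as:
            findings.append(f"{name}: originated by AS {origin_as}, expected {fastnetmon_as}")
        dest = r["match"].get("Dest")
        if dest is None:
            findings.append(f"{name}: no destination prefix, rule matches all traffic")
        elif not any(ipaddress.ip_network(dest, strict=False).subnet_of(p) for p in protected):
            findings.append(f"{name}: destination {dest} is outside the protected space")
    if len(rules) >= 0.9 * max_prefix:
        findings.append(f"{len(rules)} rules installed, close to maximum-prefix {max_prefix}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flowspec_table(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the saved output of `show bgp ipv4 flowspec` instead of the sample. The "outside the protected space" finding is the one that matters most: with validation disabled, a rule that targets a prefix you do not own is exactly what a misconfigured or compromised FastNetMon instance would look like.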

That's all! The `show bgp ipv4 flowspec` table shows what BGP accepted; `show flowspec ipv4 detail` lists the rules that were actually installed in the forwarding plane, which is the place to look if a rule shows as `*>` but traffic is not being filtered. Unfortunately, the ASR 1000 does not expose the number of bytes or packets matched by each FlowSpec rule.