In this guide we will cover all required steps to configure BGP Flow Spec on your Cisco ASR 1000 and use it for malicious traffic filtering. This guide assumes that you have already configured a BGP unicast session and that it works without any issues.
As a first step, please enable Flow Spec globally:
enable
configure terminal
flowspec
 address-family ipv4
  local-install interface-all
exit
After that, you will need to enable Flow Spec for the peering session to FastNetMon, inside your existing BGP configuration:
address-family ipv4 flowspec
 neighbor 192.168.11.11 activate
 neighbor 192.168.11.11 send-community
 neighbor 192.168.11.11 validation off
 neighbor 192.168.11.11 maximum-prefix 999
exit-address-family
After FastNetMon sends a BGP Flow Spec announcement, you will see records like this on the router side:
show bgp ipv4 flowspec
Output:
BGP table version is 5, local router ID is 1.2.3.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1
                      0.0.0.0                            0 65116 ?
 *>  Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1
                      0.0.0.0                            0 65116 ?
That's all! Unfortunately, the ASR 1000 does not expose the number of bytes or packets matched by each Flow Spec rule, so the table above is the only view of which filters are currently installed.
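Because the router gives no per-rule counters, the practical way to audit what is installed is to parse the "show bgp ipv4 flowspec" table itself. The script below is an added example for this guide, not FastNetMon or Cisco code: it turns each NLRI entry into a record (match fields, next hop, AS path, origin, valid/best flags), de-duplicates entries that carry the same match, and checks how close the installed count is to the "maximum-prefix 999" limit from the peering configuration above. The sample output embedded in it is constructed to mirror the table quoted in this guide, and the column handling assumes, as in that table, that the Metric and LocPrf columns are blank.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "show bgp ipv4 flowspec" output quoted in
# this guide; it is not a capture from a real ASR 1000.
SAMPLE_OUTPUT = """\
BGP table version is 5, local router ID is 1.2.3.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1
                      0.0.0.0                            0 65116 ?
 *>  Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1
                      0.0.0.0                            0 65116 ?
"""

MAX_PREFIX = 999  # the "maximum-prefix 999" value configured for the FastNetMon neighbor

# A Flow Spec NLRI line: BGP status flags, then comma-separated Key:Value match fields.
NLRI_RE = re.compile(
    r"^\s*(?P<status>[*>a-zA-Z]+)\s+"
    r"(?P<nlri>(?:\w+:[^,\s]+)(?:,\w+:[^,\s]+)*)\s*$"
)
# The continuation line carrying the next hop and the remaining path attributes.
NEXTHOP_RE = re.compile(r"^\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<attrs>.+?)\s*$")


def parse_flowspec_table(text: str) -> List[Dict]:
    """Return one record per Flow Spec entry found in the show command output."""
    rules: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = NLRI_RE.match(line)
        if m:
            # "Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1" -> {"Dest": ..., "Proto": "=1"}
            match = dict(f.split(":", 1) for f in m.group("nlri").split(","))
            current = {
                "status": m.group("status"),
                "valid": "*" in m.group("status"),
                "best": ">" in m.group("status"),
                "match": match,
                "next_hop": None, "weight": None, "as_path": [], "origin": None,
            }
            rules.append(current)
            continue
        m = NEXTHOP_RE.match(line)
        if m and current is not None and current["next_hop"] is None:
            tokens = m.group("attrs").split()
            current["next_hop"] = m.group("nh")
            # Assumption: Metric and LocPrf are blank (as in the guide's output),
            # so the remaining columns are Weight, AS path, origin code.
            current["weight"] = int(tokens[0])
            current["origin"] = tokens[-1]
            current["as_path"] = tokens[1:-1]
    return rules


def unique_matches(rules: List[Dict]) -> List[Dict]:
    """Collapse entries with identical match fields (the guide's table shows one rule twice)."""
    seen: Dict[tuple, Dict] = {}
    for r in rules:
        seen.setdefault(tuple(sorted(r["match"].items())), r)
    return list(seen.values())


def prefix_headroom(rules: List[Dict], max_prefix: int, warn_at: float = 0.8) -> Tuple[int, bool]:
    """Installed entry count and whether it has crossed warn_at of the maximum-prefix limit."""
    count = len(rules)
    return count, count >= warn_at * max_prefix


if __name__ == "__main__":
    parsed = parse_flowspec_table(SAMPLE_OUTPUT)
    for r in unique_matches(parsed):
        print(f"{r['match']}  via {r['next_hop']}  path {' '.join(r['as_path'])} {r['origin']}"
              f"  best={r['best']}")
    count, warn = prefix_headroom(parsed, MAX_PREFIX)
    print(f"{count} entries installed, limit {MAX_PREFIX}, warning={warn}")
```

Feed it the real command output (for example, captured over SSH) instead of SAMPLE_OUTPUT to get a periodic inventory of the active filters. Watching the count against the maximum-prefix limit matters because, on IOS, exceeding that limit tears the session down unless warning-only is configured, which would silently drop every filter FastNetMon has announced.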