24.07.2020

BGP Flow spec configuration on Cisco ASR1000

In this guide we will cover all the steps required to configure BGP Flow Spec on a Cisco ASR 1000 and use it to filter the malicious traffic that FastNetMon announces. It assumes that you already have a working BGP unicast session to FastNetMon.

As the first step, enable Flow Spec globally and have the router install received rules on all of its interfaces (local-install interface-all):

enable
configure terminal
flowspec
address-family ipv4
local-install interface-all
exit

After that, enable Flow Spec on the existing peering session to FastNetMon. These lines belong inside your router bgp section, next to the unicast address family. Note validation off: RFC 5575 validation only accepts a Flow Spec route whose originator also originates the best unicast route for the destination prefix, and FastNetMon announces no unicast routes, so validation has to be disabled for this peer. The price is that this session can then install filters for any destination prefix, which is why maximum-prefix caps the number of rules it may push and why only a trusted, dedicated session should get this treatment.

address-family ipv4 flowspec
  neighbor 192.168.11.11 activate
  neighbor 192.168.11.11 send-community
  neighbor 192.168.11.11 validation off
  neighbor 192.168.11.11 maximum-prefix 999
 exit-address-family
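For reference, the two steps above as one consolidated configuration. This is an added example, not configuration taken from the page or from FastNetMon: the local AS number 65000 is a placeholder, 65116 is the peer AS that appears in the Path column of the show output further down, and the neighbor definition for the unicast session stands in for the one you already have.

```cisco
! Added example: consolidated IOS XE configuration for a FastNetMon Flow Spec peer.
! Placeholders: local AS 65000; peer 192.168.11.11 in AS 65116.
flowspec
 address-family ipv4
  local-install interface-all
 exit
!
router bgp 65000
 neighbor 192.168.11.11 remote-as 65116
 neighbor 192.168.11.11 description FastNetMon
 !
 address-family ipv4
  neighbor 192.168.11.11 activate
 exit-address-family
 !
 address-family ipv4 flowspec
  neighbor 192.168.11.11 activate
  neighbor 192.168.11.11 send-community
  neighbor 192.168.11.11 validation off
  neighbor 192.168.11.11 maximum-prefix 999
 exit-address-family
```

If the unicast session to FastNetMon already exists, only the address-family ipv4 flowspec block is new; the maximum-prefix value is the upper bound on how many filter rules this peer can install at once, so size it to what FastNetMon is expected to announce rather than leaving it open-ended.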

After FastNetMon sends a Flow Spec announcement, the rule shows up on the router side like this:

show bgp ipv4 flowspec

Output:

BGP table version is 5, local router ID is 1.2.3.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1
                       0.0.0.0                                0 65116 ?
 *>  Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1
                       0.0.0.0                                0 65116 ?
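Each entry in that table is the router's rendering of the Flow Spec NLRI (RFC 5575) it received: a destination prefix, a source prefix and an IP protocol component, here Proto:=1 for ICMP. The following is an added example, not code from the page, FastNetMon or Cisco, that encodes the rule shown above into the NLRI bytes that travel in the BGP UPDATE and decodes them back into the display form printed by show bgp ipv4 flowspec. Only the three component types used by that rule are handled; the "|" used to join multiple values in a numeric component is this example's own convention, since the page shows no multi-value rule.

```python
"""Encode and decode the IPv4 Flow Spec NLRI (RFC 5575) behind an ASR 1000
`show bgp ipv4 flowspec` entry such as
    Dest:2.3.4.5/32,Source:1.2.3.4/32,Proto:=1

Added example, not code from the page, FastNetMon or Cisco. The display
format is taken from the page's output; the byte layout is RFC 5575 section 4.
"""
import ipaddress

DEST_PREFIX = 1      # type 1: destination prefix
SOURCE_PREFIX = 2    # type 2: source prefix
IP_PROTOCOL = 3      # type 3: IP protocol, list of operator/value pairs

END_OF_LIST = 0x80   # operator byte bit 7: last operator/value pair
OP_LT, OP_GT, OP_EQ = 0x04, 0x02, 0x01


def _prefix_component(type_code, cidr):
    """<type><prefix length in bits><only the bytes the prefix covers>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([type_code, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_eq_component(type_code, values):
    """<type> then one (operator, 1-byte value) pair per value, eq set on each."""
    out = bytearray([type_code])
    for i, value in enumerate(values):
        end = END_OF_LIST if i == len(values) - 1 else 0
        out += bytes([end | OP_EQ, value])   # length bits 00 => 1-byte value
    return bytes(out)


def encode_nlri(dest, source, proto):
    """Return the NLRI (1-byte length + components) for Dest/Source/Proto rule."""
    body = (_prefix_component(DEST_PREFIX, dest)
            + _prefix_component(SOURCE_PREFIX, source)
            + _numeric_eq_component(IP_PROTOCOL, [proto]))
    if len(body) >= 240:
        raise ValueError("NLRI of 240+ bytes needs the 2-byte length form")
    return bytes([len(body)]) + body


def _decode_prefix(data, pos):
    plen = data[pos]
    nbytes = (plen + 7) // 8
    raw = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")  # pad to 4 octets
    return f"{ipaddress.IPv4Address(raw)}/{plen}", pos + 1 + nbytes


def _decode_numeric(data, pos):
    parts = []
    while True:
        op = data[pos]
        vlen = 1 << ((op >> 4) & 0x03)           # bits 5-4: 1, 2, 4 or 8 bytes
        value = int.from_bytes(data[pos + 1:pos + 1 + vlen], "big")
        sym = ("<" if op & OP_LT else "") + (">" if op & OP_GT else "") \
              + ("=" if op & OP_EQ else "")
        parts.append(f"{sym}{value}")
        pos += 1 + vlen
        if op & END_OF_LIST:
            return "|".join(parts), pos


def decode_nlri(nlri):
    """Render an NLRI the way the router prints it in show bgp ipv4 flowspec."""
    length = nlri[0]
    if length >= 240:
        raise ValueError("2-byte length form not handled in this example")
    data = nlri[1:1 + length]
    if len(data) != length:
        raise ValueError("truncated NLRI")
    fields, pos = [], 0
    while pos < len(data):
        type_code = data[pos]
        pos += 1
        if type_code in (DEST_PREFIX, SOURCE_PREFIX):
            text, pos = _decode_prefix(data, pos)
            label = "Dest" if type_code == DEST_PREFIX else "Source"
            fields.append(f"{label}:{text}")
        elif type_code == IP_PROTOCOL:
            text, pos = _decode_numeric(data, pos)
            fields.append(f"Proto:{text}")
        else:
            raise ValueError(f"component type {type_code} not handled here")
    return ",".join(fields)


if __name__ == "__main__":
    # The rule from the page's show output, ICMP (protocol 1) from 1.2.3.4 to 2.3.4.5
    nlri = encode_nlri("2.3.4.5/32", "1.2.3.4/32", 1)
    print(nlri.hex())
    print(decode_nlri(nlri))
```

The rule from the output above encodes to 16 bytes (a length octet of 15 followed by three components); decoding those bytes yields exactly the Dest/Source/Proto string the router prints, which is a convenient way to check, from a packet capture of the FastNetMon session, that what was sent matches what the router shows.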

That’s all! To confirm that a received rule has also been installed in the forwarding path, check show flowspec ipv4. Unfortunately, the ASR 1000 does not expose the number of bytes / packets filtered by each Flow Spec rule.