
Exporting source based BGP Flowspec routes

  • 1.  Exporting source based BGP Flowspec routes

    Posted 05-14-2021 13:01
    Hi,
    We have a vRR instance running in the lab as a trigger router exporting flow routes to a PE edge router. The flow routes are configured in a VRF instance and advertised as VPNv4 routes to the PE router. Our objective is to advertise flow routes that are host routes i.e., that have a prefix-length of /32 only and reject other prefix-lengths. And so we are using the following term in the BGP export policy on the trigger router and statically configuring flow routes for advertisement to the target router:

    set policy-options policy-statement TO_PE_EX term HOST_ROUTES from route-filter 0.0.0.0/0 prefix-length-range /0-/31
    set policy-options policy-statement TO_PE_EX term HOST_ROUTES then reject

    The above term works fine for rejecting routes with prefix-lengths between /0-/31 and only allows /32 host routes to be advertised to the target router such as the destination-based flow route below: 

    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match destination 104.104.104.104/32
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW then community FLOW_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW then rate-limit 1g

    But this export policy term does not work for source based host flow routes (/29), e.g., the following route gets advertised. This suggests that the 'term HOST_ROUTES' above is not matching the source based flow route 'DDOS_FLOW_SOURCE' below:

    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match source 104.104.104.104/29         <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then community FLOW_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then rate-limit 1g

and using 'source-address-filter' in the export policy doesn't appear to work as expected either; it appears to match a /32 source route and reject it [instead of matching just /0-/31 prefix lengths only]:

    set policy-options policy-statement TO_PE_EX term HOST_ROUTES_SOURCE from source-address-filter 0.0.0.0/0 prefix-length-range /0-/31
    set policy-options policy-statement TO_PE_EX term HOST_ROUTES_SOURCE then reject

    For example, the following flow route (/32) is rejected by the policy term HOST_ROUTES_SOURCE above:

    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match source 104.104.104.104/32        <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then community FLOW_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then rate-limit 1g

    Any thoughts on how we can match the prefix-length for source based flow routes and accept /32 host routes only?
    Thanks,


  • 2.  RE: Exporting source based BGP Flowspec routes

    Posted 05-17-2021 10:32
    Hi,

Indeed, source-address-filter will not work in that situation. You will need to apply the filter (input) on the destination.

    Hope this helps.

    Leonardo Gama.


  • 3.  RE: Exporting source based BGP Flowspec routes

    Posted 05-19-2021 11:52
    Thanks Leonardo. 
    I have tried the following but using a 'route-filter' on the target router appears to deny a /32 source based flow route while it does accept a destination based /32 route:

1) Using a match criteria of 'route-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router denies the source based /32 flow route and the route is not imported. We want source based /32 routes to be accepted by the target router.

    -Trigger Router-
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match source 104.104.104.104/32                 <--
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g

    -Target Router-
     set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from route-filter 0.0.0.0/0 prefix-length-range /32-/32
     set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
!
user@router-RE0> show route table VRF_NAME.inetflow.0
{master}
user@router-RE0>

2) Using a match criteria of 'route-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router allows a destination based /32 flow route and the route is imported successfully. This is expected behaviour.

    -Trigger Router-
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match destination 104.104.104.104/32          <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g

    -Target Router-
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from route-filter 0.0.0.0/0 prefix-length-range /32-/32
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
    !
    user@router-RE0> show route table VRF_NAME.inetflow.0
    VRF_NAME.inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    104.104.104.104,*,proto=6/term:1
    *[BGP/170] 00:02:33, localpref 255, from 10.x.x.x
    AS path: I, validation-state: unverified
    Fictitious
    {master}
    user@router-RE0>

3) Using a match criteria of 'source-address-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router allows a source based /24 flow route and the route is imported. The expected result is that a /24 (non-/32) source based flow route should not be imported, and that's our objective.

-Trigger Router-
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match source 104.104.104.0/24                      <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g

-Target Router-
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from source-address-filter 0.0.0.0/0 prefix-length-range /32-/32
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
    !
    user@router-RE0> show route table VRF_NAME.inetflow.0
    VRF_NAME.inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    *,104.104.104/24,proto=6/term:1
    *[BGP/170] 00:01:33, localpref 255, from 10.x.x.x
    AS path: I, validation-state: unverified
    Fictitious
    !



  • 4.  RE: Exporting source based BGP Flowspec routes

    Posted 05-19-2021 13:26
    Hi,

    It seems source-address-filter only matches multicast source addresses. On IOS-XR for instance, the RPL matches both source and destination flow route by using a prefix-set. It is not ideal, but it is better than being able to match only destination flow route.
    I think you should request an enhancement to the Account Manager.

    HTH.

    Leonardo Gama.
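Since the thread concludes that Junos policy cannot express "/32 source prefixes only" for flow routes, the practical fallback is to enforce that rule off-box: lint the trigger router's flow-route configuration before it is committed, and audit the target router's inetflow table for anything that slipped through. The script below is an added example written for this thread; it is not code from the original posts or from Juniper. It parses the two text formats that appear above: the `set routing-instances ... flow route ... match source|destination <prefix>` statements and the `<dest>,<source>,proto=N/term:N` keys printed by `show route table <vrf>.inetflow.0`. The sample configuration and show output embedded in it are constructed to mirror the thread's examples; the function and class names are this example's own assumptions, not Junos or PyEZ APIs.

```python
import ipaddress
import re
from dataclasses import dataclass

# Junos "set" statement attaching a source or destination prefix to a flow route.
SET_RE = re.compile(
    r"^\s*set routing-instances (\S+) routing-options flow route (\S+) "
    r"match (source|destination) (\S+)"
)

# Key of an inetflow.0 entry: "<dest>,<source>,proto=<n>/term:<n>".
# "*" is a wildcard, a /32 is printed without its length, and Junos drops
# trailing zero octets (so "104.104.104/24" means 104.104.104.0/24).
INETFLOW_KEY_RE = re.compile(r"^\s*([^,\s]+),([^,\s]+),proto=(\d+)")


@dataclass
class FlowMatch:
    instance: str
    route: str
    field: str                      # "source" or "destination"
    prefix: ipaddress.IPv4Network


def expand_prefix(text: str) -> ipaddress.IPv4Network:
    """Turn a Junos-abbreviated prefix into an IPv4Network.
    '104.104.104/24' -> 104.104.104.0/24; bare '104.104.104.104' -> /32."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # restore dropped zero octets
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_flow_route_config(config: str) -> list[FlowMatch]:
    """Collect every source/destination match term from flow-route set statements."""
    found = []
    for line in config.splitlines():
        m = SET_RE.match(line)
        if m:
            instance, route, field, prefix = m.groups()
            found.append(FlowMatch(instance, route, field, expand_prefix(prefix)))
    return found


def non_host_matches(config: str) -> list[FlowMatch]:
    """Match terms a '/32 only' rule must reject, on either the source or destination field.
    This is the check the export policy in the thread could apply only to destinations."""
    return [m for m in parse_flow_route_config(config) if m.prefix.prefixlen != 32]


def audit_inetflow(show_output: str) -> list[tuple[str, str]]:
    """Scan 'show route table <vrf>.inetflow.0' output and return (field, prefix) for every
    installed flow route whose source or destination component is not a /32."""
    offenders = []
    for line in show_output.splitlines():
        m = INETFLOW_KEY_RE.match(line)
        if not m:
            continue                                # header, legend or attribute line
        dst, src, _proto = m.groups()
        for field, text in (("destination", dst), ("source", src)):
            if text == "*":                         # wildcard component, nothing to check
                continue
            prefix = expand_prefix(text)
            if prefix.prefixlen != 32:
                offenders.append((field, str(prefix)))
    return offenders


# Constructed sample input modelled on the trigger-router configuration in the thread.
SAMPLE_CONFIG = """\
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match destination 104.104.104.104/32
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW then rate-limit 1g
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match source 104.104.104.104/29
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then rate-limit 1g
"""

# Constructed sample output modelled on the target-router inetflow table in the thread.
SAMPLE_SHOW = """\
VRF_NAME.inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
104.104.104.104,*,proto=6/term:1
*[BGP/170] 00:02:33, localpref 255, from 10.x.x.x
*,104.104.104/24,proto=6/term:1
*[BGP/170] 00:01:33, localpref 255, from 10.x.x.x
"""

if __name__ == "__main__":
    for m in non_host_matches(SAMPLE_CONFIG):
        print(f"REJECT {m.instance}/{m.route}: {m.field} {m.prefix} is not a host route")
    for field, prefix in audit_inetflow(SAMPLE_SHOW):
        print(f"INSTALLED non-/32 {field} flow route: {prefix}")
```

Run against the samples it flags the /29 source match in `DDOS_FLOW_SOURCE` on the trigger side and the `/24` source component that post 3 shows being imported on the target side, while leaving the /32 destination route alone. Feeding it the real configuration and `show route` output (for example from a pre-commit hook or a periodic collector) gives the same /32-only guarantee for source-based flow routes that the export policy provides for destination-based ones.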