Thanks Leonardo.
I have tried the following, but using a 'route-filter' on the target router appears to deny a /32 source-based flow route while it does accept a /32 destination-based route:
1) Using a match criterion of 'route-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router denies the source-based /32 flow route, and the route is not imported. We want source-based /32 routes to be accepted by the target router.
-Trigger Router-
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match source 104.104.104.104/32 <--
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g
-Target Router-
set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
!
user@router-RE0> show route table VRF_NAME.inetflow.0
{master}
user@router-RE0>
2) Using a match criterion of 'route-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router allows a destination-based /32 flow route, and the route is imported successfully. This is expected behaviour.
-Trigger Router-
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match destination 104.104.104.104/32 <--
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g
-Target Router-
set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
!
user@router-RE0> show route table VRF_NAME.inetflow.0
VRF_NAME.inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
104.104.104.104,*,proto=6/term:1
*[BGP/170] 00:02:33, localpref 255, from 10.x.x.x
AS path: I, validation-state: unverified
Fictitious
{master}
user@router-RE0>
3) Using a match criterion of 'source-address-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router allows a source-based /24 flow route, and the route is imported. The expected result is that a /24 (non-/32) source-based flow route should not be imported; that is our objective.
-Trigger Router-
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match source 104.104.104.0/24 <--
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g
-Target Router-
set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from source-address-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
!
user@router-RE0> show route table VRF_NAME.inetflow.0
VRF_NAME.inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
*,104.104.104/24,proto=6/term:1
*[BGP/170] 00:01:33, localpref 255, from 10.x.x.x
AS path: I, validation-state: unverified
Fictitious
!
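The three cases above all come down to which component of the flowspec NLRI a prefix-length match is evaluated against. The following is an added example, not code from the thread or from Junos: it encodes and decodes IPv4 flowspec NLRI per RFC 8955 section 4, where the destination prefix (component type 1) and the source prefix (component type 2) are carried as distinct components, and then applies the poster's stated objective, "every prefix component must be a /32", directly to the decoded components. The sample NLRIs are constructed to mirror cases 1 to 3 above and the /29 from the original question; they are not captured from the lab routers, and the acceptance rule is the poster's intent rather than a description of what any Junos policy does.

```python
# Added example, not from the thread: decode IPv4 BGP flowspec NLRI (RFC 8955 sec. 4)
# and apply the poster's intended rule, "all prefix components must be /32", to the
# decoded components. Sample NLRIs are constructed here to mirror the post's cases.
import ipaddress
import struct

DEST_PREFIX, SRC_PREFIX, IP_PROTO = 1, 2, 3   # component types (RFC 8955)
TCP = 6


def encode_prefix(ctype, prefix):
    """Type-1/2 component: type, prefix length, then only the significant octets."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(ctype, values):
    """Numeric component: (operator, value) pairs, 1-octet values, equality match."""
    out = bytearray([ctype])
    for i, value in enumerate(values):
        op = 0x01                                   # len=00 (1 octet), eq bit set
        if i == len(values) - 1:
            op |= 0x80                              # e-bit: end of operator list
        out += bytes([op, value])
    return bytes(out)


def encode_nlri(*components):
    """Prefix the concatenated components with the 1-octet (or 2-octet) NLRI length."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def parse_flowspec_nlri(data):
    """Decode one IPv4 flowspec NLRI into a list of component dicts."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end = pos + length
    if end != len(data):
        raise ValueError("NLRI length field does not match data")
    comps, last_type = [], 0
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype <= last_type:                      # RFC: strictly increasing types
            raise ValueError("components out of order")
        last_type = ctype
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen, pos = data[pos], pos + 1
            nbytes = (plen + 7) // 8
            raw = data[pos:pos + nbytes].ljust(4, b"\x00")   # pad back to 4 octets
            pos += nbytes
            comps.append({"type": ctype, "prefixlen": plen,
                          "prefix": f"{ipaddress.IPv4Address(raw)}/{plen}"})
        elif 3 <= ctype <= 12:                      # numeric operator components
            values = []
            while True:
                op, pos = data[pos], pos + 1
                vlen = 1 << ((op >> 4) & 0x3)       # value length: 1, 2, 4 or 8 octets
                values.append({"and": bool(op & 0x40), "op": op & 0x7,   # lt/gt/eq bits
                               "value": int.from_bytes(data[pos:pos + vlen], "big")})
                pos += vlen
                if op & 0x80:                       # e-bit terminates the list
                    break
            comps.append({"type": ctype, "values": values})
        else:
            raise ValueError(f"unsupported component type {ctype}")
    return comps


def host_routes_only(comps):
    """Thread objective: every destination or source prefix component must be a /32."""
    return all(c["prefixlen"] == 32
               for c in comps if c["type"] in (DEST_PREFIX, SRC_PREFIX))


# Constructed samples: the post's cases 2 (dest /32), 1 (source /32) and 3 (source /24),
# plus the /29 from the original question. Components are ordered by type.
PROTO_TCP = encode_numeric(IP_PROTO, [TCP])
SAMPLES = {
    "dest32": encode_nlri(encode_prefix(DEST_PREFIX, "104.104.104.104/32"), PROTO_TCP),
    "src32": encode_nlri(encode_prefix(SRC_PREFIX, "104.104.104.104/32"), PROTO_TCP),
    "src24": encode_nlri(encode_prefix(SRC_PREFIX, "104.104.104.0/24"), PROTO_TCP),
    "src29": encode_nlri(encode_prefix(SRC_PREFIX, "104.104.104.104/29"), PROTO_TCP),
}

if __name__ == "__main__":
    for name, nlri in SAMPLES.items():
        comps = parse_flowspec_nlri(nlri)
        print(f"{name:7} {nlri.hex():20} {comps[0]['prefix']:20} "
              f"{'accept' if host_routes_only(comps) else 'reject'}")
```

Running it prints one line per sample with the raw NLRI bytes, the decoded prefix, and the verdict under the /32-only rule: the two /32 samples are accepted and the /24 and /29 are rejected regardless of whether the prefix sits in the destination or the source component. The point of the decoder is that the NLRI itself keeps the two prefixes apart as different component types, so any import or export policy has to be told explicitly which component its prefix-length match applies to; the script lets you check the decoded prefix lengths independently of whatever a particular router's match condition happens to evaluate.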
Original Message:
Sent: 05-17-2021 10:32
From: Unknown User
Subject: Exporting source based BGP Flowspec routes
Hi,
Indeed, source-address-filter will not work in that situation. You will need to apply the filter (input) on the destination.
Hope this helps.
Leonardo Gama.
Original Message:
Sent: 05-14-2021 13:00
From: Unknown User
Subject: Exporting source based BGP Flowspec routes
Hi,
We have a vRR instance running in the lab as a trigger router, exporting flow routes to a PE edge router. The flow routes are configured in a VRF instance and advertised as VPNv4 routes to the PE router. Our objective is to advertise flow routes that are host routes, i.e., that have a prefix length of /32 only, and to reject other prefix lengths. So we are using the following term in the BGP export policy on the trigger router and statically configuring flow routes for advertisement to the target router:
set policy-options policy-statement TO_PE_EX term HOST_ROUTES from route-filter 0.0.0.0/0 prefix-length-range /0-/31
set policy-options policy-statement TO_PE_EX term HOST_ROUTES then reject
The above term works fine for rejecting routes with prefix lengths between /0 and /31 and only allows /32 host routes to be advertised to the target router, such as the destination-based flow route below:
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match destination 104.104.104.104/32
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW then community FLOW_STD
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW then rate-limit 1g
But this export policy term does not work for source-based host flow routes (/29); e.g., the following route gets advertised. This suggests that the 'term HOST_ROUTES' above is not matching the source-based flow route 'DDOS_FLOW_SOURCE' below:
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match source 104.104.104.104/29 <--
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then community FLOW_STD
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then rate-limit 1g
and using 'source-address-filter' in the export policy doesn't appear to work as expected either; it appears to match a /32 source route and reject it [instead of matching only /0-/31 prefix lengths]:
set policy-options policy-statement TO_PE_EX term HOST_ROUTES_SOURCE from source-address-filter 0.0.0.0/0 prefix-length-range /0-/31
set policy-options policy-statement TO_PE_EX term HOST_ROUTES_SOURCE then reject
For example, the following flow route (/32) is rejected by the policy term HOST_ROUTES_SOURCE above:
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match protocol tcp
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match source 104.104.104.104/32 <--
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then community FLOW_STD
set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then rate-limit 1g
Any thoughts on how we can match the prefix length for source-based flow routes and accept /32 host routes only?
Thanks,