Flowspec commands
address-family ipv4
Use address-family ipv4 to create a Flowspec IPv4 address family, or enter the view of an existing Flowspec IPv4 address family.
Use undo address-family ipv4 to delete a Flowspec IPv4 address family and all its settings.
Syntax
address-family ipv4 [ vpn-instance vpn-instance-name ]
undo address-family ipv4 [ vpn-instance vpn-instance-name ]
Default
No Flowspec IPv4 address family exists.
Views
Flowspec view
Predefined user roles
network-admin
Parameters
vpn-instance vpn-instance-name: Creates the Flowspec IPv4 address family for an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To create a Flowspec IPv4 address family for the public network, do not specify this option.
Examples
# Create a Flowspec IPv4 address family for the public network and enter its view.
<Sysname> system-view
[Sysname] flowspec
[Sysname-flowspec] address-family ipv4
[Sysname-flowspec-ipv4]
address-family ipv4 flowspec (BGP instance view)
Use address-family ipv4 flowspec to create a BGP IPv4 Flowspec address family, or enter the view of an existing BGP IPv4 Flowspec address family.
Use undo address-family ipv4 flowspec to delete a BGP IPv4 Flowspec address family and all its settings.
Syntax
address-family ipv4 flowspec
undo address-family ipv4 flowspec
Default
No BGP IPv4 Flowspec address family exists.
Views
BGP instance view
Predefined user roles
network-admin
Examples
# Create a BGP IPv4 Flowspec address family and enter its view.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv4 flowspec
[Sysname-bgp-default-ipv4-flowspec]
address-family ipv4 flowspec (BGP-VPN instance view)
Use address-family ipv4 flowspec to create a BGP-VPN IPv4 Flowspec address family, or enter the view of an existing BGP-VPN IPv4 Flowspec address family.
Use undo address-family ipv4 flowspec to delete a BGP-VPN IPv4 Flowspec address family and all its settings.
Syntax
address-family ipv4 flowspec
undo address-family ipv4 flowspec
Default
No BGP-VPN IPv4 Flowspec address family exists.
Views
BGP-VPN instance view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The settings in the view of a BGP-VPN IPv4 Flowspec address family take effect only on routes and peers of the BGP-VPN IPv4 Flowspec address family.
Examples
# Create a BGP-VPN IPv4 Flowspec address family and enter its view.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] ip vpn-instance vpn1
[Sysname-bgp-default-vpn1] address-family ipv4 flowspec
[Sysname-bgp-default-flowspec-ipv4-vpn1]
address-family ipv4 flowspec (VPN instance view)
Use address-family ipv4 flowspec to enter IPv4 Flowspec VPN address family view.
Use undo address-family ipv4 flowspec to delete all settings in IPv4 Flowspec VPN address family view.
Syntax
address-family ipv4 flowspec
undo address-family ipv4 flowspec
Views
VPN instance view
Predefined user roles
network-admin
Usage guidelines
You can configure IPv4 Flowspec VPN parameters in IPv4 Flowspec VPN address family view. For example, you can configure route targets for a VPN instance.
Examples
# Enter IPv4 Flowspec VPN address family view.
<Sysname> system-view
[Sysname] ip vpn-instance vpn1
[Sysname-vpn-instance-vpn1] address-family ipv4 flowspec
[Sysname-vpn-ipv4-vpn1-flowspec]
address-family vpnv4 flowspec
Use address-family vpnv4 flowspec to create a BGP VPNv4 Flowspec address family, or enter the view of an existing BGP VPNv4 Flowspec address family.
Use undo address-family vpnv4 flowspec to delete a BGP VPNv4 Flowspec address family and all its settings.
Syntax
address-family vpnv4 flowspec
undo address-family vpnv4 flowspec
Default
No BGP VPNv4 Flowspec address family exists.
Views
BGP instance view
Predefined user roles
network-admin
Examples
# Create a BGP VPNv4 Flowspec address family and enter its view.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family vpnv4 flowspec
[Sysname-bgp-default-vpnv4-flowspec]
apply
Use apply to apply an action to matching traffic in a Flowspec rule.
Use undo apply to remove an action from a Flowspec rule.
Syntax
apply action
undo apply action
Default
No action is applied in a Flowspec rule.
Views
Flowspec rule view
Predefined user roles
network-admin
Parameters
action: Specifies an action. Table 1 shows the available actions.

Table 1 Available actions

Action | Description |
---|---|
deny | Drops packets. |
redirect next-hop ipv4-address [ copy-mode ] | Redirects packets to a next hop. The ipv4-address argument specifies the IP address of the next hop. The copy-mode keyword redirects copies of the packets and is not supported in the current software version. |
redirect vpn-target import-vpn-target | Redirects packets to a route target. The import-vpn-target argument specifies a route target, a string of 3 to 21 characters, in one of the following formats: 16-bit AS number:32-bit user-defined number, for example, 100:3; 32-bit IP address:16-bit user-defined number, for example, 192.168.122.15:1; 32-bit AS number:16-bit user-defined number, for example, 65536:1. The smallest AS number in the last format is 65536, because a value of 65535 or lower is read as a 16-bit AS number. |
remark-dscp dscp-value | Marks the DSCP value for packets. The dscp-value argument specifies a DSCP value, which can be a number from 0 to 63 or a keyword in Table 2. |
traffic-rate rate | Limits the rate of packets. The rate argument specifies the traffic rate in the range of 1 to 100000000 kbps. If you set this argument to a value smaller than 8 kbps, 8 kbps is used as the traffic rate. |

Table 2 DSCP keywords and values

Keyword | DSCP value (binary) | DSCP value (decimal) |
---|---|---|
default | 000000 | 0 |
af11 | 001010 | 10 |
af12 | 001100 | 12 |
af13 | 001110 | 14 |
af21 | 010010 | 18 |
af22 | 010100 | 20 |
af23 | 010110 | 22 |
af31 | 011010 | 26 |
af32 | 011100 | 28 |
af33 | 011110 | 30 |
af41 | 100010 | 34 |
af42 | 100100 | 36 |
af43 | 100110 | 38 |
cs1 | 001000 | 8 |
cs2 | 010000 | 16 |
cs3 | 011000 | 24 |
cs4 | 100000 | 32 |
cs5 | 101000 | 40 |
cs6 | 110000 | 48 |
cs7 | 111000 | 56 |
ef | 101110 | 46 |

Usage guidelines
If you execute this command multiple times with the same type of action in a Flowspec rule, the most recent configuration takes effect.
The relationship among different action types in a Flowspec rule is logical AND: every configured action is applied to the matching traffic.
To redirect packets to a next hop, make sure the next hop is on the public network.
For successful traffic redirection, make sure the next hop IP address is reachable. The redirection feature periodically looks up the routing table to verify the reachability of the next hop IP address. If the next hop IP address is detected unreachable, traffic redirection to a next hop is no longer in effect.
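On the wire, the actions above are carried as BGP extended communities: traffic-rate and DSCP marking are defined in RFC 5575 section 7, and the three route-target spellings accepted by redirect vpn-target correspond to the three redirect community types of RFC 7674. The following Python encoder and decoder is an added example written for this page, not H3C code. It shows why the 32-bit AS form of a route target starts at 65536: a left-hand value of 65535 or lower always selects the 16-bit AS community type. It assumes an informational AS field of 0 in the traffic-rate community and represents deny as the RFC's traffic-rate of 0 bytes per second; the page does not state how this platform encodes deny, and redirect next-hop is left out because RFC 5575 defines no community for it.

```python
"""Flowspec action extended communities (RFC 5575 section 7, RFC 7674). Added example, not H3C code."""
from __future__ import annotations
import ipaddress
import struct

# Type and sub-type octets (the first two of eight) of each action community
TRAFFIC_RATE = 0x8006     # 2-octet AS (informational) + IEEE-754 float32 rate in bytes per second
TRAFFIC_MARKING = 0x8009  # five zero octets + DSCP in the low 6 bits of the last octet
REDIRECT_AS2 = 0x8008     # RFC 7674 redirect to route target, 16-bit AS : 32-bit number
REDIRECT_IPV4 = 0x8108    # RFC 7674 redirect to route target, IPv4 address : 16-bit number
REDIRECT_AS4 = 0x8208     # RFC 7674 redirect to route target, 32-bit AS : 16-bit number
MIN_RATE_KBPS = 8         # the page: a traffic-rate below 8 kbps is applied as 8 kbps


def traffic_rate(kbps: int, as_number: int = 0) -> bytes:
    """apply traffic-rate: kbit/s on the CLI, bytes/s on the wire. as_number=0 is an assumption."""
    if not 1 <= kbps <= 100_000_000:
        raise ValueError("rate must be 1 to 100000000 kbps")
    bytes_per_sec = max(kbps, MIN_RATE_KBPS) * 1000 / 8
    return struct.pack(">HHf", TRAFFIC_RATE, as_number, bytes_per_sec)


def deny(as_number: int = 0) -> bytes:
    """RFC 5575 expresses 'discard' as a traffic-rate of 0 bytes/s (the platform's own encoding of apply deny is not on the page)."""
    return struct.pack(">HHf", TRAFFIC_RATE, as_number, 0.0)


def remark_dscp(dscp: int) -> bytes:
    """apply remark-dscp: the 6-bit DSCP value goes in the last octet."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0 to 63")
    return struct.pack(">H5xB", TRAFFIC_MARKING, dscp)


def redirect_vpn_target(rt: str) -> bytes:
    """apply redirect vpn-target: each of the three route-target spellings selects a different community type."""
    left, sep, right = rt.partition(":")
    if not sep or not right.isdigit() or not 3 <= len(rt) <= 21:
        raise ValueError(f"bad route target {rt!r}")
    number = int(right)
    if "." in left:  # 32-bit IP address:16-bit number
        if number > 0xFFFF:
            raise ValueError("the number after an IPv4 address is 16-bit")
        return struct.pack(">H4sH", REDIRECT_IPV4, ipaddress.IPv4Address(left).packed, number)
    if not left.isdigit():
        raise ValueError(f"bad AS number in {rt!r}")
    asn = int(left)
    if asn <= 0xFFFF:  # 16-bit AS:32-bit number; this is why 65535:1 can never be the 32-bit AS form
        if number > 0xFFFFFFFF:
            raise ValueError("the number after a 16-bit AS is 32-bit")
        return struct.pack(">HHI", REDIRECT_AS2, asn, number)
    if asn > 0xFFFFFFFF or number > 0xFFFF:  # 32-bit AS (65536 and up):16-bit number
        raise ValueError("the 32-bit AS form takes a 16-bit number")
    return struct.pack(">HIH", REDIRECT_AS4, asn, number)


def decode(community: bytes) -> tuple[str, object]:
    """Map a received community back to the CLI action it stands for."""
    if len(community) != 8:
        raise ValueError("an extended community is 8 octets")
    kind = int.from_bytes(community[:2], "big")
    if kind == TRAFFIC_RATE:
        _asn, bps = struct.unpack(">Hf", community[2:])
        return ("deny", None) if bps == 0 else ("traffic-rate", round(bps * 8 / 1000))
    if kind == TRAFFIC_MARKING:
        return "remark-dscp", community[7] & 0x3F
    if kind == REDIRECT_AS2:
        asn, number = struct.unpack(">HI", community[2:])
        return "redirect vpn-target", f"{asn}:{number}"
    if kind == REDIRECT_IPV4:
        addr, number = struct.unpack(">4sH", community[2:])
        return "redirect vpn-target", f"{ipaddress.IPv4Address(addr)}:{number}"
    if kind == REDIRECT_AS4:
        asn, number = struct.unpack(">IH", community[2:])
        return "redirect vpn-target", f"{asn}:{number}"
    raise ValueError(f"not a Flowspec action community: {kind:#06x}")
```

Running `decode(traffic_rate(419200))` returns `("traffic-rate", 419200)`, the rate from the example below, and `decode(traffic_rate(1))` returns 8 kbps because of the clamp the page describes. A receiving router that validates Flowspec routes has to perform exactly this decoding before it installs an action, so the same functions are a convenient way to inspect what a peer is actually asking the device to do.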
Examples
# Apply a deny action in a Flowspec rule.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match port 23
[Sysname-flow-route-route1] apply deny
# Apply a redirection action in a Flowspec rule.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match port 23
[Sysname-flow-route-route1] apply redirect vpn-target 4:4
# Apply an action of marking DSCP value af11 for packets in a Flowspec rule.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match port 23
[Sysname-flow-route-route1] apply remark-dscp af11
# Apply an action of limiting the traffic rate to 419200 kbps in a Flowspec rule.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match port 23
[Sysname-flow-route-route1] apply traffic-rate 419200
check flow-route-configuration
Use check flow-route-configuration to display uncommitted match criteria and actions in a Flowspec rule.
Syntax
check flow-route-configuration
Views
Flowspec rule view
Predefined user roles
network-admin
Usage guidelines
If you configure match criteria and actions for the first time in a Flowspec rule and do not commit them, this command displays all uncommitted match criteria and actions.
If some match criteria and actions are committed and others are not committed in a Flowspec rule, this command displays all match criteria and actions, including those that are committed. To display the committed match criteria and actions of a Flowspec rule, use the display this command in Flowspec rule view.
Examples
# Display uncommitted match criteria and actions in a Flowspec rule.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] check flow-route-configuration
Traffic filtering rules:
Destination IP : 1.1.0.0 255.255.0.0
Destination port : 23
DSCP : 24
Fragment type : match fragment
ICMP code : 8
ICMP type : 10
Packet length : 150
Protocol : 2
Source IP : 1.1.0.0 255.255.0.0
Source port : 238 to 240 550
TCP flags : match 23
Traffic filtering actions:
Traffic rate : 1000(kbps)
DSCP marking : 56
Redirecting to VPN target : 1:2
Table 3 Command output

Field | Description |
---|---|
Traffic filtering rules | Match criteria that are not committed. For more information about match criteria, see Table 4. If no match criteria are configured or the match criteria are committed, this field displays N/A. |
Traffic filtering actions | Actions that are not committed. For more information about actions, see Table 5. If no actions are configured or the actions are committed, this field displays N/A. |

Table 4 Match criteria fields

Field | Description |
---|---|
Destination IP | Matches the destination IPv4 address. |
Destination port | Matches the destination port. |
DSCP | Matches the DSCP value. |
Fragment type | Matches the fragment type. match: the specified fragment type is a successful match criterion. not: all fragment types except the specified fragment type are successful match criteria. fragment: fragmented packets. non-fragment: non-fragmented packets. fragment-spe-first: the first fragment of fragmented packets. |
ICMP code | Matches the ICMP code. |
ICMP type | Matches the ICMP type. |
Packet length | Matches the packet length (including the Layer 3 header). |
Port | Matches the source and destination ports. |
Protocol | Matches the protocol number. |
Source IP | Matches the source IPv4 address. |
Source port | Matches the source port. |
TCP flags | Matches TCP flags. match: the specified TCP flags are successful match criteria. not: all TCP flags except the specified TCP flags are successful match criteria. |

Table 5 Action fields

Field | Description |
---|---|
Deny | Drops packets. |
Traffic rate | Limits the traffic rate. |
Redirecting to VPN target | Redirects packets to a route target. |
Redirecting to next-hop | Redirects packets to a next hop. |
DSCP marking | Marks the DSCP value for packets. |

Related commands
commit
commit
Use commit to commit match criteria and actions in a Flowspec rule.
Syntax
commit
Default
Match criteria and actions in a Flowspec rule are not committed.
Views
Flowspec rule view
Predefined user roles
network-admin
Usage guidelines
Match criteria and actions in a Flowspec rule can be modified dynamically. To reduce network instability caused by dynamic modification, you must execute the commit command to make the modification in a Flowspec rule take effect.
As a best practice before executing the commit command, use the check flow-route-configuration command to display the match criteria and actions that are not committed.
Multiple Flowspec rules can be applied to a Flowspec IPv4 address family. However, different Flowspec rules cannot have the same committed match criteria.
Examples
# Commit match criteria and actions in Flowspec rule route1.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match port 23
[Sysname-flow-route-route1] apply traffic-rate 419200
[Sysname-flow-route-route1] commit
Related commands
check flow-route-configuration
display bgp routing-table ipv4 flowspec
Use display bgp routing-table ipv4 flowspec to display BGP IPv4 Flowspec routing information.
Syntax
display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] [ flowspec-prefix [ advertise-info ] | statistics ]
display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] peer ipv4-address { advertised-routes | received-routes } [ flowspec-prefix | statistics ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays the information for the public network.
flowspec-prefix: Displays detailed BGP IPv4 Flowspec routing information.
advertise-info: Displays advertisement information for BGP IPv4 Flowspec routes.
peer ipv4-address: Displays BGP IPv4 Flowspec routing information advertised to or received from the specified peer.
advertised-routes: Displays BGP IPv4 Flowspec routing information advertised to the specified peer.
received-routes: Displays BGP IPv4 Flowspec routing information received from the specified peer.
statistics: Displays routing statistics.
If you do not specify any parameters, this command displays brief information about all BGP IPv4 Flowspec routes.
Examples
# Display brief information about all BGP IPv4 Flowspec routes in the default BGP instance.
<Sysname> display bgp routing-table ipv4 flowspec
Total number of routes: 1
BGP local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a – additional-path
Origin: i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* >e DEST:1.2.3.4/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176
0.0.0.0 0 200?
Table 6 Command output

Field | Description |
---|---|
Status codes | * – valid: valid route. > – best: optimal route. d – dampened: dampened route. h – history: history route. s – suppressed: suppressed route. S – stale: stale route. i – internal: internal route. e – external: external route. a – additional-path: additional-path route. |
Origin | Origin of the route. i – IGP: originated in the AS; the origin of routes advertised with the network command is IGP. e – EGP: learned through EGP. ? – incomplete: unknown origin; the origin of routes redistributed from IGP protocols is incomplete. |
Network | Destination network address. |
NextHop | Next hop IP address. |
MED | MULTI_EXIT_DISC attribute. |
LocPrf | Local preference value. |
PrefVal | Preferred value of the route. |
Path/Ogn | AS_PATH and ORIGIN attributes of the route. AS_PATH records the ASs the route has passed and is used to avoid routing loops. ORIGIN identifies the origin of the route. |

# Display statistics for BGP IPv4 Flowspec routes advertised to peer 10.2.1.2 for the default BGP instance.
<Sysname> display bgp routing-table ipv4 flowspec peer 10.2.1.2 advertised-routes statistics
Advertised routes total: 2
# Display statistics for BGP IPv4 Flowspec routes received from peer 10.2.1.2 for the default BGP instance.
<Sysname> display bgp routing-table ipv4 flowspec peer 10.2.1.2 received-routes statistics
Received routes total: 2
Table 7 Command output

Field | Description |
---|---|
Advertised routes total | Total number of advertised routes. |
Received routes total | Total number of received routes. |

display bgp routing-table vpnv4 flowspec
Use display bgp routing-table vpnv4 flowspec to display BGP VPNv4 Flowspec routing information.
Syntax
display bgp [ instance instance-name ] routing-table vpnv4 flowspec [ peer ipv4-address { advertised-routes | received-routes } [ flowspec-prefix | statistics ] | [ route-distinguisher route-distinguisher ] [ flowspec-prefix [ advertise-info ] ] | statistics ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.
peer ipv4-address: Displays BGP VPNv4 Flowspec routing information advertised to or received from the specified peer.
advertised-routes: Displays BGP VPNv4 Flowspec routing information advertised to the specified peer.
received-routes: Displays BGP VPNv4 Flowspec routing information received from the specified peer.
route-distinguisher route-distinguisher: Displays BGP VPNv4 Flowspec routing information for the specified route distinguisher. The route-distinguisher argument is a string of 3 to 21 characters and can be specified in one of the following formats:
· 16-bit AS number:32-bit user-defined number, for example, 101:3.
· 32-bit IP address:16-bit user-defined number, for example, 192.168.122.15:1.
· 32-bit AS number:16-bit user-defined number, for example, 65536:1. The smallest AS number in this format is 65536, because a value of 65535 or lower is read as a 16-bit AS number.
flowspec-prefix: Displays detailed BGP VPNv4 Flowspec routing information.
advertise-info: Displays advertisement information for BGP VPNv4 Flowspec routes.
statistics: Displays routing statistics.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all BGP VPNv4 Flowspec routes.
Examples
# Display brief information about all BGP VPNv4 Flowspec routes for the default BGP instance.
<Sysname> display bgp routing-table vpnv4 flowspec
BGP local router ID is 192.168.56.55
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
Origin: i - IGP, e - EGP, ? - incomplete
Total number of routes from all PEs: 4
Route distinguisher: 1:3
Total number of routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300
,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl
ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528
0.0.0.0 100 0 ?
* >i DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176
0.0.0.0 100 0 ?
Route distinguisher: 1:5(vpn1)
Total number of routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn
* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300
,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl
ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528
0.0.0.0 100 0 ?
* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300
,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl
ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto
:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12
0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105
6
0.0.0.0 0 100?
* > DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176
0.0.0.0 32768 ?
* i 0.0.0.0 100 0 ?
* e 0.0.0.0 0 100?
Route distinguisher: 1:6
Total number of routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300
,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl
ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto
:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12
0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105
6
0.0.0.0 0 100?
* >e DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176
0.0.0.0 0 100?
Table 8 Command output

Field | Description |
---|---|
Status codes | * – valid: valid route. > – best: optimal route. d – dampened: dampened route. h – history: history route. i – internal: internal route. e – external: external route. s – suppressed: suppressed route. S – stale: stale route. |
Origin | Origin of the route. i – IGP: originated in the AS; the origin of routes advertised with the network command is IGP. e – EGP: learned through EGP. ? – incomplete: unknown origin; the origin of routes redistributed from IGP protocols is incomplete. |
Network | Destination network address. |
NextHop | Next hop IP address. |
MED | MULTI_EXIT_DISC attribute. |
LocPrf | Local preference value. |
PrefVal | Preferred value of the route. |
Path/Ogn | AS_PATH and ORIGIN attributes of the route. AS_PATH records the ASs the route has passed and is used to avoid routing loops. ORIGIN identifies the origin of the route. |

# Display statistics for BGP VPNv4 Flowspec routes advertised to peer 15.5.6.2 for the default BGP instance.
<Sysname> display bgp routing-table vpnv4 flowspec peer 15.5.6.2 advertised-routes statistics
Advertised routes total: 3
# Display statistics for BGP VPNv4 Flowspec routes received from peer 15.5.6.2 for the default BGP instance.
<Sysname> display bgp routing-table vpnv4 flowspec peer 15.5.6.2 received-routes statistics
Received routes total: 2
Table 9 Command output

Field | Description |
---|---|
Advertised routes total | Total number of advertised routes. |
Received routes total | Total number of received routes. |

# Display statistics for BGP VPNv4 Flowspec routes.
<Sysname> display bgp routing-table vpnv4 flowspec statistics
Total number of routes from all PEs: 4
Route distinguisher: 1:3
Route distinguisher: 1:5(vpn1)
Total number of routes: 5
Route distinguisher: 1:6
Total number of routes: 2
display flow-route
Use display flow-route to display Flowspec rule information on a Flowspec edge router.
Syntax
In standalone mode:
display flow-route { all | flow-route-id | [ instance instance-name ] [ ip [ vpn-instance vpn-instance-name ] ] } [ slot slot-number ]
In IRF mode:
display flow-route { all | flow-route-id | [ instance instance-name ] [ ip [ vpn-instance vpn-instance-name ] ] } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all Flowspec rules.
flow-route-id: Specifies a Flowspec rule by its ID in the range of 0 to fffffffffffffffe (hexadecimal).
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.
ip: Specifies IPv4 Flowspec rules.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays the information for the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the Flowspec rule information for the active MPU. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays the Flowspec rule information for the global active MPU. (In IRF mode.)
Usage guidelines
If multiple effective Flowspec rules exist, the device compares a packet with Flowspec rules in their display order in the command output.
Examples
# Display information about all Flowspec rules.
<Sysname> display flow-route all
Total number of flow-routes: 3
Flow route (ID 0x0)(Failed)
BGP instance : default
Traffic filtering rules:
Destination IP : 1.2.3.4 255.255.255.255
Port : 22 33 44 55
Source IP : 2.3.4.5 255.255.255.255
Traffic filtering actions:
DSCP marking : 10
Redirecting to VPN instance : vpn3
Flow route (ID 0x1)
BGP instance : default
Traffic filtering rules:
Destination IP : 1.2.3.4 255.255.255.255
Traffic filtering actions:
Deny
Flow route (ID 0x2)
BGP instance : default
VPN instance : vpn1
Traffic filtering rules:
ICMP type : 23
Traffic filtering actions:
Traffic rate : 1000(kbps)
Flow route (ID 0x3)
BGP instance : default
VPN instance : vpn1
Traffic filtering rules:
Source port : 80
Traffic filtering actions:
Redirecting to VPN target : 3:3 (Inactive)
Table 10 Command output

Field | Description |
---|---|
Flow route (ID 0x0) | Flowspec rule ID. The (Failed) attribute indicates that the Flowspec rule failed to be applied. |
VPN instance | VPN instance where the Flowspec rule takes effect. If this field does not appear, the Flowspec rule takes effect in the public network. |
Redirecting to VPN instance | Redirects packets to a VPN instance. If the route target for redirection cannot be mapped to a VPN instance, the redirection action does not take effect (indicated by Inactive in parentheses), and the field is displayed as Redirecting to VPN target instead. |
Redirecting to next-hop | Redirects packets to a next hop. If the next hop is unreachable or invalid, the redirection action does not take effect (indicated by Inactive in parentheses). |

For information about other fields, see Table 3, Table 4, and Table 5.
flow-route (system view)
Use flow-route to create a Flowspec rule, or enter the view of an existing Flowspec rule.
Use undo flow-route to delete a Flowspec rule.
Syntax
flow-route flowroute-name
undo flow-route flowroute-name
Default
No Flowspec rules exist.
Views
System view
Predefined user roles
network-admin
Parameters
flowroute-name: Specifies a Flowspec rule name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
To delete a Flowspec rule applied to a Flowspec IPv4 address family, perform the following tasks:
1. Execute the undo flow-route command in Flowspec IPv4 address family view.
2. Execute the undo flow-route command in system view.
Examples
# Create a Flowspec rule named route1.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1]
flow-route (Flowspec IPv4 address family view)
Use flow-route to apply a Flowspec rule to a Flowspec IPv4 address family.
Use undo flow-route to remove a Flowspec rule from a Flowspec IPv4 address family.
Syntax
flow-route flowroute-name
undo flow-route flowroute-name
Default
No Flowspec rule is applied to a Flowspec IPv4 address family.
Views
Flowspec IPv4 address family view
Predefined user roles
network-admin
Parameters
flowroute-name: Specifies an existing Flowspec rule by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
If multiple Flowspec rules are applied to a Flowspec IPv4 address family, you can use the display flow-route command on a Flowspec edge router to display the match order of match criteria that are committed. If match criteria in multiple Flowspec rules can match a packet, the packet is matched by the match criterion that appears at the top.
Examples
# Apply Flowspec rule route1 to the public network address family.
<Sysname> system-view
[Sysname] flowspec
[Sysname-flowspec] address-family ipv4
[Sysname-flowspec-ipv4] flow-route route1
flowspec
Use flowspec to enter Flowspec view.
Syntax
flowspec
Views
System view
Predefined user roles
network-admin
Examples
# Enter Flowspec view.
<Sysname> system-view
[Sysname] flowspec
[Sysname-flowspec]
if-match
Use if-match to configure a match criterion in a Flowspec rule.
Use undo if-match to delete a match criterion from a Flowspec rule.
Syntax
if-match match-criteria
undo if-match match-criteria
Default
No match criterion is configured in a Flowspec rule.
Views
Flowspec rule view
Predefined user roles
network-admin
Parameters
match-criteria: Specifies a match criterion. Table 11 shows the available match criteria.
Table 11 Available match criteria

Match criterion type ID | Option | Description |
---|---|---|
1 | destination-ip ipv4-address { mask-length \| mask } | Matches the destination IPv4 address of packets. The ipv4-address argument specifies an IPv4 address in dotted decimal notation. The mask-length argument specifies the mask length in the range of 0 to 32. The mask argument specifies the mask in dotted decimal notation. |
2 | source-ip ipv4-address { mask-length \| mask } | Matches the source IPv4 address of packets. The ipv4-address argument specifies an IPv4 address in dotted decimal notation. The mask-length argument specifies the mask length in the range of 0 to 32. The mask argument specifies the mask in dotted decimal notation. |
3 | protocol { proto-name&<1-8> \| proto-list } | Matches a protocol. The proto-list argument specifies a space-separated list of up to eight protocol items. Each item specifies a protocol or a range of protocols by numerical values in the form of proto-start to proto-end. The value for proto-end must be greater than or equal to the value for proto-start. The value range for the proto argument is 0 to 255. The proto-name argument specifies up to eight protocols by keyword. The available keywords are icmp (1), igmp (2), ipinip (4), tcp (6), egp (8), udp (17), ipv6 (41), rsvp (46), gre (47), esp (50), ospf (89), and pim (103). |
4 | port port-list | Matches the source and destination port numbers of packets. The port-list argument specifies a space-separated list of up to eight port number items. Each item specifies a port number or a range of port numbers in the form of port-start to port-end. The value for port-end must be greater than or equal to the value for port-start. The value range for the port argument is 0 to 65535. |
5 | destination-port port-list | Matches the destination port number of packets. The port-list argument specifies a space-separated list of up to eight port number items. Each item specifies a port number or a range of port numbers in the form of port-start to port-end. The value for port-end must be greater than or equal to the value for port-start. The value range for the port argument is 0 to 65535. |
6 | source-port port-list | Matches the source port number of packets. The port-list argument specifies a space-separated list of up to eight port number items. Each item specifies a port number or a range of port numbers in the form of port-start to port-end. The value for port-end must be greater than or equal to the value for port-start. The value range for the port argument is 0 to 65535. |
7 | icmp-type type-list | Matches the ICMP type of packets. The type-list argument specifies a space-separated list of up to eight type items. Each item specifies a type or a range of types in the form of type-start to type-end. The value for type-end must be greater than or equal to the value for type-start. The value range for the type argument is 0 to 255. |
8 | icmp-code code-list | Matches the ICMP code of packets. The code-list argument specifies a space-separated list of up to eight code items. Each item specifies a code or a range of codes in the form of code-start to code-end. The value for code-end must be greater than or equal to the value for code-start. The value range for the code argument is 0 to 255. |
9 | tcp-flags { match \| not } tcp-flags [ any ] | Matches the TCP flags of packets. The match keyword indicates that the specified TCP flags are successful match criteria. The not keyword indicates that all TCP flags except the specified TCP flags are successful match criteria. The tcp-flags argument specifies a TCP flags value in the range of 0 to 63; the field in the packet is a 6-bit binary value. The any keyword matches all packets that have the specified bits set to 1 in the TCP flags field. For example, to match all packets with the first and third bits set to 1, configure the if-match tcp-flags match 5 any command; the decimal value 5 corresponds to the binary value 000101. |
10 | packet-length length-list | Matches the Layer 3 packet length (including the Layer 3 header) of packets. This option is not supported in the current software version. |
11 | dscp { dscp-name&<1-8> \| dscp-list } | Matches the DSCP value of packets. The dscp-name argument specifies up to eight DSCP values by keyword. Table 2 shows the available keywords. The dscp-list argument specifies a space-separated list of up to eight DSCP values. Each item specifies a DSCP value or a range of DSCP values in the form of dscp-start to dscp-end. The value for dscp-end must be greater than or equal to the value for dscp-start. The value range for the dscp argument is 0 to 63. |
12 | fragment-type { match \| not } { fragment \| non-fragment \| fragment-spe-first } | Matches the fragment type. The match keyword indicates that the specified fragment type is a successful match criterion. The not keyword indicates that all fragment types except the specified fragment type are successful match criteria. The fragment keyword matches fragmented packets. The non-fragment keyword matches non-fragmented packets. The fragment-spe-first keyword matches the first fragment of fragmented packets. |

Usage guidelines
Within a single Flowspec rule, the following rules apply:
· The port port-list option is mutually exclusive with the source-port port-list and destination-port port-list options.
· Match criteria of different types are combined with a logical AND: a packet matches the rule only if it matches every configured criterion type.
· Match criteria of the same type are combined with a logical OR: a packet matches a criterion type if it matches any item in that type's list.
If multiple Flowspec rules exist, the device matches packets against the Flowspec rules in ascending order of match criterion type IDs. When a match is found, the matching process stops and the action in the matching Flowspec rule is applied. For the match order of same-type match criteria, see section 5.1 in RFC 5575.
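The following is an added example, not code from the H3C command reference, that models the match semantics just described: a logical AND across criterion types, a logical OR within a type's list, the mutual exclusivity of port with source-port and destination-port, and the tcp-flags match/not form with and without any. The packet dictionaries, rule names and helper names are constructed for the example; the port criterion is matched against either the source or the destination port as in RFC 5575, and the any keyword is read as "every bit set in the value must be set in the packet", which is this example's reading of the table text.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Range = Tuple[int, int]

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}
# Standard DSCP keywords (RFC 2474/2597/3246 values) so that `dscp af11` works.
DSCP_NAMES = {"af11": 10, "af21": 18, "af31": 26, "af41": 34, "ef": 46,
              **{f"cs{i}": 8 * i for i in range(8)}}


def parse_list(items: str, names: Dict[str, int] = None, limit: int = 255) -> List[Range]:
    """Parse '80 443 8000 to 8080' into [(80,80),(443,443),(8000,8080)]; max eight items."""
    names = names or {}
    val = lambda t: names[t] if t in names else int(t)
    tokens, out, i = items.split(), [], 0
    while i < len(tokens):
        start = val(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end, i = val(tokens[i + 2]), i + 3
        else:
            end, i = start, i + 1
        if not 0 <= start <= end <= limit:            # end must be >= start, both in range
            raise ValueError(f"bad range {start} to {end} (limit {limit})")
        out.append((start, end))
    if not out or len(out) > 8:
        raise ValueError("a list holds one to eight items")
    return out


def in_ranges(value: int, ranges: List[Range]) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)    # OR within one criterion type


@dataclass
class FlowRoute:
    """One Flowspec rule: criterion type -> parsed criterion (constructed model)."""
    name: str
    criteria: Dict[str, object] = field(default_factory=dict)

    def if_match(self, kind: str, arg: str) -> "FlowRoute":
        if kind == "port" and self.criteria.keys() & {"source-port", "destination-port"}:
            raise ValueError("port is mutually exclusive with source-port/destination-port")
        if kind in ("source-port", "destination-port") and "port" in self.criteria:
            raise ValueError("source-port/destination-port is mutually exclusive with port")
        if kind in ("destination-ip", "source-ip"):          # "192.168.100.1 24"
            addr, plen = arg.split()
            self.criteria[kind] = ip_network(f"{addr}/{plen}", strict=False)
        elif kind == "protocol":
            self.criteria[kind] = parse_list(arg, PROTO_NAMES)
        elif kind == "dscp":
            self.criteria[kind] = parse_list(arg, DSCP_NAMES, limit=63)
        elif kind in ("port", "source-port", "destination-port"):
            self.criteria[kind] = parse_list(arg, limit=65535)
        elif kind in ("icmp-type", "icmp-code"):
            self.criteria[kind] = parse_list(arg)
        elif kind == "tcp-flags":                             # "match 6" or "not 5 any"
            mode, value, *rest = arg.split()
            if mode not in ("match", "not") or not 0 <= int(value) <= 63:
                raise ValueError("tcp-flags takes match|not and a value from 0 to 63")
            self.criteria[kind] = (mode, int(value), rest == ["any"])
        elif kind == "fragment-type":                         # "match fragment"
            mode, ftype = arg.split()
            self.criteria[kind] = (mode, ftype)
        else:
            raise ValueError(f"unknown criterion type {kind}")
        return self

    def matches(self, pkt: dict) -> bool:
        # AND across criterion types; each _match_one ORs within its own type.
        return all(self._match_one(k, c, pkt) for k, c in self.criteria.items())

    @staticmethod
    def _match_one(kind: str, crit, pkt: dict) -> bool:
        if kind in ("destination-ip", "source-ip"):
            return ip_address(pkt["dst" if kind == "destination-ip" else "src"]) in crit
        if kind == "port":   # RFC 5575 port component: either source or destination port
            return any(in_ranges(pkt[f], crit) for f in ("sport", "dport") if f in pkt)
        if kind == "tcp-flags":
            mode, value, any_bits = crit
            flags = pkt.get("tcp_flags")
            if flags is None:
                return False
            hit = (flags & value) == value if any_bits else flags == value
            return hit != (mode == "not")                 # `not` negates the result
        if kind == "fragment-type":
            mode, ftype = crit
            frag = pkt.get("frag")                        # None, "first" or "more" (constructed)
            hit = {"fragment": frag is not None, "non-fragment": frag is None,
                   "fragment-spe-first": frag == "first"}[ftype]
            return hit != (mode == "not")
        fld = {"protocol": "proto", "destination-port": "dport", "source-port": "sport",
               "icmp-type": "icmp_type", "icmp-code": "icmp_code", "dscp": "dscp"}[kind]
        return fld in pkt and in_ranges(pkt[fld], crit)


def first_match(routes: List[FlowRoute], pkt: dict) -> str:
    """Name of the first matching rule, or '' (matching stops at the first hit)."""
    return next((r.name for r in routes if r.matches(pkt)), "")


def demo() -> Dict[str, bool]:
    # Constructed rule: TCP SYN (flag bit value 2) to port 80 or 443 in 192.168.100.0/24.
    route1 = (FlowRoute("route1")
              .if_match("destination-ip", "192.168.100.1 24")
              .if_match("protocol", "tcp")
              .if_match("destination-port", "80 443")
              .if_match("tcp-flags", "match 2 any"))
    syn = {"src": "10.0.0.1", "dst": "192.168.100.7", "proto": 6,
           "sport": 40000, "dport": 443, "tcp_flags": 0b000010}
    return {"syn_to_443": route1.matches(syn),                      # every type matches
            "ack_to_443": route1.matches(dict(syn, tcp_flags=0b010000)),  # tcp-flags fails
            "other_net": route1.matches(dict(syn, dst="192.168.101.7")),  # destination-ip fails
            "syn_to_80": route1.matches(dict(syn, dport=80))}       # OR within destination-port
```

A rule with several criterion types is therefore narrower than any single type alone, while adding items to one type's list only widens that type; the mutual-exclusivity check rejects the port/source-port combination at configuration time, as the device does.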
Examples
# Configure Flowspec rule route1 to match packets with destination IPv4 address 192.168.100.1/24.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match destination-ip 192.168.100.1 24
# Configure Flowspec rule route1 to match packets with destination port number 80.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match destination-port 80
# Configure Flowspec rule route1 to match packets with DSCP value af11.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match dscp af11
# Configure Flowspec rule route1 to match all fragmented packets.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match fragment-type match fragment
# Configure Flowspec rule route1 to match packets with ICMP code 0.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match icmp-code 0
# Configure Flowspec rule route1 to match packets with ICMP type 1.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match icmp-type 1
# Configure Flowspec rule route1 to match packets with both the source and destination port numbers as 80.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match port 80
# Configure Flowspec rule route1 to match ICMP packets.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match protocol icmp
# Configure Flowspec rule route1 to match packets with source IPv4 address 192.168.100.1/24.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match source-ip 192.168.100.1 24
# Configure Flowspec rule route1 to match packets with source port number 23.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match source-port 23
# Configure Flowspec rule route1 to match packets with TCP flag 6.
<Sysname> system-view
[Sysname] flow-route route1
[Sysname-flow-route-route1] if-match tcp-flags match 6
peer next-hop-invariable
Use peer next-hop-invariable to configure the device to leave the next hop of routes unchanged when it advertises them to EBGP peers.
Use undo peer next-hop-invariable to restore the default.
Syntax
peer { group-name | ipv4-address [ mask-length ] } next-hop-invariable
undo peer { group-name | ipv4-address [ mask-length ] } next-hop-invariable
Default
The device uses its IP address as the next hop of routes advertised to EBGP peers.
Views
BGP IPv4 Flowspec address family view
BGP-VPN IPv4 Flowspec address family view
BGP VPNv4 Flowspec address family view
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters.
ipv4-address: Specifies a peer by its IP address.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a subnet, the device does not change the next hop of routes advertised to the dynamic peers in the subnet.
Usage guidelines
If you configure a redirection action in a Flowspec rule and also want EBGP peers to apply that redirection action, configure this command. It makes the device keep the next hop specified in the apply redirect command in the routes it advertises to EBGP peers, instead of replacing it with its own IP address.
Examples
# Configure the device to leave the next hop of routes advertised to peer 1.1.1.1 unchanged.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family vpnv4 flowspec
[Sysname-bgp-default-vpnv4-flowspec] peer 1.1.1.1 next-hop-invariable
peer reflect-client
Use peer reflect-client to configure the device as a route reflector and specify a peer or peer group as a client.
Use undo peer reflect-client to remove the configuration.
Syntax
peer { group-name | ipv4-address [ mask-length ] } reflect-client
undo peer { group-name | ipv4-address [ mask-length ] } reflect-client
Default
Neither the route reflector nor the client is configured.
Views
BGP IPv4 Flowspec address family view
BGP-VPN IPv4 Flowspec address family view
BGP VPNv4 Flowspec address family view
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.
ipv4-address: Specifies a peer by its IPv4 address. The peer must have been created.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a subnet, this command configures the device as a route reflector and specifies all dynamic peers in the subnet as clients.
Usage guidelines
Route reflectors reduce the number of IBGP connections required in an AS. One router acts as the route reflector and the other routers act as clients that connect only to the route reflector. The route reflector forwards the routing information received from a client to the other clients, so all clients receive routing information from one another without establishing full-mesh BGP sessions.
Examples
# In BGP IPv4 Flowspec address family view, configure the local device as a route reflector and specify IBGP peer group test as a client.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv4 flowspec
[Sysname-bgp-default-ipv4-flowspec] peer test reflect-client
peer validation-disable
Use peer validation-disable to disable validation of Flowspec rules from BGP Flowspec peers.
Use undo peer validation-disable to enable this function.
Syntax
peer { group-name | ip-address [ mask-length ] } validation-disable
undo peer { group-name | ip-address [ mask-length ] } validation-disable
Default
Flowspec rules from BGP Flowspec peers are validated.
Views
BGP IPv4 Flowspec address family view
BGP-VPN IPv4 Flowspec address family view
Predefined user roles
network-admin
Parameters
group-name: Specifies an existing peer group by its name, a case-sensitive string of 1 to 47 characters.
ip-address: Specifies an existing peer by its IP address.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ip-address and mask-length arguments together to specify a subnet. If you specify a subnet, this command applies to all dynamic peers in the subnet.
Usage guidelines
When the device receives a Flowspec rule with a destination IP address match criterion, it looks up the destination IP address in the routing table to find the best unicast route. The validation succeeds only if both of the following conditions are met:
· The best unicast route is a BGP route.
· The BGP route was received from the same peer that sent the Flowspec rule.
To accept Flowspec rules whose destination IP address match criterion cannot pass this validation, disable the validation for the peer.
Examples
# Disable validation of Flowspec rules from BGP Flowspec peer 1.1.1.1.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv4 flowspec
[Sysname-bgp-default-ipv4-flowspec] peer 1.1.1.1 validation-disable
peer validation-redirect-disable
Use peer validation-redirect-disable to disable validation of the redirection next hops in Flowspec rules from BGP Flowspec peers.
Use undo peer validation-redirect-disable to enable this function.
Syntax
peer { group-name | ip-address [ mask-length ] } validation-redirect-disable
undo peer { group-name | ip-address [ mask-length ] } validation-redirect-disable
Default
The redirection next hops in Flowspec rules from BGP Flowspec peers are validated.
Views
BGP IPv4 Flowspec address family view
BGP-VPN IPv4 Flowspec address family view
Predefined user roles
network-admin
Parameters
group-name: Specifies an existing peer group by its name, a case-sensitive string of 1 to 47 characters.
ip-address: Specifies an existing peer by its IP address.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ip-address and mask-length arguments together to specify a subnet. If you specify a subnet, this command applies to all dynamic peers in the subnet.
Usage guidelines
When the device receives a Flowspec rule with a redirect-to-nexthop action, it looks up the next hop IP address in the routing table to find the best unicast route. The validation succeeds only if both of the following conditions are met:
· The best unicast route is a BGP route.
· The first AS number in the AS path of that route is the same as the AS number of the BGP peer that sent the Flowspec rule.
To redirect packets to a next hop that cannot pass this validation, disable the validation for the peer.
Only EBGP peers support this command.
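The following is an added example, not code from the H3C command reference, that implements the two checks described under peer validation-disable and peer validation-redirect-disable against a constructed unicast routing table: the destination check requires the best route to the rule's destination prefix to be a BGP route from the sending peer, and the redirect check requires the best route to the redirect next hop to be a BGP route whose first AS equals the sending peer's AS. Route entries, peer addresses, AS numbers, the Route/Peer classes and the helper names are all constructed for the example; the per-peer flags model the undo forms of the two commands (validation on by default).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One best unicast route in the constructed RIB."""
    prefix: IPv4Network
    protocol: str                # "bgp", "ospf", "static", ...
    sender: Optional[str]        # BGP peer the route was learned from (None if not BGP)
    as_path: Tuple[int, ...] = ()


@dataclass(frozen=True)
class Peer:
    address: str
    asn: int
    validate_dest: bool = True       # False models `peer ... validation-disable`
    validate_redirect: bool = True   # False models `peer ... validation-redirect-disable`


def best_route(rib: List[Route], addr: IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the RIB (one best route per prefix)."""
    cands = [r for r in rib if addr in r.prefix]
    return max(cands, key=lambda r: r.prefix.prefixlen) if cands else None


def dest_valid(rib: List[Route], peer: Peer, dest_prefix: str) -> bool:
    """Destination check: best route must be a BGP route from the same sender."""
    if not peer.validate_dest:
        return True
    best = best_route(rib, ip_network(dest_prefix).network_address)
    return best is not None and best.protocol == "bgp" and best.sender == peer.address


def redirect_valid(rib: List[Route], peer: Peer, next_hop: str) -> bool:
    """Redirect check: best route to the next hop must be BGP with first AS == peer AS."""
    if not peer.validate_redirect:
        return True
    best = best_route(rib, ip_address(next_hop))
    return (best is not None and best.protocol == "bgp"
            and len(best.as_path) > 0 and best.as_path[0] == peer.asn)


def accept_rule(rib: List[Route], peer: Peer, dest_prefix: str,
                redirect_next_hop: Optional[str] = None) -> Tuple[bool, str]:
    """Apply both checks to a received rule; returns (accepted, reason)."""
    if not dest_valid(rib, peer, dest_prefix):
        return False, "destination prefix failed validation"
    if redirect_next_hop is not None and not redirect_valid(rib, peer, redirect_next_hop):
        return False, "redirect next hop failed validation"
    return True, "accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    # Constructed RIB: two BGP prefixes from different peers, one IGP prefix, a static default.
    rib = [
        Route(ip_network("192.168.100.0/24"), "bgp", "1.1.1.1", (65001,)),
        Route(ip_network("10.10.0.0/16"), "bgp", "2.2.2.2", (65002, 65010)),
        Route(ip_network("172.16.0.0/12"), "ospf", None),
        Route(ip_network("0.0.0.0/0"), "static", None),
    ]
    p1 = Peer("1.1.1.1", 65001)
    p2 = Peer("2.2.2.2", 65002)
    p1_no_redirect_check = Peer("1.1.1.1", 65001, validate_redirect=False)
    return {
        # p1 originates 192.168.100.0/24, so it may install rules for it.
        "own_prefix": accept_rule(rib, p1, "192.168.100.0/24"),
        # 10.10.0.0/16 was learned from p2, so a rule from p1 for it is rejected.
        "other_peers_prefix": accept_rule(rib, p1, "10.10.0.0/16"),
        # Best route is OSPF, not BGP: rejected.
        "igp_prefix": accept_rule(rib, p1, "172.16.5.0/24"),
        # Next hop 10.10.1.1 is reached via a route whose first AS is 65002 == p2's AS.
        "redirect_ok": accept_rule(rib, p2, "10.10.0.0/16", "10.10.1.1"),
        # Same next hop offered by p1 (AS 65001): first AS 65002 != 65001, rejected.
        "redirect_foreign": accept_rule(rib, p1, "192.168.100.0/24", "10.10.1.1"),
        # With validation-redirect-disable on p1 the same rule is accepted.
        "redirect_disabled": accept_rule(rib, p1_no_redirect_check, "192.168.100.0/24", "10.10.1.1"),
    }
```

The last two entries of demo() show what the disable commands change: a rule that redirects traffic into another AS's path is rejected by default and accepted only once validation-redirect-disable is configured for that peer, so disabling either validation is a per-peer trust decision rather than a global setting.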
Examples
# Disable validation of the redirection next hops in Flowspec rules from BGP Flowspec peer 1.1.1.1.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv4 flowspec
[Sysname-bgp-default-ipv4-flowspec] peer 1.1.1.1 validation-redirect-disable