12-ACL and QoS Command Reference

06-Flowspec commands

Contents

Flowspec commands
address-family ipv4
address-family ipv4 flowspec (BGP instance view)
address-family ipv4 flowspec (BGP-VPN instance view)
address-family ipv4 flowspec (VPN instance view)
address-family ipv6
address-family ipv6 flowspec (BGP instance view)
address-family ipv6 flowspec (BGP-VPN instance view)
address-family ipv6 flowspec (VPN instance view)
address-family vpnv4 flowspec
address-family vpnv6 flowspec
apply
check flow-route-configuration
commit
description (Flowspec interface group view)
display bgp group flowspec
display bgp routing-table ipv4 flowspec
display bgp routing-table ipv6 flowspec
display bgp routing-table vpnv4 flowspec
display bgp routing-table vpnv6 flowspec
display flow-route
display flowspec flow-interface-group
display flowspec statistics
flow-route ipv6
flow-route (system view)
flow-route (Flowspec IPv4 address family view, Flowspec IPv6 address family view)
flow-route flow-interface-group
flowspec
flowspec flow-interface-group
flowspec disable
flowspec refluence
if-match
interface (Flowspec interface group view)
peer next-hop-invariable
peer redirect ip rfc-compatible
peer redirect rt rfc-compatible
peer redirect-nexthop
peer reflect-client
peer validation-disable
peer validation-redirect-disable
policy vpn-target
redirect ip recursive-lookup tunnel
reflect between-clients
reflector cluster-id
reset flowspec statistics
route-distinguisher
route match-destination
route validation-mode include-as
vpn-target


Flowspec commands

address-family ipv4

Use address-family ipv4 to create a Flowspec IPv4 address family, or enter the view of an existing Flowspec IPv4 address family.

Use undo address-family ipv4 to delete a Flowspec IPv4 address family and all its settings.

Syntax

address-family ipv4 [ vpn-instance vpn-instance-name ]

undo address-family ipv4 [ vpn-instance vpn-instance-name ]

Default

No Flowspec IPv4 address family exists.

Views

Flowspec view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Creates the Flowspec IPv4 address family for an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To create a Flowspec IPv4 address family for the public network, do not specify this option.

Examples

# Create a Flowspec IPv4 address family for the public network and enter its view.

<Sysname> system-view

[Sysname] flowspec

[Sysname-flowspec] address-family ipv4

[Sysname-flowspec-ipv4]

address-family ipv4 flowspec (BGP instance view)

Use address-family ipv4 flowspec to create a BGP IPv4 Flowspec address family, or enter the view of an existing BGP IPv4 Flowspec address family.

Use undo address-family ipv4 flowspec to delete a BGP IPv4 Flowspec address family and all its settings.

Syntax

address-family ipv4 flowspec

undo address-family ipv4 flowspec

Default

No BGP IPv4 Flowspec address family exists.

Views

BGP instance view

Predefined user roles

network-admin

Usage guidelines

The settings in the view of a BGP IPv4 Flowspec address family take effect only on routes and peers of the BGP IPv4 Flowspec address family.

Examples

# Create a BGP IPv4 Flowspec address family and enter its view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-ipv4-flowspec]

address-family ipv4 flowspec (BGP-VPN instance view)

Use address-family ipv4 flowspec to create a BGP-VPN IPv4 Flowspec address family, or enter the view of an existing BGP-VPN IPv4 Flowspec address family.

Use undo address-family ipv4 flowspec to delete a BGP-VPN IPv4 Flowspec address family and all its settings.

Syntax

address-family ipv4 flowspec

undo address-family ipv4 flowspec

Default

No BGP-VPN IPv4 Flowspec address family exists.

Views

BGP-VPN instance view

Predefined user roles

network-admin

Usage guidelines

The settings in the view of a BGP-VPN IPv4 Flowspec address family take effect only on routes and peers of the BGP-VPN IPv4 Flowspec address family.

Examples

# Create a BGP-VPN IPv4 Flowspec address family and enter its view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] ip vpn-instance vpn1

[Sysname-bgp-default-vpn1] address-family ipv4 flowspec

[Sysname-bgp-default-flowspec-ipv4-vpn1]

address-family ipv4 flowspec (VPN instance view)

Use address-family ipv4 flowspec to enter the IPv4 Flowspec address family view of a VPN instance.

Use undo address-family ipv4 flowspec to delete all settings in the IPv4 Flowspec address family view of a VPN instance.

Syntax

address-family ipv4 flowspec

undo address-family ipv4 flowspec

Views

VPN instance view

Predefined user roles

network-admin

Usage guidelines

You can configure IPv4 Flowspec parameters in the IPv4 Flowspec address family view of a VPN instance. For example, you can configure route targets for a VPN instance.

Examples

# Enter the IPv4 Flowspec address family view of a VPN instance.

<Sysname> system-view

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1] address-family ipv4 flowspec

[Sysname-vpn-flowspec-ipv4-vpn1]

address-family ipv6

Use address-family ipv6 to create a Flowspec IPv6 address family, or enter the view of an existing Flowspec IPv6 address family.

Use undo address-family ipv6 to delete a Flowspec IPv6 address family and all its settings.

Syntax

address-family ipv6 [ vpn-instance vpn-instance-name ]

undo address-family ipv6 [ vpn-instance vpn-instance-name ]

Default

No Flowspec IPv6 address family exists.

Views

Flowspec view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Creates the Flowspec IPv6 address family for an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To create a Flowspec IPv6 address family for the public network, do not specify this option.

Examples

# Create a Flowspec IPv6 address family for the public network and enter its view.

<Sysname> system-view

[Sysname] flowspec

[Sysname-flowspec] address-family ipv6

[Sysname-flowspec-ipv6]

address-family ipv6 flowspec (BGP instance view)

Use address-family ipv6 flowspec to create a BGP IPv6 Flowspec address family, or enter the view of an existing BGP IPv6 Flowspec address family.

Use undo address-family ipv6 flowspec to delete a BGP IPv6 Flowspec address family and all its settings.

Syntax

address-family ipv6 flowspec

undo address-family ipv6 flowspec

Default

No BGP IPv6 Flowspec address family exists.

Views

BGP instance view

Predefined user roles

network-admin

Usage guidelines

The settings in the view of a BGP IPv6 Flowspec address family take effect only on routes and peers of the BGP IPv6 Flowspec address family.

Examples

# Create a BGP IPv6 Flowspec address family and enter its view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 flowspec

[Sysname-bgp-default-ipv6-flowspec]

address-family ipv6 flowspec (BGP-VPN instance view)

Use address-family ipv6 flowspec to create a BGP-VPN IPv6 Flowspec address family, or enter the view of an existing BGP-VPN IPv6 Flowspec address family.

Use undo address-family ipv6 flowspec to delete a BGP-VPN IPv6 Flowspec address family and all its settings.

Syntax

address-family ipv6 flowspec

undo address-family ipv6 flowspec

Default

No BGP-VPN IPv6 Flowspec address family exists.

Views

BGP-VPN instance view

Predefined user roles

network-admin

Usage guidelines

The settings in the view of a BGP-VPN IPv6 Flowspec address family take effect only on routes and peers of the BGP-VPN IPv6 Flowspec address family.

Examples

# Create a BGP-VPN IPv6 Flowspec address family and enter its view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] ip vpn-instance vpn1

[Sysname-bgp-default-vpn1] address-family ipv6 flowspec

[Sysname-bgp-default-flowspec-ipv6-vpn1]

Related commands

bgp (Layer 3—IP Routing Command Reference)

ip vpn-instance (MPLS Command Reference)

address-family ipv6 flowspec (VPN instance view)

Use address-family ipv6 flowspec to enter the IPv6 Flowspec address family view of a VPN instance.

Use undo address-family ipv6 flowspec to delete all settings in the IPv6 Flowspec address family view of a VPN instance.

Syntax

address-family ipv6 flowspec

undo address-family ipv6 flowspec

Views

VPN instance view

Predefined user roles

network-admin

Usage guidelines

You can configure IPv6 Flowspec parameters in the IPv6 Flowspec VPN address family view of a VPN instance. For example, you can configure route targets for a VPN instance.

Examples

# Enter the IPv6 Flowspec VPN address family view of a VPN instance.

<Sysname> system-view

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1] address-family ipv6 flowspec

[Sysname-vpn-flowspec-ipv6-vpn1]

Related commands

ip vpn-instance (MPLS Command Reference)

address-family vpnv4 flowspec

Use address-family vpnv4 flowspec to create a BGP VPNv4 Flowspec address family, or enter the view of an existing BGP VPNv4 Flowspec address family.

Use undo address-family vpnv4 flowspec to delete a BGP VPNv4 Flowspec address family and all its settings.

Syntax

address-family vpnv4 flowspec

undo address-family vpnv4 flowspec

Default

No BGP VPNv4 Flowspec address family exists.

Views

BGP instance view

Predefined user roles

network-admin

Examples

# Create a BGP VPNv4 Flowspec address family and enter its view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family vpnv4 flowspec

[Sysname-bgp-default-vpnv4-flowspec]

address-family vpnv6 flowspec

Use address-family vpnv6 flowspec to create a BGP VPNv6 Flowspec address family, or enter the view of an existing BGP VPNv6 Flowspec address family.

Use undo address-family vpnv6 flowspec to delete a BGP VPNv6 Flowspec address family and all its settings.

Syntax

address-family vpnv6 flowspec

undo address-family vpnv6 flowspec

Default

No BGP VPNv6 Flowspec address family exists.

Views

BGP instance view

Predefined user roles

network-admin

Examples

# Create a BGP VPNv6 Flowspec address family and enter its view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family vpnv6 flowspec

[Sysname-bgp-default-vpnv6-flowspec]

Related commands

bgp (Layer 3—IP Routing Command Reference)

apply

Use apply to apply an action to matching traffic in a Flowspec rule.

Use undo apply to remove an action from a Flowspec rule.

Syntax

apply action

undo apply action

Default

No action is applied in a Flowspec rule.

Views

IPv4 Flowspec rule view

IPv6 Flowspec rule view

Predefined user roles

network-admin

Parameters

action: Specifies an action. Table 1 shows available actions.

Table 1 Available actions

Action
    Description

deny
    Drops packets.

redirect next-hop { ipv4-address | ipv6-address } [ copy-mode ]
    Redirects packets to a next hop:
    ·     ipv4-address: Specifies the IPv4 address of the next hop.
    ·     ipv6-address: Specifies the IPv6 address of the next hop.
    ·     copy-mode: Redirects copies of the packets.

redirect next-hop { ipv4-address color color | ipv6-address color color [ sid sid-value ] }
    Redirects packets to an SR-MPLS TE policy or SRv6 TE policy:
    ·     ipv4-address: Specifies the destination node address of the SR-MPLS TE policy.
    ·     ipv6-address: Specifies the destination node address of the SRv6 TE policy.
    ·     color color: Specifies the color attribute of the SR-MPLS TE policy, in the format of CO (color-only) flag:color attribute value. The value range for the CO flag is 00 to 11.
    ·     sid sid-value: Specifies the SRv6 SID of the egress node. The device adds the SRv6 SID to the SRH header and places it after the SID list. After the packets are forwarded to the egress node, the egress node takes the forwarding action based on the SRv6 SID.
    For more information about SR-MPLS TE policies or SRv6 TE policies, see Segment Routing Configuration Guide.

redirect next-hop ipv6-address sid sid-value [ prefix-length prefix-length ]
    Redirects packets to an SRv6 BE tunnel:
    ·     ipv6-address: Specifies the destination node address of the SRv6 BE tunnel.
    ·     sid sid-value: Specifies the SRv6 SID of the SRv6 BE tunnel. The device performs an AND operation on the SRv6 SID and the prefix length to obtain the subnet address of the locator. Then, the device uses the subnet address of the locator to recurse to the SRv6 BE tunnel for packet forwarding. The device uses the subnet address of the locator as the destination address in the new IPv6 basic header and encapsulates the SRH header.
    ·     prefix-length prefix-length: Specifies the locator prefix length of the SID, in the range of 32 to 120.
    For more information about SRv6, see Segment Routing Configuration Guide.

redirect tunnel-id tunnel-id
    Redirects packets to a tunnel interface:
    tunnel-id: Specifies a tunnel interface by its number. The value range for the tunnel-id argument is 0 to 4294967295. Only the MPLS TE tunnel is supported. For more information about tunnel interfaces, see tunneling configuration in Layer 3—IP Services Configuration Guide.

redirect vpn-target import-vpn-target
    Redirects packets to a route target.
    The import-vpn-target argument specifies a route target, a string of 3 to 21 characters. A route target can be indicated in one of the following formats:
    ·     16-bit AS number:32-bit user-defined number, for example, 100:3.
    ·     32-bit IP address:16-bit user-defined number, for example, 192.168.122.15:1.
    ·     32-bit AS number:16-bit user-defined number, for example, 65536:1. The smallest AS number is 65536.

remark-dscp dscp-value
    Marks the DSCP value for packets.
    The dscp-value argument specifies a DSCP value, which can be a number from 0 to 63 or a keyword in Table 2.

traffic-rate rate
    Limits the rate of packets.
    The rate argument specifies the traffic rate in the range of 1 to 100000000 kbps.

traffic-sampling
    Samples packets. The sampling rate is 0.1%.

Table 2 DSCP keywords and values

Keyword   DSCP value (binary)   DSCP value (decimal)
default   000000                0
af11      001010                10
af12      001100                12
af13      001110                14
af21      010010                18
af22      010100                20
af23      010110                22
af31      011010                26
af32      011100                28
af33      011110                30
af41      100010                34
af42      100100                36
af43      100110                38
cs1       001000                8
cs2       010000                16
cs3       011000                24
cs4       100000                32
cs5       101000                40
cs6       110000                48
cs7       111000                56
ef        101110                46

Usage guidelines

If you execute this command multiple times with the same type of action in a Flowspec rule, the most recent configuration takes effect.

The relationship among different action types in a Flowspec rule is logical AND.

If both actions of redirecting to a VPN instance and redirecting to a tunnel interface are configured, only the action of redirecting to the VPN instance takes effect.

If both actions of redirecting to a tunnel interface and redirecting to a next hop are configured, only the action of redirecting to the VPN instance takes effect.

The action of redirecting to a next hop is mutually exclusive with the action of redirecting to a tunnel interface. If both actions are configured, neither action takes effect.

For successful traffic redirection, make sure the next hop IP address is reachable. The redirection feature periodically looks up the routing table to verify the reachability of the next hop IP address. If the next hop IP address is detected unreachable, traffic redirection to a next hop is no longer in effect.

You can only redirect traffic to the public network by redirecting the traffic to an SR-MPLS TE policy.

You can redirect traffic to the public network or a VPN instance by redirecting the traffic to an SRv6 TE policy. If you do not specify the { sid | vpnsid } sid option, traffic is redirected to the public network.

·     To redirect traffic to a VPN instance by using an SRv6 TE policy, you must specify the sid sid-value option and make sure the SID Function type is End.DT4/End.DT6/End.DT46/End.DX4/End.DX6. For more information about Function types, see SRv6 configuration in Segment Routing Configuration Guide.

·     To redirect traffic to the public network by using an SRv6 TE policy, you can optionally specify the sid sid-value option and make sure the SID Function type is a public network SID. For more information about Function types, see SRv6 configuration in Segment Routing Configuration Guide.

A traffic sampling action must work with NetStream. You must enable NetStream and specify a destination host for NetStream data export. Matching packets in a Flowspec rule are sampled and sent to the NetStream module. The NetStream module sends them to a remote collector for analysis. For more information about NetStream and IPv6 NetStream, see Network Management and Monitoring Configuration Guide.

Examples

# Apply a deny action in an IPv4 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 23

[Sysname-flow-route-route1] apply deny

# Apply a redirection action in an IPv4 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 23

[Sysname-flow-route-route1] apply redirect vpn-target 4:4

# Apply an action of marking DSCP value af11 for packets in an IPv4 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 23

[Sysname-flow-route-route1] apply remark-dscp af11

# Apply an action of limiting the traffic rate to 419200 kbps in an IPv4 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 23

[Sysname-flow-route-route1] apply traffic-rate 419200

# Apply a deny action in an IPv6 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1] if-match port 23

[Sysname-flow-route-ipv6-route1] apply deny

# Apply a redirection action in an IPv6 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1] if-match port 23

[Sysname-flow-route-ipv6-route1] apply redirect vpn-target 4:4

# Apply an action of redirecting traffic to an SR-MPLS TE policy in an IPv4 Flowspec rule: The destination node address is 192.168.45.45, and the color attribute is 01:1.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] apply redirect next-hop 192.168.45.45 color 01:1

# Apply an action of redirecting traffic to an SRv6 TE policy in an IPv6 Flowspec rule: The destination node address is 2::2, the color attribute is 11:2, and the SRv6 SID of the egress node is 2::3.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1] apply redirect next-hop 2::2 color 11:2 sid 2::3

# Apply an action of sampling packets in an IPv4 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 23

[Sysname-flow-route-route1] apply traffic-sampling

# Apply an action of redirecting packets to a tunnel interface in an IPv4 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 23

[Sysname-flow-route-route1] apply redirect tunnel-id 10

Related commands

flow-route (system view)

flow-route ipv6 (system view)
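
The following Python sketch is an added example, not part of the H3C reference: it checks apply lines offline against the syntax and value ranges in Table 1 and Table 2 before they are typed on a device, and derives the SRv6 BE locator subnet from the SID and prefix length. The function names are hypothetical, and reading the CO flag range "00 to 11" as the four two-bit values is an assumption.

```python
import ipaddress

# Table 2 of this page, generated: csN = 8N, afCD = 8C + 2D.
DSCP = {"default": 0, "ef": 46, **{f"cs{n}": 8 * n for n in range(1, 8)},
        **{f"af{c}{d}": 8 * c + 2 * d for c in range(1, 5) for d in range(1, 4)}}
# Option orders that Table 1 allows after "redirect next-hop <address>".
NEXT_HOP_OPTIONS = (["color"], ["color", "sid"], ["sid"], ["sid", "prefix-length"])


def _num(text, low, high, what):
    """Parse a decimal argument and enforce the documented range."""
    if not (text.isascii() and text.isdigit() and low <= int(text) <= high):
        raise ValueError(f"{what} must be {low} to {high}, got {text!r}")
    return int(text)


def route_target_format(rt):
    """Name the Table 1 route target format that rt uses, or raise ValueError."""
    left, sep, right = rt.rpartition(":")
    if not (3 <= len(rt) <= 21 and sep):
        raise ValueError(f"route target must be 3 to 21 characters, got {rt!r}")
    if "." in left:
        ipaddress.IPv4Address(left)  # raises ValueError on a malformed address
        _num(right, 0, 0xFFFF, "user-defined number")
        return "ip:16"
    if _num(left, 0, 0xFFFFFFFF, "AS number") <= 0xFFFF:
        _num(right, 0, 0xFFFFFFFF, "user-defined number")
        return "as16:32"
    _num(right, 0, 0xFFFF, "user-defined number")
    return "as32:16"


def _next_hop(addr, rest):
    """Validate the three 'redirect next-hop' forms of Table 1."""
    hop = ipaddress.ip_address(addr)
    if rest in ([], ["copy-mode"]):
        return {"type": "redirect-next-hop", "copy": bool(rest)}
    keys = rest[0::2]
    if len(rest) % 2 or keys not in NEXT_HOP_OPTIONS:
        raise ValueError(f"unsupported next-hop options: {' '.join(rest)}")
    if hop.version == 4 and keys != ["color"]:
        raise ValueError("an IPv4 next hop accepts only the color option")
    opts = dict(zip(keys, rest[1::2]))
    out = {"sid": str(ipaddress.IPv6Address(opts["sid"]))} if "sid" in opts else {}
    if "color" in opts:
        co, _, value = opts["color"].partition(":")
        # Assumption: "00 to 11" means the four two-bit CO values; the page
        # gives no range for the color value, so only its digits are checked.
        if co not in ("00", "01", "10", "11") or not (value.isascii() and value.isdigit()):
            raise ValueError(f"color must be CO-flag:value, got {opts['color']!r}")
        kind = "sr-mpls-te-policy" if hop.version == 4 else "srv6-te-policy"
        return {"type": kind, "color": opts["color"], **out}
    out["type"] = "srv6-be"
    if "prefix-length" in opts:
        plen = _num(opts["prefix-length"], 32, 120, "prefix-length")
        # SID AND prefix mask gives the locator subnet the device recurses on.
        sid = int(ipaddress.IPv6Address(out["sid"]))
        out["locator"] = str(ipaddress.IPv6Network((sid, plen), strict=False))
    return out


def check_apply(line):
    """Validate one 'apply ...' line against Table 1; return the parsed action."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "apply":
        raise ValueError(f"not an apply command: {line!r}")
    arg = tok[1:]
    if arg in (["deny"], ["traffic-sampling"]):
        return {"type": arg[0]}
    if arg[0] == "traffic-rate" and len(arg) == 2:
        return {"type": "traffic-rate", "kbps": _num(arg[1], 1, 100000000, "rate")}
    if arg[0] == "remark-dscp" and len(arg) == 2:
        value = DSCP[arg[1]] if arg[1] in DSCP else _num(arg[1], 0, 63, "DSCP value")
        return {"type": "remark-dscp", "dscp": value}
    if arg[:2] == ["redirect", "tunnel-id"] and len(arg) == 3:
        return {"type": "redirect-tunnel", "id": _num(arg[2], 0, 4294967295, "tunnel-id")}
    if arg[:2] == ["redirect", "vpn-target"] and len(arg) == 3:
        return {"type": "redirect-vpn-target", "format": route_target_format(arg[2])}
    if arg[:2] == ["redirect", "next-hop"] and len(arg) >= 3:
        return _next_hop(arg[2], arg[3:])
    raise ValueError(f"unknown or incomplete action: {line!r}")


def lint(lines):
    """Return (line, reason) for every line that check_apply rejects."""
    problems = []
    for line in lines:
        try:
            check_apply(line)
        except ValueError as exc:
            problems.append((line, str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed sample: the first line is from this page, the rest are out of range.
    for item in lint(["apply traffic-rate 419200", "apply traffic-rate 0",
                      "apply remark-dscp 64"]):
        print(item)
```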

check flow-route-configuration

Use check flow-route-configuration to display uncommitted match criteria and actions in a Flowspec rule.

Syntax

check flow-route-configuration

Views

IPv4 Flowspec rule view

IPv6 Flowspec rule view

Predefined user roles

network-admin

Usage guidelines

If you configure match criteria and actions for the first time in a Flowspec rule and do not commit them, this command displays all uncommitted match criteria and actions.

If some match criteria and actions are committed and others are not committed in a Flowspec rule, this command displays all match criteria and actions, including those that are committed. To display the committed match criteria and actions of a Flowspec rule, use the display this command in Flowspec rule view.

Examples

# Display uncommitted match criteria and actions in an IPv4 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] check flow-route-configuration

Traffic filtering rules:

Destination IP   : 1.1.0.0 255.255.0.0

Destination port : 23

DSCP             : 24

Fragment type    : match fragment

ICMP code        : 8

ICMP type        : 10

Packet length    : 150

Protocol         : 2

Source IP        : 1.1.0.0 255.255.0.0

Source port      : 238 to 240 550

TCP flags        : match 23

Traffic filtering actions:

Traffic rate                : 1000(kbps)

Traffic sampling

DSCP marking                : 56

Redirecting to VPN target   : 100:1

Redirect SR-TE policy:

  Nexthop: 2.2.2.3

  Color  : 00:56874

Redirect SRv6 BE:

  Nexthop: 4d::56

  SID    : 5a::13

  Prefix-length  : 32

Redirect to tunnel id     : 10

# Display uncommitted match criteria and actions in an IPv6 Flowspec rule.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1] check flow-route-configuration

Traffic filtering rules:

Destination IPv6 : 88:11:11::/123

Destination port : 23

DSCP             : 24

Fragment type    : match fragment

ICMP code        : 8

ICMP type        : 10

Packet length    : 150

Next header      : 2

Source IPv6      : 11:33::/76

Source port      : 238 to 240 550

TCP flags        : match 23

Flow label       : 100

Traffic filtering actions:

Traffic rate                : 1000(kbps)

Traffic sampling

DSCP marking                : 56

Redirecting to VPN target   : 100:1

Redirect SRv6-TE policy:

  Nexthop: 4d::56

  Color  : 00:156879

  SID    : 5a::13

Redirect SRv6 BE:

  Nexthop: 4d::56

  SID    : 5a::13

  Prefix-length  : 32

Redirect to tunnel id    : 10

Table 3 Command output

Field
    Description

Traffic filtering rules
    Match criteria that are not committed.
    For more information about match criteria, see Table 4.
    If no match criteria are configured or the match criteria are committed, this field displays N/A.

Traffic filtering actions
    Actions that are not committed.
    For more information about actions, see Table 5.
    If no actions are configured or the actions are committed, this field displays N/A.

Table 4 Match criteria

Field
    Description

Destination IP
    Matches the destination IPv4 address.

Destination IPv6
    Matches the destination IPv6 address.

Destination port
    Matches the destination port.

DSCP
    Matches the DSCP value.

Fragment type
    Matches the fragment type:
    ·     match—Indicates that the specified fragment type is a successful match criterion.
    ·     not—Indicates that all fragment types except the specified fragment type are successful match criteria.
    ·     fragment—Matches fragmented packets.
    ·     non-fragment—Matches non-fragmented packets.
    ·     fragment-spe-first—Matches the first fragment of fragmented packets.

ICMP code
    Matches the ICMP code.

ICMP type
    Matches the ICMP type.

Packet length
    Matches the packet length (including the Layer 3 header).

Port
    Matches the source and destination ports.

Protocol
    Matches the protocol number.

Source IP
    Matches the source IPv4 address.

Source IPv6
    Matches the source IPv6 address.

Source port
    Matches the source port.

TCP flags
    Matches TCP flags.
    ·     match—Indicates that the specified TCP flags are successful match criteria.
    ·     not—Indicates that all TCP flags except the specified TCP flags are successful match criteria.

Next header
    Matches the protocol in an IPv6 next header.

Flow label
    Matches the IPv6 flow label.

Table 5 Actions

Field
    Description

Deny
    Drops packets.

Traffic rate
    Limits the traffic rate.

Traffic sampling
    Samples packets.

Redirecting to VPN target
    Redirects packets to a route target.

Redirecting to next-hop
    Redirects packets to a next hop.

DSCP marking
    Marks the DSCP value for packets.

Redirect to SR-TE policy
    Redirect traffic to an SR-MPLS TE policy.
    ·     Nexthop—Destination node address of the SR-MPLS TE policy.
    ·     Color—Color attribute of the SR-MPLS TE policy.

Redirect to SRv6-TE policy
    Redirect traffic to an SRv6 TE policy:
    ·     Nexthop—Destination node address of the SRv6 TE policy.
    ·     Color—Color attribute of the SRv6 TE policy.
    ·     SID—SRv6 SID of the egress node.

Redirect SRv6 BE
    Redirect traffic to an SRv6 BE tunnel:
    ·     Nexthop—Destination node address of the SRv6 BE tunnel.
    ·     SID—SRv6 SID of the SRv6 BE tunnel.
    ·     Prefix-length—Prefix length.

Redirect to tunnel id
    Redirect traffic to a tunnel interface.

Related commands

commit

commit

Use commit to commit match criteria and actions in a Flowspec rule.

Syntax

commit

Default

Match criteria and actions in a Flowspec rule are not committed.

Views

IPv4 Flowspec rule view

IPv6 Flowspec rule view

Predefined user roles

network-admin

Usage guidelines

Match criteria and actions in a Flowspec rule can be modified dynamically. To reduce network instability caused by dynamic modification, you must execute the commit command to make the modification in a Flowspec rule take effect.

As a best practice before executing the commit command, use the check flow-route-configuration command to display the match criteria and actions that are not committed.

Multiple Flowspec rules can be applied to a Flowspec IPv4 or IPv6 address family. However, different Flowspec rules cannot have the same committed match criteria.

Examples

# Commit match criteria and actions in IPv4 Flowspec rule route1.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 23

[Sysname-flow-route-route1] apply traffic-rate 419200

[Sysname-flow-route-route1] commit

# Commit match criteria and actions in IPv6 Flowspec rule route1.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1] if-match port 23

[Sysname-flow-route-ipv6-route1] apply traffic-rate 419200

[Sysname-flow-route-ipv6-route1] commit

Related commands

check flow-route-configuration
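
The review step recommended above (run check flow-route-configuration, then commit) can be scripted. This Python sketch is an added example, not part of the H3C reference: it parses the command's output into match criteria and actions, including the indented redirect blocks, and reports anything pending that the change request did not ask for. The names parse_check_output, review and INTENDED are hypothetical, the sample is a shortened copy of the page's IPv4 output, and the handling of N/A (on the header line or on a line of its own) is an assumption.

```python
# Section headers printed by "check flow-route-configuration" (from the page's sample).
SECTIONS = {"Traffic filtering rules": "rules", "Traffic filtering actions": "actions"}

# Shortened copy of the page's IPv4 sample output.
SAMPLE = """\
[Sysname-flow-route-route1] check flow-route-configuration
Traffic filtering rules:
Destination IP   : 1.1.0.0 255.255.0.0
Destination port : 23
Traffic filtering actions:
Traffic rate                : 1000(kbps)
Traffic sampling
DSCP marking                : 56
Redirect SRv6 BE:
  Nexthop: 4d::56
  SID    : 5a::13
  Prefix-length  : 32
Redirect to tunnel id     : 10
"""

# Hypothetical change request: rate-limit traffic to 1.1.0.0/16, port 23.
INTENDED = {
    "rules": {"Destination IP": "1.1.0.0 255.255.0.0", "Destination port": "23"},
    "actions": {"Traffic rate": "1000(kbps)"},
}


def parse_check_output(text):
    """Split the output into {'rules': {...}, 'actions': {...}}."""
    result = {"rules": {}, "actions": {}}
    section = block = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "N/A":
            continue  # blank line, or an empty section (assumed layout)
        key, sep, value = (part.strip() for part in raw.partition(":"))
        indented = raw[0].isspace()
        if key in SECTIONS and not indented:
            section, block = result[SECTIONS[key]], None
        elif section is None:
            continue  # prompt and command echo before the first section
        elif indented and block is not None:
            block[key] = value  # field of the redirect block opened above
        elif sep and not value:
            block = section[key] = {}  # e.g. "Redirect SRv6 BE:" opens a block
        else:
            block = None
            section[key] = value if sep else True  # bare line: "Traffic sampling"
    return result


def review(parsed, intended):
    """Compare the pending state with the intended change; return findings."""
    findings = []
    for part in ("rules", "actions"):
        pending, wanted = parsed[part], intended.get(part, {})
        kind = part[:-1]
        for name in sorted(set(pending) | set(wanted)):
            if name not in wanted:
                findings.append(f"unexpected {kind}: {name} = {pending[name]}")
            elif name not in pending:
                findings.append(f"missing {kind}: {name}")
            elif pending[name] != wanted[name]:
                findings.append(
                    f"{kind} {name}: pending {pending[name]}, intended {wanted[name]}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_check_output(SAMPLE), INTENDED):
        print(finding)
```

Because different action types in one rule combine with AND, every unexpected action listed here would take effect alongside the intended one after commit.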

description (Flowspec interface group view)

Use description to configure a description for a Flowspec interface group.

Use undo description to delete the description of a Flowspec interface group.

Syntax

description text

undo description

Default

No description is configured for a Flowspec interface group.

Views

Flowspec interface group view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the description as abc for Flowspec interface group 1.

<Sysname> system-view

[Sysname] flowspec flow-interface-group 1

[Sysname-flowspec-interface-group-1] description abc

Related commands

display flowspec flow-interface-group

display bgp group flowspec

Use display bgp group flowspec to display BGP peer group information.

Syntax

display bgp [ instance instance-name ] group { ipv4 | ipv6 | vpnv4 | vpnv6 } flowspec [ vpn-instance vpn-instance-name ] [ group-name group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.

ipv4: Displays IPv4 BGP peer group information.

ipv6: Displays IPv6 BGP peer group information.

vpnv4: Displays VPNv4 BGP peer group information.

vpnv6: Displays VPNv6 BGP peer group information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays the information for the public network.

group-name group-name: Specifies a BGP peer group by its name, a case-sensitive string of 1 to 47 characters. If you do not specify a group, this command displays brief information about all BGP peer groups for the specified address family.

Examples

# Display brief information about all BGP IPv4 peer groups.

<Sysname> display bgp group ipv4 flowspec

 BGP peer group: group1

 Remote AS: 600

 Authentication type configured: None

 Type: external

 Members:

  1.1.1.10

 

 BGP peer group: group2

 Remote AS number: not specified

 Type: external

 Members:

  2.2.2.2

Table 6 Command output

Field
    Description

BGP peer group
    Name of the BGP peer group.

Remote AS
    AS number of the peer group.

Authentication type configured
    Authentication mode of the peer group:
    ·     None.
    ·     MD5.
    ·     Keychain (keychain-name).

Type
    Type of the peer group:
    ·     external—EBGP peer group.
    ·     internal—IBGP peer group.

Maximum number of prefixes allowed
    Maximum number of routes allowed to learn from the peer.
    This field does not apply to BGP L2VPN.

Threshold
    Percentage of received routes from the peer to maximum routes allowed to learn from the peer. If the percentage is reached, the system generates a log message.
    This field does not apply to BGP L2VPN.

Configured hold time
    Configured hold interval in seconds.

Keepalive time
    Keepalive interval in seconds.

Minimum time between advertisements
    Minimum route advertisement interval in seconds.

Peer preferred value
    Preferred value specified for routes from the peer.
    This field does not apply to BGP L2VPN.

Site-of-Origin
    SoO for the peer group.

Routing policy configured
    Routing policy configured for the peer group.
    If you do not specify a routing policy, this field displays No routing policy is configured.
    This field does not apply to BGP L2VPN.

Members
    Information about peers included in the peer group.

* - Dynamically created peer
    An asterisk (*) before a peer address indicates that the peer is a dynamic peer.

Peer
    IPv4 or IPv6 address of the peer.

AS
    AS number of the peer.

MsgRcvd
    Number of messages received.

MsgSent
    Number of messages sent.

OutQ
    Number of messages to be sent.

PrefRcv
    For the IPv4, IPv6, VPNv4, and VPNv6 address families, this field displays the number of prefixes received from the peer.
    For MPLS L2VPN, this field displays the number of label blocks received from the peer.
    For VPLS, this field displays the total number of label blocks and VPLS PEs discovered by BGP.
    For the IPv4 flowspec address family, this field displays the number of IPv4 flowspec messages received from the peer.
    For the IPv4 MDT address family, this field displays the number of MDT messages received from the peer.

Up/Down
    Lasting time of the current BGP session state.

State
    Current state of the BGP session between the local router and the peer.

IPsec profile name
    IPsec profile applied to the IPv6 BGP peer group.

display bgp routing-table ipv4 flowspec

Use display bgp routing-table ipv4 flowspec to display BGP IPv4 Flowspec routing information.

Syntax

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | flowspec-prefix [ advertise-info ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv4 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays the information for the public network.

as-path-acl as-path-acl-number: Displays BGP IPv4 Flowspec routes that match the AS path list specified by its number in the range of 1 to 256.

as-path-acl as-path-acl-name: Displays BGP IPv4 Flowspec routes that match the AS path list specified by its name, a case-sensitive string of 1 to 51 characters. The AS path list name cannot contain only digits.

as-path-regular-expression regular-expression: Displays BGP IPv4 Flowspec routes that match the specified regular expression, a case-sensitive string of 1 to 256 characters.

flowspec-prefix: Specifies a BGP IPv4 Flowspec route and displays detailed information about it. Valid values are the strings shown in the Network field of the output that is displayed when you do not specify this argument.

verbose: Displays detailed information about BGP IPv4 Flowspec routes. If you do not specify this keyword, the command displays brief information about BGP IPv4 Flowspec routes.

advertise-info: Displays advertisement information for BGP IPv4 Flowspec routes.

peer { ipv4-address | ipv6-address }: Displays BGP IPv4 or IPv6 Flowspec routing information advertised to or received from the specified peer.

advertised-routes: Displays BGP IPv4 Flowspec routing information advertised to the specified peer.

received-routes: Displays BGP IPv4 Flowspec routing information received from the specified peer.

statistics: Displays routing statistics.

accepted-routes: Displays BGP IPv4 Flowspec routing information received from the specified peer and permitted by a receiving policy.

not-accepted-routes: Displays BGP IPv4 Flowspec routing information received from the specified peer and not permitted by a receiving policy.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all BGP IPv4 Flowspec routes.

Examples

# Display brief information about all BGP IPv4 Flowspec routes in the default BGP instance.

<Sysname> display bgp routing-table ipv4 flowspec

 

 Total number of routes: 1

 

 BGP local router ID is 10.1.1.1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.2.3.4/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       200?

# Display BGP IPv4 Flowspec routes in the default BGP instance of the public network that match AS path list 1.

<Sysname> display bgp routing-table ipv4 flowspec as-path-acl 1

 

 Total number of routes: 1

 

 BGP local router ID is 10.1.1.1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.2.3.4/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       200?

# Display BGP IPv4 Flowspec routes in the default BGP instance of the public network that match any AS path attribute.

<Sysname> display bgp routing-table ipv4 flowspec as-path-regular-expression ^.*

 

 Total number of routes: 1

 

 BGP local router ID is 10.1.1.1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.2.3.4/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       200?

Table 7 Command output

Field

Description

Status codes

Status codes:

·     * – valid—Valid route.

·     > – best—Optimal route.

·     d – dampened—Dampened route.

·     h – history—History route.

·     s – suppressed—Suppressed route.

·     S – stale—Stale route.

·     i – internal—Internal route.

·     e – external—External route.

Origin

Origin of the route:

·     i – IGP—Originated in the AS. The origin of routes advertised with the network command is IGP.

·     e – EGP—Learned through EGP.

·     ? – incomplete—Unknown origin. The origin of routes redistributed from IGP protocols is incomplete.

Network

Destination network address.

NextHop

Next hop IP address.

MED

Multi-Exit Discriminator attribute.

LocPrf

Local preference value.

PrefVal

Preferred value of the route.

Path/Ogn

AS_PATH and ORIGIN attributes of the route:

·     AS_PATH—Records the ASs the route has passed. This attribute can avoid routing loops.

·     ORIGIN—Identifies the origin of the route.
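An added example, not H3C code: a Python parser for the brief output described in Table 7. It goes beyond the IPv4 sample above by also handling Network strings wrapped across lines, extra-path lines that carry only status codes and attributes, and Route distinguisher headings, all of which appear in the vpnv4 output on this page. The sample text is constructed from this page's outputs (the DPort-only external route is constructed), the trailing /N of a Network string is kept as displayed, and the function names and the two audit checks are assumptions of the example.

```python
import re

COLUMNS = ("NextHop", "MED", "LocPrf", "PrefVal", "Path/Ogn")
STATUS = {"*": "valid", ">": "best", "d": "dampened", "h": "history",
          "s": "suppressed", "S": "stale", "i": "internal", "e": "external"}
ORIGIN = {"i": "IGP", "e": "EGP", "?": "incomplete"}

# Constructed sample: lines taken from the outputs on this page, plus one
# constructed external route that has no DEST component.
SAMPLE = """\
 Route distinguisher: 1:5(vpn1)
 Total number of routes: 5

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300
,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl
ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528
                        0.0.0.0                    100        0       ?
* >  DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176
                        0.0.0.0                               32768   ?
*  i                    0.0.0.0                    100        0       ?
*  e                    0.0.0.0                               0       100?
* >e DPort:=1000/32
                        0.0.0.0                               0       200?
"""

def parse_nlri(text):
    """Split a Network string into its match components and trailing /N."""
    body, _, suffix = text.rpartition("/")
    if not body or not suffix.isdigit():
        raise ValueError("unexpected Network string: %r" % text)
    comps = {}
    for item in body.split(","):
        key, _, value = item.partition(":")
        # DEST and Source carry a prefix; other components carry |-separated terms.
        comps[key] = value if key in ("DEST", "Source") else value.split("|")
    return comps, int(suffix)

def parse_attrs(line, offsets):
    """Assign each token to the column whose header starts nearest to it."""
    out = {name: "" for _, name in offsets}
    for tok in re.finditer(r"\S+", line[4:]):
        name = min(offsets, key=lambda oc: abs(oc[0] - (tok.start() + 4)))[1]
        out[name] = (out[name] + " " + tok.group()).strip()
    path = out.pop("Path/Ogn", "")
    out["Origin"] = ORIGIN.get(path[-1:], "")
    out["AS_PATH"] = path[:-1].strip() if out["Origin"] else path
    return out

def parse_brief(text):
    """Return one dict per path from brief Flowspec routing-table output."""
    routes, offsets, rd, nlri, flags, wrapping = [], None, None, None, "", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"\s*Route distinguisher:\s*(\S+)", line)
        if m:
            rd = m.group(1)
        elif line.lstrip().startswith("Network") and "NextHop" in line:
            offsets = sorted((line.index(c), c) for c in COLUMNS if c in line)
        elif offsets is None or re.match(r"\s*Total number of routes", line):
            continue
        elif re.match(r".{4}\s{8,}\S", line):        # attribute line
            if line[:4].strip():                     # extra path, same Network
                flags = line[:4]
            if nlri is None:
                continue
            comps, suffix = parse_nlri(nlri)
            routes.append({"rd": rd, "nlri": nlri, "components": comps,
                           "suffix": suffix,
                           "status": [STATUS[c] for c in flags if c in STATUS],
                           **parse_attrs(line, offsets)})
            wrapping = False
        elif wrapping:                               # wrapped Network text
            nlri += line.strip()
        else:                                        # status + start of Network
            flags, nlri, wrapping = line[:4], line[4:].strip(), True
    return routes

def audit(routes):
    """(Network, note) pairs for selected rules that deserve a second look."""
    notes = []
    for r in (r for r in routes if "best" in r["status"]):
        if "DEST" not in r["components"]:
            notes.append((r["nlri"], "no DEST component: matches any destination"))
        if "external" in r["status"]:
            notes.append((r["nlri"], "learned from an external peer"))
    return notes

if __name__ == "__main__":
    for nlri, why in audit(parse_brief(SAMPLE)):
        print("REVIEW", nlri, "-", why)
```

Attribute values are mapped by nearest column header rather than by fixed slices, so a value that starts a character or two off its column is still assigned correctly.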

 

# Display detailed information about a BGP IPv4 Flowspec route (DEST:1.1.1.0/24,DPort:=10/64) for the default BGP instance in the public network.

<Sysname> display bgp routing-table ipv4 flowspec DEST:1.1.1.0/24,DPort:=10/64

 

 BGP local router ID: 10.1.1.1

 Local AS number: 10

 

 Paths:   1 available, 1 best

 

 BGP routing table information of DEST:1.1.1.0/24,DPort:=10/64:

 Imported route.

 Original nexthop: 0.0.0.0

 Out interface   : NULL0

 Route age       : 01h55m46s

 OutLabel        : NULL

 Ext-Community   : <FLOWSPEC RATE: 2500 Bps>, <FLOWSPEC REDIRECT: Tunnel-ID(22)

                    Flags(0x0)>

 Wide-Community  : <DownloadToFIB: SourceAS(65515) RelyFlag(0xa5)>

 RxPathID        : 0x0

 TxPathID        : 0x0

 Org-validation  : Valid

 AS-path         : (null)

 Origin          : igp

 Attribute value : pref-val 32768

 State           : valid, local, best

 IP precedence   : N/A

 QoS local ID    : N/A

 Traffic index   : N/A

Table 8 Command output

Field

Description

Paths

Number of routes:

·     available—Number of valid routes.

·     best—Number of optimal routes.

BGP routing table information of DEST:1.1.1.0/24,DPort:=10/64

Information about the BGP route to network 1.1.1.0/24.

Imported route

This route is an imported route.

Original nexthop

Original next hop of the route. If the route was obtained from a BGP UPDATE message, the original next hop is the next hop IP address in the message.

Out interface

Next hop output interface information.

Route age

Time elapsed since the most recent route update.

OutLabel

Outgoing label of the route.

Ext-Community

Extended community attribute.

Wide-Community

Wide community attribute.

RxPathID

Add-path ID of received routes.

TxPathID

Add-path ID of advertised routes.

Org-validation

BGP RPKI validation state:

·     Valid.

·     Not found.

·     Invalid.

AS-path

AS_PATH attribute of the route, which records the ASs the route has passed and avoids routing loops.

Origin

Origin of the route:

·     igp—Originated in the AS.

·     egp—Learned through EGP.

·     incomplete—Unknown origin.

Attribute value

BGP path attributes:

·     MED—MED value.

·     localpref—Local preference value.

·     pref-val—Preferred value.

·     pre—Route preference.

Originator

Peer that generated the route.

Cluster list

CLUSTER_LIST attribute of the route. If the route does not carry this attribute, this field is not displayed.

Advertised to VPN peers (1 in total)

Peers to which the route has been advertised.

State

Current state of the route:

·     valid.

·     internal.

·     external.

·     local.

·     synchronize.

·     best.

·     delay—The route will be delayed for optimal route selection. This field is displayed only in the detailed command output.

·     bgp-rib-only—The route will not be flushed to the routing table. This field is displayed only in the detailed command output.

IP precedence

IP precedence in the range of 0 to 7. N/A indicates that the route does not support this field.

QoS local ID

QoS local ID in the range of 1 to 4095. N/A indicates that the route does not support this field.

Traffic index

Traffic index in the range of 1 to 64. N/A indicates that the route does not support this field.
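An added example, not H3C code: parsing the detailed output described in Table 8 to pull out the Flowspec actions carried in Ext-Community (including a value wrapped onto the next line), the Org-validation result and the State flags. The embedded text is the page's own sample output used as constructed input; the function names and review rules are assumptions of the example, and one path per route block is assumed.

```python
import re

# Constructed input: the detailed IPv4 Flowspec sample output from this page.
DETAIL = """\
 BGP local router ID: 10.1.1.1
 Local AS number: 10

 Paths:   1 available, 1 best

 BGP routing table information of DEST:1.1.1.0/24,DPort:=10/64:
 Imported route.
 Original nexthop: 0.0.0.0
 Out interface   : NULL0
 Route age       : 01h55m46s
 OutLabel        : NULL
 Ext-Community   : <FLOWSPEC RATE: 2500 Bps>, <FLOWSPEC REDIRECT: Tunnel-ID(22)
                    Flags(0x0)>
 Wide-Community  : <DownloadToFIB: SourceAS(65515) RelyFlag(0xa5)>
 RxPathID        : 0x0
 TxPathID        : 0x0
 Org-validation  : Valid
 AS-path         : (null)
 Origin          : igp
 Attribute value : pref-val 32768
 State           : valid, local, best
 IP precedence   : N/A
 QoS local ID    : N/A
 Traffic index   : N/A
"""

ACTION = re.compile(r"<FLOWSPEC ([A-Z-]+): ([^>]*)>")


def parse_detail(text):
    """Parse detailed Flowspec route output into one dict per route block."""
    entries, cur, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        head = re.match(r"\s*BGP routing table information of (.+):$", line)
        if head:
            cur = {"nlri": head.group(1), "fields": {}, "imported": False}
            entries.append(cur)
            last_key = None
        elif cur is None:
            continue                                   # router ID, AS, Paths
        elif line.startswith("  ") and last_key:       # wrapped field value
            cur["fields"][last_key] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            cur["fields"][last_key] = value.strip()
        elif line.strip() == "Imported route.":
            cur["imported"] = True
    return entries


def summarize(entry):
    """Reduce one parsed block to the fields a rule review needs."""
    f = entry["fields"]
    comms = f.get("Ext-Community", "") + " " + f.get("Ext-Community6", "")
    state = [s.strip() for s in f.get("State", "").split(",") if s.strip()]
    return {
        "nlri": entry["nlri"],
        "actions": dict(ACTION.findall(comms)),
        "validation": f.get("Org-validation", ""),
        "selected": "valid" in state and "best" in state,
        "as_path": None if f.get("AS-path") in (None, "(null)") else f["AS-path"],
    }


def review(summary):
    """Notes for a reviewer: unvalidated selected rules and redirect actions."""
    notes = []
    if summary["selected"] and summary["validation"] != "Valid":
        notes.append("selected with Org-validation " + summary["validation"])
    for kind in summary["actions"]:
        if kind.startswith("REDIRECT"):
            notes.append("steers matching traffic: " + kind)
    return notes


if __name__ == "__main__":
    for e in parse_detail(DETAIL):
        s = summarize(e)
        print(s, review(s))
```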

 

# Display statistics for BGP IPv4 Flowspec routes advertised to peer 10.2.1.2 for the default BGP instance.

<Sysname> display bgp routing-table ipv4 flowspec peer 10.2.1.2 advertised-routes statistics

 

 Advertised routes total: 2

# Display statistics for BGP IPv4 Flowspec routes received from peer 10.2.1.2 for the default BGP instance.

<Sysname> display bgp routing-table ipv4 flowspec peer 10.2.1.2 received-routes statistics

 

 Received routes total: 2

Table 9 Command output

Field

Description

Advertised routes total

Total number of advertised routes.

Received routes total

Total number of received routes.

display bgp routing-table ipv6 flowspec

Use display bgp routing-table ipv6 flowspec to display BGP IPv6 Flowspec routing information.

Syntax

display bgp [ instance instance-name ] routing-table ipv6 flowspec [ vpn-instance vpn-instance-name ] [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | flowspec-prefix [ advertise-info ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv6 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ]

display bgp [ instance instance-name ] routing-table ipv6 flowspec [ vpn-instance vpn-instance-name ] peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays the information for the public network.

as-path-acl as-path-acl-number: Displays BGP IPv6 Flowspec routes that match the AS path list specified by its number in the range of 1 to 256.

as-path-acl as-path-acl-name: Displays BGP IPv6 Flowspec routes that match the AS path list specified by its name, a case-sensitive string of 1 to 51 characters. The AS path list name cannot contain only digits.

as-path-regular-expression regular-expression: Displays BGP IPv6 Flowspec routes that match the specified regular expression, a case-sensitive string of 1 to 256 characters.

flowspec-prefix: Specifies a BGP IPv6 Flowspec route and displays detailed information about it. Valid values are the strings shown in the Network field of the output that is displayed when you do not specify this argument.

verbose: Displays detailed information about BGP IPv6 Flowspec routes. If you do not specify this keyword, the command displays brief information about BGP IPv6 Flowspec routes.

advertise-info: Displays advertisement information for BGP IPv6 Flowspec routes.

peer { ipv4-address | ipv6-address }: Displays BGP IPv4 or IPv6 Flowspec routing information advertised to or received from the specified peer.

advertised-routes: Displays BGP IPv6 Flowspec routing information advertised to the specified peer.

received-routes: Displays BGP IPv6 Flowspec routing information received from the specified peer.

statistics: Displays routing statistics.

accepted-routes: Displays BGP IPv6 Flowspec routing information received from the specified peer and permitted by a receiving policy.

not-accepted-routes: Displays BGP IPv6 Flowspec routing information received from the specified peer and not permitted by a receiving policy.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all BGP IPv6 Flowspec routes.

Examples

# Display brief information about all public-network BGP IPv6 Flowspec routes in the default BGP instance.

<Sysname> display bgp routing-table ipv6 flowspec

 

 Total number of routes: 1

 

BGP local router ID is 10::1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:11::1/64,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       200?

# Display BGP IPv6 Flowspec routes in the default BGP instance of the public network that match AS path list 1.

<Sysname> display bgp routing-table ipv6 flowspec as-path-acl 1

 

 Total number of routes: 1

 

 BGP local router ID is 10::1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:11::1/64,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       200?

# Display BGP IPv6 Flowspec routes in the default BGP instance of the public network that match any AS path attribute.

<Sysname> display bgp routing-table ipv6 flowspec as-path-regular-expression ^.*

 

 Total number of routes: 1

 

 BGP local router ID is 10::1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:11::1/64,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       200?

# Display information about public-network BGP IPv6 Flowspec routes advertised to peer 10::1 in the default BGP instance.

<Sysname> display bgp routing-table ipv6 flowspec peer 10::1 advertised-routes

 

 Total number of routes: 1

 

 BGP local router ID is 10::2

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf             Path/Ogn

 

* >  DEST:11::1/64,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                                       200?

# Display information about public-network BGP IPv6 Flowspec routes received from peer 10::2 in the default BGP instance.

<Sysname> display bgp routing-table ipv6 flowspec peer 10::2 received-routes

 

 Total number of routes: 1

 

 BGP local router ID is 10::1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:11::1/64,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       200?

Table 10 Command output

Field

Description

Status codes

Status codes:

·     * – valid—Valid route.

·     > – best—Optimal route.

·     d – dampened—Dampened route.

·     h – history—History route.

·     s – suppressed—Suppressed route.

·     S – stale—Stale route.

·     i – internal—Internal route.

·     e – external—External route.

Origin

Origin of the route:

·     i – IGP—Originated in the AS. The origin of routes advertised with the network command is IGP.

·     e – EGP—Learned through EGP.

·     ? – incomplete—Unknown origin. The origin of routes redistributed from IGP protocols is incomplete.

Network

Destination network address.

NextHop

Next-hop IP address.

MED

Multi-Exit Discriminator attribute.

LocPrf

Local preference value.

PrefVal

Preferred value of the route.

Path/Ogn

AS_PATH and ORIGIN attributes of the route:

·     AS_PATH—Records the ASs the route has passed. This attribute can avoid routing loops.

·     ORIGIN—Identifies the origin of the route.

 

# Display statistics for BGP IPv6 Flowspec routes advertised to peer 10::2 in the default BGP instance.

<Sysname> display bgp routing-table ipv6 flowspec peer 10::2 advertised-routes statistics

 

 Advertised  routes total: 2

# Display statistics for BGP IPv6 Flowspec routes received from peer 10::2 in the default BGP instance.

<Sysname> display bgp routing-table ipv6 flowspec peer 10::2 received-routes statistics

 

 Received  routes total: 2

Table 11 Command output

Field

Description

Advertised routes total

Total number of advertised routes.

Received routes total

Total number of received routes.

 

# Display detailed information about the public-network BGP IPv6 Flowspec route DPort:=1000/32 in the default BGP instance.

<Sysname> display bgp routing-table ipv6 flowspec DPort:=1000/32

 

 BGP local router ID: 1.1.1.2

 Local AS number: 100

 

 Paths:   1 available, 1 best

 

 BGP routing table information of DPort:=1000/32:

 Imported route.

 Original nexthop: 0.0.0.0

 Out interface   : NULL0

 Route age       : 00h00m10s

 OutLabel        : NULL

 Ext-Community   : <CO-Flag:Color(00:1)>

 Ext-Community6  : <FLOWSPEC REDIRECT-IP: 11::1:0>

 RxPathID        : 0x0

 TxPathID        : 0x0

 Org-validation  : Valid

 PrefixSID       : N/A SID <123::1>

 AS-path         : (null)

 Origin          : igp

 Attribute value : pref-val 32768

 State           : valid, local, best

 IP precedence   : N/A

 QoS local ID    : N/A

 Traffic index   : N/A

Table 12 Command output

Field

Description

Paths

Number of routes:

·     available—Number of valid routes.

·     best—Number of optimal routes.

Original nexthop

Original next hop of the route. If the route was obtained from a BGP UPDATE message, the original next hop is the next hop IP address in the message.

Out interface

Next hop output interface information.

Route age

Time elapsed since the most recent route update.

OutLabel

Outgoing label of the route.

Ext-Community

Extended community attribute.

Ext-Community6

IPv6 extended community attribute.

RxPathID

Add-path ID of received routes.

TxPathID

Add-path ID of advertised routes.

Org-validation

BGP RPKI validation state:

·     Valid.

·     Not found.

·     Invalid.

PrefixSID

Prefix SID:

·     Label index—Label index.

·     SRGB—SRGB range.

AS-path

AS_PATH attribute of the route, which records the ASs the route has passed and avoids routing loops.

Origin

Origin of the route:

·     igp—Originated in the AS.

·     egp—Learned through EGP.

·     incomplete—Unknown origin.

Attribute value

BGP path attributes:

·     MED—MED value.

·     localpref—Local preference value.

·     pref-val—Preferred value.

·     pre—Route preference.

Originator

Peer that generated the route.

Cluster list

CLUSTER_LIST attribute of the route. If the route does not carry this attribute, this field is not displayed.

Advertised to VPN peers (1 in total)

Peers to which the route has been advertised.

State

Current state of the route:

·     valid.

·     internal.

·     external.

·     local.

·     synchronize.

·     best.

·     delay—The route will be delayed for optimal route selection. This field is displayed only in the detailed command output.

·     bgp-rib-only—The route will not be flushed to the routing table. This field is displayed only in the detailed command output.

·     not preferred for reason—Reason why the route is not selected as the optimal route.

·     not ECMP for reason—Reason why the route does not form ECMP routes with other routes.

IP precedence

IP precedence in the range of 0 to 7. N/A indicates that the route does not support this field.

QoS local ID

QoS local ID in the range of 1 to 4095. N/A indicates that the route does not support this field.

Traffic index

Traffic index in the range of 1 to 64. N/A indicates that the route does not support this field.

display bgp routing-table vpnv4 flowspec

Use display bgp routing-table vpnv4 flowspec to display BGP VPNv4 Flowspec routing information.

Syntax

display bgp [ instance instance-name ] routing-table vpnv4 flowspec [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ] | [ route-distinguisher route-distinguisher ] [ flowspec-prefix [ advertise-info ] ] | statistics ]

display bgp [ instance instance-name ] routing-table vpnv4 flowspec peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.

as-path-acl as-path-acl-number: Displays BGP VPNv4 Flowspec routes that match the AS path list specified by its number in the range of 1 to 256.

as-path-acl as-path-acl-name: Displays BGP VPNv4 Flowspec routes that match the AS path list specified by its name, a case-sensitive string of 1 to 51 characters. The AS path list name cannot contain only digits.

as-path-regular-expression regular-expression: Displays BGP VPNv4 Flowspec routes that match the specified regular expression, a case-sensitive string of 1 to 256 characters.

peer { ipv4-address | ipv6-address }: Displays BGP VPNv4 or VPNv6 Flowspec routing information advertised to or received from the specified peer.

advertised-routes: Displays BGP VPNv4 Flowspec routing information advertised to the specified peer.

received-routes: Displays BGP VPNv4 Flowspec routing information received from the specified peer.

route-distinguisher route-distinguisher: Displays BGP VPNv4 Flowspec routing information for the specified route distinguisher. The route-distinguisher argument is a string of 3 to 21 characters and can be specified in one of the following formats:

·     16-bit AS number:32-bit user-defined number, for example, 101:3.

·     32-bit IP address:16-bit user-defined number, for example, 192.168.122.15:1.

·     32-bit AS number:16-bit user-defined number, for example, 65536:1. The smallest AS number is 65535.

flowspec-prefix: Specifies a BGP VPNv4 Flowspec route and displays detailed information about it. Valid values are the strings shown in the Network field of the output that is displayed when you do not specify this argument.

verbose: Displays detailed information about BGP VPNv4 Flowspec routes. If you do not specify this keyword, the command displays brief information about BGP VPNv4 Flowspec routes.

advertise-info: Displays advertisement information for BGP VPNv4 Flowspec routes.

statistics: Displays routing statistics.

accepted-routes: Displays BGP VPNv4 Flowspec routing information received from the specified peer and permitted by a receiving policy.

not-accepted-routes: Displays BGP VPNv4 Flowspec routing information received from the specified peer and not permitted by a receiving policy.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all BGP VPNv4 Flowspec routes.

Examples

# Display brief information about all BGP VPNv4 Flowspec routes for the default BGP instance.

<Sysname> display bgp routing-table vpnv4 flowspec

 

 BGP local router ID is 192.168.56.55

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Total number of routes from all PEs: 4

 

 Route distinguisher: 1:3

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >i DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                    100        0       ?

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >  DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               32768   ?

*  i                    0.0.0.0                    100        0       ?

*  e                    0.0.0.0                               0       100?

 

 Route distinguisher: 1:6

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >e DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       100?

# Display BGP VPNv4 Flowspec routes that match AS path list 1.

<Sysname> display bgp routing-table vpnv4 flowspec as-path-acl 1

 

 BGP local router ID is 192.168.56.55

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Total number of routes from all PEs: 4

 

 Route distinguisher: 1:3

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >i DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                    100        0       ?

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >  DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               32768   ?

*  i                    0.0.0.0                    100        0       ?

*  e                    0.0.0.0                               0       100?

 

 Route distinguisher: 1:6

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >e DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       100?

# Display BGP VPNv4 Flowspec routes that match any AS path attribute.

<Sysname> display bgp routing-table vpnv4 flowspec as-path-regular-expression ^.*

 

 BGP local router ID is 192.168.56.55

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Total number of routes from all PEs: 4

 

 Route distinguisher: 1:3

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >i DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                    100        0       ?

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >  DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               32768   ?

*  i                    0.0.0.0                    100        0       ?

*  e                    0.0.0.0                               0       100?

 

 Route distinguisher: 1:6

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:1.2.3.4/32,Source:2.3.4.5/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >e DEST:4.5.6.7/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       100?

Table 13 Command output

Field

Description

Status codes

Status codes:

·     * – valid—Valid route.

·     > – best—Optimal route.

·     d – dampened—Dampened route.

·     h – history—History route.

·     i – internal—Internal route.

·     e – external—External route.

·     s – suppressed—Suppressed route.

·     S – stale—Stale route.

Origin

Origin of the route:

·     i – IGP—Originated in the AS. The origin of routes advertised with the network command is IGP.

·     e – EGP—Learned through EGP.

·     ? – incomplete—Unknown origin. The origin of routes redistributed from IGP protocols is incomplete.

Network

Destination network address.

NextHop

Next hop IP address.

MED

Multi-Exit Discriminator attribute.

LocPrf

Local preference value.

PrefVal

Preferred value of the route.

Path/Ogn

AS_PATH and ORIGIN attributes of the route:

·     AS_PATH—Records the ASs the route has passed. This attribute can avoid routing loops.

·     ORIGIN—Identifies the origin of the route.

 

# Display detailed information about BGP VPNv4 Flowspec route DEST:1.1.1.0/24,DPort:=10/64 advertised to peer 1.1.1.9.

<Sysname> display bgp routing-table vpnv4 flowspec peer 1.1.1.9 advertised-routes DEST:1.1.1.0/24,DPort:=10/64 verbose

 

 BGP local router ID: 192.168.56.3

 Local AS number: 100

 

 

 Route distinguisher: 100:1

 Total number of routes: 1

 Paths:   1 best

 

 BGP routing table information of DEST:1.1.1.0/24,DPort:=10/64:

 Original nexthop: 0.0.0.0

 Ext-Community   : <RT: 12:1>, <FLOWSPEC RATE: 1250 Bps>

 AS-path         : (null)

 Origin          : igp

 Attribute value : localpref 100

 

 Advertised to VPN peers (1 in total):

1.1.1.9

# Display statistics for BGP VPNv4 Flowspec routes advertised to peer 15.5.6.2 for the default BGP instance.

<Sysname> display bgp routing-table vpnv4 flowspec peer 15.5.6.2 advertised-routes statistics

 

 Advertised routes total: 3

# Display statistics for BGP VPNv4 Flowspec routes received from peer 15.5.6.2 for the default BGP instance.

<Sysname> display bgp routing-table vpnv4 flowspec peer 15.5.6.2 received-routes statistics

 

 Received routes total: 2

Table 14 Command output

Field | Description
Advertised routes total | Total number of advertised routes.
Received routes total | Total number of received routes.

 

# Display statistics for BGP VPNv4 Flowspec routes.

<Sysname> display bgp routing-table vpnv4 flowspec statistics

 Total number of routes from all PEs: 4

 

 Route distinguisher: 1:3

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

 Route distinguisher: 1:6

 Total number of routes: 2

display bgp routing-table vpnv6 flowspec

Use display bgp routing-table vpnv6 flowspec to display BGP VPNv6 Flowspec routing information.

Syntax

display bgp [ instance instance-name ] routing-table vpnv6 flowspec [ as-path-acl { as-path-acl-number | as-path-acl-name } | as-path-regular-expression regular-expression | peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ flowspec-prefix [ verbose ] | statistics ] | [ route-distinguisher route-distinguisher ] [ flowspec-prefix [ advertise-info ] ] | statistics ]

display bgp [ instance instance-name ] routing-table vpnv6 flowspec peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.

as-path-acl as-path-acl-number: Displays BGP VPNv6 Flowspec routes that match the AS path list specified by its number in the range of 1 to 256.

as-path-acl as-path-acl-name: Displays BGP VPNv6 Flowspec routes that match the AS path list specified by its name, a case-sensitive string of 1 to 51 characters. The AS path list name cannot contain only digits.

as-path-regular-expression regular-expression: Displays BGP VPNv6 Flowspec routes that match the specified regular expression, a case-sensitive string of 1 to 256 characters.

peer { ipv4-address | ipv6-address }: Displays BGP VPNv4 or VPNv6 Flowspec routing information advertised to or received from the specified peer.

advertised-routes: Displays BGP VPNv6 Flowspec routing information advertised to the specified peer.

received-routes: Displays BGP VPNv6 Flowspec routing information received from the specified peer.

route-distinguisher route-distinguisher: Displays BGP VPNv6 Flowspec routing information for the specified route distinguisher. The route-distinguisher argument is a string of 3 to 21 characters and can be specified in one of the following formats:

·     16-bit AS number:32-bit user-defined number, for example, 101:3.

·     32-bit IP address:16-bit user-defined number, for example, 192.168.122.15:1.

·     32-bit AS number:16-bit user-defined number, for example, 65536:1. The smallest AS number is 65535.

flowspec-prefix: Displays detailed BGP VPNv6 Flowspec routing information. The values for this argument are the values under the Network field displayed when you do not specify this argument.

verbose: Displays detailed information about BGP VPNv6 Flowspec routes. If you do not specify this keyword, the command displays brief information about BGP VPNv6 Flowspec routes.

advertise-info: Displays advertisement information for BGP VPNv6 Flowspec routes.

statistics: Displays routing statistics.

accepted-routes: Displays BGP VPNv6 Flowspec routing information received from the specified peer and permitted by a receiving policy.

not-accepted-routes: Displays BGP VPNv6 Flowspec routing information received from the specified peer and not permitted by a receiving policy.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all BGP VPNv6 Flowspec routes.

Examples

# Display brief information about all BGP VPNv6 Flowspec routes in the default BGP instance.

<Sysname> display bgp routing-table vpnv6 flowspec

 

 BGP local router ID is 1::1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Total number of routes from all PEs: 4

 

 Route distinguisher: 1:3

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >i DEST:4::1/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                    100        0       ?

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >e DEST:4::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:2::1/32,Source:3::1/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >  DEST:4::1/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               32768   ?

*  i                    0.0.0.0                    100        0       ?

*  e                    0.0.0.0                               0       100?

 

 Route distinguisher: 1:6

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:2::1/32,Source:3::1/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >e DEST:4::1/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               0       100?

# Display BGP VPNv6 Flowspec routes that match AS path list 1.

<Sysname> display bgp routing-table vpnv6 flowspec as-path-acl 1

 

 BGP local router ID is 192.168.56.55

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >e DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:2::1/32,Source:3::1/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >  DEST:4::1/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               32768   ?

*  i                    0.0.0.0                    100        0       ?

*  e                    0.0.0.0                               0       100?

# Display BGP VPNv6 Flowspec routes that match any AS path attributes.

<Sysname> display bgp routing-table vpnv6 flowspec as-path-regular-expression ^.*

 

 BGP local router ID is 192.168.56.55

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >e DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:2::1/32,Source:3::1/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >  DEST:4::1/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               32768   ?

*  i                    0.0.0.0                    100        0       ?

*  e                    0.0.0.0                               0       100?

# Display brief information about all BGP VPNv6 Flowspec routes with route distinguisher 1:5 in the default BGP instance.

<Sysname> display bgp routing-table vpnv6 flowspec route-distinguisher 1:5

 

 BGP local router ID is 192.168.56.55

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/528

                        0.0.0.0                    100        0       ?

* >e DEST:2::1/32,Source:3::1/32,Proto:=0|=1|=60,Port:=200,DPort:=200|=300

,SPort:=100|=120|=140,ICMPType:=200|=100|=120|=140,ICMPCode:=200|=220|=230,TCPFl

ags:=255,Length:=1024,DSCP:=6|=2,Frag:=4,DEST:2::1/32,Source:3::1/32,Proto

:=0|=1|=60,Port:=200,DPort:=200|=300,SPort:=100|=120|=140,ICMPType:=200|=100|=12

0|=140,ICMPCode:=200|=220|=230,TCPFlags:=255,Length:=1024,DSCP:=6|=2,Frag:=4/105

6

                        0.0.0.0                               0       100?

* >  DEST:4::1/32,Proto:=0|=1|=60,DPort:=200,SPort:=100,ICMPType:=200/176

                        0.0.0.0                               32768   ?

*  i                    0.0.0.0                    100        0       ?

*  e                    0.0.0.0                               0       100?

Table 15 Command output

Field

Description

Status codes

Status codes:

·     * – valid—Valid route.

·     > – best—Optimal route.

·     d – dampened—Dampened route.

·     h – history—History route.

·     i – internal—Internal route.

·     e – external—External route.

·     s – suppressed—Suppressed route.

·     S – stale—Stale route.

Origin

Origin of the route:

·     i – IGP—Originated in the AS. The origin of routes advertised with the network command is IGP.

·     e – EGP—Learned through EGP.

·     ? – incomplete—Unknown origin. The origin of routes redistributed from IGP protocols is incomplete.

Network

Destination network address.

NextHop

Next hop IP address.

MED

Multi-Exit Discriminator attribute.

LocPrf

Local preference value.

PrefVal

Preferred value of the route.

Path/Ogn

AS_PATH and ORIGIN attributes of the route:

·     AS_PATH—Records the ASs the route has passed. This attribute can avoid routing loops.

·     ORIGIN—Identifies the origin of the route.

 

# Display statistics for BGP VPNv6 Flowspec routes advertised to peer 15.5.6.2 in the default BGP instance.

<Sysname> display bgp routing-table vpnv6 flowspec peer 15.5.6.2 advertised-routes statistics

 

 Advertised  routes total: 3

# Display statistics for BGP VPNv6 Flowspec routes received from peer 15.5.6.2 in the default BGP instance.

<Sysname> display bgp routing-table vpnv6 flowspec peer 15.5.6.2 received-routes statistics

 

 Received  routes total: 2

Table 16 Command output

Field | Description
Advertised routes total | Total number of advertised routes.
Received routes total | Total number of received routes.

 

# Display statistics for BGP VPNv6 Flowspec routes.

<Sysname> display bgp routing-table vpnv6 flowspec statistics

 Total number of routes from all PEs: 4

 

 Route distinguisher: 1:3

 Total number of routes: 2

 

 Route distinguisher: 1:5(vpn1)

 Total number of routes: 5

 

 Route distinguisher: 1:6

 Total number of routes: 2

# Display information about public-network BGP VPNv6 Flowspec routes that match Flowspec prefix DPort:=1000/32 in the default BGP instance.

<Sysname> display bgp routing-table vpnv6 flowspec DPort:=1000/32

 

 BGP local router ID: 192.168.56.11

 Local AS number: 1

 

 

 Route distinguisher: 1:1(1)

 Total number of routes: 1

 Paths:   1 available, 1 best

 

 BGP routing table information of DPort:=1000/32:

 Imported route.

 Original nexthop: 0.0.0.0

 Out interface   : NULL0

 Route age       : 00h00m26s

 OutLabel        : NULL

 Ext-Community   : <RT: 1:1>, <CO-Flag:Color(00:1)>

 Ext-Community6  : <FLOWSPEC REDIRECT-IP: 1::1:0>

 RxPathID        : 0x0

 TxPathID        : 0x0

 Org-validation  : Valid

 PrefixSID       : N/A SID <111::1>

 AS-path         : (null)

 Origin          : igp

 Attribute value : pref-val 32768

 State           : valid, local, best

 IP precedence   : N/A

 QoS local ID    : N/A

 Traffic index   : N/A

Table 17 Command output

Field

Description

Paths

Number of routes:

·     available—Number of valid routes.

·     best—Number of optimal routes.

Original nexthop

Original next hop of the route. If the route was obtained from a BGP UPDATE message, the original next hop is the next hop IP address in the message.

Out interface

Next hop output interface information.

Route age

Time elapsed since the most recent route update.

OutLabel

Outgoing label of the route.

Ext-Community

Extended community attribute.

Ext-Community6

IPv6 extended community attribute.

RxPathID

Add-path ID of received routes.

TxPathID

Add-path ID of advertised routes.

Org-validation

BGP RPKI validation state:

·     Valid.

·     Not found.

·     Invalid.

PrefixSID

Prefix SID:

·     Label index—Label index.

·     SRGB—SRGB range.

AS-path

AS_PATH attribute of the route, which records the ASs the route has passed and avoids routing loops.

Origin

Origin of the route:

·     igp—Originated in the AS.

·     egp—Learned through EGP.

·     incomplete—Unknown origin.

Attribute value

BGP path attributes:

·     MED—MED value.

·     localpref—Local preference value.

·     pref-val—Preferred value.

·     pre—Route preference.

Inlabel

Inbound label of the route.

Originator

Peer that generated the route.

Cluster list

CLUSTER_LIST attribute of the route. If the route does not carry this attribute, this field is not displayed.

Advertised to VPN peers (1 in total)

Peers to which the route has been advertised.

State

Current state of the route:

·     valid.

·     internal.

·     external.

·     local.

·     synchronize.

·     best.

·     delay—The route will be delayed for optimal route selection. This field is displayed only in the detailed command output.

·     bgp-rib-only—The route will not be flushed to the routing table. This field is displayed only in the detailed command output.

·     not preferred for reason—Reason why the route is not selected as the optimal route.

·     not ECMP for reason—Reason why the route does not form ECMP routes with other routes.

IP precedence

IP precedence in the range of 0 to 7. N/A indicates that the route does not support this field.

QoS local ID

QoS local ID in the range of 1 to 4095. N/A indicates that the route does not support this field.

Traffic index

Traffic index in the range of 1 to 64. N/A indicates that the route does not support this field.

display flow-route

Use display flow-route to display Flowspec rule information on a Flowspec edge router.

Syntax

In standalone mode:

display flow-route { { ipv4 | ipv6 } all | flow-route-id } [ slot slot-number [ cpu cpu-number ] ]

display flow-route { { ipv4 | ipv6 } [ instance instance-name ] [ vpn-instance vpn-instance-name | public-instance ] | flow-route-id } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display flow-route { { ipv4 | ipv6 } all | flow-route-id } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

display flow-route { { ipv4 | ipv6 } [ instance instance-name ] [ vpn-instance vpn-instance-name | public-instance ] | flow-route-id } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 Flowspec rules.

ipv6: Specifies IPv6 Flowspec rules.

all: Specifies all Flowspec rules.

flow-route-id: Specifies a Flowspec rule by its ID in the range of 0 to fffffffffffffffe (hexadecimal).

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays the information for the default BGP instance.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

public-instance: Displays information about Flowspec rules in the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the Flowspec rule information for the active MPU. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays the Flowspec rule information for the global active MPU. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If multiple effective Flowspec rules exist, the device compares a packet with Flowspec rules in their display order in the command output.

Examples

# Display information about all IPv4 Flowspec rules.

<Sysname> display flow-route ipv4 all

Total number of flow-routes: 3

 

Flow route (ID 0x0)(Failed)

  BGP instance : default

  Traffic filtering rules:

   Destination IP   : 1.2.3.4 255.255.255.255

   Port             : 22 33 44 55

   Source IP        : 2.3.4.5 255.255.255.255

  Traffic filtering actions:

   DSCP marking           : 10

   Redirecting to VPN instance : vpn3

   Sampling : Enabled

 

Flow route (ID 0x1)

  BGP instance : default

  Traffic filtering rules:

   Destination IP   : 1.2.3.4 255.255.255.255

  Traffic filtering actions:

   Deny

 

Flow route (ID 0x2)

  BGP instance : default

  VPN instance : vpn1

  Traffic filtering rules:

   ICMP type        : 23

  Traffic filtering actions:

   Traffic rate           : 1000(kbps)

   Redirecting to next-hop: 1.1.1.1

   NID                    : 268435456

 

Flow route (ID 0x3)

  BGP instance : default

  VPN instance : vpn1

  Traffic filtering rules:

   Source port        : 80

  Traffic filtering actions:

   Redirecting to VPN target : 3:3 (Inactive)

 

Flow route (ID 0x4)

  BGP instance : default

  VPN instance : vpn1

  Traffic filtering rules:

   Source port        : 90

  Traffic filtering actions:

   Redirecting to SR-TE policy

     NID: 16824674

 

Flow route (ID 0x5)

  BGP instance : default

  Traffic filtering rules:

   Destination IPv6 : 6::6/128

  Traffic filtering actions:

   Redirecting to SRv6 BE

     VNID         : 0x726000001

     SID          : 1000::102

 

Flow route (ID 0x6)

  VPN instance : vpn1

  Traffic filtering rules:

   Source port        : 70

  Traffic filtering actions: (bgp.bgp4)

   Redirecting to tunnel id    : 1

  Statistics:

   Matched     : 0 packets, 0 bytes

   Transmitted : 0 packets, 0 bytes

   Dropped     : 0 packets, 0 bytes

# Display information about all IPv6 Flowspec rules.

<Sysname> display flow-route ipv6 all

Total number of flow-routes: 2

 

Flow route (ID 0x0)(Failed)

  BGP instance : default

  Traffic filtering rules:

   Destination Ipv6   : 88:11:11::/123

   Port               : 22 33 44 55

   Source Ipv6        : 66:11::/43

  Traffic filtering actions:

   DSCP marking           : 10

   Redirecting to VPN instance : vpn3

   Sampling : Enabled

 

Flow route (ID 0x1)

  BGP instance : default

  Traffic filtering rules:

   Destination Ipv6   : 88:11:11::/123

  Traffic filtering actions:

   Deny

 

Flow route (ID 0x2)

  BGP instance : default

  Traffic filtering rules:

   Destination Ipv6   : 88:11:11::/123

  Traffic filtering actions:

   Redirecting to SRv6-TE policy

     Forwarding ID: 16824365

     SID          : 5e::35

 

Flow route (ID 0x3)

  BGP instance : default

  Traffic filtering rules:

   Destination IPv6 : 6::6/128

  Traffic filtering actions:

   Redirecting to SRv6 BE

     VNID         : 0x726000001

     SID          : 1000::102

 

Flow route (ID 0x6)

  VPN instance : vpn1

  Traffic filtering rules:

   Source port        : 70

  Traffic filtering actions: (bgp.bgp4)

   Redirecting to tunnel id    : 1

  Statistics:

   Matched     : 0 packets, 0 bytes

   Transmitted : 0 packets, 0 bytes

   Dropped     : 0 packets, 0 bytes

Table 18 Command output

Field

Description

Flow route (ID 0x0)

Flowspec rule ID.

The (Failed) attribute indicates that the Flowspec rule failed to be applied.

VPN instance

VPN instance where the Flowspec rule takes effect.

If this field does not appear, the Flowspec rule takes effect in the public network.

Redirecting to VPN instance

Redirects packets to a VPN instance.

If the route target for redirection cannot be mapped to a VPN instance, the redirection action does not take effect (indicated by Inactive enclosed in parentheses). In this case, the field is displayed as Redirecting to VPN target.

Sampling

Sampling action: Enabled or Disabled.

Redirecting to next-hop

Redirects packets to a next hop.

If the next hop is unreachable or invalid, the redirection action does not take effect (indicated by Inactive enclosed in parentheses).

Redirecting to SR-TE policy

Redirects traffic to an SR-MPLS TE policy.

Redirecting to SRv6-TE policy

Redirects traffic to an SRv6 TE policy.

NID

Next Hop Label Forwarding Entry (NHLFE) index.

Forwarding ID

Forwarding entry index of the SRv6 TE policy.

SID

SRv6 SID of the egress node.

Redirecting to SRv6 BE

Redirects traffic to an SRv6 BE tunnel.

VNID

Next hop index.

Redirecting to tunnel id

Redirects traffic to a tunnel interface.

 

For information about other fields, see Table 3, Table 4, and Table 5.
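
The following Python script is an added example, not part of the H3C documentation. It parses display flow-route output in the format shown above, keeps the rules in display order (the order in which the device compares packets), and reports rules marked (Failed) and actions marked (Inactive) as described in Table 18. The sample text is constructed from that output format; the function names and finding labels are assumptions of this example.

```python
import re

# Constructed sample in the format of `display flow-route ipv4 all`.
SAMPLE = """\
Total number of flow-routes: 3

Flow route (ID 0x0)(Failed)
  BGP instance : default
  Traffic filtering rules:
   Destination IP   : 1.2.3.4 255.255.255.255
   Port             : 22 33 44 55
  Traffic filtering actions:
   DSCP marking           : 10
   Redirecting to VPN instance : vpn3

Flow route (ID 0x1)
  BGP instance : default
  Traffic filtering rules:
   Destination IP   : 1.2.3.4 255.255.255.255
  Traffic filtering actions:
   Deny

Flow route (ID 0x3)
  BGP instance : default
  VPN instance : vpn1
  Traffic filtering rules:
   Source port        : 80
  Traffic filtering actions:
   Redirecting to VPN target : 3:3 (Inactive)
"""

HEADER = re.compile(r"^Flow route \(ID (0x[0-9a-fA-F]+)\)\s*(\(Failed\))?")
TOTAL = re.compile(r"^Total number of flow-routes:\s*(\d+)")
SECTIONS = {"Traffic filtering rules": "rules",
            "Traffic filtering actions": "actions",
            "Statistics": "stats"}


def parse_flow_routes(text):
    """Return (declared_total, rules); rules keep the display (match) order."""
    declared, rules, cur, section = None, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TOTAL.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = HEADER.match(line)
        if m:
            cur = {"id": int(m.group(1), 16), "failed": bool(m.group(2)),
                   "attrs": {}, "rules": [], "actions": [], "stats": []}
            rules.append(cur)
            section = None
            continue
        if cur is None:
            continue  # prompt or banner text before the first rule
        # Section headers may carry a suffix, e.g. "... actions: (bgp.bgp4)".
        name = line.split(":", 1)[0].strip()
        if name in SECTIONS:
            section = SECTIONS[name]
            continue
        # Split on the first colon only, so values such as "3:3" or
        # "6::6/128" stay intact. Bare lines such as "Deny" get value None.
        key, sep, value = line.partition(":")
        entry = (key.strip(), value.strip() if sep else None)
        if section is None:
            cur["attrs"][entry[0]] = entry[1]
        else:
            cur[section].append(entry)
    return declared, rules


def audit(text):
    """Report rules that are configured but not actually enforcing."""
    declared, rules = parse_flow_routes(text)
    findings = []
    if declared is not None and declared != len(rules):
        findings.append(("count-mismatch", None,
                         f"header says {declared}, parsed {len(rules)}"))
    for pos, rule in enumerate(rules):
        # Table 18: no "VPN instance" field means the public network.
        scope = rule["attrs"].get("VPN instance") or "public network"
        if rule["failed"]:
            findings.append(("rule-not-applied", rule["id"],
                             f"position {pos}, scope {scope}"))
        for key, value in rule["actions"]:
            if value and value.endswith("(Inactive)"):
                findings.append(("action-inactive", rule["id"],
                                 f"{key}: {value}"))
    return findings


if __name__ == "__main__":
    for kind, rule_id, detail in audit(SAMPLE):
        label = "-" if rule_id is None else hex(rule_id)
        print(f"{kind:18} {label:6} {detail}")
```

A rule reported as rule-not-applied or action-inactive is present in the configuration but is not filtering or redirecting traffic, so a mitigation that depends on it is not in effect.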

display flowspec flow-interface-group

Use display flowspec flow-interface-group to display the configuration of Flowspec interface groups.

Syntax

display flowspec flow-interface-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies a Flowspec interface group by its ID in the range of 0 to 16383. If you do not specify a Flowspec interface group, this command displays the configuration of all Flowspec interface groups.

Examples

# Display the configuration of all Flowspec interface groups.

<Sysname> display flowspec flow-interface-group

Flowspec interface group: 1

  Description: aaaaadsfadfdf

  Interfaces:

    Ten-GigabitEthernet3/1/1

    Ten-GigabitEthernet3/1/2

    Ten-GigabitEthernet3/1/3

 

Flowspec interface group: 2

  Description: aaaaadsfadfdf

  Interfaces:

    Ten-GigabitEthernet3/1/1

    Ten-GigabitEthernet3/1/2

    Ten-GigabitEthernet3/1/3

 

Flowspec interface group: 3

  Description: aaaaadsfadfdf

  Interfaces:

    Ten-GigabitEthernet3/1/1

    Ten-GigabitEthernet3/1/2

    Ten-GigabitEthernet3/1/3

Related commands

description (Flowspec interface group view)

flowspec flow-interface-group

interface (Flowspec interface group view)

display flowspec statistics

Use display flowspec statistics to display traffic statistics for a Flowspec rule.

Syntax

display flowspec statistics flow-route-id [ flow-interface-group group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

flow-route-id: Specifies a Flowspec rule by its ID in the range of 0 to fffffffffffffffe (hexadecimal). To obtain Flowspec rule IDs, execute the display flow-route command. A Flowspec rule is uniquely identified by its ID.

flow-interface-group group-id: Specifies a Flowspec interface group by its ID in the range of 0 to 16383. If you do not specify a Flowspec interface group, this command displays traffic statistics for all Flowspec interface groups associated with a Flowspec rule.

Examples

# Display traffic statistics for Flowspec rule 1, which is not associated with any Flowspec interface groups.

<Sysname> display flowspec statistics 1

Flow route ID: 0x1

Statistics:

   Matched     : 7981 packets, 1140192 bytes, 15 pps, 21516 bps

   Transmitted : 2979 Packets, 485628 bytes, 7 pps, 10431 bps

   Dropped     : 4002 packets, 654564 bytes, 8 pps, 11085 bps

# Display traffic statistics for Flowspec rule 1, which is associated with Flowspec interface group 1.

<Sysname> display flowspec statistics 1 flow-interface-group 1

Flow route ID: 0x1

Flowspec interface group: 1

Statistics:

   Matched     : 7981 packets, 1140192 bytes, 15 pps, 21516 bps

   Transmitted : 2979 Packets, 485628 bytes, 7 pps, 10431 bps

   Dropped     : 4002 packets, 654564 bytes, 8 pps, 11085 bps

# Display traffic statistics for all Flowspec interface groups associated with Flowspec rule 1.

<Sysname> display flowspec statistics 1

Flow route ID: 0x1

Flowspec interface group: 1

Statistics:

   Matched     : 7981 packets, 1140192 bytes, 15 pps, 21516 bps

   Transmitted : 2979 Packets, 485628 bytes, 7 pps, 10431 bps

   Dropped     : 4002 packets, 654564 bytes, 8 pps, 11085 bps

 

Flowspec interface group: 2

Statistics:

   Matched     : 7981 packets, 1140192 bytes, 15 pps, 21516 bps

   Transmitted : 2979 Packets, 485628 bytes, 7 pps, 10431 bps

   Dropped     : 4002 packets, 654564 bytes, 8 pps, 11085 bps

 

Flowspec interface group: 3

Statistics:

   Matched     : 7981 packets, 1140192 bytes, 15 pps, 21516 bps

   Transmitted : 2979 Packets, 485628 bytes, 7 pps, 10431 bps

   Dropped     : 4002 packets, 654564 bytes, 8 pps, 11085 bps

Table 19 Command output

Field | Description
Matched | Total number of matching packets and average rate during the last statistics polling interval configured by using the flow-interval command (see Ethernet interface commands in Interface Command Reference).
Transmitted | Number of forwarded matching packets and average forwarding rate during the last statistics polling interval configured by using the flow-interval command (see Ethernet interface commands in Interface Command Reference).
Dropped | Number of dropped matching packets and average dropping rate during the last statistics polling interval configured by using the flow-interval command (see Ethernet interface commands in Interface Command Reference).

 

Related commands

reset flowspec statistics

flow-route ipv6

Use flow-route ipv6 to create an IPv6 Flowspec rule, or enter the view of an existing IPv6 Flowspec rule.

Use undo flow-route ipv6 to delete an IPv6 Flowspec rule.

Syntax

flow-route flowroute-name ipv6

undo flow-route flowroute-name ipv6

Default

No IPv6 Flowspec rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

flowroute-name: Specifies an IPv6 Flowspec rule name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

To delete an IPv6 Flowspec rule applied to a Flowspec IPv6 address family, perform the following tasks:

1.     Execute the undo flow-route ipv6 command in Flowspec IPv6 address family view.

2.     Execute the undo flow-route ipv6 command in system view.

Examples

# Create an IPv6 Flowspec rule named route1.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1]

flow-route (system view)

Use flow-route to create an IPv4 Flowspec rule, or enter the view of an existing IPv4 Flowspec rule.

Use undo flow-route to delete an IPv4 Flowspec rule.

Syntax

flow-route flowroute-name

undo flow-route flowroute-name

Default

No IPv4 Flowspec rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

flowroute-name: Specifies an IPv4 Flowspec rule name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

To delete an IPv4 Flowspec rule applied to a Flowspec IPv4 address family, perform the following tasks:

1.     Execute the undo flow-route command in Flowspec IPv4 address family view.

2.     Execute the undo flow-route command in system view.

Examples

# Create an IPv4 Flowspec rule named route1.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1]

flow-route (Flowspec IPv4 address family view, Flowspec IPv6 address family view)

Use flow-route to apply a Flowspec rule to a Flowspec IPv4 or IPv6 address family.

Use undo flow-route to remove a Flowspec rule from a Flowspec IPv4 or IPv6 address family.

Syntax

flow-route flowroute-name

undo flow-route flowroute-name

Default

No Flowspec rule is applied to a Flowspec IPv4 or IPv6 address family.

Views

Flowspec IPv4 address family view

Flowspec IPv6 address family view

Predefined user roles

network-admin

Parameters

flowroute-name: Specifies an existing Flowspec rule by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

If multiple Flowspec rules are applied to a Flowspec IPv4 or IPv6 address family, you can use the display flow-route command on a Flowspec edge router to display the match order of match criteria that are committed. If match criteria in multiple Flowspec rules can match a packet, the packet is matched by the match criterion that appears at the top.

Examples

# Apply Flowspec rule route1 to the Flowspec IPv4 address family in the public network.

<Sysname> system-view

[Sysname] flowspec

[Sysname-flowspec] address-family ipv4

[Sysname-flowspec-ipv4] flow-route route1

# Apply Flowspec rule route1 to the Flowspec IPv6 address family in the public network.

<Sysname> system-view

[Sysname] flowspec

[Sysname-flowspec] address-family ipv6

[Sysname-flowspec-ipv6] flow-route route1

flow-route flow-interface-group

Use flow-route flow-interface-group to associate a Flowspec rule with a Flowspec interface group.

Use undo flow-route flow-interface-group to restore the default.

Syntax

flow-route flowroute-name flow-interface-group group-id

undo flow-route flowroute-name flow-interface-group group-id

Default

A Flowspec rule is not associated with any Flowspec interface groups.

Views

Flowspec IPv4 address family view

Flowspec IPv6 address family view

Flowspec IPv4 VPN instance address family view

Flowspec IPv6 VPN instance address family view

Predefined user roles

network-admin

Parameters

flowroute-name: Specifies an existing Flowspec rule by its name, a case-sensitive string of 1 to 31 characters.

group-id: Specifies a Flowspec interface group by its ID in the range of 0 to 16383.

Usage guidelines

A Flowspec rule can be associated with more than one Flowspec interface group, and vice versa.

To associate a Flowspec rule already applied in Flowspec IPv4/IPv6 address family view or Flowspec IPv4/IPv6 VPN instance address family view with a Flowspec interface group, first execute the undo flow-route command to remove the Flowspec rule from that address family.

Examples

# Associate Flowspec rule route1 with Flowspec interface group 1.

<Sysname> system-view

[Sysname] flowspec

[Sysname-flowspec] address-family ipv4

[Sysname-flowspec-ipv4] flow-route route1 flow-interface-group 1

Related commands

flowspec flow-interface-group

flowspec

Use flowspec to enter Flowspec view.

Syntax

flowspec

Views

System view

Predefined user roles

network-admin

Examples

# Enter Flowspec view.

<Sysname> system-view

[Sysname] flowspec

[Sysname-flowspec]

flowspec flow-interface-group

Use flowspec flow-interface-group to create a Flowspec interface group, or enter the view of an existing Flowspec interface group.

Use undo flowspec flow-interface-group to delete a Flowspec interface group.

Syntax

flowspec flow-interface-group group-id

undo flowspec flow-interface-group group-id

Default

No Flowspec interface groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies a Flowspec interface group ID in the range of 0 to 16383.

Usage guidelines

By default, a Flowspec router applies a received Flowspec rule to all interfaces on the device. To apply a received Flowspec rule to only some interfaces, perform the following tasks:

1.     Create a Flowspec interface group.

2.     Add those interfaces to the Flowspec interface group by using the interface command.

3.     Associate the Flowspec interface group with the Flowspec rule by using the flow-route flow-interface-group command in Flowspec IPv4 or IPv6 address family view.

Examples

# Create Flowspec interface group 1 and enter its view.

<Sysname> system-view

[Sysname] flowspec flow-interface-group 1

[Sysname-flowspec-interface-group-1]

Related commands

display flowspec flow-interface-group

flow-route flow-interface-group

interface (Flowspec interface group view)

flowspec disable

Use flowspec disable to disable Flowspec on an interface.

Use undo flowspec disable to enable Flowspec on an interface.

Syntax

flowspec disable

undo flowspec disable

Default

Flowspec is enabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Disables IPv6 Flowspec.

Usage guidelines

After you disable Flowspec on an interface, the traffic on the interface does not match Flowspec rules.

The flowspec disable command is mutually exclusive with the flowspec refluence command.

The flowspec disable command can only be executed on a main interface, and cannot be executed on a subinterface. After you execute this command on a main interface, it also takes effect on the subinterfaces of the main interface.

Examples

# Disable both IPv4 Flowspec and IPv6 Flowspec on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] flowspec disable

Related commands

flowspec refluence

flowspec refluence

Use flowspec refluence to configure an interface as the input interface for cleaned traffic.

Use undo flowspec refluence to restore the default.

Syntax

flowspec refluence

undo flowspec refluence

Default

An interface is not the input interface for cleaned traffic.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

To prevent DoS/DDoS attacks, you can redirect suspect traffic to a traffic cleaning device through Flowspec. After the traffic cleaning device identifies and drops attack packets, it returns the legitimate packets to the network. To prevent returned legitimate packets from being redirected to the traffic cleaning device again, execute this command on the interface that receives the legitimate packets.

After you execute this command on an interface, the interface forwards the cleaned traffic in the public network no matter whether the interface is bound to a VPN instance.

This command is mutually exclusive with the flowspec disable command.

The flowspec refluence command can only be executed on a main interface, and cannot be executed on a subinterface. After you execute this command on a main interface, it also takes effect on the subinterfaces of the main interface.

Examples

# Configure Ten-GigabitEthernet 3/1/1 as the input interface for cleaned traffic.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] flowspec refluence

Related commands

flowspec disable

if-match

Use if-match to configure a match criterion in a Flowspec rule.

Use undo if-match to delete a match criterion from a Flowspec rule.

Syntax

if-match match-criteria

undo if-match match-criteria

Default

No match criterion is configured in a Flowspec rule.

Views

IPv4 Flowspec rule view

IPv6 Flowspec rule view

Predefined user roles

network-admin

Parameters

match-criteria: Specifies a match criterion. Table 20 shows the available match criteria.

Table 20 Available match criteria

Match criterion type ID

Option

Description

1

destination-ip ipv4-address { mask-length | mask }

Matches the destination IPv4 address of packets.

The ipv4-address argument specifies an IPv4 address in dotted decimal notation.

The mask-length argument specifies the mask length in the range of 0 to 32.

The mask argument specifies the mask in dotted decimal notation.

1

destination-ipv6 { ipv6-address prefix-length | ipv6-address/prefix-length }

Matches the destination IPv6 address of packets.

The ipv6-address argument specifies an IPv6 address in sets of 16-bit hexadecimal values separated by colons (:).

The prefix-length argument specifies the prefix length in the range of 0 to 128. For the ipv6-address/prefix-length argument, the prefix-length argument cannot be 0.

2

source-ip ipv4-address { mask-length | mask }

Matches the source IPv4 address of packets.

The ipv4-address argument specifies an IPv4 address in dotted decimal notation.

The mask-length argument specifies the mask length in the range of 0 to 32.

The mask argument specifies the mask in dotted decimal notation.

2

source-ipv6 { ipv6-address prefix-length | ipv6-address/prefix-length }

Matches the source IPv6 address of packets.

The ipv6-address argument specifies an IPv6 address in sets of 16-bit hexadecimal values separated by colons (:).

The prefix-length argument specifies the prefix length in the range of 0 to 128. For the ipv6-address/prefix-length argument, the prefix-length argument cannot be 0.

3

protocol { proto-list | proto-name&<1-8> }

Matches a protocol.

The proto-list argument specifies a space-separated list of up to eight protocol items. Each item specifies a protocol or a range of protocols by numerical values in the form of proto-start to proto-end. The value for proto-end must be greater than or equal to the value for proto-start. The value range for the proto argument is 0 to 255.

The proto-name argument specifies up to eight protocols by keyword. The available keywords are: icmp (1), igmp (2), ipinip (4), tcp (6), egp (8), udp (17), ipv6 (41), rsvp (46), gre (47), esp (50), ospf (89), and pim (103).

3

next-header { next-header-list | next-header-name&<1-8> }

Matches the protocol in an IPv6 next header.

The next-header-list argument specifies a space-separated list of up to eight protocol items. Each item specifies a protocol or a range of protocols by numerical values in the form of next-header-start to next-header-end. The value for next-header-end must be greater than or equal to the value for next-header-start. The value range for the next-header argument is 0 to 255.

The next-header-name argument specifies up to eight protocols by keyword. The available keywords are: icmp (1), igmp (2), ipinip (4), tcp (6), egp (8), udp (17), ipv6 (41), rsvp (46), gre (47), esp (50), icmpv6 (58), ospf (89), and pim (103).

4

port port-list

Matches the source and destination port numbers of packets.

The port-list argument specifies a space-separated list of up to eight port number items. Each item specifies a port number or a range of port numbers in the form of port-start to port-end. The value for port-end must be greater than or equal to the value for port-start. The value range for the port argument is 0 to 65535.

5

destination-port port-list

Matches the destination port number of packets.

The port-list argument specifies a space-separated list of up to eight port number items. Each item specifies a port number or a range of port numbers in the form of port-start to port-end. The value for port-end must be greater than or equal to the value for port-start. The value range for the port argument is 0 to 65535.

6

source-port port-list

Matches the source port number of packets.

The port-list argument specifies a space-separated list of up to eight port number items. Each item specifies a port number or a range of port numbers in the form of port-start to port-end. The value for port-end must be greater than or equal to the value for port-start. The value range for the port argument is 0 to 65535.

7

icmp-type type-list

Matches the ICMP type of packets.

The type-list argument specifies a space-separated list of up to eight type items. Each item specifies a type or a range of types in the form of type-start to type-end. The value for type-end must be greater than or equal to the value for type-start. The value range for the type argument is 0 to 255.

8

icmp-code code-list

Matches the ICMP code of packets.

The code-list argument specifies a space-separated list of up to eight code items. Each item specifies a code or a range of codes in the form of code-start to code-end. The value for code-end must be greater than or equal to the value for code-start. The value range for the code argument is 0 to 255.

9

tcp-flags { match | not } tcp-flags [ any ]

Matches the TCP flag of packets.

The match keyword indicates that the specified TCP flags are successful match criteria.

The not keyword indicates that all TCP flags except the specified TCP flags are successful match criteria.

The tcp-flags argument specifies a TCP flag value in the range of 0 to 63. This field in the packet is a 6-bit binary value.

The any keyword matches all packets with the specified bits as 1 in the binary TCP flag values. For example, to match all packets with the first and third bits as 1 in the TCP flag values, configure the if-match tcp-flags match 5 any command. The decimal TCP flag value 5 corresponds to the binary value 000101.

10

packet-length length-list

Matches the Layer 3 packet length (including Layer 3 header) of packets.

The length-list argument specifies a space-separated list of up to 10 length items. Each item specifies a length value or a range of length values in the form of length-start to length-end. The value for length-end must be greater than or equal to the value for length-start. The value range for the length argument is 0 to 65535.

In standard system operating mode, this option is available only for the following cards:

·     CEPC: CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1

·     CSPEX: CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA

·     SPE: RX-SPE200-E

In SDN-WAN system operating mode, this option is available only for the following cards:

·     CEPC: CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1

·     CSPEX: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CSPEX-1802X, CSPEX-1802XA, CSPEX-2612XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA

·     SPE: RX-SPE200, RX-SPE200-E

11

dscp { dscp-name&<1-8> | dscp-list }

Matches the DSCP value of packets.

The dscp-name argument specifies up to eight DSCP values by keyword. Table 2 shows the available keywords.

The dscp-list argument specifies a space-separated list of up to eight DSCP values. Each item specifies a DSCP value or a range of DSCP values in the form of dscp-start to dscp-end. The value for dscp-end must be greater than or equal to the value for dscp-start. The value range for the dscp argument is 0 to 63.

12

fragment-type { match | not } { fragment | non-fragment | fragment-spe-first }

Matches the fragment type.

The match keyword indicates that the specified fragment type is a successful match criterion.

The not keyword indicates that all fragment types except the specified fragment type are successful match criteria.

The fragment keyword matches fragmented packets.

The non-fragment keyword matches non-fragmented packets.

The fragment-spe-first keyword matches the first fragment of fragmented packets.

13

flow-label flow-label-list

Matches the IPv6 flow label.

The flow-label-list argument specifies a space-separated list of up to eight flow label items. Each item specifies a flow label or a range of flow labels by numerical values in the form of flow-label-start to flow-label-end. The value for flow-label-end must be greater than or equal to the value for flow-label-start. The value range for the flow-label argument is 0 to 1048575.

 

Usage guidelines

In a single Flowspec rule, the following rules apply:

·     The port port-list option is mutually exclusive with the source-port port-list or destination-port port-list option.

·     The relationship among match criteria of different types is logic AND.

·     The relationship among match criteria of the same type is logic OR.

If multiple Flowspec rules exist, the device matches the Flowspec rules in ascending order of match criterion type IDs. If a match is found, the matching process stops and the action in the matching Flowspec rule is applied. For the match order of the same-type match criteria, see section 5.1 in RFC 5575.
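The single-rule semantics listed above can be checked offline before a rule is committed. The following is an added example, not H3C code or part of the original reference: it parses the if-match lines of one IPv4 rule against the Table 20 limits, enforces the port exclusivity rule, and evaluates packets with AND across type IDs and OR within a type. The packet field names, the sample rule and the sample packets are constructed; treating the items of one list as alternatives is an assumption; tcp-flags, dscp, fragment-type and the IPv6 options are not modelled.

```python
import ipaddress

# Option: (match criterion type ID, maximum value, maximum list items), per Table 20.
LIST_OPTIONS = {"protocol": (3, 255, 8), "port": (4, 65535, 8),
                "destination-port": (5, 65535, 8), "source-port": (6, 65535, 8),
                "icmp-type": (7, 255, 8), "icmp-code": (8, 255, 8),
                "packet-length": (10, 65535, 10)}
PREFIX_OPTIONS = {"destination-ip": 1, "source-ip": 2}
PROTO_KEYWORDS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "egp": 8, "udp": 17,
                  "ipv6": 41, "rsvp": 46, "gre": 47, "esp": 50, "ospf": 89, "pim": 103}
# Packet dictionary keys (names chosen for this example) each option is compared with.
FIELDS = {"destination-ip": ("dst",), "source-ip": ("src",), "protocol": ("protocol",),
          "port": ("sport", "dport"),  # both ports, as the page's port example words it
          "destination-port": ("dport",), "source-port": ("sport",),
          "icmp-type": ("icmp_type",), "icmp-code": ("icmp_code",),
          "packet-length": ("length",)}


def parse_items(option, tokens):
    """Turn '53 123' or '1200 to 1500' into (start, end) pairs within Table 20 limits."""
    _, max_value, max_items = LIST_OPTIONS[option]
    if option == "protocol" and all(t in PROTO_KEYWORDS for t in tokens):
        tokens = [str(PROTO_KEYWORDS[t]) for t in tokens]
    items, i = [], 0
    while i < len(tokens):
        start = end = int(tokens[i])  # int() raises ValueError on a non-numeric item
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError(f"{option}: range has no end value")
            end = int(tokens[i + 2])
            i += 2
        i += 1
        if not 0 <= start <= end <= max_value:
            raise ValueError(f"{option}: bad item {start} to {end} (limit {max_value})")
        items.append((start, end))
    if len(items) > max_items:
        raise ValueError(f"{option}: more than {max_items} items")
    return items


def parse_rule(lines):
    """Parse the if-match lines of one IPv4 Flowspec rule into {type ID: [criteria]}."""
    rule = {}
    for line in lines:
        words = line.split()
        if len(words) < 3 or words[0] != "if-match":
            raise ValueError(f"not an if-match line: {line!r}")
        option, args = words[1], words[2:]
        if option in PREFIX_OPTIONS:
            if len(args) != 2:
                raise ValueError(f"{option}: expected an address and a mask")
            # IPv4Network accepts a mask length as well as a dotted decimal mask.
            type_id = PREFIX_OPTIONS[option]
            value = ipaddress.IPv4Network("/".join(args), strict=False)
        elif option in LIST_OPTIONS:
            type_id, value = LIST_OPTIONS[option][0], parse_items(option, args)
        else:
            raise ValueError(f"option not covered by this example: {option}")
        rule.setdefault(type_id, []).append((option, value))
    if not rule:
        raise ValueError("rule has no match criterion")
    if 4 in rule and (5 in rule or 6 in rule):
        raise ValueError("port is mutually exclusive with source-port and destination-port")
    return rule


def _hit(option, value, packet):
    fields = [packet.get(key) for key in FIELDS[option]]
    if None in fields:
        return False  # the packet has no such field, for example no ports in ICMP
    if option in PREFIX_OPTIONS:
        return ipaddress.IPv4Address(fields[0]) in value
    # Assumption: the items of one list are alternatives.
    return all(any(lo <= f <= hi for lo, hi in value) for f in fields)


def matches(rule, packet):
    """Different type IDs combine with AND; criteria of the same type ID with OR."""
    return all(any(_hit(option, value, packet) for option, value in criteria)
               for criteria in rule.values())


# Constructed sample: a rule for UDP reflection traffic aimed at a protected prefix.
SAMPLE_RULE = ["if-match destination-ip 192.168.100.1 24", "if-match protocol udp",
               "if-match source-port 53 123", "if-match packet-length 1200 to 1500"]
BASE_PACKET = {"src": "203.0.113.7", "dst": "192.168.100.20", "protocol": 17,
               "sport": 123, "dport": 40000, "length": 1300}
SAMPLE_PACKETS = {
    "large_ntp_reply": BASE_PACKET,
    "other_source_port": {**BASE_PACKET, "sport": 5353},
    "small_ntp_reply": {**BASE_PACKET, "length": 200},
    "tcp_from_port_53": {**BASE_PACKET, "protocol": 6, "sport": 53},
    "other_destination": {**BASE_PACKET, "dst": "198.51.100.9"},
}


def evaluate_samples(rule_lines=SAMPLE_RULE):
    rule = parse_rule(rule_lines)
    return {name: matches(rule, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Calling evaluate_samples() returns one verdict per sample packet; passing the rule with an extra `if-match protocol tcp` line shows the OR relationship within type 3.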

Examples

# Configure Flowspec rule route1 to match packets with destination IPv4 address 192.168.100.1/24.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match destination-ip 192.168.100.1 24

# Configure Flowspec rule route1 to match packets with destination port number 80.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match destination-port 80

# Configure Flowspec rule route1 to match packets with DSCP value af11.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match dscp af11

# Configure Flowspec rule route1 to match all fragmented packets.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match fragment-type match fragment

# Configure Flowspec rule route1 to match packets with ICMP code 0.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match icmp-code 0

# Configure Flowspec rule route1 to match packets with ICMP type 1.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match icmp-type 1

# Configure Flowspec rule route1 to match packets with the packet length in the range of 1200 to 1500 bytes.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match packet-length 1200 to 1500

# Configure Flowspec rule route1 to match packets with both the source and destination port numbers as 80.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match port 80

# Configure Flowspec rule route1 to match ICMP packets.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match protocol icmp

# Configure Flowspec rule route1 to match packets with source IPv4 address 192.168.100.1/24.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match source-ip 192.168.100.1 24

# Configure Flowspec rule route1 to match packets with source port number 23.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match source-port 23

# Configure Flowspec rule route1 to match packets with TCP flag 6.

<Sysname> system-view

[Sysname] flow-route route1

[Sysname-flow-route-route1] if-match tcp-flags match 6

# Configure Flowspec rule route1 to match the IPv6 packets with destination IPv6 address 55:44:77::/24.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1] if-match destination-ipv6 55:44:77:: 24

# Configure Flowspec rule route1 to match the IPv6 packets with flow label value 6.

<Sysname> system-view

[Sysname] flow-route route1 ipv6

[Sysname-flow-route-ipv6-route1] if-match flow-label 6

interface (Flowspec interface group view)

Use interface to add an interface to the Flowspec interface group.

Use undo interface to remove an interface from the Flowspec interface group.

Syntax

interface interface-type interface-number

undo interface interface-type interface-number

Default

A Flowspec interface group does not contain any interfaces.

Views

Flowspec interface group view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

An interface can belong to only one Flowspec interface group.

A Flowspec interface group can contain a maximum of 128 interfaces.

Examples

# Add Ten-GigabitEthernet 3/1/1 to Flowspec interface group 1.

<Sysname> system-view

[Sysname] flowspec flow-interface-group 1

[Sysname-flowspec-interface-group-1] interface ten-gigabitethernet 3/1/1

Related commands

display flowspec flow-interface-group

peer next-hop-invariable

Use peer next-hop-invariable to configure the device to not change the next hop of routes advertised to EBGP peers.

Use undo peer next-hop-invariable to restore the default.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-invariable

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-invariable

Default

The device uses its IP address as the next hop of routes advertised to EBGP peers.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP VPNv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP VPNv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters.

ipv4-address: Specifies a peer by its IPv4 address.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a subnet in this command, the device does not change the next hop of routes advertised to all dynamic peers in the subnet.

ipv6-address: Specifies a peer by its IPv6 address.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet in this command, the device does not change the next hop of routes advertised to all dynamic peers in the subnet.

Usage guidelines

If you configure a redirection action in a Flowspec rule and also want to apply the redirection action on EBGP peers, configure this command. This command enables the device to use the next hop specified in the apply redirect command in routes advertised to EBGP peers.

Examples

# Configure the device to not change the next hop of routes advertised to peer 1.1.1.1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family vpnv4

[Sysname-bgp-default-af-vpnv4] peer 1.1.1.1 next-hop-invariable

# Configure the device to not change the next hop of routes advertised to peer 1:1::1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 flowspec

[Sysname-bgp-default-af-ipv6-flowspec] peer 1:1::1 next-hop-invariable

peer redirect ip rfc-compatible

Use peer redirect ip rfc-compatible to configure the attribute ID for the redirection next hop in IPv4 Flowspec rules as the RFC-specified ID.

Use undo peer redirect ip rfc-compatible to restore the default.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect ip rfc-compatible

Default

The attribute ID for the redirection next hop in static IPv4 Flowspec rules is 0x0800.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP-VPNv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP-VPNv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters.

ipv4-address: Specifies a peer by its IPv4 address.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a mask length, all dynamic peers in the subnet are specified.

ipv6-address: Specifies a peer by its IPv6 address.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a prefix length in this command, all dynamic peers in the subnet are specified.

Usage guidelines

Two types of attribute IDs for the redirection next hop exist: the RFC 8956-specified 0x010C (for IPv4) and 0x000C (for IPv6), and the IETF-specified 0x0800 (for both IPv4 and IPv6). To interoperate with a third-party device that does not support the IETF-specified 0x0800, execute this command.

Examples

# Configure the attribute ID for the redirection next hop in IPv4 Flowspec rules as the RFC-specified 0x010C.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-flowspec-ipv4] peer 1.1.1.1 redirect ip rfc-compatible

peer redirect rt rfc-compatible

Use peer redirect rt rfc-compatible to configure the attribute ID for the redirection VPN target in IPv4 Flowspec rules as the RFC-specified 0x000D.

Use undo peer redirect rt rfc-compatible to restore the default.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect rt rfc-compatible

Default

The attribute ID for the redirection VPN target in static IPv4 Flowspec rules is 0x800B.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP-VPNv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP-VPNv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters.

ipv4-address: Specifies a peer by its IPv4 address.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a mask length, all dynamic peers in the subnet are specified.

ipv6-address: Specifies a peer by its IPv6 address.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a prefix length in this command, all dynamic peers in the subnet are specified.

Usage guidelines

Two attribute IDs for the redirection VPN target exist: RFC 8956-specified 0x000D and IETF-specified 0x800B. To interoperate with a third-party device that does not support IETF-specified 0x800B, you can execute this command.

Examples

# Configure the attribute ID for the redirection VPN target in IPv4 Flowspec rules as the RFC-specified 0x000D.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 flowspec

[Sysname-bgp-default-flowspec-ipv6] peer 10::1 redirect rt rfc-compatible

peer redirect-nexthop

Use peer redirect-nexthop to apply the action of redirecting to a next hop in Flowspec rules.

Use undo peer redirect-nexthop to disable the action of redirecting to a next hop in Flowspec rules.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect-nexthop

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } redirect-nexthop

Default

The action of redirecting to a next hop in Flowspec rules is applied.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP IPv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters.

ipv4-address: Specifies a peer by its IPv4 address.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a mask length, all dynamic peers in the subnet are specified.

ipv6-address: Specifies a peer by its IPv6 address.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a prefix length in this command, all dynamic peers in the subnet are specified.

Examples

# In BGP IPv4 Flowspec address family view, disable the action of redirecting to a next hop in Flowspec rules received from peer group test.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-flowspec-ipv4] undo peer test redirect-nexthop

peer reflect-client

Use peer reflect-client to configure the device as a route reflector and specify a peer or peer group as a client.

Use undo peer reflect-client to remove the configuration.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } reflect-client

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } reflect-client

Default

Neither the route reflector nor the client is configured.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP VPNv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP VPNv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.

ipv4-address: Specifies a peer by its IPv4 address. The peer must have been created.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a subnet, this command configures the device as a route reflector and specifies all dynamic peers in the subnet as clients.

ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, this command configures the device as a route reflector and specifies all dynamic peers in the subnet as clients.

Usage guidelines

Route reflectors solve the problem caused by too many IBGP connections. In an AS, a router acts as a route reflector, and other routers act as clients connecting to the route reflector. The route reflector forwards the routing information received from a client to other clients. In this way, all clients can receive routing information from one another without establishing BGP sessions with one another.

Examples

# In BGP IPv4 Flowspec address family view, configure the local device as a route reflector and specify IBGP peer group test as a client.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-ipv4] peer test reflect-client

# In BGP IPv6 Flowspec address family view, configure the local device as a route reflector and specify IBGP peer group test as a client.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 flowspec

[Sysname-bgp-default-ipv6-flowspec] peer test reflect-client

Related commands

reflect between-clients

reflector cluster-id

peer validation-disable

Use peer validation-disable to disable validation of Flowspec rules from BGP Flowspec peers.

Use undo peer validation-disable to re-enable validation.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-disable

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-disable

Default

Flowspec rules from BGP Flowspec peers are validated.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies an existing peer group by its name, a case-sensitive string of 1 to 47 characters.

ipv4-address: Specifies an existing peer by its IPv4 address.

mask-length: Specifies a mask length in the range of 0 to 32. If you specify a mask length, all dynamic peers in the subnet are specified.

ipv6-address: Specifies an existing peer by its IPv6 address.

prefix-length: Specifies a prefix length in the range of 0 to 128. If you specify a prefix length, all dynamic peers in the subnet are specified.

Usage guidelines

When the device receives a Flowspec rule with a destination IP address match criterion, it looks up the destination IP address in the routing table for the best unicast route. The validation succeeds if the following conditions exist:

·     The unicast route is a BGP route.

·     The sender of the BGP route is the same as the sender of the Flowspec rule.

If you want to use a destination IP address that cannot pass the validation as a match criterion, use this command to disable the validation.

Examples

# In BGP IPv4 Flowspec address family view of the default BGP instance, disable validation of Flowspec rules from BGP Flowspec peer 1.1.1.1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-ipv4-flowspec] peer 1.1.1.1 validation-disable

# In BGP IPv6 Flowspec address family view of the default BGP instance, disable validation of Flowspec rules from BGP Flowspec peer 1:1::1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 flowspec

[Sysname-bgp-default-ipv6-flowspec] peer 1:1::1 validation-disable

peer validation-redirect-disable

Use peer validation-redirect-disable to disable validation of the redirection next hops in Flowspec rules from BGP Flowspec peers.

Use undo peer validation-redirect-disable to re-enable validation of the redirection next hops.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-redirect-disable

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } validation-redirect-disable

Default

The redirection next hops in Flowspec rules from BGP Flowspec peers are validated.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies an existing peer group by its name, a case-sensitive string of 1 to 47 characters.

ipv4-address: Specifies an existing peer by its IPv4 address.

mask-length: Specifies a mask length in the range of 0 to 32. If you specify a mask length, all dynamic peers in the subnet are specified.

ipv6-address: Specifies an existing peer by its IPv6 address.

prefix-length: Specifies a prefix length in the range of 0 to 128. If you specify a prefix length, all dynamic peers in the subnet are specified.

Usage guidelines

When the device receives a Flowspec rule with a redirect-to-nexthop action, it looks up the next hop IP address in the routing table for the best unicast route. The validation succeeds if the following conditions exist:

·     The unicast route is a BGP route.

·     The first AS number of the route is the same as the AS number of the BGP peer that sends the Flowspec rule.

To redirect packets to a next hop that cannot pass the validation, use this command to disable the validation.

Only EBGP peers support this command.

Examples

# In BGP IPv4 Flowspec address family view, disable validation of the redirection next hops in Flowspec rules from BGP Flowspec peer 1.1.1.1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-ipv4-flowspec] peer 1.1.1.1 validation-redirect-disable

# In BGP IPv6 Flowspec address family view, disable validation of the redirection next hops in Flowspec rules from BGP Flowspec peer 1:1::1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 flowspec

[Sysname-bgp-default-ipv6-flowspec] peer 1:1::1 validation-redirect-disable
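
The two checks described under peer validation-disable and peer validation-redirect-disable, modelled in Python as an added example (not H3C code). The routing table, peer addresses and AS numbers are constructed, and the model implements only the conditions stated in the usage guidelines above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class UnicastRoute:
    prefix: str            # destination prefix in the unicast routing table
    protocol: str          # "BGP", "OSPF", "Static", ...
    sender: str = ""       # BGP peer the route was learned from
    as_path: tuple = ()    # AS numbers, first (leftmost) AS first


# Constructed routing table using documentation prefixes; not taken from the page.
RIB = [
    UnicastRoute("203.0.113.0/24", "BGP", sender="1.1.1.1", as_path=(65001,)),
    UnicastRoute("198.51.100.0/24", "BGP", sender="2.2.2.2", as_path=(65002, 65010)),
    UnicastRoute("192.0.2.0/24", "Static"),
]


def best_route(address, rib=RIB):
    """Longest-prefix match, standing in for the best unicast route lookup."""
    ip = ipaddress.ip_network(address, strict=False).network_address
    hits = [r for r in rib if ip in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)


def validate_destination(destination, rule_sender, validation_disabled=False):
    """Check applied to the destination match criterion of a received rule."""
    if validation_disabled:                      # peer ... validation-disable
        return True, "not validated"
    route = best_route(destination)
    if route is None:
        return False, "no unicast route"
    if route.protocol != "BGP":
        return False, "best route is not a BGP route"
    if route.sender != rule_sender:
        return False, "route sender differs from rule sender"
    return True, "validated"


def validate_redirect_nexthop(next_hop, peer_as, validation_disabled=False):
    """Check applied to the next hop of a redirect-to-nexthop action."""
    if validation_disabled:                      # peer ... validation-redirect-disable
        return True, "not validated"
    route = best_route(next_hop)
    if route is None:
        return False, "no unicast route"
    if route.protocol != "BGP":
        return False, "best route is not a BGP route"
    if not route.as_path or route.as_path[0] != peer_as:
        return False, "first AS differs from peer AS"
    return True, "validated"


if __name__ == "__main__":
    # Same rule from two different senders, then a statically routed destination.
    for dest, sender in [("203.0.113.0/24", "1.1.1.1"),
                         ("203.0.113.0/24", "2.2.2.2"),
                         ("192.0.2.0/24", "1.1.1.1")]:
        print("destination", dest, "from", sender, validate_destination(dest, sender))
    # With validation disabled, the mismatched sender is accepted without a check.
    print(validate_destination("203.0.113.0/24", "2.2.2.2", validation_disabled=True))
    for peer_as in (65002, 65010):
        print("next hop 198.51.100.1, peer AS", peer_as,
              validate_redirect_nexthop("198.51.100.1", peer_as))
```

With validation disabled for a peer, a rule from that peer is accepted whether or not the peer advertised the unicast route, so the decision to trust the peer rests entirely on the operator.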

policy vpn-target

Use policy vpn-target to enable route target filtering of received VPN routes. The VPN routes whose export route target attribute matches the local import route target attribute are added to the routing table.

Use undo policy vpn-target to disable route target filtering, permitting all incoming VPN routes.

Syntax

policy vpn-target

undo policy vpn-target

Default

The route target filtering feature is enabled for received VPN routes.

Views

BGP VPNv4 Flowspec address family view

BGP VPNv6 Flowspec address family view

Predefined user roles

network-admin

Usage guidelines

To reflect all received VPN routes to clients without adding them to the routing table, execute the undo policy vpn-target command.

Examples

# Disable route target filtering of received VPNv4 routes.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family vpnv4

[Sysname-bgp-default-vpnv4] undo policy vpn-target

redirect ip recursive-lookup tunnel

Use redirect ip recursive-lookup tunnel to enable recursion to tunnels for Flowspec rules with an action of redirecting to a next hop.

Use undo redirect ip recursive-lookup tunnel to restore the default.

Syntax

redirect ip recursive-lookup tunnel [ tunnel-selector tunnel-selector-name ]

undo redirect ip recursive-lookup tunnel

Default

Recursion to tunnels is disabled for Flowspec rules with an action of redirecting to a next hop.

Views

BGP IPv4 Flowspec address family view

BGP IPv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

tunnel-selector tunnel-selector-name: Specifies a tunnel selector by its name, a case-sensitive string of 1 to 40 characters. If you do not specify a tunnel selector, the device uses the default tunnel selection order to select tunnels. For information about route recursion, see BGP configuration in Layer 3—IP Routing Configuration Guide. For information about tunnel selectors, see tunnel policy configuration in MPLS Configuration Guide.

Examples

# Enable recursion to tunnels for IPv4 Flowspec rules with an action of redirecting to a next hop.

<Sysname> system-view

[Sysname] bgp 200

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-flowspec-ipv4] redirect ip recursive-lookup tunnel tunnel-selector bgp

reflect between-clients

Use reflect between-clients to enable route reflection between clients.

Use undo reflect between-clients to disable route reflection between clients.

Syntax

reflect between-clients

undo reflect between-clients

Default

Route reflection between clients is enabled.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP VPNv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP VPNv6 Flowspec address family view

Predefined user roles

network-admin

Usage guidelines

When a route reflector is configured and its clients are fully meshed, route reflection between the clients is unnecessary and only consumes additional bandwidth resources. You can use the undo reflect between-clients command to disable route reflection instead of modifying network configuration or changing network topology.

After route reflection is disabled between clients, routes can still be reflected between a client and a non-client.

Examples

# In BGP IPv4 Flowspec address family view, disable route reflection between clients.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-ipv4] undo reflect between-clients

# In BGP IPv6 Flowspec address family view, disable route reflection between clients.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 flowspec

[Sysname-bgp-default-ipv6-flowspec] undo reflect between-clients

Related commands

reflector cluster-id

reflector cluster-id

Use reflector cluster-id to configure the cluster ID for a route reflector.

Use undo reflector cluster-id to restore the default.

Syntax

reflector cluster-id { cluster-id | ipv4-address }

undo reflector cluster-id

Default

A route reflector uses its router ID as the cluster ID.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP VPNv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP VPNv6 Flowspec address family view

Predefined user roles

network-admin

Parameters

cluster-id: Specifies the cluster ID in the form of an integer, in the range of 1 to 4294967295.

ipv4-address: Specifies the cluster ID in the form of an IPv4 address in dotted decimal notation.

Usage guidelines

The route reflector and clients form a cluster. Typically a cluster has one route reflector. The ID of the route reflector is the cluster ID.

You can configure more than one route reflector in a cluster to improve network reliability and prevent a single point of failure. Use this command to configure the same cluster ID for all route reflectors in the cluster to avoid routing loops.

Do not configure the router ID of a client as the cluster ID.

Examples

# In BGP IPv4 Flowspec address family view, set the cluster ID on the local router (a reflector in the cluster) to 80.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-ipv4] reflector cluster-id 80

# In BGP VPNv6 Flowspec address family view, set the cluster ID on the local router (a reflector in the cluster) to 80.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family vpnv6 flowspec

[Sysname-bgp-default-flowspec-vpnv6] reflector cluster-id 80

Related commands

reflect between-clients

reflector cluster-id

reset flowspec statistics

Use reset flowspec statistics to clear traffic statistics for a Flowspec rule.

Syntax

reset flowspec statistics flow-route-id [ flow-interface-group group-id ]

Views

Any view

Predefined user roles

network-admin

Parameters

flow-route-id: Specifies a Flowspec rule by its ID in the range of 0 to fffffffffffffffe (hexadecimal). To obtain Flowspec rule IDs, execute the display flow-route command. A Flowspec rule is uniquely identified by its ID.

flow-interface-group group-id: Specifies a Flowspec interface group by its ID in the range of 0 to 16383. If you do not specify a Flowspec interface group, this command clears traffic statistics for all Flowspec interface groups associated with a Flowspec rule.

Examples

# Clear traffic statistics for Flowspec rule 1.

<Sysname> reset flowspec statistics 1

Related commands

display flowspec statistics

route-distinguisher

Use route-distinguisher to configure a route distinguisher (RD).

Use undo route-distinguisher to restore the default.

Syntax

route-distinguisher route-distinguisher

undo route-distinguisher

Default

No RD is configured.

Views

VPN instance view

VPN instance IPv4 Flowspec family address view

VPN instance IPv6 Flowspec family address view

Predefined user roles

network-admin

Parameters

route-distinguisher: Specifies an RD, a string of 3 to 21 characters in one of the following formats:

·     16-bit AS number:32-bit user-defined number. For example, 101:3.

·     32-bit IP address:16-bit user-defined number. For example, 192.168.122.15:1.

·     32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

Usage guidelines

RDs enable VPNs to use the same address space. An RD and an IPv4 prefix form a unique VPN-IPv4 prefix.

If you configure an RD for a VPN instance, all address families in the VPN instance must use the same RD as the VPN instance.

If you do not configure an RD for a VPN instance, address families in the VPN instance can use different RDs.

To configure an RD for a VPN instance, make sure either of the following conditions exists:

·     No RDs have been configured for address families in the VPN instance.

In this case, the RD of the VPN instance will be synchronized to all address families in the VPN instance.

·     All address families in the VPN instance use the same RD.

In this case, you must configure the same RD as the address families for the VPN instance.

When you remove the RD from an address family, the RD will also be removed from the VPN instance of the address family.

To guarantee global uniqueness for a VPN-IPv4 address, do not set the AS number or IP address in an RD to any private AS number or private IP address.

To modify an RD, execute the undo route-distinguisher command to remove the RD and then execute the route-distinguisher command to configure a new RD.

Examples

# Configure RD 22:1 for the IPv4 Flowspec family address of VPN instance vpn1.

<Sysname> system-view

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1] address-family ipv4 flowspec

[Sysname-vpn-flowspec-ipv4-vpn1] route-distinguisher 22:1

route match-destination

Use route match-destination to use the destination address in Flowspec rules to match routing policies.

Use undo route match-destination to restore the default.

Syntax

route match-destination

undo route match-destination

Default

Route prefix 0.0.0.0/0 is used to match routing policies.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP VPNv4 Flowspec address family view

BGP IPv6 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP VPNv6 Flowspec address family view

Predefined user roles

network-admin

Usage guidelines

A Flowspec rule does not carry route prefix information. By default, the device uses the routing policy that matches the destination in a Flowspec rule to filter or modify the Flowspec rule. The device uses route prefix 0.0.0.0/0 to match the destination address in a routing policy for all Flowspec rules. Therefore, the device cannot perform accurate filtering and route attribute control on Flowspec rules.

Execute this command to use the destination address in a Flowspec rule as the route prefix to match routing policies. This allows you to flexibly filter or modify Flowspec rules.

This command must be used with the peer route-policy command, and a destination address match criterion must be configured in the routing policy.

Examples

# In BGP IPv4 Flowspec address family view, use the destination address in Flowspec rules to match routing policies.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-flowspec-ipv4] route match-destination

Related commands

if-match

peer route-policy (Layer 3—IP Routing Command Reference)

routing-table bgp-rib-only (Layer 3—IP Routing Command Reference)

route validation-mode include-as

Use route validation-mode include-as to validate destination address match criteria for only Flowspec rules that contain the AS_SET or AS_SEQ AS_Path attribute.

Use undo route validation-mode include-as to restore the default.

Syntax

route validation-mode include-as

undo route validation-mode include-as

Default

Destination address match criteria are validated for all Flowspec rules.

Views

BGP IPv4 Flowspec address family view

BGP-VPN IPv4 Flowspec address family view

BGP-VPN IPv6 Flowspec address family view

BGP IPv6 Flowspec address family view

Predefined user roles

network-admin

Usage guidelines

By default, a BGP peer validates destination address match criteria in all received Flowspec rules. When a BGP peer receives a Flowspec rule with a destination address match criterion, it looks up the routing table for an optimum unicast route. If the unicast route is a BGP route and the distributor is the same as the distributor of the Flowspec rule, the Flowspec rule passes validation. Then, the match criteria and actions in the Flowspec rule are applied. If the Flowspec rule fails validation, the BGP peer does not apply the match criteria and actions in the Flowspec rule.

This command allows a BGP peer to not validate the destination address match criteria in Flowspec rules with an AS_Path attribute other than the AS_SET and AS_SEQ types.

Examples

# In BGP IPv4 Flowspec address family view, validate destination address match criteria for only Flowspec rules that contain the AS_SET or AS_SEQ AS_Path attribute.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 flowspec

[Sysname-bgp-default-flowspec-ipv4] route validation-mode include-as

vpn-target

Use vpn-target to configure route targets for a VPN instance.

Use undo vpn-target to remove the specified or all route targets of a VPN instance.

Syntax

vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]

undo vpn-target { all | vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ] }

Default

No route targets are configured for a VPN instance.

Views

VPN instance view

VPN instance IPv4 Flowspec family address view

VPN instance IPv6 Flowspec family address view

Predefined user roles

network-admin

Parameters

vpn-target&<1-8>: Specifies a space-separated list of up to eight route targets.

A route target is a string of 3 to 21 characters in one of the following formats:

·     16-bit AS number:32-bit user-defined number. For example, 101:3.

·     32-bit IP address:16-bit user-defined number. For example, 192.168.122.15:1.

·     32-bit AS number:16-bit user-defined number, where the AS number must not be less than 65536. For example, 65536:1.

both: Uses the specified route targets as both import targets and export targets. The both keyword is also used when you do not specify any of the following keywords: both, export-extcommunity, and import-extcommunity.

export-extcommunity: Uses the specified route targets as export targets.

import-extcommunity: Uses the specified route targets as import targets.

all: Removes all route targets.

Usage guidelines

MPLS L3VPN uses route targets to control the advertisement of VPN routing information. A PE adds the configured export targets into the route target attribute of routes advertised to a peer. The peer uses the local import targets to match the route targets of received routes. If a match is found, the peer adds the routes to the routing table of the VPN instance.

You can repeat the vpn-target command to configure multiple route targets.

Route targets configured in VPN instance view apply to both the IPv4 Flowspec family address and the IPv6 Flowspec family address of the VPN instance. Route targets configured in VPN instance IPv4 Flowspec family address view apply only to the IPv4 Flowspec family address of the VPN instance. Route targets configured in VPN instance IPv6 Flowspec family address view apply only to the IPv6 Flowspec family address of the VPN instance.

Route targets configured in VPN instance IPv4 Flowspec family address view have higher priority than route targets configured in VPN instance view. Route targets configured in VPN instance IPv6 Flowspec family address view have higher priority than route targets configured in VPN instance view.

Examples

# Configure route targets for VPN instance vpn1.

<Sysname> system-view

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[Sysname-vpn-instance-vpn1] vpn-target 4:4 import-extcommunity

[Sysname-vpn-instance-vpn1] vpn-target 5:5 both
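
A parser for the three value formats shared by the route-distinguisher and vpn-target parameters, as an added example (not H3C code; the function names are hypothetical). It also flags private AS numbers (RFC 6996) and RFC 1918 addresses, which the route-distinguisher usage guidelines say to avoid in an RD; for route targets the flag is informational only.

```python
import ipaddress
import re
from typing import NamedTuple, Union

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Private-use AS numbers per RFC 6996: 64512-65534 and 4200000000-4294967294.
PRIVATE_AS = (range(64512, 65535), range(4200000000, 4294967295))


class Parsed(NamedTuple):
    kind: str                 # "as2:32", "ip:16" or "as4:16"
    admin: Union[int, str]    # AS number, or IPv4 address as text
    assigned: int             # user-defined number
    private: bool             # True if admin is a private AS or RFC 1918 address


def _number(text, bits, what):
    """Parse a decimal field and enforce its width in bits."""
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f"{what} is not a decimal number: {text!r}")
    value = int(text)
    if value >= 1 << bits:
        raise ValueError(f"{what} {value} does not fit in {bits} bits")
    return value


def parse_rd_or_rt(text):
    """Parse an RD or route target in one of the three formats listed above."""
    if not 3 <= len(text) <= 21:
        raise ValueError("value must be 3 to 21 characters")
    admin, sep, assigned = text.rpartition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if "." in admin:
        # 32-bit IP address:16-bit user-defined number
        ip = ipaddress.IPv4Address(admin)        # raises ValueError if malformed
        return Parsed("ip:16", str(ip), _number(assigned, 16, "user number"),
                      any(ip in net for net in RFC1918))
    asn = _number(admin, 32, "AS number")
    private = any(asn in r for r in PRIVATE_AS)
    if asn < 65536:
        # 16-bit AS number:32-bit user-defined number
        return Parsed("as2:32", asn, _number(assigned, 32, "user number"), private)
    # 32-bit AS number (65536 or higher):16-bit user-defined number
    return Parsed("as4:16", asn, _number(assigned, 16, "user number"), private)


def flag_private(values):
    """Return the values whose AS number or IP address is private."""
    return [v for v in values if parse_rd_or_rt(v).private]


if __name__ == "__main__":
    # The page's own sample values plus one constructed private-AS value.
    for value in ("101:3", "192.168.122.15:1", "65536:1", "22:1", "64512:100"):
        print(value, parse_rd_or_rt(value))
```

The page's format example 192.168.122.15:1 parses correctly but is flagged, because 192.168.122.15 is an RFC 1918 address.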

 

 
