Recent disruptions to two undersea internet cables in the Baltic Sea have yet again...
3.8 Flowspec Policies
To review Flowspec policies, select the Routing Policies option from the main menu and proceed to the Flowspec Policies tab.
Flowspec must be enabled globally for each IRP instance under Configuration > Global as well as each router under BGP > Router Name > Advanced tab.
The list displays all the enabled and disabled Flowspec policies configured for a particular IRP instance. Click any of the “Redirect”, “Throttle”, “Drop” or “Redirect IP” options to see a list of policies of a particular type. Flowspec policies are also grouped as follows: Prefix Policies, ASN Policies, Country Policies, and Other Policies (Protocol/DSCP).
Figure 3.8.1: Flowspec policies
Depending on the selected policy type tab, the list highlights:
- The ON/OFF state of each policy
- A source ASN/prefix/country and port(s) for matching packets
- A destination prefix and port(s) for matching packets
- DSCP traffic classification value
- Protocols of matching packets, e.g., TCP, UDP, or ICMP
- Redirect IP or Provider for the redirect to VRF policies
- A note to describe the policy
- The available actions for the policy:
→ Display detailed information about the FlowSpec policy
→ Duplicate the Flowspec policy
→ Edit the Flowspec policy
→ Remove the Flowspec policy
A Flowspec policy is added by clicking on the designated “ADD NEW RULE” button.
Figure 3.8.2: Flowspec policy popup
The first step prompts you to choose the IRP instance as well as the type of Flowspec policy you are about to create. There are 4 options:
- Policy by Prefix
- Policy by ASN
- Policy by Country
- Protocol/DSCP policy
Depending on the selection, some of the following parameters should be configured:
- Source Prefix/ASN/Country/Port(s): The source ASN/prefix and port(s) of the IP packets that match. A prefix in CIDR notation or a single IP address should be provided. Multiple valid TCP/UDP ports can be provided, as well as port ranges.
ASN/Country Flowspec policies can be set up only on the source of IP packets
Ensure that routers are capable of processing a large number of Flowspec rules before setting policies for an AS/Country consisting of a very large number of network segments (prefixes)- Destination Prefix/Port: The destination prefix/port attribute of the IP packets that match. Same rules as for Source Prefix/Port(s) apply
- Protocols: packet protocols that match the policy. Can be filtered down to one or a combination of the following protocols: TCP, UDP, ICMP
- DSCP traffic classification value
- Policy Type: The type of the policy (Throttle, Drop, Redirect, or Redirect IP)
- Provider specifies one of the provider identifiers where traffic will be redirected. The provider is set only for Redirect policies
In order for Redirect policies to be implemented on routers, an extended community value must be assigned to them, and VRF must be configured on the router itself. Consult Noction support for details- Rate limits the allowed bandwidth usage for matching traffic. The value is set only for Throttling policies. The rate specifies a number in the range of 1-4200 Mbps
- Exempted Prefixes/ASNs are the lists excluded from country policies. The fields are relevant to the country policies only.
When creating an ASN Flowspec rule and selecting the Throttle policy type, the value introduced under “Rate limit” applies to individual prefixes within the AS, and not the Autonomous System as a wholeIf the provided Flowspec policy attributes are incomplete or invalid on attempting to submit it, a warning will be raisedFor more details, refer to Flowspec configuration parameters, for example: global.flowspec,
core.flowspec.max, core.flowspec.max_ipv6, bgpd.peer.X.flowspec,peer.X.flowspec.ipv4.redirect_community, peer.X.flowspec.ipv6.redirect_community.
core.flowspec.max, core.flowspec.max_ipv6, bgpd.peer.X.flowspec,peer.X.flowspec.ipv4.redirect_community, peer.X.flowspec.ipv6.redirect_community.