BGP Flowspec allows to propagate filtering rules using the BGP machinery. When using the base flowspec specification, the advertised filters will be installed to every BGP Flowspec speakers without any control on the targeted interfaces or filtering direction.
The IETF document draft-ietf-idr-flowspec-interfaceset extends BGP Flowspec with a new attribute that specifies the target set of interfaces. I recently upstreamed a patch in ExaBGP to support draft-ietf-idr-flowspec-interfaceset. This short post describes the associated configuration.
s@SRV:~/github$ more exabgp/conf.txt
neighbor 10.1.0.1 {
local-address 40.1.0.2;
router-id 10.1.0.2;
peer-as 65000;
local-as 65000;
flow {
route MYROUTE {
match {
source 1.1.1.1/32;
destination 2.2.2.2/32;
}
scope {
interface-set [ transitive:input:3:3 non-transitive:output:12:1 transitive:input-output:1:1 ];
}
then {
discard;
}
}
}
}
The last ExaBGP code can be retrieved at https://github.com/Exa-Networks/exabgp.
The IETF document draft-ietf-idr-flowspec-interfaceset extends BGP Flowspec with a new attribute that specifies the target set of interfaces. I recently upstreamed a patch in ExaBGP to support draft-ietf-idr-flowspec-interfaceset. This short post describes the associated configuration.
s@SRV:~/github$ more exabgp/conf.txt
neighbor 10.1.0.1 {
local-address 40.1.0.2;
router-id 10.1.0.2;
peer-as 65000;
local-as 65000;
flow {
route MYROUTE {
match {
source 1.1.1.1/32;
destination 2.2.2.2/32;
}
scope {
interface-set [ transitive:input:3:3 non-transitive:output:12:1 transitive:input-output:1:1 ];
}
then {
discard;
}
}
}
}
A new configuration stanza called "scope" has been added to the flow/route hierarchy. The scope allows the configuration of interface-sets extended communities that will be associated to the flowspec route.
The configuration supports both transitive and non-transitive versions of the interface-set extended community.
The format of the interface-set is <T>:<direction>:<as>:<group-id> where:
- <T> describes the flavor of the community to be used: transitive or non-transitive.
- <direction> describes the direction of the filter when applied on an interface: input, output or input-output.
- <as> describes the AS number of the node owning the interface-set.
- <group-id> describes the identifier of the group of interfaces where the filter will be applied.
The last ExaBGP code can be retrieved at https://github.com/Exa-Networks/exabgp.