BGP Flowspec Commands

This module provides command line interface (CLI) commands for configuring BGP Flowspec on the Cisco ASR 9000 Series Router.

class-map type traffic (BGP-flowspec)

To define a traffic class and the associated rules that match packets to the class, use the class-map type traffic command in Global configuration mode. To remove an existing class map from the router, use the no form of this command.

class-map type traffic match-all class-map-name

Syntax Description

match-all

Specifies a match on all of the match criteria.

class-map-name

Name of the class for the class map.

Command Default

None

Command Modes

Global configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to specify class305 as the name of a class and defines a class map for this class.

RP/0/RSP0/CPU0:router# config
RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all class305
RP/0/RSP0/CPU0:router(config-cmap)# match destination-address ipv4 59.2.1.2 255.255.255.0
  

class type traffic

To associate a previously configured traffic class with the policy map, and to enter the configuration mode for the specified system class, use the class type traffic command in the policy map configuration mode.

class type traffic class-name

Syntax Description

class-name

Name of the class for the class map. The class name is used for the class map and to configure policy for the class in the policy map.

Command Default

None

Command Modes

Policy map configuration mode

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to associate a class map with the policy map:

RP/0/RSP0/CPU0:router# config
RP/0/RSP0/CPU0:router(config)# policy-map type pbr p1
RP/0/RSP0/CPU0:router(config-pmap)# class type traffic c1
RP/0/RSP0/CPU0:router(config-pmap-c)# set dscp 34 

destination prefix

To filter flowspec based on destination in flowspec network-layer reachability information (NLRI) using RPL, and apply on neighbor attach point, use the destination prefix command in route-policy configuration mode.

destination prefix {prefix-set-name | inline-prefix-set | parameter}

Syntax Description

prefix-set-name

Name of a prefix set.

inline-prefix-set

Inline prefix set. The inline prefix set must be enclosed in parentheses.

parameter

Parameter name. The parameter name must be preceded with a “$.”

Command Default

No default behavior or values

Command Modes

Route-policy configuration

Command History

Release Modification

Release 5.3.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the destination prefix command as a conditional expression within an if statement.


Note


  • For a list of all conditional expressions available within an if statement, see the if command.

  • This command takes either a named prefix set or an inline prefix set value as an argument. The condition returns true if the destination entry matches any entry in the prefix set or inline prefix set. An attempt to match a destination using a prefix set that is defined but contains no elements returns false.

  • The routing policy language (RPL) provides the ability to test destinations for a match to a list of prefix match specifications using the in operator. The destination prefix command is protocol-independent.

  • In Border Gateway Protocol (BGP), the destination of a route is also known as its network-layer reachability information (NLRI). It comprises a prefix value and a mask length.

  • RPL supports both 32-bit IPv4 prefixes, specified in dotted-decimal format, and 128-bit IPv6 prefixes, specified in colon-separated hexadecimal format.


Task ID

Task ID Operations

route-policy read, write

Examples

In this example, prefix filtering is done based on flowspec destination address:

RP/0/RSP0/CPU0:router(config)# route-policy policy-A
RP/0/RSP0/CPU0:router(config-rpl)# if destination-prefix in pfx then
RP/0/RSP0/CPU0:router(config-rpl-if)# set next-hop 10.0.0.1
RP/0/RSP0/CPU0:router(config-rpl-if)# endif
RP/0/RSP0/CPU0:router(config-rpl)# end-policy

In this example, a route policy and the neighbor address family where it is attached are shown:

prefix-set ipv4_flow2
  150.1.1.0/24,
  150.2.1.0/24
end-set
!

route-policy ipv4_dest_pass
  if destination-prefix in ipv4_flow2 then
    pass
  else
    drop
  endif
end-policy
!

router bgp 100
 bgp router-id 1.1.1.1
 address-family ipv4 unicast
 !
 address-family ipv6 unicast
 !
 address-family ipv4 flowspec
 !
 address-family ipv6 flowspec
 !
 neighbor 33.1.1.2
  remote-as 200
  address-family ipv4 unicast
   route-policy pass in
   route-policy pass out
  !
  address-family ipv4 flowspec
   route-policy ipv4_dest_pass in
  !
 !

drop (BGP-flowspec)

To configure a traffic class to discard packets belonging to a specific class, use the drop command in policy-map class configuration mode. To disable the packet discarding action in a traffic class, use the no form of this command.

drop

no drop

Syntax Description

This command has no keywords or arguments.

Command Default

Disabled

Command Modes

Policy-map class configuration (config-pmap-c)

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to discard packets:

RP/0/RSP0/CPU0:router# config
RP/0/RSP0/CPU0:router(config)# policy-map type pbr match_dest_110.1.1.x_drop
RP/0/RSP0/CPU0:router(config-pmap)# class type traffic match_dest_110.1.1.x
RP/0/RSP0/CPU0:router(config-pmap-c)# drop
  

flowspec

To enter BGP flowspec configuration mode, use the flowspec command in Global configuration mode.

flowspec

Syntax Description

This command has no keywords or arguments.

Command Default

No default behavior or values

Command Modes

Global configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to enter flowspec configuration mode.

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# flowspec
RP/0/RSP0/CPU0:router(config-flowspec)# 

flowspec disable

To disable flowspec configuration on all interfaces, use the flowspec disable command in interface configuration mode.

{ipv4 | ipv6} flowspec disable

Syntax Description

ipv4

Specifies IPv4 interfaces.

ipv6

Specifies IPv6 interfaces.

Command Default

No default behavior or values

Command Modes

Interface configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to disable flowspec configuration on all interfaces.

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet 0/2/0/2
RP/0/RSP0/CPU0:router(config-if)# ipv4 flowspec disable

local-install

To apply local installation of flowspec policy on all interfaces, use the local-install command in appropriate command mode.

local-install interface-all

Syntax Description

interface-all

Installs flowspec policy on all interfaces.

Command Default

No default behavior or values

Command Modes

IPv4 address family configuration

IPv6 address family configuration

VRF IPv4 address family configuration

VRF IPv6 address family configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to install flowspec policy on all interfaces under flowspec subaddress family configuration mode.

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# flowspec
RP/0/RSP0/CPU0:router(config-flowspec)# address-family ipv4
RP/0/RSP0/CPU0:router(config-flowspec-af)# local-install interface-all

match destination-address

To identify a specific destination IP address explicitly as a match criterion in a class map, use the match destination-address command in the class map configuration mode. To remove a specific destination IP address from the matching criteria for a class map, use the no form of this command.

match destination-address {ipv4 | ipv6} address

no match destination-address {ipv4 | ipv6} address

Syntax Description

ipv4

Indicates an IPv4 address.

ipv6

Indicates an IPv6 address.

address

Specifies a destination address.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match a destination ipv4 address:


RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match destination-address ipv4 59.2.1.2 255.255.255.0

match destination-port

To identify a specific destination port as the match criterion for a class map, use the match destination-port command in class map configuration mode. To remove destination port-based match criteria from a class map, use the no form of this command.

match destination-port {destination-port-value | }

no match destination-port {destination-port-value | }

Syntax Description

destination-port-value

A port number. Range is from 0 to 65535.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

The min-value and max-value variables were added.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match a destination port:

RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match destination-port 1
  

match fragment-type

To identify a fragment-type as the match criterion for a class map, use the match fragment-type command in class map configuration mode. To remove fragment-type match criteria from a class map, use the no form of this command.

match fragment-type [dont-fragment] [first-fragment] [is-fragment] [last-fragment]

no match fragment-type [dont-fragment] [first-fragment] [is-fragment] [last-fragment]

Syntax Description

dont-fragment

Matches dont-fragment bit.

first-fragment

Matches first-fragment bit.

is-fragment

Matches is-fragment bit.

last-fragment

Matches last-fragment bit.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match a fragment-type:

RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match fragment-type is-fragment
  

match icmp code

To identify an ICMP (Internet Control Message Protocol) code as the match criterion for a class map, use the match icmp code command in the class map configuration mode. To remove the ICMP code-based match criteria from a class map, use the no form of this command.

match {ipv4 | ipv6} icmp-code {value}

no match {ipv4 | ipv6} icmp-code {value}

Syntax Description

ipv4

Indicates an IPv4 ICMP code.

ipv6

Indicates an IPv6 ICMP code.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match an IPv4 ICMP code:

RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match ipv4 icmp-code 1
  

match icmp type

To identify an ICMP (Internet Control Message Protocol) type as the match criterion for a class map, use the match icmp type command in class map configuration mode. To remove the icmp type-based match criteria from a class map, use the no form of this command.

match {ipv4 | ipv6} icmp-type {value}

no match {ipv4 | ipv6} icmp-type {value}

Syntax Description

ipv4

Indicates an IPv4 ICMP type.

ipv6

Indicates an IPv6 ICMP type.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match an IPv4 ICMP type:

RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match ipv4 icmp-type 1
  

match packet length

To specify the packet length in the IP header as a match criterion in a class map, use the match packet length command in class-map configuration mode. To remove a previously specified packet length as a match criterion, use the no form of this command.

match packet length {value | }

no match packet length {value | }

Syntax Description

value

IP packet length. Range is from 0 to 65535.

Command Default

No default behavior or values.

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match a packet length value:

RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match packet length 3
  

match source-address

To identify a specific source MAC address or an IP address explicitly as a match criterion in a class map, use the match source-address command in the class map configuration mode. To remove a specific source MAC address or an IP address from the matching criteria for a class map, use the no form of this command.

match source-address { mac | ipv4 | ipv6 } address

no match source-address { mac | ipv4 | ipv6 } address

Syntax Description

mac

Indicates a MAC address.

ipv4

Indicates an IPv4 address.

ipv6

Indicates an IPv6 address.

address

Specifies a source address.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 3.7.2

This command was introduced for MAC addresses.

Release 5.2.0

Support for IP addresses was added.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The match source-address command specifies a source address that is used as the match criterion against which packets are checked to determine if they belong to the class specified by the class map.

To use the match source-address command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. If you specify more than one match source-address command in a class map, only the last command entered applies.

This command is supported on an input service policy only.

Layer 2 match criteria on a Layer 3 target, or Layer 3 match criteria on a Layer 2 target is not allowed.

The match source-address command is supported on egress Layer 2 interfaces, Layer 2 subinterfaces, and Layer 3 physical interfaces. Layer 3 physical interfaces are supported, because it is possible for a Layer 3 interface to have underlying Layer 2 subinterfaces.

The match source-address command is allowed on a policy map that is attached to an Ethernet interface. The command is invalid on a policy that is attached to a Packet-over-SONET/SDH (POS) interface or a routed VLAN subinterface.

The 48-bit MAC address to match is specified in xxxx.xxxx.xxxx format on L2VPN PE interfaces.

Examples

This example shows how to match a source MAC address:


RP/0/RSP0/CPU0:router(config)# class-map match-any A
RP/0/RSP0/CPU0:router(config-cmap)# match source-address mac 0003.f0d0.2356

This example shows how to match a source IPv4 address:


RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all A
RP/0/RSP0/CPU0:router(config-cmap)# match source-address ipv4 59.2.1.2 255.255.255.0

match source-port

To identify a specific source port as the match criterion for a class map, use the match source port command in class map configuration mode. To remove source port-based match criteria from a class map, use the no form of this command.

match source-port {source-port-value | }

no match source-port {source-port-value | }

Syntax Description

source-port-value

A port number. Range is from 0 to 65535.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match a source port:

RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match source-port 1
  

match tcp flag

To identify a TCP flag as the match criterion for a class map, use the match tcp flag command in class map configuration mode. To remove the tcp flag based match criteria from a class map, use the no form of this command.

match tcp-flag value any

no match tcp-flag value any

Syntax Description

value

TCP flag value. Range is from 1 to 4095 (hexadecimal).

any

Specifies a match based on any bit in the TCP flag.

Command Default

No default behavior or values

Command Modes

Class map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to match a TCP flag:

RP/0/RSP0/CPU0:router(config)# class-map type traffic match-all
RP/0/RSP0/CPU0:router(config-cmap)# match tcp-flag 2 any
  

redirect (BGP Flowspec)

To route policy based routing (PBR) traffic to a distributed denial-of-service (DDoS) scrubber, use the redirect command in policy-map configuration mode. To return the PBR traffic to its normal route, use the no form of this command.

redirect {default-route | nexthop} {IPv4-address | IPv6-address | route-target {AS-number:index | IPv4-address:index} | vrf vrf-name}

no redirect [default-route | nexthop]

Syntax Description

default-route

Forwards to the default nexthop for this packet

nexthop

Forwards to specified nexthop

IPv4-address

Input IPv4 nexthop address.

IPv6-address

Input IPv6 nexthop address.

route-target

Enter a specific route-target string.

AS-number:index

Enter a 2-byte or 4-byte autonomous system number (AS) and an index in hexadecimal or decimal format.

IPv4-address:index

Enter an IPv4 address and an index in hexadecimal or decimal format.

vrf vrf-name

Enter a specific VRF name for the nexthop.

Command Default

None

Command Modes

Policy-map configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to redirect PBR traffic to a virtual routing and forwarding (VRF) instance:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# policy-map type pbr test1
RP/0/RSP0/CPU0:router(config-pmap)# class type traffic test1
RP/0/RSP0/CPU0:router(config-pmap-c)# redirect nexthop vrf vrf1

service-policy

To configure service policy on a flowspec subaddress family interface, use the service-policy command in appropriate command mode.

service-policy type pbr policy-name

Syntax Description

type

Specifies type of the service policy.

pbr

Specifies a policy-based routing (PBR) policy map.

policy-name

Name of the policy map.

Command Default

No default behavior or values

Command Modes

IPv4 address family configuration

IPv6 address family configuration

VRF IPv4 address family configuration

VRF IPv6 address family configuration

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows how to set up a service policy.

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# flowspec
RP/0/RSP0/CPU0:router(config-flowspec)# address-family ipv4
RP/0/RSP0/CPU0:router(config-flowspec-af)# service-policy type pbr policy100

show flowspec

To display flowspec policy information for an interface, use the show flowspec command in EXEC mode.

show flowspec {afi-all | client | ipv4 | ipv6 | summary | vrf}

Syntax Description

afi-all

Displays flowspec policy applied on IPv4 and IPv6 interfaces.

client

Displays flowspec client interfaces.

ipv4

Displays flowspec policy applied on IPv4 interfaces.

ipv6

Displays flowspec policy applied on IPv6 interfaces.

summary

Displays flowspec policy summary on all interfaces.

vrf

Displays flowspec policy applied on VRF interfaces.

Command Default

No default behavior or values

Command Modes

EXEC

Command History

Release Modification

Release 5.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

This example shows sample output from the show flowspec command when the vrf, ipv4, and summary keywords are used.

RP/0/RSP0/CPU0:router# show flowspec vrf vrf1 ipv4 summary
Mon May 19 12:59:41.226 PDT
Flowspec VRF+AFI table summary:
VRF: vrf1
  AFI: IPv4
    Total Flows:              3
    Total Service Policies:   1
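The summary output above has a fixed shape (a VRF line, an AFI line, then the two counters), which makes it easy to poll and compare against a recorded baseline. The Python below is an added example, not Cisco code: it parses constructed output in that shape and reports the tables whose installed flow count has grown past the baseline; the sample second VRF and the baseline values are constructed.

```python
import re

# Constructed sample output in the shape of 'show flowspec vrf vrf1 ipv4 summary',
# extended with a second VRF/AFI table so the parser handles several sections.
SAMPLE_OUTPUT = """\
Mon May 19 12:59:41.226 PDT
Flowspec VRF+AFI table summary:
VRF: vrf1
  AFI: IPv4
    Total Flows:              3
    Total Service Policies:   1
VRF: vrf2
  AFI: IPv6
    Total Flows:              40
    Total Service Policies:   0
"""

COUNTER = re.compile(r"^\s*Total (Flows|Service Policies):\s*(\d+)\s*$")


def parse_flowspec_summary(text: str) -> dict:
    """Return {(vrf, afi): {"flows": n, "service_policies": m}} for every
    VRF/AFI table in the summary; the timestamp and header lines are skipped."""
    tables = {}
    vrf = afi = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("VRF:"):
            vrf = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("AFI:"):
            afi = stripped.split(":", 1)[1].strip()
            tables[(vrf, afi)] = {"flows": 0, "service_policies": 0}
        else:
            m = COUNTER.match(line)
            if m and (vrf, afi) in tables:
                key = "flows" if m.group(1) == "Flows" else "service_policies"
                tables[(vrf, afi)][key] = int(m.group(2))
    return tables


def flows_over_baseline(summary: dict, baseline: dict) -> list:
    """Keys of tables whose installed flow count exceeds the operator's recorded
    baseline (tables absent from the baseline are expected to hold 0 flows).
    A table that jumps above its baseline is worth correlating with what the
    flowspec peer advertised, since every received rule becomes a forwarding action."""
    return [key for key, counts in sorted(summary.items())
            if counts["flows"] > baseline.get(key, 0)]


if __name__ == "__main__":
    summary = parse_flowspec_summary(SAMPLE_OUTPUT)
    for key in flows_over_baseline(summary, {("vrf1", "IPv4"): 3}):
        print(f"{key[0]}/{key[1]}: {summary[key]['flows']} flows above baseline")
```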

source prefix

To filter flowspec based on source in flowspec network-layer reachability information (NLRI) using RPL, and apply on neighbor attach point, use the source prefix command in route-policy configuration mode.

source prefix {prefix-set-name | inline-prefix-set | parameter}

Syntax Description

prefix-set-name

Name of a prefix set.

inline-prefix-set

Inline prefix set. The inline prefix set must be enclosed in parentheses.

parameter

Parameter name. The parameter name must be preceded with a “$.”

Command Default

No default behavior or values

Command Modes

Route-policy configuration

Command History

Release Modification

Release 5.3.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the source prefix command as a conditional expression within an if statement. A comparison that references a prefix set with zero elements in it returns false.


Note


  • For a list of all conditional expressions available within an if statement, see the if command.

  • The source of a BGP route is the IP peering address of the neighboring router from which the route was received.

  • The prefix set can contain both IPv4 and IPv6 prefix specifications.


Task ID

Task ID Operations

route-policy read, write

Examples

In this example, prefix filtering is done based on flowspec source address:


RP/0/RSP0/CPU0:router(config)# route-policy policy-A
RP/0/RSP0/CPU0:router(config-rpl)# if source-prefix in my-prefix-set then
pass
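The destination-prefix test in the ipv4_dest_pass policy shown earlier and the source-prefix test in this section both rely on the RPL in operator, including the rule that a defined-but-empty prefix set never matches. The following Python is an added example, not Cisco code, that models such an inbound flowspec route-policy over constructed NLRIs; the prefix-set parser, the handling of an le length qualifier, the FlowspecNlri class and the treatment of a missing NLRI component as no match are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

@dataclass(frozen=True)
class PrefixEntry:
    network: Network
    le: Optional[int] = None  # RPL "le N" length qualifier; None = exact match only

def parse_prefix_set(body: str) -> list:
    """Parse the comma-separated entries of a prefix-set block, e.g. the
    ipv4_flow2 set: "150.1.1.0/24, 150.2.1.0/24". An entry may carry an
    "le N" qualifier ("150.1.0.0/16 le 32") to admit more-specific prefixes."""
    entries = []
    for item in body.split(","):
        parts = item.split()
        if not parts:
            continue
        le = int(parts[2]) if len(parts) == 3 and parts[1] == "le" else None
        entries.append(PrefixEntry(ipaddress.ip_network(parts[0]), le))
    return entries

def entry_matches(entry: PrefixEntry, candidate: Network) -> bool:
    """One prefix-set entry tested against one NLRI prefix component."""
    if entry.network.version != candidate.version:
        return False
    if entry.le is None:
        return candidate == entry.network  # same prefix and same length
    return (candidate.subnet_of(entry.network)
            and entry.network.prefixlen <= candidate.prefixlen <= entry.le)

def prefix_in_set(candidate: Optional[Network], entries: list) -> bool:
    """The RPL 'in' test behind destination-prefix and source-prefix: true when
    the component matches any entry. A set that is defined but has no elements
    can match nothing, so it returns False, as the usage guidelines state.
    A missing NLRI component is treated as no match (assumption)."""
    if candidate is None:
        return False
    return any(entry_matches(e, candidate) for e in entries)

@dataclass(frozen=True)
class FlowspecNlri:
    destination: Optional[str] = None  # prefix component, e.g. "150.1.1.0/24"
    source: Optional[str] = None

def evaluate(nlri: FlowspecNlri, dest_set: list, src_set: Optional[list] = None) -> str:
    """Mirror of route-policy ipv4_dest_pass (pass if destination-prefix in the
    set, else drop), optionally extended with a source-prefix test."""
    dest = ipaddress.ip_network(nlri.destination) if nlri.destination else None
    if not prefix_in_set(dest, dest_set):
        return "drop"
    if src_set is not None:
        src = ipaddress.ip_network(nlri.source) if nlri.source else None
        if not prefix_in_set(src, src_set):
            return "drop"
    return "pass"

def filter_received(routes: list, dest_set: list, src_set: Optional[list] = None) -> dict:
    """Apply the policy to every received flowspec NLRI, as the inbound
    route-policy on the ipv4 flowspec address family does for a neighbor."""
    return {r: evaluate(r, dest_set, src_set) for r in routes}

# Constructed sample: the prefix set from the configuration above and three
# received rules (exact match, more-specific, and a prefix we do not own).
IPV4_FLOW2 = parse_prefix_set("150.1.1.0/24, 150.2.1.0/24")
RECEIVED = [
    FlowspecNlri(destination="150.1.1.0/24", source="203.0.113.0/24"),
    FlowspecNlri(destination="150.1.1.128/25"),
    FlowspecNlri(destination="198.51.100.0/24"),
]

if __name__ == "__main__":
    for nlri, verdict in filter_received(RECEIVED, IPV4_FLOW2).items():
        print(f"{nlri.destination:18} -> {verdict}")
```

Only the rule whose destination is exactly 150.1.1.0/24 passes; the /25 is dropped because an entry without an le qualifier is an exact-length match, so a set meant to cover customer space needs explicit qualifiers.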