Flowspec on UW System Network

uwsys.net supports BGP Flowspec for members.  When you announce Flowspec rules over a BGP peering session with us, uwsys.net routers will drop the matching traffic destined to your networks.  When possible [rare], Flowspec rules -may- be passed on to upstreams that support BGP Flowspec.

Requirements:

  • One or more direct BGP peering sessions used for announcing FlowSpec rules.
  • While we can technically use the same BGP session as your normal prefix announcement session [if applicable], having two sessions means a misconfiguration of the FlowSpec BGP session is less likely to affect production traffic.  We can also set more appropriate filters and limits on each session separately.

What can this service do?

  • Drop traffic destined to your network based on source address of an outside host
  • Drop traffic destined to your local host, but only for a certain port
  • While it can be used to drop traffic destined to a local host on your network based on IP address [v4 or v6], using BGP blackhole is a less resource-intensive way to accomplish a similar result.
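
As an added illustration (not uwsys.net code or configuration), the Python sketch below encodes the first two rule types listed above as IPv4 Flowspec NLRI per RFC 8955 and refuses any rule whose destination lies outside the announcing member's own prefixes. The prefixes, addresses and port are constructed documentation values, the function names are hypothetical, and the rate-0 discard action is an assumption about how the drop is signalled.

```python
import ipaddress
import struct

# Constructed sample: the member's own IPv4 prefixes (documentation range).
MEMBER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# RFC 8955 traffic-rate extended community (type 0x80, subtype 0x06);
# a rate of 0.0 means discard. Assumed action: the page only says "drop".
DISCARD = bytes([0x80, 0x06]) + struct.pack("!Hf", 0, 0.0)

def prefix_component(comp_type, cidr):
    """Type 1 (destination) or 2 (source): type, prefix length, prefix bytes."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8  # only the significant octets are sent
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_eq(comp_type, value):
    """One '== value' term: operator byte (end-of-list + eq bits), then value."""
    if value < 256:
        return bytes([comp_type, 0x81, value])              # 1-byte value
    return bytes([comp_type, 0x91]) + struct.pack("!H", value)  # 2-byte value

def encode_rule(dest, source=None, protocol=None, dest_port=None):
    """Return the IPv4 Flowspec NLRI; reject destinations the member does not own."""
    dnet = ipaddress.ip_network(dest)
    if not any(dnet.subnet_of(p) for p in MEMBER_PREFIXES):
        raise ValueError(f"{dest} is outside the member's own prefixes")
    body = prefix_component(1, dest)        # components go in ascending type order
    if source:
        body += prefix_component(2, source)
    if protocol is not None:
        body += numeric_eq(3, protocol)     # IP protocol
    if dest_port is not None:
        body += numeric_eq(5, dest_port)    # destination port
    if len(body) >= 240:
        raise ValueError("NLRI needs the 2-byte length form, not handled here")
    return bytes([len(body)]) + body

if __name__ == "__main__":
    # Drop traffic to the member network from one outside host.
    print(encode_rule("198.51.100.0/24", source="203.0.113.7/32").hex())
    # Drop traffic to one local host, but only UDP destination port 1900.
    print(encode_rule("198.51.100.10/32", protocol=17, dest_port=1900).hex())
```
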

Other info:

  • Flowspec counters automatically show up in GNMIS.  Flowspec is listed as an 'app', so you can use a search as follows to get Flowspec results: https://stats.uwsys.net/cgi-bin/gnmis.fcgi?app=%3Dflowspec&verbose=true

Contact engineers via uwsys.net if you are interested in this service.



Keywords: Flowspec on UW System Network   Doc ID: 54311
Owner: Michael H.   Group: University of Wisconsin System Network
Created: 2015-07-24 07:53 CST   Updated: 2015-11-24 13:55 CST
Sites: University of Wisconsin System Network