When the base router BGP instance receives a non-VPN-aware flow IPv4 or IPv6 route that is considered valid and best, the system attempts to construct an IPv4 or IPv6 filter entry from the NLRI contents and actions encoded in the UPDATE message. If successful, the filter entry is added to the system-created ‟fSpec-0” IPv4 embedded filter or to the ‟fSpec-0” IPv6 embedded filter. These embedded filters can be inserted into configured IPv4 and IPv6 filter policies that are applied to ingress traffic on a selected set of the base router IP interfaces. These interfaces can include network interfaces, IES SAP interfaces, and IES spoke SDP interfaces.
When the VPRN BGP instance receives a non-VPN-aware flow IPv4 or IPv6 route from a BGP peer of the VPRN or imports a VPN-aware FlowSpec-VPN IPv4 or IPv6 route that was received in the base router BGP instance and considered to be valid and best, the system attempts to construct an IPv4 or IPv6 filter entry from the NLRI contents and actions encoded in the UPDATE message. If successful, the filter entry is added to the system-created "fSpec-$vprnid" IPv4 embedded filter or to the "fSpec-$vprnid" IPv6 embedded filter. $vprnid represents a parameter value that is unique to each VPRN. These embedded filters can be inserted into configured IPv4 and IPv6 filter policies that are applied to ingress traffic on one or more of the IP interfaces on the VPRN.
When FlowSpec rules are embedded into a user-defined filter policy, configure the insertion point of the rules using the following commands:
MD-CLI
configure filter ip-filter embed flowspec offset
configure filter ipv6-filter embed flowspec offsetclassic CLI
configure filter ip-filter embed-filter flowspec offset
configure filter ipv6-filter embed-filter flowspec offsetThe sum of the configured maximum number of FlowSpec routes and offset must not exceed the maximum filter entry ID range.