Enabling BGP to Carry Flow-Specification Routes
You can allow BGP to carry flow-specification NLRI messages. Flow routes are encapsulated into the flow-specification NLRI and propagated through a network or VPNs, sharing filter-like information. Flow routes are an aggregation of match conditions and resulting actions for packets. They provide you with traffic filtering and rate-limiting capabilities much like firewall filters.
When you enable flow-specification routes, you can do the following:
Configuring Flow-Specification Routes for IPv4 Unicast
To enable MP-BGP to carry flow-specification NLRI for the inet address family, include the flow statement:
 | Note: Unicast flow routes are supported for the default instance, VRF instances, and virtual-router instances only. Instance type is configured by including the instance-type statement at the [edit routing-instance instance-name] hierarchy level. |
For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.
Flow routes received using the BGP NLRI messages are validated before they are installed into the flow routing table instance-name.inetflow.0. The validation procedure is described in the Internet draft draft-ietf-idr-flow-spec-09.txt, Dissemination of Flow Specification Rules. You can bypass the validation process and use your own specific import policy.
To disable the validation procedure and use an import policy instead, include the no-validate statement at the [edit protocols bgp group group-name family inet flow] hierarchy level:
Configuring Flow-Specification Routes for Layer 3 VPNs
On routers only, the VPN compares the route target extended community in the NLRI to the import policy. If there is a match, the VPN can start using the flow routes to filter and rate-limit packet traffic. Received flow routes are installed into the flow routing table instance-name.inetflow.0.
Flow routes can also be propagated throughout a VPN network and shared among VPNs, providing filter and rate-limiting capabilities.
To enable MP-BGP to carry flow-specification NLRI for the inet-vpn address family, include the flow statement at the [edit protocols bgp group group-name family inet-vpn] hierarchy level:
| Note: VPN flow routes are supported for the default instance only. Instance type is configured by including the instance-type statement at the [edit routing-instance instance-name] hierarchy level. |
Flow routes configured for VPNs with family inet-vpn are not automatically validated, so the no-validate statement is not supported at the [edit protocols bgp group group-name family inet-vpn] hierarchy level.
For more information on flow routes, see Configuring Flow Routes and the Internet draft draft-marques-idr-flow-spec-09.txt, Dissemination of Flow Specification Rules.
