Create a BGP Flowspec

Perform the following steps to create a new BGP Flowspec:

  1. Navigate to Configuration > BGP > Flowspec.
  2. On the Flowspec page, click Create. The Create Flowspec Rule page appears.
  3. Configure the fields described in Table 116.

    Table 116: BGP Flowspec Fields

    Name
      Enter a name for the BGP Flowspec.

    Description
      Enter a short description.

    Operational Mode
      Select one of the following options:

      • Disabled—Select the option to send the Flowspec configuration to the edge router.
      • Enabled—Select the option to pull back the Flowspec configuration from the edge router.

    Auto Remove on Stop Mitigation
      Select the check box to automatically remove the Flowspec rule from the A10 Defend Orchestrator App and the TPS device after the mitigation stops. System-created BGP Flowspecs are always removed after the mitigation stops.

    Zone
      Select a zone to deploy the BGP Flowspec on all the IPs or subnets in the zone.

    Mitigator Group
      Select the mitigator group on which you want to configure the BGP Flowspec.

    Traffic Filtering Action
      Select the action that the router applies to traffic that matches the Flowspec configuration:

      • Deny—The router denies (blocks) the traffic.
      • Marking - DSCP—The router changes the Differentiated Services (DiffServ) Code Point (DSCP) value in the IP header to the specified value. If you select Marking - DSCP, you must enter a DSCP value.
      • Marking - IPv6 Traffic Class—The router changes the IPv6 Traffic Class value in the IP header to the specified value. If you select Marking - IPv6 Traffic Class, you must enter a Traffic Class.
      • Traffic Rate—The router applies a rate limit, in bytes per second, to the traffic. If you select Traffic Rate, you must enter a Traffic Rate.
      • Redirect to TPS (Extended Community)—The router sends the traffic to the TPS device, using the TPS outside interface IP address. If you select this action, you must also configure the mitigator interface. To configure the outside interface IP, go to Devices > Device List. For more information, see Device List.
      • Redirect to TPS (NLRI)—The router sends the traffic to the TPS device, using the TPS outside interface IP address. If you select this action, you must also configure the mitigator interface. To configure the outside interface IP, go to Devices > Device List. For more information, see Device List.
        NOTE: Depending on the source and destination address type, next-hop-nlri should use either an IPv4 or an IPv6 address for the mitigator outside interface IP in Redirect to TPS (NLRI).
      • Redirect to VRF—The router sends the traffic to the VRF device. Enter the route target as one of the following:
        • VRF Target String—Enter the VRF route target.
        • IP Host RT—Enter the route target IP.
        • Index—Enter the route target IP index.
        NOTE: VRF Target String and IP Host RT/Index are mutually exclusive.
      • Traffic Action—The attack traffic can be sampled to gather information about the attack. If you select Traffic Action, you must also configure the terminal action and the sample log.

    Mitigators
      Displays the following:

      • Mitigator
      • DDoS Outside the Interface IP

    Copy Actions
      Select this check box to request that the router mirror the traffic to the TPS.

    Filter by Source
      Configure the following options to filter the traffic by its source:

      • Source Address Type—Select the source address type, IPv4 or IPv6.
      • Source IP—Enter the source IP address of the incoming traffic that you want to filter. If you select this option, the Source Subnet field is disabled.
      • Source Subnet—Enter the subnet of the incoming traffic that you want to filter (1 to 63 characters). If you select this option, the Source IP Host field is disabled.
      • Source Port—Click the Plus (+) sign and enter the following:
        • Operator—Select an option from the drop-down list.
        • Number—Enter a value.

    Filter by Destination
      Configure the following options to filter the traffic by its destination:

      • Destination Address Type—Select the destination address type, IPv4 or IPv6.
      • Destination IP—Enter the destination IP address of the outgoing traffic that you want to filter. If you select this option, the Destination Subnet field is disabled.
      • Destination Subnet—Enter the subnet of the outgoing traffic that you want to filter (1 to 63 characters). If you select this option, the Destination IP Host field is disabled.
      • Destination Port—Click the Plus (+) sign and enter the following:
        • Operator—Select an option from the drop-down list.
        • Number—Enter a value.

    Filter by Additional Attributes
      Configure any of the following attributes to filter the traffic:

      • Protocols
      • Source and Destination Ports
      • ICMP Types
      • ICMP Codes

      For each attribute, click the Plus (+) sign and enter the following:

      • Operator—Select an option from the drop-down list.
      • Number / Type / Code—Enter a value.

    TCP Flags
      Select one of the following options to determine whether the TCP flags defined under TCP Flags Bitmask must be present or absent:

      • Match Any
      • No Match
      • Match All

    TCP Flags Bitmask
      Enter a value of 1 to 26 characters and select one of the following check boxes:

      • CWR
      • ECE
      • URG
      • ACK
      • PSH
      • RST
      • SYN
      • FIN

    Fragmentation
      Select one of the following check boxes:

      • Is fragment
      • First fragment
      • Last fragment
      • Don't fragment

    Packet Lengths
    DSCPs
      For either field, click the Plus (+) sign and enter the following:

      • Operator—Select Equals, Greater than, Less than, or Between from the drop-down list.
      • Length / DSCP—Enter a value.
  4. Perform one of the following:

    • Save—Saves the BGP Flowspec configuration.
    • Save and Deploy—Saves and deploys the BGP Flowspec configuration and the associated mitigator group.
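The fields above are a GUI front end for the match components and filtering actions that BGP Flowspec carries on the wire (RFC 8955, with RFC 7674 for the IPv4 route-target form of a VRF redirect). The following Python is an added example, not code from A10 or from this documentation: it encodes a rule that uses the page's match fields (destination subnet, protocol, destination port with the Between operator, TCP flags with a bitmask) and emits the extended community for each Traffic Filtering Action except the two Redirect to TPS variants, whose next-hop handling is outside this example. The component type numbers, operator-byte layout and community type codes are from the RFCs; the function names, the mapping of the GUI's Match Any / No Match / Match All choices onto the bitmask operator bits, the AS number 0 in the traffic-rate community, and every sample value are assumptions made for the illustration.

```python
# Added example (not A10 code): wire encoding of a BGP Flowspec rule per RFC 8955.
# Function names, GUI-to-operator mapping and sample values are constructed here.
import ipaddress
import struct

# RFC 8955 section 4.2 component types; the NLRI must list them in ascending order
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# The check boxes under "TCP Flags Bitmask", as bits of the TCP flags byte
TCP_FLAG = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
            "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def _len_bits(value: int):
    """Smallest RFC 8955 value length (1, 2, 4 or 8 bytes) as (len bits, byte count)."""
    for code, nbytes in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * nbytes):
            return code << 4, nbytes
    raise ValueError("value does not fit in 8 bytes")

def prefix_component(ctype: int, prefix: str) -> bytes:
    """Source/Destination Subnet: prefix length, then only the bytes that cover it."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype: int, terms) -> bytes:
    """Ports, protocol, ICMP type/code, packet length, DSCP as (op, value) terms.
    Consecutive terms are ANDed, so the GUI operators map to: Equals -> [("eq", v)],
    Greater than -> [("gt", v)], Less than -> [("lt", v)], Between -> [("ge", a), ("le", b)]."""
    flag = {"eq": 0x01, "gt": 0x02, "lt": 0x04, "ge": 0x03, "le": 0x05}
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        lenbits, nbytes = _len_bits(value)
        opbyte = flag[op] | lenbits
        if i > 0:
            opbyte |= 0x40            # a-bit: AND with the previous term
        if i == len(terms) - 1:
            opbyte |= 0x80            # e-bit: last term of the list
        out.append(opbyte)
        out += value.to_bytes(nbytes, "big")
    return bytes(out)

def tcp_flags_component(flags, mode: str) -> bytes:
    """TCP Flags + TCP Flags Bitmask. Assumed mapping of the GUI choices onto the
    RFC 8955 bitmask operator: match_all -> m=1 ((data & mask) == mask),
    match_any -> m=0 ((data & mask) != 0), no_match -> not=1, m=0 ((data & mask) == 0)."""
    mask = 0
    for name in flags:
        mask |= TCP_FLAG[name]
    opbyte = 0x80 | {"match_all": 0x01, "match_any": 0x00, "no_match": 0x02}[mode]
    return bytes([TCP_FLAGS, opbyte, mask])

def tcp_flags_match(component: bytes, packet_flags: int) -> bool:
    """Evaluate an encoded TCP flags component against a packet's flag byte."""
    opbyte, mask = component[1], component[2]
    hit = (packet_flags & mask) == mask if opbyte & 0x01 else (packet_flags & mask) != 0
    return (not hit) if opbyte & 0x02 else hit

def flowspec_nlri(components) -> bytes:
    """Length prefix (1 byte below 240, else 2 bytes) followed by the sorted components."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body

# Traffic Filtering Actions as RFC 8955 section 7 extended communities
def action_traffic_rate(bytes_per_sec: float, asn: int = 0) -> bytes:
    """Traffic Rate: 2-byte AS (assumed 0) + IEEE float32 rate; a rate of 0 is Deny."""
    return b"\x80\x06" + struct.pack(">Hf", asn, bytes_per_sec)

def action_deny() -> bytes:
    return action_traffic_rate(0.0)

def action_mark_dscp(dscp: int) -> bytes:
    """Marking - DSCP: the 6-bit DSCP value sits in the last byte."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP must be 0..63")
    return b"\x80\x09" + bytes(5) + bytes([dscp])

def action_traffic_action(sample: bool, terminal: bool) -> bytes:
    """Traffic Action: S (sample) and T (terminal) bits in the last byte."""
    return b"\x80\x07" + bytes(5) + bytes([(0x02 if sample else 0) | (0x01 if terminal else 0)])

def action_redirect_vrf(target: str) -> bytes:
    """Redirect to VRF. 'AS:nn' is the VRF Target String form (type 0x8008);
    'a.b.c.d:nn' is the IP Host RT / Index form (type 0x8108, RFC 7674)."""
    admin, _, assigned = target.rpartition(":")
    if "." in admin:
        return b"\x81\x08" + ipaddress.IPv4Address(admin).packed + struct.pack(">H", int(assigned))
    return b"\x80\x08" + struct.pack(">HI", int(admin), int(assigned))

if __name__ == "__main__":
    # Constructed sample: TCP SYN traffic to 192.0.2.0/24, ports Between 1024 and 2048
    rule = flowspec_nlri([
        prefix_component(DEST_PREFIX, "192.0.2.0/24"),
        numeric_component(IP_PROTO, [("eq", 6)]),
        numeric_component(DEST_PORT, [("ge", 1024), ("le", 2048)]),
        tcp_flags_component(["SYN"], "match_all"),
    ])
    print("NLRI:", rule.hex())
    print("Traffic Rate 1 MB/s:", action_traffic_rate(1_000_000.0).hex())
```

Two details are worth checking against whatever the router actually announces: the Between operator is two ANDed terms, so a rule whose lower bound exceeds its upper bound matches nothing, and the No Match choice is only meaningful together with a non-empty bitmask, since an empty mask never "hits" and the negation then matches every packet.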

Copyright © 2024 A10 Networks, Inc. All Rights Reserved.