Refer to the exhibit. A network operator recently configured BGP FlowSpec for the internal IT network. What will be inferred from the configuration deployed on the network?
A. The policy is configured locally on CSR1 and drops all traffic for TCP ports 80 and 443
B. The policy is configured locally on CSR1 and currently has no active traffic
C. The policy is learned via BGP FlowSpec and drops all traffic for TCP ports 80 and 443
D. The policy is learned via BGP FlowSpec and has active traffic
C: (bgp.1) is displayed in the clients that receive policies from bgp flowspec
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/215637-configure-bgp-ipv6-flowspec.html
A is the best answer. The policy is locally configured on the router and drops all traffic either destined to 10.6.5.0/24 network or HTTP and HTTPS traffic.
The bgp in the Actions row indicates that this flow is received via BGP, so this rules out answers A and B. D cannot be correct because the counters displayed on the output are not a "rate" but rather a total of previously matched traffic, so we cannot know if there is traffic currently on the interface that is matching this flow. C is correct because the rule is received via BGP and the action to be taken is to set a traffic rate of 0, meaning drop the traffic.
I cannot get past the word "all traffic" -> in a Network Engineer's language, when you say ALL Traffic for TCP Port 80 -> it means 'Destination-IP = ANY "AND" TCP-Port = 80' -> which is obviously not true because the policy has a specific Destination-IP written. Therefore, my vote goes for D which is also correct saying that it's learnt via BGP and has Active Traffic on it (as evidenced by the Matched/Dropped Packet count).
For a locally configured policy we see:
RP/0/0/CPU0:P1#show flowspec ipv4 detail
Fri Jul 12 02:05:45.266 UTC
AFI: IPv4
Flow :Dest:88.88.88.88/32
Actions :Traffic-rate: 0 bps (policy.1.FLOWSPEC-PMAP.FLOWSPEC)
For a BGP-learnt policy we see:
PE1#show flowspec ipv4 detail
AFI: IPv4
Flow :Dest:88.88.88.88/32
Actions :Traffic-rate: 0 bps (bgp.1)
Statistics (packets/bytes)
Matched : 0/0
Dropped : 0/0
Hence, answer is D.
We are not dropping ALL traffic, only traffic for ports 80/443 to addresses 10.6.5.0/24
I rectify my previous answer… According to a lab test, the answer seems to be “C”. Also, this document explains the traffic-rate output:
https://www.cisco.com/c/en/us/td/docs/routers/ncs6000/software/ncs6k-7-4/routing/configuration/guide/b-routing-cg-ncs6000-74x/implementing-bgp-flowspec.html
“A traffic-rate of 0 causes discarding of all traffic for the particular flow.”
Option C is right, because it does not say it drops "ALL THE TRAFFIC"; it says it drops all the traffic "FOR" port TCP and UDP. Remember HTTP and HTTPS are TCP.
Packets matched and dropped is just a counter; it does not necessarily mean there is current active traffic passing by. So D is not right.
I think this is a trick question where you don't pick the apparent obvious answer, it needs more checking. The output shows what was learned from the BGP flowspec policy and in there it tells us what is configured in the policy to match, what actions and the match/drops for any active traffic:
Policy is configured for:
Dest:10.6.5.0/24
Destination ports 80 and 443
Actions: traffic-rate: 0 bps
So traffic matching the above will be dropped
We see there is active traffic from Matched 12 and Dropped 12 packets
But the policy is NOT configured to drop ALL traffic (ie to any destination) for TCP ports 80 and 443, only traffic for destination 10.6.5.0/24 and ports 80 and 443. It would include TCP and UDP as the protocol has not been configured for specific protocol 6 (TCP) or 17 (UDP)
C is not correct for what we see configured.
I still think D is correct because indeed this policy is learned via BGP FlowSpec and does have active traffic on it, as shown by the Matched and Dropped counters.
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSPG-3012.pdf
I go for D
Why?
Policy is learned via BGP Flowspec
It has active traffic shown by the matches and drops
The configuration does NOT drop ALL TCP ports 80 and 443 from what we see. It is only port 80 and 443 for destination 10.6.5.0/24, protocol number is missing for TCP/UDP.
Anybody agree or disagree?
The correct answer is C.
If it was locally configured, it would list the name of the policy-map tied to it.
Showing (bgp.1) means that it's configured on another node, and this one is the client.
(just replicated this in GNS3)
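Added example, not part of any comment above and not Cisco tooling: a small parser for the `show flowspec ipv4 detail` text quoted in the thread. It classifies each flow by the tag in the Actions line and flags a traffic-rate of 0 as a drop. The names `parse_flowspec` and `matched_since` are hypothetical, and the mapping of the `bgp.` and `policy.` prefixes to origin is an assumption taken from the two outputs shown in the thread.

```python
import re

# Text of the two outputs quoted in the thread above (local policy, then BGP-learned).
SAMPLE = """\
RP/0/0/CPU0:P1#show flowspec ipv4 detail
AFI: IPv4
Flow :Dest:88.88.88.88/32
Actions :Traffic-rate: 0 bps (policy.1.FLOWSPEC-PMAP.FLOWSPEC)
PE1#show flowspec ipv4 detail
AFI: IPv4
Flow :Dest:88.88.88.88/32
Actions :Traffic-rate: 0 bps (bgp.1)
Statistics (packets/bytes)
Matched : 0/0
Dropped : 0/0
"""

FLOW_RE = re.compile(r"^\s*Flow\s*:\s*(?P<match>\S.*)$")
ACTION_RE = re.compile(r"^\s*Actions\s*:\s*(?P<action>.*?)\s*\((?P<tag>[^)]+)\)\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<name>Matched|Dropped)\s*:\s*(?P<pkts>\d+)/(?P<octets>\d+)\s*$")
RATE_RE = re.compile(r"Traffic-rate:\s*(\d+)\s*bps")

def parse_flowspec(text):
    """Return one dict per flow: match, tag, origin, drops, matched, dropped."""
    flows, cur = [], None
    for line in text.splitlines():
        if m := FLOW_RE.match(line):
            cur = {"match": m["match"].strip(), "tag": None, "origin": "unknown",
                   "drops": False, "matched": None, "dropped": None}
            flows.append(cur)
        elif cur is None:
            continue  # prompt, timestamp, or AFI line before the first flow
        elif m := ACTION_RE.match(line):
            cur["tag"] = m["tag"]
            # Assumption taken from the thread: "bgp." = received, "policy." = local.
            cur["origin"] = ("bgp" if m["tag"].startswith("bgp.")
                             else "local" if m["tag"].startswith("policy.") else "unknown")
            rate = RATE_RE.search(m["action"])
            cur["drops"] = rate is not None and int(rate.group(1)) == 0
        elif m := COUNTER_RE.match(line):
            cur[m["name"].lower()] = int(m["pkts"])  # packet count only
    return flows

def matched_since(earlier, later):
    """Packets matched between two snapshots of the same flow (counters are totals)."""
    return (later["matched"] or 0) - (earlier["matched"] or 0)

if __name__ == "__main__":
    for f in parse_flowspec(SAMPLE):
        print(f["match"], f["origin"], "drop" if f["drops"] else "other", f["matched"])
```

Because the Matched and Dropped values are running totals, `matched_since` needs two captures taken some time apart to say whether traffic is hitting the rule now.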