Configuration Precautions for BGP Flow Specification

Feature Requirements

Table 1 Feature requirements

Feature Requirements

Series

Models

BGP IPv6 Flow Specification may encounter the following configuration conflicts:

1. If both a port type and a source or destination port type are configured in the same BGP IPv6 Flow Specification route, a conflict occurs.

2. If a port type or a source or destination port type and an ICMPTYPE or ICMPCODE type are configured in the same BGP Flow Specification route, a conflict occurs.

3. If a non-TCP/UDP protocol type and a port type or a source or destination port type are configured in the same BGP IPv6 Flow Specification route, a conflict occurs.

4. If a non-ICMP protocol type and an ICMPTYPE or ICMPCODE type are configured in the same BGP IPv6 Flow Specification route, a conflict occurs.

5. The rule type configured in the BGP IPv6 Flowspec route is not supported.

6. The rule parameter configured in the BGP IPv6 Flowspec route is out of the valid range.

7. The valid range of same-type rules configured in a BGP IPv6 Flowspec route is null.

If a conflicting rule is configured, the rule is not delivered.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP Flow Specification does not support last fragment check.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP Flow Specification does not deliver the rule with TCP-FLAG being NOT 0.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP Flow Specification may encounter the following configuration conflicts:

1. If both a port type and a source or destination port type are configured in the same BGP Flow Specification route, a conflict occurs.

2. If a port type or a source or destination port type and a TCP flag type are configured in the same BGP Flow Specification route but no protocol type is configured, a conflict occurs.

3. If a port type, a source or destination port type, or a TCP flag type and an ICMPTYPE or ICMPCODE type are configured in the same BGP Flow Specification route, a conflict occurs.

4. If a non-TCP/UDP protocol type and a port type or a source or destination port type are configured in the same BGP Flow Specification route, a conflict occurs.

5. If a non-TCP protocol type and a TCP flag type are configured in the same BGP Flow Specification route, a conflict occurs.

6. If a non-ICMP protocol type and an ICMPTYPE or ICMPCODE type are configured in the same BGP Flow Specification route, a conflict occurs.

7. The rule type configured in the BGP Flowspec route is not supported.

8. The rule parameter configured in the BGP Flowspec route is out of the valid range.

9. The valid range of same-type rules configured in a BGP Flowspec route is null.

If a conflicting rule is configured, the rule is not delivered.
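Because a conflicting rule is not delivered, the filter an operator expects is not in force, so it is worth checking rules before they are configured or advertised. The following is an added example, not Huawei code: it models only the combination conflicts from the IPv4 and IPv6 lists above plus the IPv6 match types this page lists as unsupported, and the dictionary key names and sample rules are assumptions of the example.

```python
TCP, UDP, ICMP, ICMPV6 = 6, 17, 1, 58  # IANA protocol numbers
# Match types the page lists as unsupported for BGP IPv6 Flow Specification.
IPV6_UNSUPPORTED = ("fragment_type", "tcp_flags", "packet_length", "dscp")


def flowspec_conflicts(rule, ipv6=False):
    """Return the reasons `rule` would conflict and therefore not be delivered.

    `rule` is a dict of match type -> value; the key names are assumptions of
    this example, and `protocol` is a set of IP protocol numbers.
    """
    def has(*keys):
        return any(k in rule for k in keys)

    reasons = []
    protos = set(rule.get("protocol", ()))
    any_port = has("port", "src_port", "dst_port")
    flags = has("tcp_flags")
    icmp = has("icmp_type", "icmp_code")
    # Assumption: for IPv6 routes the "ICMP" protocol is ICMPv6 (58).
    icmp_proto = ICMPV6 if ipv6 else ICMP

    if ipv6:
        reasons += [f"{k} not supported for IPv6" for k in IPV6_UNSUPPORTED if k in rule]
    if has("port") and has("src_port", "dst_port"):
        reasons.append("port with source/destination port")
    # IPv4 item 2, read literally: ports AND TCP flags, with no protocol at all.
    if not ipv6 and any_port and flags and not protos:
        reasons.append("port and tcp_flags without protocol")
    if icmp and (any_port or (flags and not ipv6)):
        reasons.append("port/tcp_flags with ICMP type/code")
    if any_port and protos - {TCP, UDP}:
        reasons.append("port with non-TCP/UDP protocol")
    if not ipv6 and flags and protos - {TCP}:
        reasons.append("tcp_flags with non-TCP protocol")
    if icmp and protos - {icmp_proto}:
        reasons.append("ICMP type/code with non-ICMP protocol")
    return reasons


# Constructed sample rules, not taken from any device.
SAMPLES = {
    "ok_dns_drop": {"protocol": {UDP}, "dst_port": 53},
    "port_plus_dst": {"protocol": {TCP}, "port": 80, "dst_port": 80},
    "gre_with_port": {"protocol": {47}, "dst_port": 4789},
    "icmp_on_tcp": {"protocol": {TCP}, "icmp_type": 8},
}
if __name__ == "__main__":
    for name, rule in SAMPLES.items():
        print(name, flowspec_conflicts(rule) or "no modelled conflict")
```

An empty result means only that none of the modelled combinations applies; the unsupported-type, out-of-range and null-range conditions in the lists are not checked here.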

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

If both the redirection next-hop IP address and redirection vpn-target are configured for BGP Flow Specification, redirection vpn-target takes effect.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP Flow Specification does not support the redirect-to-next-hop action of replication.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP IPv6 Flow Specification does not support matching rules based on fragment-type, tcp-flags, packet-length, or dscp.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

If rate limiting is configured for Flowspec, MF classification, and QPPB, the rate limiting takes effect as follows:

Forwarding actions and non-forwarding actions take effect in a specific order. For a non-forwarding action: QPPB > MF classification > Flowspec. For an action of redirecting traffic to a VPN: MF classification > QPPB > Flowspec. For an action of redirecting traffic to a next hop: Flowspec > MF classification > QPPB. Non-forwarding actions in Flowspec include rate limiting and re-marking DSCP.

Forwarding actions include: redirecting traffic to a VPN and redirecting traffic to a next hop.

If a forwarding action and a non-forwarding action are configured, both actions take effect.

Two-level CAR is supported. Third-level CAR does not take effect.

CAR takes effect in the following order: QPPB > MF classification > Flowspec.

The preceding restrictions do not apply to interface CAR, which can take effect in QPPB, MF classification, and Flowspec at the same time.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP FlowSpec protection takes effect on unicast packets, not on reserved multicast packets to be sent to the CPU of a device. By default, the device does not match such multicast packets against an MF traffic classification rule. After this function is enabled, BGP FlowSpec protection also takes effect on the reserved multicast packets to be sent to the CPU. In this case, the function of preventing protocol disconnections does not take effect.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP Flow Specification does not deliver the rule with TCP-FLAG being any-match 0.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

The flowspec refluence and traffic-policy commands are mutually exclusive on an interface.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

Protocol protection is enabled by default. FlowSpec processing is not performed on packets with destination addresses set to the local address. Such packets are processed based on the local CPU security policy for attack prevention.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP Flow Specification protection does not take effect for reserved multicast protocol packets of BGP, LDP, and OSPF.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

BGP IPv6 Flow Specification can match fragment packets, but cannot identify whether a packet is the first fragment or a subsequent fragment.

1. In the static configuration scenario, the rule for matching the first fragment and subsequent fragments cannot be configured.

2. In the dynamic advertisement scenario, if the rule is for matching the first fragment or subsequent fragments, the rule does not take effect.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

When the flowspec ipv4-fragment-rule switch command is configured or deleted, the IPv4 fragment filtering rules for BGP Flow Specification routes become invalid temporarily.

NetEngine 8000 F

NetEngine 8000 F2A/NetEngine 8000 F1A

Copyright © Huawei Technologies Co., Ltd.