BGP Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

BGP flowspec IPv6 packet length

Overview

Introduces BGP flowspec IPv6 packet length functionality and provides instructions for enabling IPv6 packet length support, enhancing traffic filtering capabilities in IPv6 environments.

BGP flowspec IPv6 packet length support is a BGP flowspec feature that

  • enables matching and filtering of IPv6 packets based on their length attribute,

  • allows enforcement of network policies that consider IPv6 packet size, and

  • is configured with the hw-module profile flowspec ipv6-packet-len-enable command and requires a hardware reload to activate.

IPv6 address structure and flowspec matching criteria

Table 1. Feature History Table

Feature Name: Enabling BGP Flowspec for IPv6 Packet Length
Release Information: Release 25.4.1
Feature Description: Introduced in this release on: Fixed Systems (8010 [ASIC: A100]) (select variants only*)
*This feature is now supported on:
  • 8011-32Y8L2H2FH
  • 8011-12G12X4Y-A
  • 8011-12G12X4Y-D

Feature Name: Enabling BGP Flowspec for IPv6 Packet Length
Release Information: Release 25.3.1
Feature Description: Introduced in this release on: Fixed Systems (8010 [ASIC: A100]) (select variants only*)
*This feature is supported on Cisco 8011-4G24Y4H-I routers.

Feature Name: Enabling BGP Flowspec for IPv6 Packet Length
Release Information: Release 25.1.1
Feature Description: Introduced in this release on: Fixed Systems (8700 [ASIC: K100]) (select variants only*)
*This feature is supported on Cisco 8712-MOD-M routers.

Feature Name: Enabling BGP Flowspec for IPv6 Packet Length
Release Information: Release 24.4.1
Feature Description: Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100]) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*)
*This feature is supported on:
  • 8212-48FH-M
  • 8711-32FH-M
  • 88-LC1-36EH
  • 88-LC1-12TH24FH-E
  • 88-LC1-52Y8H-EM

Feature Name: Enabling BGP Flowspec for IPv6 Packet Length
Release Information: Release 7.10.1
Feature Description: Services such as end-to-end security, quality of service (QoS), and globally unique addresses are now supported for IPv6 packet lengths, which allows your networks to scale and provides them with global reachability. Support for IPv6 packet lengths also means that, in terms of the matching criteria, support for BGP Network Layer Reachability Information (BGP NLRI) type-10 flowspec for IPv6 is added.

This feature introduces the following to enable BGP flowspec for IPv6 packet length:

An IPv6 address is 128 bits (16 bytes), structured as eight 16-bit hexadecimal blocks separated by colons in the format x:x:x:x:x:x:x:x. BGP flowspec uses match conditions that can reference IPv6 packet length fields, which are 16 bits wide.

See the Supported matching criteria section for details on BGP NLRI Flowspec types and their matching fields.

IPv6 flowspec packet length policies

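  • An operator could define a flowspec policy to drop all IPv6 packets with a length between 0 and 65535 bytes, affecting traffic based on packet size. Because the length field is 16 bits wide, the range 0 to 65535 covers every possible length; a narrower range limits the match to packets of a particular size.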

  • Flowspec rules can match on /128 IPv6 addresses, either full source or destination address.


Enable BGP flowspec IPv6 packet length support

Enable hardware support for matching IPv6 packet length in BGP flowspec policies.

By default, BGP flowspec IPv6 packet length matching is disabled. Enabling this feature allows you to create and enforce flowspec policies that match IPv6 packets based on their length, on supported hardware.

Before you begin

  • Verify that your hardware platform supports the IPv6 packet length feature.

  • Ensure you have access and permission to reload the router.

Follow these steps to enable the BGP flowspec IPv6 packet length feature:

Procedure

1. Enable the flowspec IPv6 packet length profile.

Example:

Router(config)# hw-module profile flowspec ipv6-packet-len-enable
Router(config)# commit

You must reload the chassis for this setting to take effect.

2. Define a traffic class.

Example:

Router(config)# class-map type traffic match-all class1
Router(config-cmap)# match protocol tcp
Router(config-cmap)# match destination-address ipv6 2:1:1::1/64
Router(config-cmap)# match packet length 0 65535
Router(config-cmap)# end-class-map

3. Define a policy map and associate the action.

Example:

Router(config)# policy-map type pbr policy1
Router(config-pmap)# class type traffic class1
Router(config-pmap-c)# drop
Router(config-pmap-c)# end

4. Use the show flowspec ipv6 detail command to verify the flowspec policy that is applied on IPv6 interfaces.

Example:

Router# show flowspec ipv6 detail

Thu Dec 15 09:51:29.018 UTC
 
AFI: IPv6
  Flow           :Source:193:95::/0-112,TCPFlags:=0x10,Length:>=0&<=65535
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :             7202356/921901568          
      Transmitted         :                   0/0                  
      Dropped             :             7202356/921901568          
  Flow           :Source:193:96::/0-112,TCPFlags:=0x10,Length:>=0&<=65535
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :             7203124/950812368          
      Transmitted         :                   0/0                  
      Dropped             :             7203124/950812368          
  Flow           :Source:193:97::/0-112,TCPFlags:=0x10,Length:>=0&<=65535
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :             7203444/950854608          
      Transmitted         :                   0/0                  
      Dropped             :             7203444/950854608          
  Flow           :Source:193:98::/0-112,TCPFlags:=0x10,Length:>=0&<=65535
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :             7204032/922116096          
      Transmitted         :                   0/0                  
      Dropped             :             7204032/922116096          
  Flow           :Source:193:99::/0-112,TCPFlags:=0x10,Length:>=0&<=65535
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :             7202944/950788608          
      Transmitted         :                   0/0                  
      Dropped             :             7202944/950788608
------More--------

5. Use the show flowspec afi-all detail command to verify the flowspec policy applied on IPv4 and IPv6 interfaces.

Example:

Router# show flowspec afi-all detail
Tue Aug 16 08:41:29.893 UTC
 
AFI: IPv6
  Flow           :Dest:193:1::2/0-128,Source:192:1::/0-64,NH:=6,DPort:>=7000&<=20000,SPort:>=7000&<=20000,Length:>=100&<=300,DSCP:=10
    Actions      :DSCP: af21  (policy.1.v6_pm_policymap_set1.v6_cm_1)
    Statistics                        (packets/bytes)
      Matched             :                   0/0                 
      Transmitted         :                   0/0                 
      Dropped             :                   0/0                 
  Flow           :DSCP:=18
    Actions      :Traffic-rate: 0 bps  (policy.1.v6_pm_policymap_drop1.v6_cm_dscp)
    Statistics                        (packets/bytes)
      Matched             :               17487/2238336           
      Transmitted         :                   0/0                 
      Dropped             :               17487/2238336

IPv6 packet length matching is enabled for BGP flowspec on the router. You can now create and apply flowspec policies that use IPv6 packet length as a matching condition.
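
An added example, not part of the Cisco guide: a Python script that parses show flowspec detail output in the format shown in steps 4 and 5 and flags rules whose length range covers the whole 16-bit space, rules that have matched nothing, and drop rules that still transmit packets. The sample text is constructed from the output above; the function names and the restriction to the Length:>=A&<=B form are assumptions of this example.

```python
import re

# Constructed sample in the format of the `show flowspec ... detail` output above.
SAMPLE = """\
AFI: IPv6
  Flow           :Source:193:95::/0-112,TCPFlags:=0x10,Length:>=0&<=65535
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :             7202356/921901568
      Transmitted         :                   0/0
      Dropped             :             7202356/921901568
  Flow           :Dest:193:1::2/0-128,Length:>=100&<=300,DSCP:=10
    Actions      :DSCP: af21  (policy.1.v6_pm_policymap_set1.v6_cm_1)
    Statistics                        (packets/bytes)
      Matched             :                   0/0
      Transmitted         :                   0/0
      Dropped             :                   0/0
"""

# Assumption: only the ">=A&<=B" length form seen on the page is recognised.
LENGTH_RE = re.compile(r"Length:>=(\d+)&<=(\d+)")
COUNTER_RE = re.compile(r"^\s*(Matched|Transmitted|Dropped)\s*:\s*(\d+)/(\d+)")

def parse_flows(text):
    """Return one dict per Flow entry: spec, action, length range, packet counters."""
    flows = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Flow") and ":" in s:
            spec = s.split(":", 1)[1]
            m = LENGTH_RE.search(spec)
            flows.append({"spec": spec, "action": "", "packets": {},
                          "length": (int(m[1]), int(m[2])) if m else None})
        elif s.startswith("Actions") and flows:
            flows[-1]["action"] = s.split(":", 1)[1].strip()
        elif flows and (c := COUNTER_RE.match(line)):
            flows[-1]["packets"][c[1]] = int(c[2])  # packet count, bytes ignored
    return flows

def audit(flow):
    """Findings for one flow: no-op length range, idle rule, leaking drop rule."""
    findings = []
    p = flow["packets"]
    if flow["length"] == (0, 65535):
        findings.append("length range spans all 16-bit values; it does not narrow the match")
    if p.get("Matched", 0) == 0:
        findings.append("no packets matched yet")
    if flow["action"].startswith("Traffic-rate: 0 bps") and p.get("Transmitted", 0):
        findings.append("drop rule is transmitting packets")
    return findings
```
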