sflow-rt ddos protect with rtbh


Dzung Nguyen

Feb 2, 2026, 1:52:07 PM
to sFlow-RT
Hello!
I have set up sflow-rt with ddos-protect. I captured traffic with tcpdump and found that when I set the action to Drop in ddos-protect, BGP from sflow-rt sent the IP and community 65535:666, but I found the route does not discard traffic.
I'm asking if I need to add
"flowspec
local-install interface-all"
to the configuration for RTBH?

This is my config. I am using a Cisco ASR 9006.

community-set RTBH
  65535:666
end-set

route-policy RTBH-IN
  if community matches-any RTBH then
    set next-hop discard
    set local-preference 1000
    set weight 32768
    pass
  endif
  drop
end-policy

route-policy AcceptAll
  done
end-policy

router bgp 135464
address-family ipv4 flowspec
 neighbor 12.16.2.101
  remote-as  135464
  description flowrt
  update-source Bundle-Ether98.66
  address-family ipv4 unicast
   route-policy RTBH-IN in
   soft-reconfiguration inbound always
  !
  address-family ipv4 flowspec
   route-policy AcceptAll in
  !
 !

Peter Phaal

Feb 2, 2026, 10:45:48 PM
to sFlow-RT
You don't need to enable flowspec if you are just doing RTBH. 

It sounds like ddos-protect is running correctly, receiving sFlow, connecting via BGP, and sending the RTBH route. Normally your site edge router wouldn't implement the blackhole itself - it is going to pass the RTBH route up to the service provider router so the traffic is dropped upstream, before it saturates your WAN link.

This looks like an IOS-XR configuration issue. Unfortunately, I don't have access to a router, so I can't be of much help with the router configuration. Are you using uRPF? I did find this document: https://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116386-configure-asr9000-00.html

Peter
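
Added example (not part of either post, and not sFlow-RT or Cisco code): a Python parser for a single IPv4-unicast BGP UPDATE, such as one extracted from the tcpdump capture mentioned in the question, that reports which announced prefixes carry 65535:666 and would therefore match the RTBH community-set. The function names are hypothetical, and the sample message, the 192.0.2.10/32 prefix and the 198.51.100.1 next hop are constructed.

```python
import ipaddress
import struct
BLACKHOLE = (65535, 666)  # well-known BLACKHOLE community (RFC 7999)

def parse_update(msg: bytes) -> dict:
    """Parse one IPv4-unicast BGP UPDATE (RFC 4271 layout)."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 2 or length != len(msg):
        raise ValueError("not a single complete UPDATE")
    wlen = struct.unpack("!H", msg[19:21])[0]              # withdrawn routes length
    pos = 23 + wlen                                        # first path attribute
    attrs_end = pos + struct.unpack("!H", msg[21 + wlen:pos])[0]
    if attrs_end > length:
        raise ValueError("path attributes overrun message")
    out = {"next_hop": None, "communities": [], "nlri": []}
    while pos < attrs_end:
        flags, atype = msg[pos], msg[pos + 1]
        ext = (flags >> 4) & 1                             # extended-length flag
        vlen = int.from_bytes(msg[pos + 2:pos + 3 + ext], "big")
        pos += 3 + ext
        val, pos = msg[pos:pos + vlen], pos + vlen
        if atype == 3 and vlen == 4:                       # NEXT_HOP
            out["next_hop"] = str(ipaddress.IPv4Address(val))
        elif atype == 8:                                   # COMMUNITIES
            out["communities"] = [struct.unpack("!HH", val[i:i + 4])
                                  for i in range(0, vlen - 3, 4)]
    while pos < length:                                    # NLRI: (bits, prefix)
        bits, nbytes = msg[pos], (msg[pos] + 7) // 8
        raw = msg[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        out["nlri"].append(f"{ipaddress.IPv4Address(raw)}/{bits}")
        pos += 1 + nbytes
    return out

def blackholed_prefixes(update: dict) -> list:
    """Prefixes that a `community matches-any RTBH` test would match."""
    return update["nlri"] if BLACKHOLE in update["communities"] else []

def _attr(flags: int, atype: int, value: bytes) -> bytes:
    return bytes([flags, atype, len(value)]) + value

def sample_update(community=BLACKHOLE) -> bytes:
    """Constructed iBGP UPDATE for 192.0.2.10/32 (not a real capture)."""
    attrs = (_attr(0x40, 1, b"\x00") + _attr(0x40, 2, b"")       # ORIGIN, AS_PATH
             + _attr(0x40, 3, bytes([198, 51, 100, 1]))            # NEXT_HOP
             + _attr(0x40, 5, struct.pack("!I", 100))              # LOCAL_PREF
             + _attr(0xC0, 8, struct.pack("!HH", *community)))     # COMMUNITIES
    body = b"\x00\x00" + struct.pack("!H", len(attrs)) + attrs + bytes([32, 192, 0, 2, 10])
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body
```

If the UPDATE decodes with the expected prefix and community, the controller side is behaving as described in the reply above and the remaining question is how the router handles the route.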
