-
Notifications
You must be signed in to change notification settings - Fork 462
DDoS Mitigation
Thomas Mangin edited this page Nov 10, 2025
·
13 revisions
Automated DDoS protection using BGP FlowSpec
🛡️ ExaBGP pioneered open-source FlowSpec - enabling network-wide DDoS mitigation in seconds
- Overview
- Why FlowSpec for DDoS Mitigation?
- Architecture Patterns
- Detection Integration
- Complete Workflow
- Attack Types and Mitigation
- Implementation Guide
- Production Deployment
- Monitoring and Alerting
- Best Practices
- Troubleshooting
- Real-World Examples
DDoS mitigation with ExaBGP enables automated, network-wide traffic filtering using BGP FlowSpec.
Traditional DDoS response is slow:
- ⏱️ Detection: Minutes to identify attack
- 🔧 Manual intervention: SSH to routers, configure ACLs
- 📝 Error-prone: Manual configuration mistakes
- 🐌 Slow deployment: Can't update hundreds of routers quickly
- 💰 Damage: Attack causes disruption before mitigation
Automated FlowSpec-based mitigation:
- ⚡ Instant detection: Automated systems detect attack patterns
- 🤖 Automated response: ExaBGP generates FlowSpec rules via API
- 🌐 Network-wide: Rules propagate to all edge routers via BGP
- 🚀 Fast: Attack blocked in seconds (not minutes)
- ✅ Reliable: No manual intervention required
vs. RTBH (Remote Triggered Black Hole):
- ✅ Granular filtering: Match on ports, protocols, packet size, TCP flags
- ✅ Surgical mitigation: Rate-limit instead of complete blackhole
- ✅ Reduced collateral damage: Single rule vs. thousands of /32 prefixes
- ✅ Flexible actions: Discard, rate-limit, redirect, or mark traffic
vs. On-Premises Scrubbing:
- ✅ Upstream filtering: Traffic blocked at provider edge (before reaching your network)
- ✅ Bandwidth savings: Attack traffic never consumes your bandwidth
- ✅ Scalability: Leverage provider infrastructure
- ✅ Fast convergence: BGP propagation in seconds
vs. Cloud Scrubbing Services:
- ✅ No third-party dependency: On-premises control
- ✅ Lower cost: No per-GB scrubbing fees
- ✅ Lower latency: No traffic redirection
- ✅ Privacy: Traffic stays in your network
Most common deployment:
┌─────────────────────┐
│ DDoS Detection │ FastNetMon, custom detection
│ System │
└──────────┬──────────┘
│ Attack detected
▼
┌─────────────────────┐
│ ExaBGP │ FlowSpec controller
│ (Central) │ Generates rules via API
└──────────┬──────────┘
│ BGP FlowSpec UPDATE
▼
┌─────────────────────┐
│ Edge Routers │ Cisco, Juniper, Arista, etc.
│ (100s-1000s) │ Apply filters in hardware
└──────────┬──────────┘
│ Filtered traffic
▼
Attack blocked ✅
Characteristics:
- Single ExaBGP instance as FlowSpec controller
- Peers with route reflectors or edge routers
- Rules propagate network-wide via BGP
- Centralized logging and management
For large-scale networks:
┌────────────────┐ ┌────────────────┐
│ ExaBGP │◄───────►│ Route │
│ FlowSpec │ iBGP │ Reflectors │
│ Controller │ │ │
└────────────────┘ └────────┬───────┘
│
┌───────────────┼───────────────┐
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Edge Router │ │ Edge Router │ │ Edge Router │
│ (Region A) │ │ (Region B) │ │ (Region C) │
└──────────────┘ └──────────────┘ └──────────────┘
Benefits:
- Scalable to thousands of edge routers
- Reduced BGP session overhead
- Regional route reflectors for redundancy
- Standard BGP topology
Combine FlowSpec with scrubbing centers:
┌─────────────────┐
│ Detection │
└────────┬────────┘
│
▼
┌─────────────────┐
│ ExaBGP │
│ Decision Logic │
└────────┬────────┘
│
┌────┴──────────┐
▼ ▼
Small Attack Large Attack
(< 1 Gbps) (> 1 Gbps)
│ │
▼ ▼
FlowSpec FlowSpec
discard redirect to VRF
│
▼
┌──────────────┐
│ Scrubbing │
│ Center │
└──────┬───────┘
│
▼
Clean traffic back
Use cases:
- Small attacks: Block at edge with FlowSpec
- Large volumetric attacks: Redirect to scrubbing
- Graduated response based on attack size
ExaBGP can integrate with various DDoS detection systems:
Open-Source Options:
- FastNetMon - High-performance DDoS detection (native ExaBGP support)
- Custom detection - Build your own using flow analysis tools
Flow Analysis Tools (for custom detection):
- Akvorado - Flow collector and visualizer (can feed custom detection logic)
- pmacct - Flow accounting and analysis
- nfdump/nfsen - NetFlow analysis toolkit
FastNetMon is an open-source DDoS detection system with native ExaBGP integration.
FastNetMon → sFlow/NetFlow → Analysis → ExaBGP API → FlowSpec
FastNetMon config (/etc/fastnetmon.conf):
# Enable ExaBGP integration
enable_ban_for_tcp_syn_flood = on
enable_ban_for_udp_flood = on
enable_ban_for_icmp_flood = on
# ExaBGP FlowSpec
exabgp = on
exabgp_flow_spec_announces = on
exabgp_command_pipe = /var/run/exabgp.cmd
# Thresholds
ban_for_pps = on
threshold_pps = 20000
ban_for_bandwidth = on
threshold_mbps = 1000ExaBGP config (/etc/exabgp/exabgp.conf):
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
family {
ipv4 flowspec;
}
api {
processes [ fastnetmon ];
}
}
process fastnetmon {
run /etc/exabgp/api/fastnetmon.py;
encoder text;
}Integration script (/etc/exabgp/api/fastnetmon.py):
#!/usr/bin/env python3
"""
FastNetMon integration for ExaBGP FlowSpec
Reads attack notifications and generates FlowSpec rules
"""
import sys
import time
import os
# Named pipe from FastNetMon
PIPE_PATH = "/var/run/exabgp.cmd"
def read_fastnetmon_commands():
"""Read FlowSpec commands from FastNetMon pipe"""
if not os.path.exists(PIPE_PATH):
os.mkfifo(PIPE_PATH)
while True:
with open(PIPE_PATH, 'r') as pipe:
for line in pipe:
command = line.strip()
if command:
# Forward to ExaBGP
sys.stdout.write(command + "\n")
sys.stdout.flush()
sys.stderr.write(f"[FASTNETMON] {command}\n")
time.sleep(2)
read_fastnetmon_commands()Build your own detection system:
#!/usr/bin/env python3
"""
Custom DDoS detection and mitigation
Analyzes traffic patterns and generates FlowSpec rules
"""
import sys
import time
import collections
from datetime import datetime
# Attack detection state
traffic_stats = collections.defaultdict(lambda: {'pps': 0, 'bps': 0})
blocked_sources = set()
# Thresholds
SYN_FLOOD_THRESHOLD = 10000 # SYN packets per second
UDP_FLOOD_THRESHOLD = 50000 # UDP packets per second
BANDWIDTH_THRESHOLD = 1000000000 # 1 Gbps
def analyze_traffic():
"""
Analyze traffic patterns (placeholder - integrate with your monitoring)
Returns: list of detected attacks
"""
# TODO: Integrate with your traffic analysis system
# Examples: sFlow collector, SNMP polling, pcap analysis
attacks = []
for source_ip, stats in traffic_stats.items():
# SYN flood detection
if stats['syn_pps'] > SYN_FLOOD_THRESHOLD:
attacks.append({
'type': 'syn_flood',
'source': source_ip,
'metric': stats['syn_pps'],
'dest_port': stats.get('dest_port', 80)
})
# UDP flood detection
if stats['udp_pps'] > UDP_FLOOD_THRESHOLD:
attacks.append({
'type': 'udp_flood',
'source': source_ip,
'metric': stats['udp_pps']
})
# Bandwidth-based detection
if stats['bps'] > BANDWIDTH_THRESHOLD:
attacks.append({
'type': 'bandwidth_flood',
'source': source_ip,
'metric': stats['bps']
})
return attacks
def mitigate_attack(attack):
"""Generate and announce FlowSpec rule"""
attack_type = attack['type']
source = attack['source']
if source in blocked_sources:
return # Already blocked
if attack_type == 'syn_flood':
dest_port = attack.get('dest_port', 80)
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; destination-port ={dest_port}; "
f"protocol =tcp; tcp-flags [ syn ]; }} "
f"then {{ rate-limit 10000000; }} "
f"}}"
)
elif attack_type == 'udp_flood':
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; protocol =udp; }} "
f"then {{ rate-limit 5000000; }} "
f"}}"
)
elif attack_type == 'bandwidth_flood':
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; }} "
f"then {{ rate-limit 1000000; }} "
f"}}"
)
else:
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; }} "
f"then {{ discard; }} "
f"}}"
)
sys.stdout.write(rule + "\n")
sys.stdout.flush()
blocked_sources.add(source)
timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
sys.stderr.write(
f"[{timestamp}] Blocked {attack_type} from {source} "
f"(metric: {attack['metric']})\n"
)
# Schedule auto-withdrawal after 300 seconds
schedule_withdrawal(rule, 300)
def schedule_withdrawal(rule, timeout):
"""Auto-withdraw rule after timeout"""
import threading
def withdraw_after_timeout():
time.sleep(timeout)
withdraw = rule.replace('announce', 'withdraw')
# Remove 'then' clause for withdrawal
withdraw = withdraw.split('then')[0].rstrip() + '}'
sys.stdout.write(withdraw + "\n")
sys.stdout.flush()
sys.stderr.write(f"[AUTO-WITHDRAW] {withdraw}\n")
thread = threading.Thread(target=withdraw_after_timeout, daemon=True)
thread.start()
# Main detection loop
time.sleep(2)
sys.stderr.write("[DETECTION] Custom DDoS detection started\n")
while True:
attacks = analyze_traffic()
for attack in attacks:
mitigate_attack(attack)
time.sleep(5) # Check every 5 secondsStep 1: Detection
Attack traffic → Edge routers → NetFlow/sFlow → Detection system
Detection triggers when:
- Packets per second > threshold
- Bandwidth > threshold
- Anomaly detected by ML model
- Specific attack patterns identified
Step 2: Rule Generation
# Detection system generates FlowSpec rule
rule = (
"announce flow route { "
"match { source 203.0.113.0/24; destination-port =80; protocol =tcp; } "
"then { discard; } "
"}"
)Step 3: ExaBGP Announcement
# Send to ExaBGP via API
sys.stdout.write(rule + "\n")
sys.stdout.flush()Step 4: BGP Propagation
ExaBGP → BGP UPDATE (FlowSpec) → Route Reflectors → Edge Routers
Convergence time: 1-5 seconds network-wide
Step 5: Traffic Filtering
Edge routers install FlowSpec rule in hardware (TCAM)
→ Matching traffic dropped/rate-limited at wire speed
→ Attack blocked ✅
Step 6: Auto-Withdrawal
# After attack ends (e.g., 5 minutes)
time.sleep(300)
withdraw = "withdraw flow route { match { source 203.0.113.0/24; ... } }"
sys.stdout.write(withdraw + "\n")
sys.stdout.flush()Attack: TCP SYN packets without completing handshake
Detection:
- High SYN rate to specific port
- SYN packets without corresponding ACK
Mitigation:
announce flow route {
match {
destination 100.10.0.100/32; # Target server
destination-port =80|=443; # HTTP/HTTPS
protocol =tcp;
tcp-flags [ syn ]; # SYN flag only
}
then {
rate-limit 10000000; # 10 Mbps
}
}Attack: Spoofed UDP requests to amplification servers (DNS, NTP, SSDP, etc.)
Detection:
- Large UDP responses (> 512 bytes)
- High volume from specific source ports (53, 123, 1900)
Mitigation:
# DNS amplification
announce flow route {
match {
source-port =53; # DNS responses
protocol =udp;
packet-length >512; # Large responses
}
then {
discard;
}
}
# NTP amplification
announce flow route {
match {
source-port =123; # NTP responses
protocol =udp;
packet-length >100;
}
then {
discard;
}
}
# SSDP amplification
announce flow route {
match {
source-port =1900; # SSDP
protocol =udp;
}
then {
discard;
}
}Attack: High volume of HTTP requests
Detection:
- High connection rate to web servers
- Unusual HTTP request patterns
Mitigation:
# Rate-limit HTTP traffic from attack source
announce flow route {
match {
source 10.0.0.0/8; # Attack network
destination-port =80|=443;
protocol =tcp;
}
then {
rate-limit 5000000; # 5 Mbps per source
}
}Attack: High volume of ICMP packets (ping flood, smurf attack)
Detection:
- High ICMP packet rate
- Large ICMP packet sizes
Mitigation:
# Block all ICMP during attack
announce flow route {
match {
protocol =icmp;
}
then {
discard;
}
}
# Or rate-limit ICMP
announce flow route {
match {
protocol =icmp;
icmp-type =8; # Echo request
}
then {
rate-limit 1000000; # 1 Mbps
}
}Attack: Malformed or excessive fragmented packets
Detection:
- High rate of fragmented packets
- Invalid fragment patterns
Mitigation:
# Block all fragmented packets
announce flow route {
match {
fragment [ is-fragment ];
}
then {
discard;
}
}Attack: High bandwidth consumption (> line capacity)
Detection:
- Total bandwidth exceeds threshold
- Traffic from specific sources/networks
Mitigation:
# Aggressive rate-limiting for attack sources
announce flow route {
match {
source 203.0.113.0/24;
}
then {
rate-limit 1000000; # 1 Mbps total
}
}
# Or redirect to scrubbing VRF
announce flow route {
match {
destination 100.10.0.0/24; # Attacked network
}
then {
redirect 65001:999; # Scrubbing VRF
}
}# Using pip
pip3 install exabgp
# Verify installation
exabgp --versionSee Installation Guide for details.
Create config (/etc/exabgp/ddos-mitigation.conf):
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
family {
ipv4 flowspec;
}
api {
processes [ ddos-controller ];
}
}
process ddos-controller {
run /etc/exabgp/api/ddos_controller.py;
encoder text;
}Basic template (/etc/exabgp/api/ddos_controller.py):
#!/usr/bin/env python3
import sys
import time
time.sleep(2)
sys.stderr.write("[DDOS] Controller started\n")
# Your detection logic here
# When attack detected, generate FlowSpec rule:
def block_attack(source_ip, attack_type):
rule = (
f"announce flow route {{ "
f"match {{ source {source_ip}/32; }} "
f"then {{ discard; }} "
f"}}"
)
sys.stdout.write(rule + "\n")
sys.stdout.flush()
sys.stderr.write(f"[DDOS] Blocked {attack_type} from {source_ip}\n")
# Main loop
while True:
# TODO: Integrate with your detection system
time.sleep(10)Cisco IOS-XR:
router bgp 65000
neighbor 192.168.1.2 remote-as 65001
!
address-family ipv4 flowspec
neighbor 192.168.1.2 activate
!
!
flowspec
local-install interface-all
!
Juniper Junos:
protocols {
bgp {
group exabgp {
type external;
peer-as 65001;
neighbor 192.168.1.2 {
family inet {
flow;
}
}
}
}
}
routing-options {
flow {
validation {
local {
enabled;
}
}
}
}
Manual test:
# Start ExaBGP
exabgp /etc/exabgp/ddos-mitigation.conf
# In another terminal, inject test rule
echo "announce flow route { match { source 10.0.0.1/32; } then { discard; } }" > /tmp/exabgp.cmdVerify on router:
# Cisco
show flowspec ipv4 summary
show flowspec ipv4 detail
# Juniper
show firewall filter __flowspec_default_inet__
Deploy redundant ExaBGP instances:
┌────────────────┐ ┌────────────────┐
│ ExaBGP │ │ ExaBGP │
│ Primary │ │ Secondary │
│ 192.168.1.2 │ │ 192.168.1.3 │
└────────┬───────┘ └───────┬────────┘
│ │
└────────────┬────────────┘
│
▼
┌───────────────┐
│ Route │
│ Reflectors │
└───────────────┘
Both instances:
- Run same detection logic
- Announce same FlowSpec rules
- BGP handles deduplication
Log all FlowSpec announcements:
import logging
logging.basicConfig(
filename='/var/log/exabgp-ddos.log',
level=logging.INFO,
format='%(asctime)s [%(levelname)s] %(message)s'
)
def announce_flowspec(rule, reason):
sys.stdout.write(rule + "\n")
sys.stdout.flush()
logging.info(f"ANNOUNCE: {rule} - Reason: {reason}")Send alerts to NOC:
import requests
def send_alert(message, severity='high'):
"""Send alert to Slack/PagerDuty/email"""
# Slack webhook
requests.post(
"https://hooks.slack.com/services/YOUR/WEBHOOK/URL",
json={
"text": f":warning: DDoS Alert: {message}",
"username": "ExaBGP DDoS Controller"
}
)
# PagerDuty
requests.post(
"https://events.pagerduty.com/v2/enqueue",
json={
"routing_key": "YOUR_ROUTING_KEY",
"event_action": "trigger",
"payload": {
"summary": message,
"severity": severity,
"source": "ExaBGP"
}
}
)
# When blocking attack
send_alert(f"Blocking SYN flood from {source_ip} to port {port}")1. Attack Metrics:
- Number of active FlowSpec rules
- Attacks detected per hour
- Attack types distribution
- Top attack sources
2. Mitigation Metrics:
- Time to mitigation (detection → blocking)
- Bandwidth saved
- False positive rate
- Rule withdrawal time
3. System Metrics:
- ExaBGP process health
- BGP session state
- API response time
- Rule announcement latency
#!/usr/bin/env python3
"""
Monitor ExaBGP DDoS mitigation metrics
"""
import time
import subprocess
import requests
# Metrics
active_rules = 0
attacks_detected = 0
attacks_blocked = 0
def check_exabgp_health():
"""Check if ExaBGP process is running"""
try:
result = subprocess.run(
['pgrep', '-f', 'exabgp'],
capture_output=True,
timeout=5
)
return result.returncode == 0
except:
return False
def check_bgp_session():
"""Check BGP session state (example for Cisco via SNMP)"""
# TODO: Implement SNMP check or router API
pass
def export_metrics_to_prometheus():
"""Export metrics to Prometheus"""
# Expose metrics endpoint
metrics = f"""
# HELP exabgp_ddos_active_rules Number of active FlowSpec rules
# TYPE exabgp_ddos_active_rules gauge
exabgp_ddos_active_rules {active_rules}
# HELP exabgp_ddos_attacks_detected Total attacks detected
# TYPE exabgp_ddos_attacks_detected counter
exabgp_ddos_attacks_detected {attacks_detected}
# HELP exabgp_ddos_attacks_blocked Total attacks blocked
# TYPE exabgp_ddos_attacks_blocked counter
exabgp_ddos_attacks_blocked {attacks_blocked}
"""
# Write to textfile collector or push to Pushgateway
with open('/var/lib/prometheus/node-exporter/exabgp_ddos.prom', 'w') as f:
f.write(metrics)
while True:
if not check_exabgp_health():
send_alert("ExaBGP process not running!", severity='critical')
export_metrics_to_prometheus()
time.sleep(60)Start conservative, escalate if needed:
# Level 1: Rate-limit (warning)
rate_limit_1 = 50000000 # 50 Mbps
# Level 2: Tighter rate-limit
rate_limit_2 = 10000000 # 10 Mbps
# Level 3: Very tight rate-limit
rate_limit_3 = 1000000 # 1 Mbps
# Level 4: Block completely
# discardNever block critical infrastructure:
WHITELIST = [
'8.8.8.8', # Google DNS
'1.1.1.1', # Cloudflare DNS
# Add your critical IPs
]
def should_block(ip):
return ip not in WHITELISTAlways set TTL on rules:
def announce_with_ttl(rule, ttl=300):
"""Announce rule with auto-withdrawal"""
sys.stdout.write(rule + "\n")
sys.stdout.flush()
# Schedule withdrawal
threading.Timer(ttl, withdraw_rule, args=[rule]).start()Try rate-limiting first:
if attack_severity < 5:
action = f"rate-limit {bandwidth}"
else:
action = "discard"Prevent misconfigurations:
def validate_flowspec_rule(rule):
"""Validate FlowSpec syntax"""
required_keywords = ['announce', 'flow', 'route', 'match', 'then']
for keyword in required_keywords:
if keyword not in rule:
raise ValueError(f"Missing keyword: {keyword}")
# Additional validation
if 'source 0.0.0.0/0' in rule and 'discard' in rule:
raise ValueError("Refusing to blackhole entire internet!")
return TrueSymptoms: FlowSpec rules announced but not filtering traffic
Diagnosis:
# Cisco
show flowspec ipv4
show flowspec ipv4 summary
# Juniper
show firewall filter __flowspec_default_inet__
Common causes:
- FlowSpec not enabled on router
- BGP session down
- FlowSpec validation failing
- Hardware limitations (TCAM full)
Solutions:
# Enable FlowSpec
router bgp 65000
address-family ipv4 flowspec
neighbor 192.168.1.2 activate
# Enable local installation
flowspec
local-install interface-all
Symptoms: No BGP UPDATEs sent
Diagnosis:
# Check ExaBGP logs
exabgp -d /etc/exabgp/ddos.conf 2>&1 | tee exabgp.log
# Look for errors
grep ERROR exabgp.logCommon causes:
- API process not running
- Syntax error in FlowSpec rule
- stdout not flushed
Solutions:
# Always flush stdout
sys.stdout.write(rule + "\n")
sys.stdout.flush() # Critical!
# Check process is running
ps aux | grep ddos_controllerSymptoms: Legitimate traffic blocked
Diagnosis:
- Monitor user complaints
- Analyze blocked traffic patterns
- Review FlowSpec match conditions
Solutions:
- Make rules more specific
- Use rate-limiting instead of discard
- Implement whitelisting
- Adjust detection thresholds
Symptoms: Slow rule propagation (> 10 seconds)
Diagnosis:
# Measure BGP convergence time
time exabgp announce-rule.py
# Check BGP timers
show bgp neighbor 192.168.1.2Solutions:
- Reduce BGP timers (keepalive, hold-time)
- Use route reflectors for scalability
- Optimize detection script performance
Scenario: Regional ISP with 100 edge routers
Architecture:
- Central ExaBGP FlowSpec controller
- FastNetMon for detection (analyzing sFlow)
- Route reflectors for BGP scalability
Results:
- Detection to mitigation: 3 seconds average
- 50+ attacks blocked per day
- 99.9% uptime maintained
- Bandwidth savings: ~500 Gbps/month
Scenario: Enterprise with multiple data centers
Architecture:
- ExaBGP + custom Python detection
- Integration with SIEM (Splunk)
- Hybrid approach (FlowSpec + cloud scrubbing)
Attack handling:
- Small attacks (< 1 Gbps): FlowSpec at edge
- Large attacks (> 1 Gbps): Redirect to cloud scrubbing
- Auto-escalation based on attack size
Results:
- 95% of attacks handled at edge
- Scrubbing costs reduced by 70%
- No service outages in 12 months
Scenario: Hosting provider protecting customer VMs
Architecture:
- ExaBGP per customer (multi-tenant)
- Custom detection with sFlow/NetFlow analysis
- Per-customer FlowSpec rules
Features:
- Customer portal for rule visibility
- Automatic protection for all customers
- Granular per-VM filtering
Results:
- 1000+ customers protected
- Sub-second mitigation
- Customer satisfaction: 98%
- FlowSpec Overview - FlowSpec fundamentals
- Match Conditions - All match types
- Actions Reference - All actions
- Text API Reference - FlowSpec commands
- API Commands - Command reference
- API Overview - API architecture
- Debugging - Troubleshooting guide
- Monitoring - Monitoring setup
Ready to deploy DDoS mitigation? See Quick Start to begin →
👻 Ghost written by Claude (Anthropic AI)
Getting Started
Configuration
- Configuration Syntax
- Neighbor Configuration
- Directives A-Z
- Templates
- Environment Variables
- Process Configuration
API
- API Overview
- Text API Reference
- JSON API Reference
- API Commands
- Writing API Programs
- Error Handling
- Production Best Practices
Address Families
- Overview
- IPv4 Unicast
- IPv6 Unicast
- FlowSpec
- EVPN
- L3VPN
- BGP-LS
- VPLS
- SRv6 / MUP
- Multicast
- RT Constraint
Features
Use Cases
Tools
Operations
Reference
- Architecture
- Design
- Attribute Reference
- Command Reference
- BGP State Machine
- Capabilities
- Communities
- Examples Index
- Glossary
- RFC Support
Integration
Migration
Community
External