This feature enables Flowspec rules to be leaked from one VRF to another. When combined with the ability to apply Flowspec rules from one VRF to interfaces in another VRF, this feature makes it possible to combine rules from different source VRFs into a target VRF, and apply the target VRF’s rules on the interfaces of the source VRFs. For example, in the diagram below, interface Ethernet1 is in VRF Red, Ethernet2 and 3 are in VRF Orange. Suppose Flowspec rules are received from BGP peers on interfaces Ethernet1, 2, and 3. Without this feature, the rules in VRF Red can only be applied on interface Ethernet1, and the rules in VRF Orange can only be applied on interfaces Ethernet2 and 3. Using this feature, the received rules can be leaked from VRFs Red and Orange to VRF Purple, and the leaked rules can be applied on interfaces Ethernet1, 2, and 3.

EOS 4.21.3F introduces support for BGP Flowspec, as defined in RFC5575 and RFC7674. The typical use case is to filter or redirect DDoS traffic on edge routers.