BGPD.CONF(5)                 File Formats Manual                 BGPD.CONF(5)

NAME
    bgpd.conf - Border Gateway Protocol daemon configuration file

DESCRIPTION
    The bgpd(8) daemon implements the Border Gateway Protocol version 4 as
    described in RFC 4271.

    The bgpd.conf config file is divided into the following main sections:
    MACROS, GLOBAL CONFIGURATION, SETS, NETWORK ANNOUNCEMENTS, VPN,
    NEIGHBORS, FILTER and ATTRIBUTE SET. With the exception of macros, the
    sections should be grouped and appear in bgpd.conf in the order shown
    above.

    The current line can be extended over multiple lines using a backslash
    (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’),
    and extend to the end of the current line. Care should be taken when
    commenting out multi-line text: the comment is effective until the end
    of the entire block.

    Argument names not beginning with a letter, digit, or underscore must be
    quoted.

    Additional configuration files can be included with the include keyword,
    for example:

        include "/etc/bgpd/bgpd-10.0.0.1.filter"

MACROS
    Macros can be defined that will later be expanded in context. Macro
    names must start with a letter, digit, or underscore, and may contain
    any of those characters. Macro names may not be reserved words (for
    example, AS, neighbor, or group). Macros are not expanded inside quotes.

    For example:

        peer1="1.2.3.4"
        neighbor $peer1 {
            remote-as 65001
        }
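The lexical rules just described (backslash continuation, hash comments, macro definition and expansion, no expansion inside quotes) as a small preprocessor. This is an added example, not code from bgpd(8) or this manual; it covers only the subset of the grammar described above, the reserved-word list is the one the text names, and the sample configuration is constructed.

```python
"""Preprocessor for the lexical rules described above: backslash line
continuation, '#' comments to end of line, name="value" macro definitions
and $name expansion, with no expansion inside double quotes.

Added example, not bgpd(8) code. Only the subset of the grammar described
in the manual text is handled; the sample configuration is constructed.
"""
import re

RESERVED = {"AS", "neighbor", "group"}      # reserved words named in the manual
MACRO_NAME = re.compile(r"[A-Za-z0-9_]+")   # letters, digits, underscore
DEFINITION = re.compile(r'^\s*([A-Za-z0-9_]+)="([^"]*)"\s*$')


def join_continuations(text: str) -> list[str]:
    """A line ending in a backslash is continued on the next line."""
    lines, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:                      # trailing backslash on the last line
        lines.append(buf)
    return lines


def strip_comment(line: str) -> str:
    """Cut at the first '#' that is not inside a quoted string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i].rstrip()
    return line


def expand_macros(line: str, macros: dict) -> str:
    """Replace $name outside quotes; an undefined macro is an error."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
            out.append(ch)
            i += 1
        elif ch == "$" and not in_quote:
            m = MACRO_NAME.match(line, i + 1)
            if m is None:
                raise ValueError(f"bad macro reference at column {i}")
            name = m.group(0)
            if name not in macros:
                raise ValueError(f"macro '{name}' is not defined")
            out.append(macros[name])
            i = m.end()
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def preprocess(text: str) -> list[str]:
    """Return the expanded, comment-free, non-blank logical lines."""
    macros, result = {}, []
    for raw in join_continuations(text):
        line = strip_comment(raw)
        if not line.strip():
            continue
        d = DEFINITION.match(line)
        if d:
            name, value = d.group(1), d.group(2)
            if name in RESERVED:
                raise ValueError(f"'{name}' is a reserved word")
            macros[name] = value      # value is quoted: $refs inside stay verbatim
            continue
        result.append(expand_macros(line, macros))
    return result


def is_rejected(text: str) -> bool:
    """True if preprocess() raises a ValueError for the given text."""
    try:
        preprocess(text)
    except ValueError:
        return True
    return False


# Constructed sample: a comment, a macro, a continued line, and a quoted
# string containing both '$' and '#' that must be left untouched.
SAMPLE = '''# constructed sample config
peer1="1.2.3.4"          # the peer address
neighbor $peer1 { remote-as 65001 \\
descr "$peer1 # quoted: no expansion, no comment" }
'''

if __name__ == "__main__":
    for out in preprocess(SAMPLE):
        print(out)
```

The quoted descr keeps its literal `$peer1` and `#`, while the unquoted `$peer1` before the block is expanded, which is exactly the distinction the manual draws.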
GLOBAL CONFIGURATION
    There are quite a few settings that affect the operation of the bgpd(8)
    daemon globally.

    AS as-number [as-number]
        The AS numbers are assigned by local RIRs. For example:

            AS 65001

        sets the local AS to 65001. The AS numbers 64512 – 65534 are
        designated for private use. The AS number 23456 is a specially
        designated Autonomous System Number and should not be used. 4-byte
        AS numbers are specified as two numbers separated by a dot (ASDOT
        format), for example:

            AS 3.10

        or as a large number (ASPLAIN format), for example:

            AS 196618

    connect-retry seconds

    dump [rib name] (table|table-mp|table-v2) file [timeout]
    dump (all|updates) (in|out) file [timeout]
        For example, the following will dump the entire table to the
        strftime(3)-expanded filename. Only the table-v2 format is able to
        dump a multi-protocol RIB correctly. Both table and table-mp
        formats are more or less limited when handling multi-protocol
        entries and are only left around to support 3rd party tools not
        handling the new format. The timeout is optional:

            dump table "/tmp/rib-dump-%H%M" 300

        Similar to the table dump, but this time all BGP messages and state
        transitions will be dumped to the specified file:

            dump all in "/tmp/all-in-%H%M" 300

        As before, but only the UPDATE messages will be dumped to the file:

            dump updates in "/tmp/updates-in-%H%M" 300

        It is also possible to dump outgoing messages:

            dump all out "/tmp/all-out-%H%M" 300
            # or
            dump updates out "/tmp/updates-out-%H%M" 300
    fib-priority prio

    fib-update (yes|no)
        If set to no, do not update the Forwarding Information Base, a.k.a.
        the kernel routing table. The default is yes.

    holdtime seconds

    holdtime min seconds

    listen on address
        For example:

            listen on 127.0.0.1

    log updates

    nexthop qualify via (bgp|default)
        If set to bgp, bgpd(8) may use BGP routes to verify nexthops. If
        set to default, bgpd may use the default route to verify nexthops.
        By default bgpd will only use static routes or routes added by other
        routing daemons like ospfd(8).

    rde med compare (always|strict)
        If set to always, the MULTI_EXIT_DISC attributes will always be
        compared. The default is strict, where the metric is only compared
        between peers belonging to the same AS.

    rde rib name [no evaluate]
    rde rib name [rtable number]
        Create an additional RIB with the given name. Best path selection
        in that RIB is switched off with the no evaluate flag. If a rtable
        is specified, routes will be exported to the given kernel routing
        table. Currently the routing table must belong to the routing domain
        bgpd(8) was started in. Nexthop verification happens in the table
        bgpd(8) was started in; routes in the specified table will not be
        considered. Adj-RIB-In and Loc-RIB are created automatically and
        used as default.

    rde route-age (ignore|evaluate)
        If set to evaluate, the best path selection will not only be based
        on the path attributes but also on the age of the route, giving
        preference to the older, typically more stable, route. In this case
        the decision process is no longer deterministic. The default is
        ignore.

    route-collector (yes|no)
        If set to yes, the route selection process is turned off. The
        default is no.

    router-id address
        For example:

            router-id 10.0.0.1

        If not given, the BGP ID is determined as the biggest IP address
        assigned to the local machine.

    rtable number
        Shorthand for:

            rde rib Loc-RIB rtable number

    socket "path" [restricted]
        If restricted is specified, a restricted control socket will be
        created. By default /var/run/bgpd.sock.<rdomain> is used, where
        <rdomain> is the routing domain in which bgpd has been started. By
        default, no restricted socket is created.

    transparent-as (yes|no)
        If set to yes, AS paths to EBGP neighbors are not prepended with
        the local AS. The default is no.

SETS
    bgpd(8) supports sets for looking up collections in an efficient way.
    as-set, prefix-set, and origin-set are used to look up AS numbers,
    prefixes and prefix/source-as pairs respectively. See also the FILTER
    section on how these sets are used in filters. One single roa-set can
    be defined, against which the origin of each prefix is validated. The
    set collections can span multiple lines and an optional comma is
    allowed between elements.
    as-set name { as-number ... }
        as-set holds a collection of AS numbers and can be used with the AS
        specific parameter in FILTER rules. Lookups against as-sets are more
        efficient than a large number of rules which differ only in the AS
        number.

    origin-set name { address/len [maxlen mlen] source-as asn ... }
        origin-set holds a collection of prefix/source-as pairs and can be
        used in place of rules that filter for source-as and prefix at the
        same time.

            origin-set private {
                10.0.0.0/8 maxlen 24 source-as 64511
                203.0.113.0/24 source-as 64496
            }

    prefix-set name { address/len ... }
        prefix-set holds a collection of prefixes and can be used in place
        of the prefix parameter in FILTER rules and network statements.
        Lookups against prefix-sets are more efficient than a large number
        of rules which differ only in prefix. A prefix can be followed by
        the prefixlen operators listed for the prefix parameter in the
        PARAMETERS section.

        The first example creates a set of prefixes called “private”, to
        hold a number of RFC 1918 private network blocks. The second example
        shows the use of prefixlen operators.

            prefix-set private { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7 }
            prefix-set as64496set { 192.0.2.0/24 prefixlen >= 26, 2001:db8::/32 or-longer }

    roa-set { address/len [maxlen mlen] source-as asn ... }
        roa-set holds a collection of Validated ROA Payloads (VRP). Each
        received prefix is checked against the roa-set and the Origin
        Validation State (OVS) is set.

            roa-set {
                192.0.2.0/24 maxlen 24 source-as 64511
                203.0.113.0/24 source-as 64496
            }
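How a received prefix and origin AS are checked against the roa-set entries above to produce the OVS (valid, invalid or not-found), and how the same lookup answers whether a prefix/source-as pair is in an origin-set. This is an added example, not bgpd(8) code: the decision rule is assumed to be the one from RFC 6811 (no covering entry gives not-found; a covering entry with the same source-as and a prefix length within maxlen gives valid; otherwise invalid), an entry without maxlen is assumed to cover only its own length, the set contents reuse the manual's example values plus one constructed IPv6 entry, and the received routes are constructed.

```python
"""Origin validation against a roa-set, and membership in an origin-set,
both of which hold prefix [maxlen mlen] source-as entries.

Added example, not bgpd(8) code. Decision rule assumed from RFC 6811;
an entry without maxlen is assumed to cover only its own prefix length.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ENTRY = re.compile(r"(\S+/\d+)(?:\s+maxlen\s+(\d+))?\s+source-as\s+(\d+)")


@dataclass(frozen=True)
class Vrp:
    """One prefix / maxlen / source-as triple (a Validated ROA Payload)."""
    prefix: Network
    maxlen: int
    source_as: int


def parse_set(body: str) -> list[Vrp]:
    """Parse the elements of 'roa-set { ... }' or 'origin-set name { ... }'.
    Commas are optional and entries may span lines."""
    vrps = []
    for m in ENTRY.finditer(body.replace(",", " ")):
        net = ipaddress.ip_network(m.group(1), strict=False)
        maxlen = int(m.group(2)) if m.group(2) else net.prefixlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} invalid for {net}")
        vrps.append(Vrp(net, maxlen, int(m.group(3))))
    return vrps


def covering(vrps: list[Vrp], route: Network) -> list[Vrp]:
    """Entries whose prefix contains the route (same address family only)."""
    return [v for v in vrps
            if v.prefix.version == route.version and route.subnet_of(v.prefix)]


def origin_validation_state(vrps: list[Vrp], prefix: str, origin_as: int) -> str:
    """Return the OVS of a received prefix: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=False)
    cover = covering(vrps, route)
    if not cover:
        return "not-found"
    for v in cover:
        if v.source_as == origin_as and route.prefixlen <= v.maxlen:
            return "valid"
    return "invalid"   # covered, but wrong origin AS or more specific than maxlen


def in_origin_set(vrps: list[Vrp], prefix: str, source_as: int) -> bool:
    """origin-set lookup: true if an entry covers the prefix with that
    source-as and the prefix length is within the entry's maxlen."""
    return origin_validation_state(vrps, prefix, source_as) == "valid"


# The manual's roa-set example plus one constructed IPv6 entry.
ROA_SET = """
    192.0.2.0/24 maxlen 24 source-as 64511
    203.0.113.0/24 source-as 64496
    2001:db8::/32 maxlen 48 source-as 64496
"""
VRPS = parse_set(ROA_SET)

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64511), ("192.0.2.128/25", 64511),
                        ("203.0.113.0/24", 64500), ("198.51.100.0/24", 64496)]:
        print(prefix, asn, origin_validation_state(VRPS, prefix, asn))
```

The second and third sample routes show the two ways a covered prefix ends up invalid: a more-specific announcement beyond maxlen, and a covered prefix with the wrong origin AS.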
NETWORK ANNOUNCEMENTS
    To announce a specific network as belonging to our AS, a network
    statement is used. By default bgpd(8) will not announce anything.
    Filter rules need to be in place to allow announcement of the right
    prefixes to each neighbor.

    network address/prefix [set ...]
    network (inet|inet6) connected [set ...]
    network prefix-set name [set ...]
    network (inet|inet6) priority number [set ...]
    network (inet|inet6) rtlabel label [set ...]
    network (inet|inet6) static [set ...]
        It is possible to set default AS path attributes per network
        statement:

            network 192.168.7.0/24 set localpref 220

        See also the ATTRIBUTE SET section.
VPN
    bgpd(8) supports the setup and distribution of Virtual Private Networks.
    It is possible to import and export prefixes between routing domains.
    Each routing domain is specified by an rdomain section, which allows
    properties to be set specifically for that rdomain:

        rdomain 1 {
            descr "a rdomain"
            rd 65002:1
            import-target rt 65002:42
            export-target rt 65002:42
            network 192.168.1/24
            depend on mpe0
        }

    There are several routing domain properties:

    depend on interface

    descr description

    export-target subtype as-number:local
    export-target subtype IP:local
        More than one export-target can be specified. See also the
        ATTRIBUTE SET section for further information about the encoding.
        The subtype should be set to rt for best compatibility with other
        implementations.

    fib-update (yes|no)
        If set to no, do not update the Forwarding Information Base, a.k.a.
        the kernel routing table. The default is yes.

    import-target subtype as-number:local
    import-target subtype IP:local
        Prefixes carrying one of the import-targets will be imported into
        the rdomain. More than one import-target can be specified. See also
        the ATTRIBUTE SET section for further information about the encoding
        of extended communities. The subtype should be set to rt for best
        compatibility with other implementations.

    network arguments ...
        See the nexthop section in GLOBAL CONFIGURATION for further
        information about the arguments.

    rd as-number:local
    rd IP:local
        The rd is to ensure that possible common prefixes are distinct
        between VPNs. The rd is neither used to identify the origin of the
        prefix nor to control into which VPNs the prefix is distributed. The
        as-number or IP of a rd should be set to a number or IP that was
        assigned by an appropriate authority, whereas local can be chosen by
        the local operator.

NEIGHBORS
    bgpd(8) establishes TCP connections to other BGP speakers called
    neighbors. Each neighbor is specified by a neighbor section, which
    allows properties to be set specifically for that neighbor:

        neighbor 10.0.0.2 {
            remote-as 65002
            descr "a neighbor"
        }

    Multiple neighbors can be grouped together by a group section. Each
    neighbor section within the group section inherits all properties from
    its group:

        group "peering AS65002" {
            remote-as 65002
            neighbor 10.0.0.2 {
                descr "AS65002-p1"
            }
            neighbor 10.0.0.3 {
                descr "AS65002-p2"
            }
        }

    Instead of the neighbor's IP address, an address/netmask pair may be
    given:

        neighbor 10.0.0.0/8

    In this case, the neighbor specification becomes a template, and if a
    neighbor connects from an IP address within the given network, the
    template is cloned, inheriting everything from the template but the
    remote address, which is replaced by the connecting neighbor's address.
    With a template specification it is valid to omit remote-as; bgpd(8)
    will then accept any AS the neighbor presents in the OPEN message.
    There are several neighbor properties:

    announce (all|default-route|none)
        announce all is a no-op. announce none and announce default-route
        are aliases for export none and export default-route, respectively.
        These three directives are provided for backward compatibility, but
        will eventually be removed.

    announce (IPv4|IPv6) (none|unicast|vpn)
        At the moment, only none, which disables the announcement of that
        address family, unicast, and vpn, which allows the distribution of
        BGP MPLS VPNs, are supported. The default is unicast for the same
        address family as the session.

    announce as-4byte (yes|no)
        If set to no, the 4-byte AS capability is not announced and so
        native 4-byte AS support is disabled. The default is yes.

    announce capabilities (yes|no)
        If set to no, capability negotiation is disabled during the
        establishment of the session. This can be helpful to connect to old
        or broken BGP implementations. The default is yes.

    announce refresh (yes|no)
        If set to no, the route refresh capability is not announced. The
        default is yes.

    announce restart (yes|no)
        If set to no, the graceful restart capability is not announced.
        Currently only the End-of-RIB marker is supported and announced by
        the restart capability. The default is yes.

    demote group
        For more information on interface groups, see the group keyword in
        ifconfig(8).

    depend on interface
        The state of the network interfaces on the system can be viewed
        using the show interfaces command to bgpctl(8).

    descr description

    down [reason]
        If a down reason was configured at runtime, the reason is sent as an
        Administrative Shutdown Communication. The reason cannot exceed 128
        octets.

    dump (all|updates) (in|out) file [timeout]
        Dump the BGP messages of this neighbor only; both all and updates
        may be given. See also the dump section in GLOBAL CONFIGURATION.

    enforce local-as (yes|no)
        If set to no, AS paths will not be checked for AS loop detection.
        This feature is similar to allowas-in in some other BGP
        implementations. Since there is no AS path loop check, this feature
        is dangerous, and requires you to add filters to prevent receiving
        your own prefixes. The default value is yes.

    enforce neighbor-as (yes|no)
        If set to yes, AS paths whose leftmost AS is not equal to the remote
        AS of the neighbor are rejected and a NOTIFICATION is sent back. The
        default value for IBGP peers is no; otherwise the default is yes.
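The two AS path checks just described, enforce neighbor-as and enforce local-as, as a small model of what happens to a received AS_PATH. This is an added example, not bgpd(8) code: the AS_PATH is modelled as a plain list of AS numbers, the defaults follow the text above (neighbor-as check off for IBGP and on otherwise, local-as check on), the `Session` class is an assumption, and the sessions and paths are constructed.

```python
"""Per-neighbor AS path checks: enforce neighbor-as (leftmost AS must be
the neighbor's remote AS, else the UPDATE is rejected with a NOTIFICATION)
and enforce local-as (the local AS anywhere in the path is a loop).

Added example, not bgpd(8) code. AS_PATH modelled as a list of AS numbers;
the Session class and all sample values are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    local_as: int
    remote_as: int
    enforce_neighbor_as: Optional[bool] = None  # None: use the manual's default
    enforce_local_as: bool = True

    @property
    def ibgp(self) -> bool:
        return self.local_as == self.remote_as

    @property
    def neighbor_as_check(self) -> bool:
        if self.enforce_neighbor_as is None:
            return not self.ibgp          # default: no for IBGP, yes for EBGP
        return self.enforce_neighbor_as


def check_as_path(session: Session, as_path: list[int]) -> str:
    """Classify an AS_PATH received on the session:
    'notification' - leftmost AS is not the neighbor's (session error),
    'loop'         - our own AS appears in the path (UPDATE dropped),
    'ok'           - accepted by both checks.
    An empty AS_PATH from an IBGP peer is legitimate; from an EBGP peer
    it fails the leftmost-AS check."""
    if session.neighbor_as_check and (not as_path or as_path[0] != session.remote_as):
        return "notification"
    if session.enforce_local_as and session.local_as in as_path:
        return "loop"
    return "ok"


def filter_loops(session: Session, paths: list[list[int]]) -> list[list[int]]:
    """Paths that survive both checks. With enforce local-as no, paths that
    contain the local AS pass here, which is why the manual says a prefix
    filter is then needed to keep your own prefixes out."""
    return [p for p in paths if check_as_path(session, p) == "ok"]


if __name__ == "__main__":
    ebgp = Session(local_as=65001, remote_as=65002)
    for path in ([65002, 65003], [65003, 65002], [65002, 65001]):
        print(path, check_as_path(ebgp, path))
```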
    export (none|default-route)
        If set to none, no UPDATE messages will be sent to the neighbor. If
        set to default-route, only the default route will be announced to
        the neighbor.

    holdtime seconds

    holdtime min seconds

    ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
        Manual keying requires one ipsec statement per direction for each
        peer. authspec specifies the authentication algorithm and key. It
        can be

            sha1 <key>
            md5 <key>

        encspec specifies the encryption algorithm and key. ah does not
        support encryption. With esp, encryption is optional. encspec can be

            3des <key>
            3des-cbc <key>
            aes <key>
            aes-128-cbc <key>

        Keys must be given in hexadecimal format.

    ipsec (ah|esp) ike
        With IKE keying, isakmpd(8) has to be started with -Ka. This can be
        done in rc.conf.local(8). After starting the isakmpd(8) and bgpd(8)
        daemons on both sides, the session should be established.

    local-address address
        If a local-address is given, bgpd(8) binds to this address first.

    local-as as-number [as-number]
        Override the global AS. Since there is no AS path loop check, this
        option is dangerous, and requires you to add filters to prevent
        receiving your ASNs. Intended to be used temporarily, for
        migrations to another AS.

    log no
    log updates

    max-prefix number [restart number]
        If restart is specified, the session will be restarted after number
        minutes.

    multihop hops
        The multihop statement defines the maximum hops the neighbor may be
        away.

    passive

    remote-as as-number

    rib name

    route-reflector [address]

    set attribute ...
        Attribute sets may be given inside a neighbor or group block:

            set localpref 300

        See also the ATTRIBUTE SET section. Set parameters are applied to
        the received prefixes; the only exceptions are prepend-self,
        nexthop no-modify and nexthop self. These sets are rewritten into
        filter rules and can be viewed with “bgpd -nv”.

    tcp md5sig password secret
    tcp md5sig key secret
        For example:

            tcp md5sig password mekmitasdigoat
            tcp md5sig key deadbeef

    transparent-as (yes|no)
        If set to yes, AS paths to EBGP neighbors are not prepended with the
        local AS. The default is inherited from the global transparent-as
        setting.

    ttl-security (yes|no)
        The default is no.

FILTER
    bgpd(8) has the ability to allow and deny UPDATES based on prefix or AS
    path attributes. In addition, UPDATES may also be modified by filter
    rules.

    For each UPDATE processed by the filter, the filter rules are evaluated
    in sequential order, from first to last. The last matching allow or deny
    rule decides what action is taken. The default action is to deny.

PARAMETERS
    The rule parameters specify the UPDATES to which a rule applies. An
    UPDATE always comes from, or goes to, one neighbor. Most parameters are
    optional, but each can appear at most once per rule. If a parameter is
    specified, the rule only applies to packets with matching attributes.
    (AS|peer-as|source-as|transit-as) [operator] as-number
    (AS|peer-as|source-as|transit-as) as-set name
        as-number is an AS number as explained above under GLOBAL
        CONFIGURATION. It may be set to neighbor-as, which is expanded to
        the current neighbor remote AS number, or local-as, which is
        expanded to the locally assigned AS number. When specifying an
        as-set name the AS path will instead be matched against all the AS
        numbers in the set.

        The operator can be unspecified (this case is identical to the
        equality operator), or one of the numerical operators

            =     (equal)
            !=    (unequal)
            -     (range including boundaries)
            ><    (except range)

        >< and - are binary operators (they take two arguments); with these,
        as-number cannot be set to neighbor-as.

        Multiple as-number entries for a given type or as-type as-number
        entries may also be specified, separated by commas or whitespace, if
        enclosed in curly brackets:

            deny from any AS { 1, 2, 3 }
            deny from any { AS 1, source-as 2, transit-as 3 }
            deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }

    community as-number:local
    community name
        This rule applies only to UPDATES where the community path attribute
        is present and matches. Communities are specified as as-number:local,
        where as-number is an AS number and local is a locally significant
        number between zero and 65535. Both as-number and local may be set
        to ‘*’ to do wildcard matching. Alternatively, well-known
        communities may be given by name instead and include BLACKHOLE,
        GRACEFUL_SHUTDOWN, NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and
        NO_PEER. Both as-number and local may be set to neighbor-as, which
        is expanded to the current neighbor remote AS number, or local-as,
        which is expanded to the locally assigned AS number.

    large-community as-number:local:local
        This rule applies only to UPDATES where the large community path
        attribute is present and matches. Communities are specified as
        as-number:local:local, where as-number is an AS number and local is
        a locally significant number between zero and 4294967295. Both
        as-number and local may be set to ‘*’ to do wildcard matching. Both
        as-number and local may be set to neighbor-as, which is expanded to
        the current neighbor remote AS number, or local-as, which is
        expanded to the locally assigned AS number.
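Matching of the community and large-community parameters as described above: the ‘*’ wildcard, the well-known names, the neighbor-as and local-as expansions, and the range check on the local part. This is an added example, not bgpd(8) code. The numeric values behind the well-known names are the IANA assignments for those communities (all of the form 65535:x); the received attributes and session AS numbers are constructed.

```python
"""community / large-community parameter matching with '*' wildcards,
well-known names and neighbor-as / local-as expansion.

Added example, not bgpd(8) code. WELL_KNOWN holds the IANA values for the
names the manual lists; received attributes are modelled as tuples.
"""
from typing import Optional

WELL_KNOWN = {
    "GRACEFUL_SHUTDOWN": (65535, 0),
    "BLACKHOLE": (65535, 666),
    "NO_EXPORT": (65535, 65281),
    "NO_ADVERTISE": (65535, 65282),
    "NO_EXPORT_SUBCONFED": (65535, 65283),
    "NO_PEER": (65535, 65284),
}


def _field(text: str, local_as: int, neighbor_as: int,
           limit: Optional[int]) -> Optional[int]:
    """One field of a spec: '*' (wildcard, returned as None), neighbor-as,
    local-as, or a number checked against the field's upper limit."""
    if text == "*":
        return None
    if text == "neighbor-as":
        return neighbor_as
    if text == "local-as":
        return local_as
    value = int(text)
    if value < 0 or (limit is not None and value > limit):
        raise ValueError(f"{text} is out of range")
    return value


def parse_spec(spec: str, local_as: int, neighbor_as: int) -> tuple:
    """'as:local' (local 0..65535), 'as:local:local' (0..4294967295) or a
    well-known name, returned as a tuple with None standing for '*'."""
    if spec in WELL_KNOWN:
        return WELL_KNOWN[spec]
    parts = spec.split(":")
    if len(parts) == 2:
        limits = (None, 65535)
    elif len(parts) == 3:
        limits = (None, 4294967295, 4294967295)
    else:
        raise ValueError(f"bad community {spec!r}")
    return tuple(_field(p, local_as, neighbor_as, lim)
                 for p, lim in zip(parts, limits))


def value_matches(pattern: tuple, value: tuple) -> bool:
    """Field-wise comparison; None in the pattern matches anything. A
    two-field pattern never matches a three-field large community."""
    return len(pattern) == len(value) and all(
        p is None or p == v for p, v in zip(pattern, value))


def rule_matches(spec: str, attribute: list, local_as: int, neighbor_as: int) -> bool:
    """The parameter matches if the path attribute is present (non-empty)
    and at least one of its values matches the spec."""
    pattern = parse_spec(spec, local_as, neighbor_as)
    return any(value_matches(pattern, v) for v in attribute)


def is_valid_spec(spec: str) -> bool:
    """True if the spec parses (used to reject out-of-range local parts)."""
    try:
        parse_spec(spec, 0, 0)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # constructed: local AS 65001, neighbor AS 64496, two received communities
    received = [(64496, 100), (65535, 65281)]
    for spec in ("neighbor-as:100", "NO_EXPORT", "65001:*"):
        print(spec, rule_matches(spec, received, 65001, 64496))
```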
    ext-community subtype as-number:local
    ext-community subtype IP:local
    ext-community subtype numvalue
    ext-community ovs (valid|not-found|invalid)

    (from|to) peer
        peer is one of any, ibgp, ebgp, group descr, AS as-number, or a
        neighbor address. Multiple peer entries may also be specified,
        separated by commas or whitespace, if enclosed in curly brackets:

            deny from { 128.251.16.1, 251.128.16.2, group hojo }

    (inet|inet6)
        inet is an alias for "prefix 0.0.0.0/0 prefixlen >= 0"; inet6 is an
        alias for "prefix ::/0 prefixlen >= 0".

    max-as-len len

    max-as-seq len

    nexthop address

    origin-set name

    ovs (valid|not-found|invalid)

    prefix address/len
    prefix address/len prefixlen range
    prefix address/len or-longer
    prefix address/len maxlen mlen
        Multiple entries may be specified, separated by commas or
        whitespace, if enclosed in curly brackets:

            deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }

        Multiple lists can also be specified, which is useful for macro
        expansion:

            good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
            bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }"
            ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"
            deny from any prefix { $good $bad $ugly }

        Prefix length ranges are specified by using these operators:

            =     (equal)
            !=    (unequal)
            <     (less than)
            <=    (less than or equal)
            >     (greater than)
            >=    (greater than or equal)
            -     (range including boundaries)
            ><    (except range)

        >< and - are binary operators (they take two arguments). For
        instance, to match all prefix lengths >= 8 and <= 12, and hence the
        CIDR netmasks 8, 9, 10, 11 and 12:

            prefixlen 8-12

        Or, to match all prefix lengths < 8 or > 12, and hence the CIDR
        netmasks 0–7 and 13–32:

            prefixlen 8><12

        This will match all prefixes in the 10.0.0.0/8 netblock with
        netmasks longer than 16:

            prefix 10.0.0.0/8 prefixlen > 16

        or-longer is a shorthand for:

            prefix address/len prefixlen >= len

        maxlen mlen is a shorthand for:

            prefix address/len prefixlen <= mlen

    prefix-set name [or-longer]
        If or-longer is specified, the UPDATES will match any prefix in the
        prefix-set as if each entry were given as address/len prefixlen >=
        len.

    quick
        If the quick option is set, this rule is considered the last
        matching rule, and evaluation of subsequent rules is skipped.
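An evaluator for the filter semantics described in FILTER and PARAMETERS: rules run first to last, the last matching allow or deny decides, quick makes a matching rule the last one, and the default is deny. It implements the prefix parameter with the prefixlen operators (=, !=, <, <=, >, >=, -, ><), or-longer, maxlen and curly-bracket lists, plus the from/to selectors any, ibgp, ebgp, AS as-number and a neighbor address. This is an added example, not bgpd(8) code: rules are plain dicts, the `Peer` class is an assumption, and the rule list and routes are constructed, reusing prefixes from the manual's own examples.

```python
"""Filter evaluation: first-to-last, last match wins, quick stops, default
deny; prefix / prefixlen operators, or-longer, maxlen, and peer selectors.

Added example, not bgpd(8) code. Rule dicts, the Peer class and the sample
rule set are constructed for this illustration.
"""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Optional

_UNARY = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
          "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def prefixlen_matches(length: int, op: str, a: int, b: Optional[int] = None) -> bool:
    """The prefixlen operators; '-' and '><' are the two binary ones."""
    if op == "-":
        return a <= length <= b           # range including boundaries
    if op == "><":
        return length < a or length > b   # everything except the range
    return _UNARY[op](length, a)


def prefix_matches(route, spec: dict) -> bool:
    """spec has 'prefix' and optionally one of 'prefixlen': (op, a[, b]),
    'or-longer': True, or 'maxlen': mlen. A bare prefix matches exactly."""
    net = ipaddress.ip_network(spec["prefix"], strict=False)
    if route.version != net.version or not route.subnet_of(net):
        return False
    if "prefixlen" in spec:
        return prefixlen_matches(route.prefixlen, *spec["prefixlen"])
    if spec.get("or-longer"):
        return route.prefixlen >= net.prefixlen   # shorthand: prefixlen >= len
    if "maxlen" in spec:
        return route.prefixlen <= spec["maxlen"]  # shorthand: prefixlen <= mlen
    return route.prefixlen == net.prefixlen


@dataclass
class Peer:
    address: str
    remote_as: int
    local_as: int


def peer_matches(peer: Peer, sel) -> bool:
    """sel: 'any', 'ibgp', 'ebgp', ('AS', number) or a neighbor address."""
    if sel == "any":
        return True
    if sel == "ibgp":
        return peer.remote_as == peer.local_as
    if sel == "ebgp":
        return peer.remote_as != peer.local_as
    if isinstance(sel, tuple):
        return sel == ("AS", peer.remote_as)
    return ipaddress.ip_address(sel) == ipaddress.ip_address(peer.address)


def rule_matches(rule: dict, direction: str, peer: Peer, route) -> bool:
    if rule["dir"] != direction or not peer_matches(peer, rule.get("peer", "any")):
        return False
    specs = rule.get("prefix")             # a list models { a, b, ... }
    return specs is None or any(prefix_matches(route, s) for s in specs)


def evaluate(rules: list, direction: str, peer: Peer, prefix: str) -> str:
    """Return 'allow' or 'deny' for one UPDATE in the given direction."""
    route = ipaddress.ip_network(prefix, strict=False)
    decision = "deny"                      # default action
    for rule in rules:
        if rule_matches(rule, direction, peer, route):
            decision = rule["action"]
            if rule.get("quick"):          # last matching rule; stop here
                break
    return decision


# Constructed rule set, in bgpd.conf order:
#   allow from any inet
#   deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }
#   deny quick from any prefix 224.0.0.0/4 prefixlen >= 4
#   allow from any prefix 224.0.0.0/4 or-longer     (never wins: quick above)
#   deny from AS 64496 prefix 192.0.2.0/24 prefixlen > 24
RULES = [
    {"action": "allow", "dir": "from", "peer": "any",
     "prefix": [{"prefix": "0.0.0.0/0", "prefixlen": (">=", 0)}]},
    {"action": "deny", "dir": "from", "peer": "any",
     "prefix": [{"prefix": "192.168.0.0/16"},
                {"prefix": "10.0.0.0/8", "or-longer": True}]},
    {"action": "deny", "dir": "from", "peer": "any", "quick": True,
     "prefix": [{"prefix": "224.0.0.0/4", "prefixlen": (">=", 4)}]},
    {"action": "allow", "dir": "from", "peer": "any",
     "prefix": [{"prefix": "224.0.0.0/4", "or-longer": True}]},
    {"action": "deny", "dir": "from", "peer": ("AS", 64496),
     "prefix": [{"prefix": "192.0.2.0/24", "prefixlen": (">", 24)}]},
]
```

Note the difference between the bare `192.168.0.0/16` entry, which matches only that exact prefix, and `10.0.0.0/8 or-longer`, which also catches more-specifics; and that with no rule for the `to` direction, the default deny applies to everything announced.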
    rib name

    set attribute ...

ATTRIBUTE SET
    AS path attributes can be modified with set. set can be used on network
    statements, in neighbor or group blocks, and on filter rules. Attribute
    sets can be expressed as lists.

    The following attributes can be modified:

    community [delete] as-number:local
    community [delete] name
        local is a locally significant number between zero and 65535.
        Alternately, well-known communities may be specified by name:
        GRACEFUL_SHUTDOWN, NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, or
        NO_PEER. For delete, both as-number and local may be set to ‘*’ to
        do wildcard matching.

    large-community [delete] as-number:local:local
    large-community [delete] name
        local is a locally significant number between zero and 4294967295.
        For delete, both as-number and local may be set to ‘*’ to do
        wildcard matching.

    ext-community [delete] subtype as-number:local
    ext-community [delete] subtype IP:local
    ext-community [delete] subtype numvalue
    ext-community [delete] ovs (valid|not-found|invalid)
        The following subtypes are known:

            bdc       BGP Data Collection
            defgw     Default Gateway
            esi-lab   ESI Label
            esi-rt    ES-Import Route Target
            l2vid     L2VPN Identifier
            mac-mob   MAC Mobility
            odi       OSPF Domain Identifier
            ort       OSPF Route Type
            ori       OSPF Router ID
            ovs       BGP Origin Validation State
            rt        Route Target
            soo       Route Origin / Source of Origin
            srcas     Source AS
            vrfri     VRF Route Import

        Not all type and subtype value pairs are allowed by IANA and the
        parser will ensure that no invalid combination is created.

    localpref number

    med number

    metric number

    origin (igp|egp|incomplete)

    nexthop (address|blackhole|reject|self|no-modify)
        For example:

            set nexthop 192.168.0.1
            set nexthop blackhole
            set nexthop reject
            set nexthop no-modify
            set nexthop self

    pftable table

    prepend-neighbor number

    prepend-self number

    rtlabel label

    weight number

SEE ALSO
    strftime(3), ipsec(4), pf(4), tcp(4), bgpctl(8), bgpd(8), ipsecctl(8),
    isakmpd(8), rc.conf.local(8)

HISTORY
    The bgpd.conf file format first appeared in OpenBSD 3.5.

OpenBSD-6.4                    October 6, 2018                    OpenBSD-6.4