NAME
bgpd.conf
—
Border Gateway Protocol daemon
configuration file
DESCRIPTION
The bgpd(8) daemon implements the Border Gateway Protocol version 4 as described in RFC 4271.
The bgpd.conf
config file is divided into
the following main sections:
- Macros
- User-defined variables may be defined and used later, simplifying the configuration file.
- Global Configuration
- Global settings for bgpd(8).
- Set Configuration
- Various lookup tables are defined in this section.
- Network Announcements
- Networks which should be announced by bgpd(8) are set in this section.
- MPLS VPN Configuration
- The definition and properties for BGP MPLS VPNs are set in this section.
- Neighbors and Groups
- bgpd(8) establishes sessions with neighbors. The neighbor definition and properties are set in this section, as well as grouping neighbors for the ease of configuration.
- Filter
- Filter rules for incoming and outgoing UPDATES.
With the exception of macros, the sections should be grouped and
appear in bgpd.conf
in the order shown above.
The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.
Argument names not beginning with a letter, digit, or underscore must be quoted.
Additional configuration files can be included with the
include
keyword, for example:
include "/etc/bgpd/bgpd-10.0.0.1.filter"
MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore, and may contain
any of those characters. Macro names may not be reserved words (for example,
AS
, neighbor
, or
group
). Macros are not expanded inside quotes.
For example:
peer1="1.2.3.4" neighbor $peer1 { remote-as 65001 }
GLOBAL CONFIGURATION
There are quite a few settings that affect the operation of the bgpd(8) daemon globally.
AS
as-number [as-number]- Set the local
autonomous
system number to as-number. If the first AS
number is a 4-byte AS it is possible to specify a secondary 2-byte AS
number which is used for neighbors which do not support 4-byte AS numbers.
The default for the secondary AS is 23456.
The AS numbers are assigned by local RIRs, such as:
- AfriNIC
- for Africa
- APNIC
- for Asia Pacific
- ARIN
- for North America and parts of the Caribbean
- LACNIC
- for Latin America and the Caribbean
- RIPE NCC
- for Europe, the Middle East, and parts of Asia
For example:
AS 65001
sets the local AS to 65001.
The AS numbers 64512 – 65534 are designated for private use. The AS number 23456 is a specially designated Autonomous System Number and should not be used. 4-byte AS numbers are specified as two numbers separated by a dot (ASDOT format), for example:
AS 3.10
or as a large number (ASPLAIN format), for example:
AS 196618
connect-retry
seconds- Set the number of seconds before retrying to open a connection. This timer should be sufficiently large in EBGP configurations. The default is 120 seconds.
dump
[rib
name] (table
|table-mp
|table-v2
) file [timeout]dump
(all
|updates
) (in
|out
) file [timeout]- Dump the RIB, a.k.a. the
routing
information base, and all BGP messages in Multi-threaded Routing
Toolkit (MRT) format. It is possible to dump alternate RIB with the use of
name.
For example, the following will dump the entire table to the strftime(3)-expanded filename. Only the
table-v2
format is able to dump a multi-protocol RIB correctly. Bothtable
andtable-mp
formats are more or less limited when handling multi-protocol entries and are only left around to support 3rd party tools not handling the new format. The timeout is optional:dump table "/tmp/rib-dump-%H%M" 300
Similar to the table dump, but this time all BGP messages and state transitions will be dumped to the specified file:
dump all in "/tmp/all-in-%H%M" 300
As before, but only the UPDATE messages will be dumped to the file:
dump updates in "/tmp/updates-in-%H%M" 300
It is also possible to dump outgoing messages:
dump all out "/tmp/all-out-%H%M" 300 # or dump updates out "/tmp/updates-out-%H%M" 300
fib-priority
prio- Set the routing priority to prio. The default is 48.
fib-update
(yes
|no
)- If set to
no
, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default isyes
. holdtime
seconds- Set the holdtime in seconds. The holdtime is reset to its initial value every time either a KEEPALIVE or an UPDATE message is received from the neighbor. If the holdtime expires the session is dropped. The default is 90 seconds. Neighboring systems negotiate the holdtime used when the connection is established in the OPEN messages. Each neighbor announces its configured holdtime; the smaller one is then agreed upon.
holdtime min
seconds- The minimal accepted holdtime in seconds. This value must be greater than or equal to 3.
listen on
address- Specify the local IP address
bgpd(8) should listen on.
listen on 127.0.0.1
log updates
- Log received and sent updates.
nexthop
qualify
via
(bgp
|default
)- If set to
bgp
, bgpd(8) may use BGP routes to verify nexthops. If set todefault
, bgpd may use the default route to verify nexthops. By default bgpd will only use static routes or routes added by other routing daemons like ospfd(8). rde
med
compare
(always
|strict
)- If set to
always
, the MULTI_EXIT_DISC attributes will always be compared. The default isstrict
, where the metric is only compared between peers belonging to the same AS. rde
rib
name [no
evaluate
]rde
rib
name [rtable
number]- Create an additional RIB named name. It is possible
to disable the decision process per RIB with the
no
evaluate
flag. If artable
is specified, routes will be exported to the given kernel routing table. Currently the routing table must belong to the routing domain bgpd(8) was started in. Nexthop verification happens in the table bgpd(8) was started in - routes in the specified table will not be considered.Adj-RIB-In
andLoc-RIB
are created automatically and used as default. rde
route-age
(ignore
|evaluate
)- If set to
evaluate
, the best path selection will not only be based on the path attributes but also on the age of the route, giving preference to the older, typically more stable, route. In this case the decision process is no longer deterministic. The default isignore
. route-collector
(yes
|no
)- If set to
yes
, the route selection process is turned off. The default isno
. router-id
address- Set the router ID to the given IP address, which must be local to the
machine.
router-id 10.0.0.1
If not given, the BGP ID is determined as the biggest IP address assigned to the local machine.
rtable
number- Work with the given kernel routing table instead of the default table,
which is the one
bgpd(8) was started in. For nexthop verification,
bgpd(8) will always consult the default table. This is the same as
using the following syntax:
rde rib Loc-RIB rtable number
socket
"path" [restricted
]- Create a control socket at path. If
restricted
is specified a restricted control socket will be created. By default /var/run/bgpd.sock.<rdomain> is used where <rdomain> is the routing domain in which bgpd has been started. By default, no restricted socket is created. transparent-as
(yes
|no
)- If set to
yes
, AS paths to EBGP neighbors are not prepended with the local AS. The default isno
.
SET CONFIGURATION
bgpd(8) supports sets for looking up collections in an efficent way.
as-set
, prefix-set
, and
origin-set
are used to look up AS numbers, prefixes
and prefixes/source-as pairs respectively. See also the
FILTER section on how these sets are used
in filters. One single roa-set
can be defined which
will be used to validate the origin of each prefix against. The set
collections can span multiple lines and an optional comma is allowed between
elements.
as-set
name{
as-number ...}
- An
as-set
holds a collection of AS numbers and can be used with the AS specific parameter in FILTER rules. Lookups against as-sets are more efficient than a large number of rules which differ only in the AS number. origin-set
name{
address/
lenmaxlen
mlensource-as
asn ...}
- An
origin-set
holds a collection of prefix/source-as pairs and can be used in place where a rules filter for source-as and prefix at the same time.origin-set private { 10.0.0.0/8 maxlen 24 source-as 64511 203.0.113.0/24 source-as 64496 }
prefix-set
name{
address/
len ...}
- A
prefix-set
holds a collection of prefixes and can be used in place of theprefix
parameter in FILTER rules andnetwork
statements. Lookups against prefix-sets are more efficient than a large number of rules which differ only in prefix.A prefix can be followed by the prefixlen operators listed for the
prefix
parameter in the PARAMETERS section.The first example creates a set of prefixes called “private”, to hold a number of RFC 1918 private network blocks. The second example shows the use of prefixlen operators.
prefix-set private { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7 } prefix-set as64496set { 192.0.2.0/24 prefixlen >= 26, 2001:db8::/32 or-longer }
roa-set
{
address/
lenmaxlen
mlensource-as
asn ...}
- An
roa-set
holds a collection of Validated ROA Payloads (VRP). Each received prefix is checked against theroa-set
and the Origin Validation State (OVS) is set.roa-set { 192.0.2.0/24 maxlen 24 source-as 64511 203.0.113.0/24 source-as 64496 }
NETWORK ANNOUNCEMENTS
To announce a specific network as belonging to our AS, a
network
statement is used. By default
bgpd(8) will not announce anything. Filter rules need to be in place
to allow announcement of the right prefixes to each neighbor.
network
address/
prefix [set ...
]- Announce the specified prefix as belonging to our AS.
network
(inet
|inet6
)connected
[set ...
]- Announce routes to directly attached networks.
network prefix-set
name [set ...
]- All networks in the prefix-set name will be announced.
network
(inet
|inet6
)priority
number [set ...
]- Announce routes with the specified priority.
network
(inet
|inet6
)rtlabel
label [set ...
]- Announce routes with the specified label.
network
(inet
|inet6
)static
[set ...
]- Announce all static routes.
It is possible to set default AS path attributes
per network
statement:
network 192.168.7.0/24 set localpref 220
See also the ATTRIBUTE SET section.
MPLS VPN CONFIGURATION
bgpd(8) supports the setup and distribution of Virtual Private
Networks. It is possible to import and export prefixes between routing
domains. Each routing domain is specified by an
rdomain
section, which allows properties to be set
specifically for that rdomain:
rdomain 1 { descr "a rdomain" rd 65002:1 import-target rt 65002:42 export-target rt 65002:42 network 192.168.1/24 depend on mpe0 }
There are several routing domain properties:
depend on
interface- Routes added to the rdomain will use this interface as the outgoing interface. Normally this will be an MPLS Provider Edge, mpe(4), interface that is part of the rdomain. Local networks will be announced with the MPLS label specified on the interface.
descr
description- Add a description. The description is used when logging but has no further meaning to bgpd(8).
export-target
subtype as-number:localexport-target
subtype IP:local- Specify an extended community which will be attached to announced
networks. More than one
export-target
can be specified. See also the ATTRIBUTE SET section for further information about the encoding. The subtype should be set to rt for best compatibility with other implementations. fib-update
(yes
|no
)- If set to
no
, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default isyes
. import-target
subtype as-number:localimport-target
subtype IP:local- Only prefixes matching one of the specified
import-targets
will be imported into the rdomain. More than oneimport-target
can be specified. See also the ATTRIBUTE SET section for further information about the encoding of extended communities. The subtype should be set to rt for best compatibility with other implementations. network
arguments ...- Define which networks should be exported into this VPN. See also the
nexthop
section in GLOBAL CONFIGURATION for further information about the arguments. rd
as-number:localrd
IP:local- The sole purpose of the Route Distinguisher
rd
is to ensure that possible common prefixes are distinct between VPNs. Therd
is neither used to identify the origin of the prefix nor to control into which VPNs the prefix is distributed to. The as-number or IP of ard
should be set to a number or IP that was assigned by an appropriate authority. Whereas local can be chosen by the local operator.
NEIGHBORS AND GROUPS
bgpd(8) establishes TCP connections to other BGP speakers called
neighbors. Each neighbor is specified by a
neighbor
section, which allows properties to be set
specifically for that neighbor:
neighbor 10.0.0.2 { remote-as 65002 descr "a neighbor" }
Multiple neighbors can be grouped together by a
group
section. Each neighbor
section within the group
section inherits all
properties from its group:
group "peering AS65002" { remote-as 65002 neighbor 10.0.0.2 { descr "AS65002-p1" } neighbor 10.0.0.3 { descr "AS65002-p2" } }
Instead of the neighbor's IP address, an address/netmask pair may be given:
neighbor 10.0.0.0/8
In this case, the neighbor specification becomes a
template, and if
a neighbor connects from an IP address within the given network, the
template is
cloned,
inheriting everything from the template but the remote address, which is
replaced by the connecting neighbor's address. With a template specification
it is valid to omit remote-as
;
bgpd(8) will then accept any AS the neighbor presents in the
OPEN message.
There are several neighbor properties:
announce
(all
|default-route
|none
)announce all
is a no-op.announce none
andannounce default-route
are aliases forexport none
andexport default-route
, respectively. These three directives are provided for backward compatibility, but will eventually be removed.announce
(IPv4
|IPv6
) (none
|unicast
|vpn
)- For the given address family, control which subsequent address families
are announced during the capabilities negotiation. Only routes for that
address family and subsequent address families will be announced and
processed.
At the moment, only none, which disables the announcement of that address family, unicast, and vpn, which allows the distribution of BGP MPLS VPNs, are supported.
The default is
unicast
for the same address family of the session. announce as-4byte
(yes
|no
)- If set to
no
, the 4-byte AS capability is not announced and so native 4-byte AS support is disabled. The default isyes
. announce capabilities
(yes
|no
)- If set to
no
, capability negotiation is disabled during the establishment of the session. This can be helpful to connect to old or broken BGP implementations. The default isyes
. announce refresh
(yes
|no
)- If set to
no
, the route refresh capability is not announced. The default isyes
. announce restart
(yes
|no
)- If set to
no
, the graceful restart capability is not announced. Currently only the End-of-RIB marker is supported and announced by therestart
capability. The default isyes
. demote
group- Increase the carp(4) demotion counter on the given interface group,
usually carp, when the session is not in state
ESTABLISHED. The demotion counter will be increased as
soon as bgpd(8) starts and decreased 60 seconds after the session went to
state ESTABLISHED. For neighbors added at runtime, the
demotion counter is only increased after the session has been
ESTABLISHED at least once before dropping.
For more information on interface groups, see the
group
keyword in ifconfig(8). depend on
interface- The neighbor session will be kept in state IDLE as long
as interface reports no link. For
carp(4) interfaces, no link means that the interface is currently
backup.
This is primarily intended to be used with
carp(4) to reduce failover times.
The state of the network interfaces on the system can be viewed using the
show interfaces
command to bgpctl(8). descr
description- Add a description. The description is used when logging neighbor events, in status reports, for specifying neighbors, etc., but has no further meaning to bgpd(8).
down
[reason]- Do not start the session when bgpd comes up but stay in
IDLE. If the session is cleared at runtime, after a
down
reason was configured at runtime, the reason is sent as Administrative Shutdown Communication. The reason cannot exceed 128 octets. dump
(all
|updates
) (in
|out
) file [timeout]- Do a peer specific MRT dump. Peer specific dumps are limited to
all
andupdates
. See also thedump
section in GLOBAL CONFIGURATION. enforce local-as
(yes
|no
)- If set to
no
, AS paths will not be checked for AS loop detection. This feature is similar to allowas-in in some other BGP implementations. Since there is no AS path loop check, this feature is dangerous, and requires you to add filters to prevent receiving your own prefixes. The default value isyes
. enforce neighbor-as
(yes
|no
)- If set to
yes
, AS paths whose leftmost AS is not equal to the remote AS of the neighbor are rejected and a NOTIFICATION is sent back. The default value for IBGP peers isno
otherwise the default isyes
. export
(none
|default-route
)- If set to
none
, no UPDATE messages will be sent to the neighbor. If set todefault-route
, only the default route will be announced to the neighbor. holdtime
seconds- Set the holdtime in seconds. Inherited from the global configuration if not given.
holdtime min
seconds- Set the minimal acceptable holdtime. Inherited from the global configuration if not given.
ipsec
(ah
|esp
) (in
|out
)spi
spi-number authspec [encspec]- Enable IPsec with static keying. There must be at least two
ipsec
statements per peer with manual keying, one per direction. authspec specifies the authentication algorithm and key. It can besha1 <key> md5 <key>
encspec specifies the encryption algorithm and key.
ah
does not support encryption. Withesp
, encryption is optional. encspec can be3des <key> 3des-cbc <key> aes <key> aes-128-cbc <key>
Keys must be given in hexadecimal format.
ipsec
(ah
|esp
)ike
- Enable IPsec with dynamic keying. In this mode,
bgpd(8) sets up the flows, and a key management daemon such as
isakmpd(8) is responsible for managing the session keys. With
isakmpd(8), it is sufficient to copy the peer's public key, found
in /etc/isakmpd/local.pub, to the local machine.
It must be stored in a file named after the peer's IP address and must be
stored in /etc/isakmpd/pubkeys/ipv4/. The local
public key must be copied to the peer in the same way. As
bgpd(8) manages the flows on its own, it is sufficient to restrict
isakmpd(8) to only take care of keying by specifying the flags
-Ka
. This can be done in rc.conf.local(8). After starting the isakmpd(8) and bgpd(8) daemons on both sides, the session should be established. local-address
address- When bgpd(8) initiates the TCP connection to the neighbor system, it
normally does not bind to a specific IP address. If a
local-address
is given, bgpd(8) binds to this address first. local-as
as-number [as-number]- Set the AS number sent to the remote system. Used as described above under
GLOBAL CONFIGURATION option
AS
.Since there is no AS path loop check, this option is dangerous, and requires you to add filters to prevent receiving your ASNs. Intended to be used temporarily, for migrations to another AS.
log no
- Disable neighbor specific logging.
log updates
- Log received and sent updates for this neighbor.
max-prefix
number [restart
number]- Terminate the session when the maximum number of
prefixes received is exceeded (no such limit is imposed by default). If
restart
is specified, the session will be restarted after number minutes. multihop
hops- Neighbors not in the same AS as the local
bgpd(8) normally have to be directly connected to the local
machine. If this is not the case, the
multihop
statement defines the maximum hops the neighbor may be away. passive
- Do not attempt to actively open a TCP connection to the neighbor system.
remote-as
as-number- Set the AS number of the remote system.
rib
name- Bind the neighbor to the specified RIB.
route-reflector
[address]- Act as an RFC 4456 route-reflector for this neighbor. An optional cluster ID can be specified; otherwise the BGP ID will be used.
set
attribute ...- Set the AS path attributes to some default per
neighbor
orgroup
block:set localpref 300
See also the ATTRIBUTE SET section. Set parameters are applied to the received prefixes; the only exceptions are
prepend-self
,nexthop no-modify
andnexthop self
. These sets are rewritten into filter rules and can be viewed with “bgpd -nv”. tcp md5sig password
secrettcp md5sig key
secret- Enable TCP MD5 signatures per RFC 2385. The shared secret can either be
given as a password or hexadecimal key.
tcp md5sig password mekmitasdigoat tcp md5sig key deadbeef
transparent-as
(yes
|no
)- If set to
yes
, AS paths to EBGP neighbors are not prepended with the local AS. The default is inherited from the globaltransparent-as
setting. ttl-security
(yes
|no
)- Enable or disable ttl-security. When enabled, outgoing packets are sent
using a TTL of 255 and a check is made against an incoming packet's TTL.
For directly connected peers, incoming packets are required to have a TTL
of 255, ensuring they have not been routed. For multihop peers, incoming
packets are required to have a TTL of 256 minus multihop distance,
ensuring they have not passed through more than the expected number of
hops. The default is
no
.
FILTER
bgpd(8) has the ability to allow
and
deny
UPDATES based on
prefix or AS path attributes. In
addition, UPDATES may also be modified by filter
rules.
For each UPDATE processed by the filter, the
filter rules are evaluated in sequential order, from first to last. The last
matching allow
or deny
rule
decides what action is taken. The default action is to deny.
The following actions can be used in the filter:
allow
- The UPDATE is passed.
deny
- The UPDATE is blocked.
match
- Apply the filter attribute set without influencing the filter decision.
PARAMETERS
The rule parameters specify the UPDATES to which a rule applies. An UPDATE always comes from, or goes to, one neighbor. Most parameters are optional, but each can appear at most once per rule. If a parameter is specified, the rule only applies to packets with matching attributes.
- as-type [operator] as-number
- as-type
as-set
name - This rule applies only to UPDATES where the
AS path matches. The part of the AS
path specified by the as-type is matched against
the as-number or the
as-set
name:AS
- (any part)
peer-as
- (leftmost AS number)
source-as
- (rightmost AS number)
transit-as
- (all but the rightmost AS number)
as-number is an AS number as explained above under GLOBAL CONFIGURATION. It may be set to
neighbor-as
, which is expanded to the current neighbor remote AS number, orlocal-as
, which is expanded to the locally assigned AS number.When specifying an
as-set
name the AS path will instead be matched against all the AS numbers in the set.The operator can be unspecified (this case is identical to the equality operator), or one of the numerical operators
= (equal) != (unequal) - (range including boundaries) >< (except range)
>< and - are binary operators (they take two arguments); with these, as-number cannot be set to
neighbor-as
.Multiple as-number entries for a given type or as-type as-number entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:
deny from any AS { 1, 2, 3 } deny from any { AS 1, source-as 2, transit-as 3 } deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }
community
as-number:
localcommunity
name- This rule applies only to UPDATES where the
community
path attribute is present and matches. Communities are specified as as-number:local, where as-number is an AS number and local is a locally significant number between zero and65535
. Both as-number and local may be set to ‘*’ to do wildcard matching. Alternatively, well-known communities may be given by name instead and includeBLACKHOLE
,GRACEFUL_SHUTDOWN
,NO_EXPORT
,NO_ADVERTISE
,NO_EXPORT_SUBCONFED
, andNO_PEER
. Both as-number and local may be set toneighbor-as
, which is expanded to the current neighbor remote AS number, orlocal-as
, which is expanded to the locally assigned AS number. large-community
as-number:local:local- This rule applies only to UPDATES where the
Large community
path attribute is present and matches. Communities are specified as as-number:local:local, where as-number is an AS number and local is a locally significant number between zero and4294967295
. Both as-number and local may be set to ‘*’ to do wildcard matching. Both as-number and local may be set toneighbor-as
, which is expanded to the current neighbor remote AS number,local-as
, which is expanded to the locally assigned AS number. ext-community
subtype as-number:localext-community
subtype IP:localext-community
subtype numvalueext-community
ovs (valid
|not-found
|invalid
)- This rule applies only to UPDATES where the extended community path attribute is present and matches. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. See also the ATTRIBUTE SET section for further information about the encoding.
- (
from
|to
) peer - This rule applies only to UPDATES coming from, or going
to, this particular neighbor. This parameter must be specified.
peer is one of the following:
any
- Any neighbor will be matched.
ibgp
- All IBGP neighbors will be matched.
ebgp
- All EBGP neighbors will be matched.
- address
- Neighbors with this address will be matched.
group
descr- Neighbors in this group will be matched.
AS
as-number- Neighbors with this AS will be matched.
Multiple peer entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:
deny from { 128.251.16.1, 251.128.16.2, group hojo }
- (
inet
|inet6
) - Match only routes in the IPv4 or IPv6 address families, respectively.
inet
is an alias for "prefix 0.0.0.0/0 prefixlen >= 0";inet6
is an alias for "prefix ::/0 prefixlen >= 0". max-as-len
len- This rule applies only to UPDATES where the AS path has more than len elements.
max-as-seq
len- This rule applies only to UPDATES where a single AS number is repeated more than len times.
nexthop
address- This rule applies only to UPDATES where the nexthop is equal to address. The address can be set to neighbor in which case the nexthop is compared against the address of the neighbor. Nexthop filtering is not supported on locally announced networks and one must take into consideration previous rules overwriting nexthops.
origin-set
name- This rule applies only to UPDATES that match the given origin-set name.
ovs
(valid
|not-found
|invalid
)- This rule applies only to UPDATES where the Origin Validation State (OVS) matches.
prefix
address/
lenprefix
address/
lenprefixlen
rangeprefix
address/
lenor-longer
prefix
address/
lenmaxlen
mlen- This rule applies only to UPDATES for the specified
prefix.
Multiple entries may be specified, separated by commas or whitespace, if enclosed in curly brackets:
deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }
Multiple lists can also be specified, which is useful for macro expansion:
good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }" ugly="{ 127.0.0.1/8, 169.254.0.0/16 }" deny from any prefix { $good $bad $ugly }
Prefix length ranges are specified by using these operators:
= (equal) != (unequal) < (less than) <= (less than or equal) > (greater than) >= (greater than or equal) - (range including boundaries) >< (except range)
>< and - are binary operators (they take two arguments). For instance, to match all prefix lengths >= 8 and <= 12, and hence the CIDR netmasks 8, 9, 10, 11 and 12:
prefixlen 8-12
Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks 0–7 and 13–32:
prefixlen 8><12
This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer than 16:
prefix 10.0.0.0/8 prefixlen > 16
or-longer
is a shorthand for:prefix
address/
lenprefixlen
>=
lenmaxlen
mlen is a shorthand for:prefix
address/
lenprefixlen
<=
mlen prefix-set
name [or-longer
]- This rule applies only to UPDATES that match the given
prefix-set name. With
or-longer
, the UPDATES will match any prefix in the prefix-set whereaddress
/
lenprefixlen
>=
len quick
- If an UPDATE matches a rule which has the
quick
option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped. rib
name- Apply rule only to the specified RIB. This only applies for received updates, so not for rules using the to peer parameter.
set
attribute ...- All matching rules can set the AS path attributes to some default. The set of every matching rule is applied, not only the last matching one. See also the following section.
ATTRIBUTE SET
AS path attributes can be modified with
set
.
set
can be used on
network
statements, in
neighbor
or group
blocks,
and on filter rules. Attribute sets can be expressed as lists.
The following attributes can be modified:
community
[delete] as-number:localcommunity
[delete] name- Set or delete the
COMMUNITIES
AS path attribute. Communities are specified as
as-number:local, where
as-number is an AS number and
local is a locally significant number between zero
and
65535
. Alternately, well-known communities may be specified by name:GRACEFUL_SHUTDOWN
,NO_EXPORT
,NO_ADVERTISE
,NO_EXPORT_SUBCONFED
, orNO_PEER
. Fordelete
, both as-number and local may be set to ‘*’ to do wildcard matching. large-community
[delete] as-number:local:locallarge-community
[delete] name- Set or delete the
Large
Communities path attribute. Communities are specified as
as-number:local:local,
where as-number is an AS number and
local is a locally significant number between zero
and
4294967295
. Fordelete
, both as-number and local may be set to ‘*’ to do wildcard matching. ext-community
[delete] subtype as-number:localext-community
[delete] subtype IP:localext-community
[delete] subtype numvalueext-community
[delete] ovs (valid
|not-found
|invalid
)- Set or delete the
Extended
Community AS path attribute. Extended Communities are specified by
a subtype and normally two values, a globally unique
part (e.g. the AS number) and a local part. The type is selected depending
on the encoding of the global part. Two-octet AS Specific Extended
Communities and Four-octet AS Specific Extended Communities are encoded as
as-number:local. Four-octet
encoding is used if the as-number is bigger than
65535 or if the AS_DOT encoding is used. IPv4 Address Specific Extended
Communities are encoded as
IP:local. Opaque Extended
Communities are encoded with a single numeric value. The
ovs subtype can only be set to
valid, not-found, or
invalid. Currently the following subtypes are
supported:
bdc BGP Data Collection defgw Default Gateway esi-lab ESI Label esi-rt ES-Import Route Target l2vid L2VPN Identifier mac-mob MAC Mobility odi OSPF Domain Identifier ort OSPF Route Type ori OSPF Router ID ovs BGP Origin Validation State rt Route Target soo Route Origin / Source of Origin srcas Source AS vrfri VRF Route Import
Not all type and subtype value pairs are allowed by IANA and the parser will ensure that no invalid combination is created.
localpref
number- Set the LOCAL_PREF AS path attribute. If number starts with a plus or minus sign, LOCAL_PREF will be adjusted by adding or subtracting number; otherwise it will be set to number. The default is 100.
med
numbermetric
number- Set the MULTI_EXIT_DISC AS path attribute. If number starts with a plus or minus sign, MULTI_EXIT_DISC will be adjusted by adding or subtracting number; otherwise it will be set to number.
origin
(igp
|egp
|incomplete
)- Set the ORIGIN AS path attribute to mark the source of this route as being injected from an igp protocol, an egp protocol or being an aggregated route.
nexthop
(address|blackhole
|reject
|self
|no-modify
)- Set the
NEXTHOP
AS path attribute to a different nexthop address or use blackhole or
reject routes. If set to
no-modify,
the nexthop attribute is not modified. Unless set to
self, the nexthop is left unmodified for IBGP sessions.
self forces the nexthop to be set to the local interface
address.
set nexthop 192.168.0.1 set nexthop blackhole set nexthop reject set nexthop no-modify set nexthop self
pftable
table- Add the prefix in the update to the specified pf(4) table, regardless of whether or not the path was selected for routing. This option may be useful in building realtime blacklists.
prepend-neighbor
number- Prepend the neighbor's AS number times to the AS path.
prepend-self
number- Prepend the local AS number times to the AS path.
rtlabel
label- Add the prefix to the kernel routing table with the specified label.
weight
number- The weight is used to tip prefixes with equally long AS paths in one or the other direction. A prefix is weighed at a very late stage in the decision process. If number starts with a plus or minus sign, the weight will be adjusted by adding or subtracting number; otherwise it will be set to number. Weight is a local non-transitive attribute and a bgpd-specific extension. For prefixes with equally long paths, the prefix with the larger weight is selected.
FILES
- /etc/bgpd.conf
- bgpd(8) configuration file
SEE ALSO
strftime(3), ipsec(4), pf(4), tcp(4), bgpctl(8), bgpd(8), ipsecctl(8), isakmpd(8), rc.conf.local(8)
HISTORY
The bgpd.conf
file format first appeared
in OpenBSD 3.5.