NAME¶

DESCRIPTION¶

SECTIONS¶

Macros

User-defined variables may be defined and used later, simplifying the configuration file.

Global Configuration

Global settings for bgpd(8).

Routing Domain Configuration

The definition and properties for BGP MPLS VPNs are set in this section.

Neighbors and Groups

bgpd(8) establishes sessions with neighbors. The neighbor definition and properties are set in this section, as well as grouping neighbors for the ease of configuration.

Filter

Filter rules for incoming and outgoing UPDATES.

include "/etc/bgpd/bgpd-10.0.0.1.filter"

MACROS¶

peer1="1.2.3.4" 
neighbor $peer1 { 
	remote-as 65001 
}

GLOBAL CONFIGURATION¶

AS as-number [as-number]

Set the local autonomous system number to as-number. If the first AS number is a 4-byte AS it is possible to specify a secondary 2-byte AS number which is used for neighbors which do not support 4-byte AS numbers. The default for the secondary AS is 23456.

The AS numbers are assigned by local RIRs, such as:

AfriNIC

for Africa

APNIC

for Asia Pacific

ARIN

for North America and parts of the Caribbean

LACNIC

for Latin America and the Caribbean

RIPE NCC

for Europe, the Middle East, and parts of Asia

For example:

AS 65001
    

sets the local AS to 65001.

The AS numbers 64512 – 65534 are designated for private use. The AS number 23456 is a specially designated Autonomous System Number and should not be used. 4-byte AS numbers are specified as two numbers separated by a dot (ASDOT format), for example:

AS 3.10
    

or as a large number (ASPLAIN format), for example:

AS 196618
    

connect-retry seconds

Set the number of seconds before retrying to open a connection. This timer should be sufficiently large in EBGP configurations. The default is 120 seconds.

dump [rib name] (table|table-mp) file [timeout]

 

dump (all|updates) (in|out) file [timeout]

Dump the RIB, a.k.a. the routing information base, and all BGP messages in Multi-threaded Routing Toolkit (MRT) format. Dumping the RIB is normally an expensive operation, but it should not influence the session handling. It is possible to dump alternate RIB with the use of name.

For example, the following will dump the entire table to the strftime(3)-expanded filename. The table-mp format is multi-protocol capable but often not supported by 3rd-party tools. The timeout is optional:

dump table "/tmp/rib-dump-%H%M" 300
    

Similar to the table dump, but this time all BGP messages and state transitions will be dumped to the specified file:

dump all in "/tmp/all-in-%H%M" 300
    

As before, but only the UPDATE messages will be dumped to the file:

dump updates in "/tmp/updates-in-%H%M" 300
    

It is also possible to dump outgoing messages:

dump all out "/tmp/all-out-%H%M" 300 
# or 
dump updates out "/tmp/updates-out-%H%M" 300
    

fib-update (yes|no)

If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

holdtime seconds

Set the holdtime in seconds. The holdtime is reset to its initial value every time either a KEEPALIVE or an UPDATE message is received from the neighbor. If the holdtime expires the session is dropped. The default is 90 seconds. Neighboring systems negotiate the holdtime used when the connection is established in the OPEN messages. Each neighbor announces its configured holdtime; the smaller one is then agreed upon.

holdtime min seconds

The minimal accepted holdtime in seconds. This value must be greater than or equal to 3.

listen on address

Specify the local IP address bgpd(8) should listen on.

listen on 127.0.0.1
    

log updates

Log received and sent updates.

network address/prefix [set ...]

 

network (inet|inet6) static [set ...]

 

network (inet|inet6) connected [set ...]

Announce the specified network as belonging to our AS. If set to connected, routes to directly attached networks will be announced. If set to static, all static routes will be announced.

network 192.168.7.0/24
    

It is possible to set default AS path attributes per network statement:

network 192.168.7.0/24 set localpref 220
    

See also the ATTRIBUTE SET section.

nexthop qualify via (bgp|default)

If set to bgp, bgpd(8) may use BGP routes to verify nexthops. If set to default, bgpd may use the default route to verify nexthops. By default bgpd will only use static routes or routes added by other routing daemons like ospfd(8).

rde med compare (always|strict)

If set to always, the MED attributes will always be compared. The default is strict, where the MED is only compared between peers belonging to the same AS.

rde rib name [no evaluate]

 

rde rib name [rtable number]

Create an additional RIB named name. It is possible to disable the decision process per RIB with the no evaluate flag. If a rtable is specified, routes will be exported to the given kernel routing table. Currently the routing table must belong to the default routing domain and nexthop verification happens on table 0. Routes in the specified table will not be considered for nexthop verification. Adj-RIB-In and Loc-RIB are created automatically and used as default.

rde route-age (ignore|evaluate)

If set to evaluate, the best path selection will not only be based on the path attributes but also on the age of the route, giving preference to the older, typically more stable, route. In this case the decision process is no longer deterministic. The default is ignore.

route-collector (yes|no)

If set to yes, the route selection process is turned off. The default is no.

router-id address

Set the router ID to the given IP address, which must be local to the machine.

router-id 10.0.0.1
    

If not given, the BGP ID is determined as the biggest IP address assigned to the local machine.

rtable number

Work with the given kernel routing table instead of the default table, 0. Note that table 0 is used for nexthop verification. Routes in the specified table will not be considered for nexthop verification. This is the same as using the following syntax:

rde rib Loc-RIB rtable number
    

socket “path” [restricted]

Set the control socket location to path. If restricted is specified a restricted control socket will be created. By default /var/run/bgpd.sock is used and no restricted socket is created.

transparent-as (yes|no)

If set to yes, AS paths to EBGP neighbors are not prepended with their own AS. The default is no.

ROUTING DOMAIN CONFIGURATION¶

rdomain 1 { 
	descr "a rdomain" 
	rd 65002:1 
	import-target rt 65002:42 
	export-target rt 65002:42 
	network 192.168.1/24 
	depend on mpe0 
}

depend on interface

Routes added to the rdomain will use this interface as the outgoing interface. Normally this will be an MPLS Provider Edge, mpe(4), interface that is part of the rdomain. Local networks will be announced with the MPLS label specified on the interface.

descr description

Add a description. The description is used when logging but has no further meaning to bgpd(8).

export-target subtype as-number:local

 

export-target subtype IP:local

Specify an extended community which will be attached to announced networks. More than one export-target can be specified. See also the ATTRIBUTE SET section for further information about the encoding. The subtype should be set to rt for best compatibility with other implementations.

fib-update (yes|no)

If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

import-target subtype as-number:local

 

import-target subtype IP:local

Only prefixes matching one of the specified import-targets will be imported into the rdomain. More than one import-target can be specified. See also the ATTRIBUTE SET section for further information about the encoding of extended communities. The subtype should be set to rt for best compatibility with other implementations.

network arguments ...

Define which networks should be exported into this VPN. See also the nexthop section in GLOBAL CONFIGURATION for further information about the arguments.

rd as-number:local

 

rd IP:local

The Route Distinguishers uniquely identifies a set of VPN prefixes. Only prefixes matching the rd will be imported into the routing domain. The purpose of the rd is solely to allow one to create distinct routes to a common address prefix. The as-number or IP of a rd should be set to a number or IP that was assigned by an appropriate authority. Whereas local can be chosen by the local operator.

NEIGHBORS AND GROUPS¶

neighbor 10.0.0.2 { 
	remote-as 65002 
	descr "a neighbor" 
}

group "peering AS65002" { 
	remote-as 65002 
	neighbor 10.0.0.2 { 
		descr "AS65002-p1" 
	} 
	neighbor 10.0.0.3 { 
		descr "AS65002-p2" 
	} 
}

neighbor 10.0.0.0/8

announce (all|none|self|default-route)

If set to none, no UPDATE messages will be sent to the neighbor. If set to default-route, only the default route will be announced to the neighbor. If set to all, all generated UPDATE messages will be sent to the neighbor. This is usually used for transit AS's and IBGP peers. The default value for EBGP peers is self, which limits the sent UPDATE messages to announcements of the local AS. The default for IBGP peers is all.

announce (IPv4|IPv6) (none|unicast|vpn)

For the given address family, control which subsequent address families (at the moment, only none, which disables the announcement of that address family, unicast, and vpn, which allows the distribution of BGP MPLS VPNs, are supported) are announced during the capabilities negotiation. Only routes for that address family and subsequent address family will be announced and processed.

announce as-4byte (yes|no)

If set to no, the 4-byte AS capability is not announced and so native 4-byte AS support is disabled. The default is yes.

announce capabilities (yes|no)

If set to no, capability negotiation is disabled during the establishment of the session. This can be helpful to connect to old or broken BGP implementations. The default is yes.

announce refresh (yes|no)

If set to no, the route refresh capability is not announced. The default is yes.

announce restart (yes|no)

If set to yes, the graceful restart capability is announced. Currently only the End-of-RIB marker is supported and announced by the restart capability. The default is no.

demote group

Increase the carp(4) demotion counter on the given interface group, usually carp, when the session is not in state ESTABLISHED. The demotion counter will be increased as soon as bgpd(8) starts and decreased 60 seconds after the session went to state ESTABLISHED. For neighbors added at runtime, the demotion counter is only increased after the session has been ESTABLISHED at least once before dropping.

For more information on interface groups, see the group keyword in ifconfig(8).

depend on interface

The neighbor session will be kept in state IDLE as long as interface reports no link. For carp(4) interfaces, no link means that the interface is currently backup. This is primarily intended to be used with carp(4) to reduce failover times.

The state of the network interfaces on the system can be viewed using the show interfaces command to bgpctl(8).

descr description

Add a description. The description is used when logging neighbor events, in status reports, for specifying neighbors, etc., but has no further meaning to bgpd(8).

down

Do not start the session when bgpd comes up but stay in IDLE.

dump (all|updates) (in|out) file [timeout]

Do a peer specific MRT dump. Peer specific dumps are limited to all and updates. See also the dump section in GLOBAL CONFIGURATION.

enforce neighbor-as (yes|no)

If set to yes, AS paths whose leftmost AS is not equal to the remote AS of the neighbor are rejected and a NOTIFICATION is sent back. The default value for IBGP peers is no otherwise the default is yes.

holdtime seconds

Set the holdtime in seconds. Inherited from the global configuration if not given.

holdtime min seconds

Set the minimal acceptable holdtime. Inherited from the global configuration if not given.

interface interface

Set an interface used for a nexthop with a link-local IPv6 address. Note that if this is not specified and a link-local IPv6 address is received as nexthop of the peer, it will be marked as invalid and ignored.

ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]

Enable IPsec with static keying. There must be at least two ipsec statements per peer with manual keying, one per direction. authspec specifies the authentication algorithm and key. It can be

sha1 <key> 
md5 <key>
    

encspec specifies the encryption algorithm and key. ah does not support encryption. With esp, encryption is optional. encspec can be

3des <key> 
3des-cbc <key> 
aes <key> 
aes-128-cbc <key>
    

Keys must be given in hexadecimal format.

ipsec (ah|esp) ike

Enable IPsec with dynamic keying. In this mode, bgpd(8) sets up the flows, and a key management daemon such as isakmpd(8) is responsible for managing the session keys. With isakmpd(8), it is sufficient to copy the peer's public key, found in /etc/isakmpd/private/local.pub, to the local machine. It must be stored in a file named after the peer's IP address and must be stored in /etc/isakmpd/pubkeys/ipv4/. The local public key must be copied to the peer in the same way. As bgpd(8) manages the flows on its own, it is sufficient to restrict isakmpd(8) to only take care of keying by specifying the flags -Ka. This can be done in rc.conf.local(8). After starting the isakmpd(8) and bgpd(8) daemons on both sides, the session should be established.

local-address address

When bgpd(8) initiates the TCP connection to the neighbor system, it normally does not bind to a specific IP address. If a local-address is given, bgpd(8) binds to this address first.

max-prefix number [restart number]

Terminate the session after number prefixes have been received (no such limit is imposed by default). If restart is specified, the session will be restarted after number minutes.

multihop hops

Neighbors not in the same AS as the local bgpd(8) normally have to be directly connected to the local machine. If this is not the case, the multihop statement defines the maximum hops the neighbor may be away.

passive

Do not attempt to actively open a TCP connection to the neighbor system.

remote-as as-number

Set the AS number of the remote system.

rib name

Bind the neighbor to the specified RIB.

route-reflector [address]

Act as an RFC 2796 route-reflector for this neighbor. An optional cluster ID can be specified; otherwise the BGP ID will be used.

set attribute ...

Set the AS path attributes to some default per neighbor or group block:

set localpref 300
    

See also the ATTRIBUTE SET section. Set parameters are applied to the received prefixes; the only exceptions are prepend-self, nexthop no-modify and nexthop self. These sets are rewritten into filter rules and can be viewed with “bgpd -nv”.

softreconfig (in|out) (yes|no)

Turn soft reconfiguration on or off for the specified direction. If soft reconfiguration is turned on, filter changes will be applied on configuration reloads. If turned off, a BGP session needs to be cleared to apply the filter changes. Enabling softreconfig in will raise the memory requirements of bgpd(8) because the unmodified AS path attributes need to be stored as well. The default is yes.

tcp md5sig password secret

 

tcp md5sig key secret

Enable TCP MD5 signatures per RFC 2385. The shared secret can either be given as a password or hexadecimal key.

tcp md5sig password mekmidasdigoat 
tcp md5sig key deadbeef
    

transparent-as (yes|no)

If set to yes, AS paths to EBGP neighbors are not prepended with their own AS. The default is inherited from the global transparent-as setting.

ttl-security (yes|no)

Enable or disable ttl-security. When enabled, outgoing packets are sent using a TTL of 255 and a check is made against an incoming packet's TTL. For directly connected peers, incoming packets are required to have a TTL of 255, ensuring they have not been routed. For multihop peers, incoming packets are required to have a TTL of 256 minus multihop distance, ensuring they have not passed through more than the expected number of hops. The default is no.

FILTER¶

allow

The UPDATE is passed.

deny

The UPDATE is blocked.

match

Apply the filter attribute set without influencing the filter decision.

PARAMETERS¶

as-type as-number

This rule applies only to UPDATES where the AS path matches. The as-number is matched against a part of the AS path specified by the as-type. as-number may be set to neighbor-as, which is expanded to the current neighbor remote AS number. as-type is one of the following operators:

AS

(any part)

peer-as

(leftmost AS number)

source-as

(rightmost AS number)

transit-as

(all but the rightmost AS number)

Multiple as-number entries for a given type or as-type as-number entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any AS { 1, 2, 3 } 
deny from any { AS 1, source-as 2, transit-as 3 } 
deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }
    

community as-number:local

 

community name

This rule applies only to UPDATES where the community path attribute is present and matches. Communities are specified as as-number:local, where as-number is an AS number and local is a locally significant number between zero and 65535. Both as-number and local may be set to ‘*’ to do wildcard matching. Alternatively, well-known communities may be given by name instead and include NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NO_PEER. Both as-number and local may be set to neighbor-as, which is expanded to the current neighbor remote AS number.

ext-community subtype as-number:local

 

ext-community subtype IP:local

 

ext-community subtype numvalue

This rule applies only to UPDATES where the extended community path attribute is present and matches. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. See also the ATTRIBUTE SET section for further information about the encoding.

(from|to) peer

This rule applies only to UPDATES coming from, or going to, this particular neighbor. This parameter must be specified. peer is one of the following:

any

Any neighbor will be matched.

address

Neighbors with this address will be matched.

group descr

Neighbors in this group will be matched.

Multiple peer entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from { 128.251.16.1, 251.128.16.2, group hojo }
    

(inet|inet6)

This rule applies only to routes matching the stated address family. The address family needs to be set only in rules that use prefixlen without specifying a prefix beforehand.

max-as-len len

This rule applies only to UPDATES where the AS path has more than len elements.

max-as-seq len

This rule applies only to UPDATES where a single AS number is repeated more than len times.

prefix address/len

This rule applies only to UPDATES for the specified prefix.

Multiple address/len entries may be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 }
    

Multiple lists can also be specified, which is useful for macro expansion:

good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" 
bad="{ 224.0.0.0/4, 240.0.0.0/4 }" 
ugly="{ 127.0.0.1/8, 169.254.0.0/16 }" 
 
deny from any prefix { $good $bad $ugly }
    

prefixlen range

This rule applies only to UPDATES for prefixes where the prefixlen matches. Prefix length ranges are specified by using these operators:

=	(equal) 
!=	(unequal) 
<	(less than) 
<=	(less than or equal) 
>	(greater than) 
>=	(greater than or equal) 
-	(range including boundaries) 
><	(except range)
    

>< and - are binary operators (they take two arguments). For instance, to match all prefix lengths >= 8 and <= 12, and hence the CIDR netmasks 8, 9, 10, 11 and 12:

prefixlen 8-12
    

Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks 0–7 and 13–32:

prefixlen 8><12
    

prefixlen can be used together with prefix.

This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer than 16:

prefix 10.0.0.0/8 prefixlen > 16
    

quick

If an UPDATE matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

rib name

Apply rule only to the specified RIB. This only applies for received updates, so not for rules using the to peer parameter.

set attribute ...

All matching rules can set the AS path attributes to some default. The set of every matching rule is applied, not only the last matching one. See also the following section.

ATTRIBUTE SET¶

community [delete] as-number:local

 

community [delete] name

Set or delete the COMMUNITIES AS path attribute. Communities are specified as as-number:local, where as-number is an AS number and local is a locally-significant number between zero and 65535. Alternately, well-known communities may be specified by name: NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, or NO_PEER.

ext-community [delete] subtype as-number:local

 

ext-community [delete] subtype IP:local

 

ext-community [delete] subtype numvalue

Set or delete the Extended Community AS path attribute. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. The type is selected depending on the encoding of the global part. Two-octet AS Specific Extended Communities and Four-octet AS Specific Extended Communities are encoded as as-number:local. Four-octet encoding is used if the as-number is bigger then 65535 or if the AS_DOT encoding is used. IPv4 Address Specific Extended Communities are encoded as IP:local. Opaque Extended Communities are encoded with a single numeric value. Currently the following subtypes are supported:

rt       Route Target 
soo      Source of Origin 
odi      OSPF Domain Identifier 
ort      OSPF Route Type 
ori      OSPF Router ID 
bdc      BGP Data Collection
    

Not all type and subtype value pairs are allowed by IANA and the parser will ensure that no invalid combination is created.

localpref number

Set the LOCAL_PREF AS path attribute. If number starts with a plus or minus sign, LOCAL_PREF will be adjusted by adding or subtracting number; otherwise it will be set to number. The default is 100.

med number

 

metric number

Set the MULTI_EXIT_DISC AS path attribute. If number starts with a plus or minus sign, MULTI_EXIT_DISC will be adjusted by adding or subtracting number; otherwise it will be set to number.

origin (igp|egp|incomplete)

Set the ORIGIN AS path attribute to mark the source of this route as being injected from an igp protocol, an egp protocol or being an aggregated route.

nexthop (address|blackhole|reject|self|no-modify)

Set the NEXTHOP AS path attribute to a different nexthop address or use blackhole or reject routes. If set to no-modify, the nexthop attribute is not modified. Unless set to self, the nexthop is left unmodified for IBGP sessions. self forces the nexthop to be set to the local interface address.

set nexthop 192.168.0.1 
set nexthop blackhole 
set nexthop reject 
set nexthop no-modify 
set nexthop self
    

pftable table

Add the prefix in the update to the specified pf(4) table, regardless of whether or not the path was selected for routing. This option may be useful in building realtime blacklists.

prepend-neighbor number

Prepend the neighbor's AS number times to the AS path.

prepend-self number

Prepend the local AS number times to the AS path.

rtlabel label

Add the prefix to the kernel routing table with the specified label.

weight number

The weight is used to tip prefixes with equally long AS paths in one or the other direction. A prefix is weighed at a very late stage in the decision process. If number starts with a plus or minus sign, the weight will be adjusted by adding or subtracting number; otherwise it will be set to number. Weight is a local non-transitive attribute and a bgpd-specific extension. For prefixes with equally long paths, the prefix with the larger weight is selected.

FILES¶

/etc/bgpd.conf

bgpd(8) configuration file

SEE ALSO¶

HISTORY¶