NAME
     bgpd.conf - Border Gateway Protocol daemon configuration file

DESCRIPTION
     The bgpd(8) daemon implements the Border Gateway Protocol version 4 as
     described in RFC 1771.

     The bgpd.conf config file is divided into four main sections.
     Macros
             User-defined variables may be defined and used later,
             simplifying the configuration file.

     Global Configuration
             Global settings for bgpd(8).

     Neighbors and Groups
             bgpd(8) establishes sessions with neighbors.  The neighbor
             definition and properties are set in this section, as well as
             grouping neighbors for the ease of configuration.

     Filter
             Filter rules for incoming and outgoing UPDATES.

     With the exception of macros, the sections should be grouped and appear
     in bgpd.conf in the order shown above.
MACROS
     Much like cpp(1) or m4(1), macros can be defined that will later be
     expanded in context.  Macro names must start with a letter, and may
     contain letters, digits and underscores.  Macro names may not be
     reserved words (for example, AS, neighbor, or group).  Macros are not
     expanded inside quotes.

     For example,

           peer1="1.2.3.4"
           neighbor $peer1 {
                   remote-as 65001
           }
GLOBAL CONFIGURATION
     There are quite a few settings that affect the operation of the bgpd(8)
     daemon globally.

     AS as-number
             Set the local autonomous system number to as-number.  The AS
             numbers are assigned by local RIRs, such as RIPE for Europe,
             ARIN for America, and APNIC for the Asian-Pacific region.  For
             example,

                   AS 65001

             sets the local AS to 65001.
     dump (table|table-mp) file [timeout]
     dump (all|updates) (in|out) file [timeout]
             Dump the RIB, a.k.a. the routing information base, and all BGP
             messages in Multi-threaded Routing Toolkit (MRT) format.
             Dumping the RIB is normally an expensive operation, but it
             should not influence the session handling.  Excessive dumping
             may result in delayed update processing.

             For example, the following will dump the entire table to the
             strftime(3)-expanded filename.  The table-mp format is
             multi-protocol capable but often not supported by 3rd-party
             tools.  The timeout is optional:

                   dump table "/tmp/rib-dump-%H%M" 300

             Similar to the table dump, but this time all BGP messages and
             state transitions will be dumped to the specified file:

                   dump all in "/tmp/all-in-%H%M" 300

             As before, but only the UPDATE messages will be dumped to the
             file:

                   dump updates in "/tmp/updates-in-%H%M" 300

             It is also possible to dump outgoing messages:

                   dump all out "/tmp/all-out-%H%M" 300
                   # or
                   dump updates out "/tmp/updates-out-%H%M" 300
     fib-update (yes|no)
             If set to no, do not update the Forwarding Information Base,
             a.k.a. the kernel routing table.  The default is yes.

     holdtime seconds
             Set the holdtime in seconds.  The holdtime is reset to its
             initial value every time either a KEEPALIVE or an UPDATE
             message is received from the neighbor.  If the holdtime expires
             the session is dropped.  The default is 90 seconds.
             Neighboring systems negotiate the holdtime used when the
             connection is established in the OPEN messages.  Each neighbor
             announces its configured holdtime; the smaller one is then
             agreed upon.

     holdtime min seconds
             The minimal accepted holdtime in seconds.  This value must be
             greater than or equal to 3.

     listen on address
             Specify the local IP address bgpd(8) should listen on.

                   listen on 127.0.0.1

     log updates
             Log received and sent updates.

     network address/prefix [set ...]
             Announce the specified network as belonging to our AS.

                   network 192.168.7.0/24

             It is possible to set default AS path attributes per network
             statement:

                   network 192.168.7.0/24 set localpref 220

             See also the ATTRIBUTE SET section.

     route-collector (yes|no)
             If set to yes, the route selection process is turned off.  The
             default is no.

     router-id address
             Set the router ID to the given IP address, which must be local
             to the machine.

                   router-id 10.0.0.1

             If not given, the BGP ID is determined as the biggest IP
             address assigned to the local machine.
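     The dump statements above write their output in MRT format.  The
     following Python walker over the MRT common header is an added example
     and is not part of bgpd or of this manual: it reads the 12-byte header
     defined in RFC 6396 (timestamp, type, subtype, length) record by record
     and refuses truncated files rather than silently yielding garbage.  The
     sample dump is constructed inside the code with placeholder bodies; the
     type and subtype numbers are the RFC 6396 values, not anything bgpd
     specific.

```python
"""Walk the records of an MRT dump such as the ones bgpd(8) writes with the
"dump" statement.  Only the RFC 6396 common header is decoded; the message
body is handed back as raw bytes for whatever decoder comes next."""
import struct
from datetime import datetime, timezone

# MRT common header: 32-bit timestamp, 16-bit type, 16-bit subtype, 32-bit length
MRT_HEADER = struct.Struct("!IHHI")

# Type codes from RFC 6396 that a BGP dump is likely to contain
MRT_TYPES = {12: "TABLE_DUMP", 13: "TABLE_DUMP_V2", 16: "BGP4MP", 17: "BGP4MP_ET"}


def iter_mrt_records(data: bytes):
    """Yield (timestamp, type_name, subtype, body) for each record in data.
    A truncated header or body raises ValueError so a partial dump (for
    instance one cut off by the timeout rotation) is noticed."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < MRT_HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        ts, mtype, subtype, length = MRT_HEADER.unpack_from(data, offset)
        offset += MRT_HEADER.size
        if len(data) - offset < length:
            raise ValueError(f"truncated body at offset {offset}: need {length} bytes")
        body = data[offset:offset + length]
        offset += length
        yield ts, MRT_TYPES.get(mtype, f"UNKNOWN({mtype})"), subtype, body


def summarize(data: bytes) -> list:
    """Return one (ISO time, type, subtype, body length) tuple per record."""
    out = []
    for ts, name, subtype, body in iter_mrt_records(data):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        out.append((when, name, subtype, len(body)))
    return out


def make_record(ts: int, mtype: int, subtype: int, body: bytes) -> bytes:
    """Pack one MRT record; used here only to build the constructed sample."""
    return MRT_HEADER.pack(ts, mtype, subtype, len(body)) + body


# Constructed sample dump (not a real capture): two BGP4MP records whose
# bodies are placeholder bytes.  1078876800 is 2004-03-10T00:00:00Z.
SAMPLE_DUMP = (
    make_record(1078876800, 16, 4, b"\x00" * 20)
    + make_record(1078876801, 16, 5, b"\x01" * 8)
)

if __name__ == "__main__":
    for row in summarize(SAMPLE_DUMP):
        print(row)
```

     Reading a dump with the timestamp first is the usual way to correlate
     an UPDATE seen in the file with the session events bgpd(8) logged at
     the same moment.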
NEIGHBORS AND GROUPS
     bgpd(8) establishes TCP connections to other BGP speakers called
     neighbors.  Each neighbor is specified by a neighbor section, which
     allows properties to be set specifically for that neighbor:

           neighbor 10.0.0.2 {
                   remote-as 65002
                   descr "a neighbor"
           }

     Multiple neighbors can be grouped together by a group section.  Each
     neighbor section within the group section inherits all properties from
     its group:

           group "peering AS65002" {
                   remote-as 65002
                   neighbor 10.0.0.2 {
                           descr "AS65002-p1"
                   }
                   neighbor 10.0.0.3 {
                           descr "AS65002-p2"
                   }
           }

     Instead of the neighbor's IP address, an address/netmask pair may be
     given:

           neighbor 10.0.0.0/8

     In this case, the neighbor specification becomes a template, and if a
     neighbor connects from an IP address within the given network, the
     template is cloned, inheriting everything from the template but the
     remote address, which is replaced by the connecting neighbor's address.
     With a template specification it is valid to omit remote-as; bgpd(8)
     will then accept any AS the neighbor presents in the OPEN message.
     There are several neighbor properties:

     announce (all|none|self|default-route)
             If set to none, no UPDATE messages will be sent to the
             neighbor.  If set to default-route, only the default route
             will be announced to the neighbor.  If set to all, all
             generated UPDATE messages will be sent to the neighbor.  This
             is usually used for transit AS's and IBGP peers.  The default
             value for EBGP peers is self, which limits the sent UPDATE
             messages to announcements of the local AS.  The default for
             IBGP peers is all.

     descr description
             Add a description.  The description is used when logging
             neighbor events and in status reports, etc., and has no
             further meaning to bgpd(8).

     dump (all|updates) (in|out) file [timeout]
             Do a peer specific MRT dump.  Peer specific dumps are limited
             to all and updates.  See also the dump section in GLOBAL
             CONFIGURATION.

     enforce neighbor-as (yes|no)
             If set to yes, AS paths whose leftmost AS is not equal to the
             remote AS of the neighbor are rejected and a NOTIFICATION is
             sent back.  The default value for IBGP peers is no; otherwise
             the default is yes.

     holdtime seconds
             Set the holdtime in seconds.  Inherited from the global
             configuration if not given.

     holdtime min seconds
             Set the minimal acceptable holdtime.  Inherited from the global
             configuration if not given.
     ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
             Enable IPsec with static keying.  There must be at least two
             ipsec statements per peer with manual keying, one per
             direction.  authspec specifies the authentication algorithm
             and key.  It can be

                   sha1 <key>
                   md5 <key>

             encspec specifies the encryption algorithm and key.  ah does
             not support encryption.  With esp, encryption is optional.
             encspec can be

                   3des <key>
                   3des-cbc <key>
                   aes <key>
                   aes-128-cbc <key>

             Keys must be given in hexadecimal format.

     ipsec (ah|esp) ike
             Enable IPsec with dynamic keying.  In this mode, bgpd(8) sets
             up the flows, and a key management daemon such as isakmpd(8)
             is responsible for managing the session keys.  With isakmpd(8),
             it is sufficient to copy the peer's public key, found in
             /etc/isakmpd/private/local.pub, to the local machine.  It must
             be stored in a file named after the peer's IP address and must
             be stored in /etc/isakmpd/pubkeys/ipv4/.  The local public key
             must be copied to the peer in the same way.  As bgpd(8) manages
             the flows on its own, it is sufficient to restrict isakmpd(8)
             to only take care of keying by specifying the flags -Ka.  This
             can be done in rc.conf.local(8).  After starting the
             isakmpd(8) and bgpd(8) daemons on both sides, the session
             should be established.
     local-address address
             When bgpd(8) initiates the TCP connection to the neighbor
             system, it normally does not bind to a specific IP address.
             If a local-address is given, bgpd(8) binds to this address
             first.

     max-prefix number
             Limit the amount of prefixes received.  No such limit is
             imposed by default.

     multihop hops
             Neighbors not in the same AS as the local bgpd(8) normally
             have to be directly connected to the local machine.  If this
             is not the case, the multihop statement defines the maximum
             hops the neighbor may be away.

     passive
             Do not attempt to actively open a TCP connection to the
             neighbor system.

     remote-as as-number
             Set the AS number of the remote system.

     route-reflector [address]
             Act as an RFC 2796 route-reflector for this neighbor.  An
             optional cluster ID can be specified; otherwise the BGP ID
             will be used.

     set attribute ...
             Set the AS path attributes to some default per neighbor or
             group block:

                   set localpref 300

             See also the ATTRIBUTE SET section.

     tcp md5sig password secret
     tcp md5sig key secret
             Enable TCP MD5 signatures per RFC 2385.  The shared secret can
             either be given as a password or hexadecimal key.

                   tcp md5sig password mekmidasdigoat
                   tcp md5sig key deadbeef
FILTER
     bgpd(8) has the ability to allow and deny UPDATES based on prefix or
     AS path attributes.  In addition, UPDATES may also be modified by
     filter rules.

     For each UPDATE processed by the filter, the filter rules are
     evaluated in sequential order, from first to last.  The last matching
     allow or deny rule decides what action is taken.

     The following actions can be used in the filter:

     allow   The UPDATE is passed.

     deny    The UPDATE is blocked.

     match   Apply the filter attribute set without influencing the filter
             decision.

     The rule parameters specify the UPDATES to which a rule applies.  An
     UPDATE always comes from, or goes to, one neighbor.  Most parameters
     are optional, but each can appear at most once per rule.  If a
     parameter is specified, the rule only applies to packets with matching
     attributes.
     as-type as-number
             This rule applies only to UPDATES where the AS path matches.
             The as-number is matched against a part of the AS path
             specified by the as-type.  as-type is one of the following
             operators:

                   AS           (any part)
                   source-as    (rightmost AS number)
                   transit-as   (all but the rightmost AS number)

             Multiple as-number entries for a given type or as-type
             as-number entries may also be specified, separated by commas or
             whitespace, if enclosed in curly brackets:

                   deny from any AS { 1, 2, 3 }
                   deny from any { AS 1, source-as 2, transit-as 3 }
                   deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }

     community as-number:local
     community name
             This rule applies only to UPDATES where the community path
             attribute is present and matches.  Communities are specified
             as as-number:local, where as-number is an AS number and local
             is a locally significant number between zero and 0xffff.  Both
             as-number and local may be set to `*' to do wildcard matching.
             Alternatively, well-known communities may be given by name
             instead and include NO_EXPORT, NO_ADVERTISE, and
             NO_EXPORT_SUBCONFED.
     (from|to) peer
             This rule applies only to UPDATES coming from, or going to,
             this particular neighbor.  This parameter must be specified.
             peer is one of the following:

                   any          Any neighbor will be matched.
                   address      Neighbors with this address will be matched.
                   group descr  Neighbors in this group will be matched.

             Multiple peer entries may also be specified, separated by
             commas or whitespace, if enclosed in curly brackets:

                   deny from { 128.251.16.1, 251.128.16.2, group hojo }

     prefix address/len
             This rule applies only to UPDATES for the specified prefix.
             Multiple address/len entries may be specified, separated by
             commas or whitespace, if enclosed in curly brackets:

                   deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 }

             Multiple lists can also be specified, which is useful for
             macro expansion:

                   good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
                   bad="{ 224.0.0.0/4, 240.0.0.0/4 }"
                   ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"
                   deny from any prefix { $good $bad $ugly }

     prefixlen range
             This rule applies only to UPDATES for prefixes where the
             prefixlen matches.  Prefix length ranges are specified by using
             these operators:

                   =       (equal)
                   !=      (unequal)
                   <       (less than)
                   <=      (less than or equal)
                   >       (greater than)
                   >=      (greater than or equal)
                   -       (range including boundaries)
                   ><      (except range)

             >< and - are binary operators (they take two arguments).  For
             instance, to match all prefix lengths >= 8 and <= 12, and
             hence the CIDR netmasks 8, 9, 10, 11 and 12:

                   prefixlen 8-12

             Or, to match all prefix lengths < 8 or > 12, and hence the CIDR
             netmasks 0-7 and 13-32:

                   prefixlen 8><12

             prefixlen can be used together with prefix.  This will match
             all prefixes in the 10.0.0.0/8 netblock with netmasks longer
             than 16:

                   prefix 10.0.0.0/8 prefixlen > 16

     quick   If an UPDATE matches a rule which has the quick option set,
             this rule is considered the last matching rule, and evaluation
             of subsequent rules is skipped.

     set attribute ...
             All matching rules can set the AS path attributes to some
             default.  The set of every matching rule is applied, not only
             the last matching one.  See also the following section.
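     The rule semantics of this section (first-to-last evaluation, last
     matching allow or deny decides, quick, match, accumulated set, and the
     prefix, prefixlen and as-type parameters) are easy to get wrong when
     writing a policy, so the following Python evaluator is added here as a
     worked model of them.  It is example code, not bgpd's implementation:
     the Rule and Update classes, the POLICY list and the neighbor addresses
     are constructed for the example, each rule carries at most one prefix,
     and the decision taken when no rule matches is left as a parameter
     because this manual does not state it.

```python
"""Toy evaluator for bgpd.conf-style filter rules, following the FILTER
section: rules are tried first to last, the last matching allow or deny
decides, quick stops evaluation, match never changes the decision, and the
set of every matching rule is applied (later sets override earlier ones)."""
import ipaddress
import operator
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Unary prefixlen operators; "-" and "><" are binary and handled separately
UNARY = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
         "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def prefixlen_matches(expr: str, plen: int) -> bool:
    """expr is the text after the prefixlen keyword, e.g. '> 16', '8-12', '8><12'."""
    expr = expr.replace(" ", "")
    if "><" in expr:                                  # except range
        low, high = map(int, expr.split("><"))
        return plen < low or plen > high
    if "-" in expr:                                   # range including boundaries
        low, high = map(int, expr.split("-"))
        return low <= plen <= high
    for op in ("!=", "<=", ">=", "=", "<", ">"):      # two-character tokens first
        if expr.startswith(op):
            return UNARY[op](plen, int(expr[len(op):]))
    raise ValueError(f"bad prefixlen expression {expr!r}")


def as_matches(as_type: str, as_number: int, as_path: List[int]) -> bool:
    """AS: any part; source-as: rightmost AS; transit-as: all but the rightmost."""
    if as_type == "AS":
        return as_number in as_path
    if as_type == "source-as":
        return bool(as_path) and as_path[-1] == as_number
    if as_type == "transit-as":
        return as_number in as_path[:-1]
    raise ValueError(f"unknown as-type {as_type!r}")


@dataclass
class Rule:
    action: str                              # allow | deny | match
    direction: str = "from"                  # from | to
    peer: str = "any"                        # any, or one neighbor address
    prefix: Optional[str] = None             # matches prefixes covered by this one
    prefixlen: Optional[str] = None          # e.g. "> 16"
    as_type: Optional[str] = None            # AS | source-as | transit-as
    as_number: Optional[int] = None
    quick: bool = False
    set: dict = field(default_factory=dict)  # e.g. {"localpref": 300}


@dataclass
class Update:
    direction: str       # "from" (received) or "to" (about to be sent)
    peer: str            # neighbor address
    prefix: str          # the NLRI, e.g. "10.1.0.0/16"
    as_path: List[int]


def rule_matches(rule: Rule, upd: Update) -> bool:
    """Every parameter given on the rule must match; absent ones match anything."""
    if rule.direction != upd.direction or (rule.peer != "any" and rule.peer != upd.peer):
        return False
    net = ipaddress.ip_network(upd.prefix)
    if rule.prefix is not None and not net.subnet_of(ipaddress.ip_network(rule.prefix)):
        return False
    if rule.prefixlen is not None and not prefixlen_matches(rule.prefixlen, net.prefixlen):
        return False
    if rule.as_type is not None and not as_matches(rule.as_type, rule.as_number, upd.as_path):
        return False
    return True


def evaluate(rules: List[Rule], upd: Update, default: str = "allow") -> Tuple[str, dict]:
    """Return (decision, accumulated attribute set).  The decision used when no
    rule matches is a parameter: the manual does not state bgpd's default."""
    decision, attrs = default, {}
    for rule in rules:
        if not rule_matches(rule, upd):
            continue
        attrs.update(rule.set)                # every matching rule's set applies
        if rule.action in ("allow", "deny"):
            decision = rule.action            # last matching allow/deny wins
        if rule.quick:                        # quick: this counts as the last matching rule
            break
    return decision, attrs


# Constructed policy modelled on the page's own examples (one prefix per rule)
POLICY = [
    Rule("allow", set={"localpref": 100}),
    Rule("deny", prefix="10.0.0.0/8", prefixlen="> 16"),
    Rule("match", as_type="transit-as", as_number=3, set={"localpref": 50}),
    Rule("deny", as_type="AS", as_number=666, quick=True),
    Rule("allow", prefix="10.0.0.0/8", prefixlen="8-12", set={"localpref": 200}),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Update("from", "10.0.0.2", "10.1.0.0/16", [65002, 3, 65003])))
```

     Note how the match rule lowers localpref without touching the
     decision, and how the quick deny for AS 666 prevents the final allow
     from ever being consulted.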
ATTRIBUTE SET
     AS path attributes can be modified with set.  set can be used on
     network statements, in neighbor or group blocks, and on filter rules.
     Attribute sets can be expressed as lists.

     The following attributes can be modified:

     community as-number:local
     community name
             Set the COMMUNITIES AS path attribute.  Communities are
             specified as as-number:local, where as-number is an AS number
             and local is a locally-significant number between zero and
             0xffff.  Alternately, well-known communities may be specified
             by name: NO_EXPORT, NO_ADVERTISE, or NO_EXPORT_SUBCONFED.

     localpref number
             Set the LOCAL_PREF AS path attribute.

     med number
             Set the MULTI_EXIT_DISC AS path attribute.

     nexthop (address|blackhole|reject)
             Set the NEXTHOP AS path attribute to a different nexthop
             address, or use blackhole or reject routes.

                   set nexthop 192.168.0.1
                   set nexthop blackhole
                   set nexthop reject

     pftable table
             Add the prefix in the update to the specified pf(4) radix
             table, regardless of whether or not the path was selected for
             routing.  This option may be useful in building realtime
             blacklists.

     prepend-self number
             Prepend the local AS number number times to the AS path.
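     The community syntax is shared by the community filter parameter in
     the FILTER section (where `*' wildcards are allowed) and the set
     community attribute above (where a concrete value is needed).  The
     following Python helpers are an added example covering both uses; they
     are not bgpd code.  The 32-bit values of the three well-known names are
     the RFC 1997 constants, the split into a 16-bit AS part and a 16-bit
     local part is the classic community layout, and the SAMPLE attribute
     is constructed for the example.

```python
"""Parse bgpd.conf community specifications (as-number:local with optional
`*' wildcards, or a well-known name) and match them against the COMMUNITIES
attribute of an UPDATE, represented as a list of 32-bit integers."""
from typing import List, Optional, Tuple

# Well-known communities from RFC 1997 as 32-bit values (AS part 0xffff)
WELL_KNOWN = {
    "NO_EXPORT": 0xFFFFFF01,
    "NO_ADVERTISE": 0xFFFFFF02,
    "NO_EXPORT_SUBCONFED": 0xFFFFFF03,
}


def parse_community_spec(spec: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (as_number, local) with None standing for a `*' wildcard.
    Both halves are checked against the 0..0xffff range of a classic community."""
    if spec in WELL_KNOWN:
        value = WELL_KNOWN[spec]
        return value >> 16, value & 0xFFFF
    as_part, sep, local_part = spec.partition(":")
    if not sep:
        raise ValueError(f"bad community {spec!r}: expected as-number:local or a name")
    as_number = None if as_part == "*" else int(as_part)
    local = None if local_part == "*" else int(local_part, 0)   # accepts 0x.. as well
    for half, name in ((as_number, "as-number"), (local, "local")):
        if half is not None and not 0 <= half <= 0xFFFF:
            raise ValueError(f"{name} part of {spec!r} must be between 0 and 0xffff")
    return as_number, local


def community_matches(spec: str, communities: List[int]) -> bool:
    """Filter semantics: true if any community on the UPDATE matches spec;
    a wildcard half matches anything.  An UPDATE without the attribute
    (empty list) never matches."""
    want_as, want_local = parse_community_spec(spec)
    for value in communities:
        as_ok = want_as is None or (value >> 16) == want_as
        local_ok = want_local is None or (value & 0xFFFF) == want_local
        if as_ok and local_ok:
            return True
    return False


def encode_community(spec: str) -> int:
    """Attribute-set semantics: build the 32-bit value for `set community';
    wildcards make no sense when setting and are rejected."""
    as_number, local = parse_community_spec(spec)
    if as_number is None or local is None:
        raise ValueError(f"{spec!r}: wildcards are only valid when matching, not when setting")
    return (as_number << 16) | local


# Constructed COMMUNITIES attribute of one UPDATE: 65001:100, 65001:200, NO_EXPORT
SAMPLE = [encode_community("65001:100"), encode_community("65001:200"), WELL_KNOWN["NO_EXPORT"]]

if __name__ == "__main__":
    for spec in ("65001:100", "65001:*", "*:200", "65002:*", "NO_EXPORT"):
        print(f"community {spec:<10} -> {community_matches(spec, SAMPLE)}")
```

     The same helper serves a prefixlen-style sanity check on a policy:
     a `set community 65001:*' would be rejected at parse time rather than
     silently producing a bogus value.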
FILES
     /etc/bgpd.conf  bgpd(8) configuration file

SEE ALSO
     strftime(3), ipsec(4), pf(4), tcp(4), bgpctl(8), bgpd(8), ipsecadm(8),
     isakmpd(8), rc.conf.local(8)

HISTORY
     The bgpd.conf file format first appeared in OpenBSD 3.5.

OpenBSD 3.6                     March 10, 2004