NAME

DESCRIPTION

SECTIONS

Macros

User-defined variables may be defined and used later, simplifying the configuration file.

Global Configuration

Global settings for bgpd(8).

Neighbors and Groups

bgpd(8) establishes sessions with neighbors. The neighbor definition and properties are set in this section, as well as grouping neighbors for the ease of configuration.

Filter

Filter rules for incoming and outgoing UPDATES.

include "/etc/bgpd/bgpd-10.0.0.1.filter"

MACROS

peer1="1.2.3.4"
neighbor $peer1 {
	remote-as 65001
}

GLOBAL CONFIGURATION

ASas-number[as-number]

Set the local autonomous system number to as-number. If the first AS number is a 4-byte AS it is possible to specifiy a secondary 2-byte AS number which is used for neighbors which do not support 4-byte AS numbers. The default for the secondary AS is 23456.

The AS numbers are assigned by local RIRs, such as:

AfriNIC

for Africa

APNIC

for Asia Pacific

ARIN

for North America and parts of the Caribbean

LACNIC

for Latin America and the Caribbean

RIPE NCC

for Europe, the Middle East, and parts of Asia

For example:

AS 65001

sets the local AS to 65001.

The AS numbers 64512 \(en 65534 are designated for private use. The AS number 23456 is a specially designated Autonomous System Number and should not be used. 4-byte AS numbers are specified as two numbers separated by a dot. For example:

AS 3.10

dump (table) file[timeout]

dump (all) (in) file[timeout] Dump the RIB, a.k.a. the routing information base, and all BGP messages in Multi-threaded Routing Toolkit (MRT) format. Dumping the RIB is normally an expensive operation, but it should not influence the session handling. Excessive dumping may result in delayed update processing.

For example, the following will dump the entire table to the strftime(3/Ns) filename. The table-mp format is multi-protocol capable but often not supported by 3rd-party tools. The timeout is optional:

dump table "/tmp/rib-dump-%H%M" 300

Similar to the table dump, but this time all BGP messages and state transitions will be dumped to the specified file:

dump all in "/tmp/all-in-%H%M" 300

As before, but only the UPDATE messages will be dumped to the file:

dump updates in "/tmp/updates-in-%H%M" 300

It is also possible to dump outgoing messages:

dump all out "/tmp/all-out-%H%M" 300
# or
dump updates out "/tmp/updates-out-%H%M" 300

fib-update (yes) If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

holdtimeseconds

Set the holdtime in seconds. The holdtime is reset to its initial value every time either a KEEPALIVE or an UPDATE message is received from the neighbor. If the holdtime expires the session is dropped. The default is 90 seconds. Neighboring systems negotiate the holdtime used when the connection is established in the OPEN messages. Each neighbor announces its configured holdtime; the smaller one is then agreed upon.

holdtimemin seconds

The minimal accepted holdtime in seconds. This value must be greater than or equal to 3.

listenon address

Specify the local IP address bgpd(8) should listen on.

listen on 127.0.0.1

logupdates

Log received and sent updates.

network address [set...\&]

network (inet) static[set...\&]

network (inet) connected[set...\&] Announce the specified network as belonging to our AS. If set to connected, routes to directly attached networks will be announced. If set to static, all static routes will be announced.

network 192.168.7.0/24

It is possible to set default AS path attributes per network statement:

network 192.168.7.0/24 set localpref 220

See also the section.

nexthop qualify via (bgp) If set to bgp, bgpd(8) may use BGP routes to verify nexthops. If set to default, bgpd may use the default route to verify nexthops. By default bgpd will only use static routes or routes added by other routing daemons like ospfd(8).

rde med compare (always) If set to always, the MED attributes will always be compared. The default is strict, where the MED is only compared between peers belonging to the same AS.

rde route-age (ignore) If set to evaluate, the best path selection will not only be based on the path attributes but also on the age of the route, giving preference to the older, typically more stable, route. In this case the decision process is no longer deterministic. The default is ignore.

route-collector (yes) If set to yes, the route selection process is turned off. The default is no.

router-idaddress

Set the router ID to the given IP address, which must be local to the machine.

router-id 10.0.0.1

If not given, the BGP ID is determined as the biggest IP address assigned to the local machine.

rtablenumber

Work with the given kernel routing table instead of the default table, 0. Note that this table is used for nexthop verification as well. Directly connected networks are always taken into account, even though their routes live in table 0.

transparent-as (yes) If set to yes, AS paths to EBGP neighbors are not prepended with their own AS. The default is no.

NEIGHBORS AND GROUPS

neighbor 10.0.0.2 {
	remote-as 65002
	descr "a neighbor"
}

group "peering AS65002" {
	remote-as 65002
	neighbor 10.0.0.2 {
		descr "AS65002-p1"
	}
	neighbor 10.0.0.3 {
		descr "AS65002-p2"
	}
}

neighbor 10.0.0.0/8

announce .Sm off (all\*(Ba none \*(Ba self\*(Ba default-route ) .Sm on If set to none, no UPDATE messages will be sent to the neighbor. If set to default-route, only the default route will be announced to the neighbor. If set to all, all generated UPDATE messages will be sent to the neighbor. This is usually used for transit AS's and IBGP peers. The default value for EBGP peers is self, which limits the sent UPDATE messages to announcements of the local AS. The default for IBGP peers is all.

announce (IPv4) (none) For the given address family, control which subsequent address families (at the moment, only none, which disables the announcement of that address family, and unicast are supported) are announced during the capabilities negotiation. Only routes for that address family and subsequent address family will be announced and processed.

announcecapabilities (yes) If set to no, capability negotiation is disabled during the establishment of the session. This can be helpful to connect to old or broken BGP implementations. The default is yes.

demotegroup

Increase the carp(4) demotion counter on the given interface group, usually carp, when the session is not in state ESTABLISHED. The demotion counter will be increased as soon as bgpd(8) starts and decreased 60 seconds after the session went to state ESTABLISHED. For neighbors added at runtime, the demotion counter is only increased after the session has been ESTABLISHED at least once before dropping.

For more information on interface groups, see the group keyword in ifconfig(8).

dependon interface

The neighbor session will be kept in state IDLE as long as interface reports no link. For carp(4) interfaces, no link means that the interface is currently backup. This is primarily intended to be used with carp(4) to reduce failover times.

The state of the network interfaces on the system can be viewed using the -showinterfaces command to bgpctl(8).

descrdescription

Add a description. The description is used when logging neighbor events, in status reports, for specifying neighbors, etc., but has no further meaning to bgpd(8).

down

Do not start the session when bgpd comes up but stay in IDLE.

dump (all) (in) file[timeout] Do a peer specific MRT dump. Peer specific dumps are limited to all and updates. See also the dump section in

enforceneighbor-as (yes) If set to yes, AS paths whose leftmost AS is not equal to the remote AS of the neighbor are rejected and a NOTIFICATION is sent back. The default value for IBGP peers is no otherwise the default is yes.

holdtimeseconds

Set the holdtime in seconds. Inherited from the global configuration if not given.

holdtimemin seconds

Set the minimal acceptable holdtime. Inherited from the global configuration if not given.

ipsec (ah) (in) spispi-numberauthspec [encspec] Enable IPsec with static keying. There must be at least two ipsec statements per peer with manual keying, one per direction. authspec specifies the authentication algorithm and key. It can be

sha1 
md5 

encspec specifies the encryption algorithm and key. ah does not support encryption. With esp, encryption is optional. encspec can be

3des 
3des-cbc 
aes 
aes-128-cbc 

Keys must be given in hexadecimal format.

ipsec (ah) ike Enable IPsec with dynamic keying. In this mode, bgpd(8) sets up the flows, and a key management daemon such as isakmpd(8) is responsible for managing the session keys. With isakmpd(8), it is sufficient to copy the peer's public key, found in /etc/isakmpd/private/local.pub, to the local machine. It must be stored in a file named after the peer's IP address and must be stored in /etc/isakmpd/pubkeys/ipv4/. The local public key must be copied to the peer in the same way. As bgpd(8) manages the flows on its own, it is sufficient to restrict isakmpd(8) to only take care of keying by specifying the flags -Ka. This can be done in rc.conf.local(8). After starting the isakmpd(8) and bgpd(8) daemons on both sides, the session should be established.

local-addressaddress

When bgpd(8) initiates the TCP connection to the neighbor system, it normally does not bind to a specific IP address. If a local-address is given, bgpd(8) binds to this address first.

max-prefixnumber [restartnumber] Terminate the session after number prefixes have been received (no such limit is imposed by default). If restart is specified, the session will be restarted after number minutes.

multihophops

Neighbors not in the same AS as the local bgpd(8) normally have to be directly connected to the local machine. If this is not the case, the multihop statement defines the maximum hops the neighbor may be away.

passive

Do not attempt to actively open a TCP connection to the neighbor system.

remote-asas-number

Set the AS number of the remote system.

route-reflector[address]

Act as an RFC 2796 route-reflector for this neighbor. An optional cluster ID can be specified; otherwise the BGP ID will be used.

setattribute...

Set the AS path attributes to some default per neighbor or group block:

set localpref 300

See also the section. Set parameters are applied to the received prefixes; the only exceptions are prepend-self, nexthopno-modify and nexthopself. These sets are rewritten into filter rules and can be viewed with “bgpd -nv”.

softreconfig (in) (yes) Turn soft reconfiguration on or off for the specified direction. If soft reconfiguration is turned on, filter changes will be applied on configuration reloads. If turned off, a BGP session needs to be cleared to apply the filter changes. Enabling softreconfigin will raise the memory requirements of bgpd(8) because the unmodified AS path attributes need to be stored as well. The default is yes.

tcpmd5sig password secret

tcpmd5sig key secret

Enable TCP MD5 signatures per RFC 2385. The shared secret can either be given as a password or hexadecimal key.

tcp md5sig password mekmidasdigoat
tcp md5sig key deadbeef

ttl-security (yes) Enable or disable ttl-security. When enabled, outgoing packets are sent using a TTL of 255 and a check is made against an incoming packet's TTL. For directly connected peers, incoming packets are required to have a TTL of 255, ensuring they have not been routed. For multihop peers, incoming packets are required to have a TTL of 256 minus multihop distance, ensuring they have not passed through more than the expected number of hops. The default is no.

FILTER

allow

The UPDATE is passed.

deny

The UPDATE is blocked.

match

Apply the filter attribute set without influencing the filter decision.

PARAMETERS

as-typeas-number

This rule applies only to UPDATES where the AS path matches. The as-number is matched against a part of the AS path specified by the as-type. as-type is one of the following operators:

AS

(any part)

peer-as

(leftmost AS number)

source-as

(rightmost AS number)

transit-as

(all but the rightmost AS number)

Multiple as-number entries for a given type or as-typeas-number entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any AS { 1, 2, 3 }
deny from any { AS 1, source-as 2, transit-as 3 }
deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }

community as-number

communityname

This rule applies only to UPDATES where the community path attribute is present and matches. Communities are specified as as-number, where as-number is an AS number and local is a locally significant number between zero and 65535. Both as-number and local may be set to ‘*’ to do wildcard matching. Alternatively, well-known communities may be given by name instead and include NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NO_PEER. Both as-number and local may be set to neighbor-as, which is expanded to the current neighbor remote AS number.

(from) peer This rule applies only to UPDATES coming from, or going to, this particular neighbor. This parameter must be specified. peer is one of the following:

any

Any neighbor will be matched.

address

Neighbors with this address will be matched.

groupdescr

Neighbors in this group will be matched.

Multiple peer entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from { 128.251.16.1, 251.128.16.2, group hojo }

(inet)

This rule applies only to routes matching the stated address family. The address family needs to be set only in rules that use prefixlen without specifying a prefix beforehand.

prefix address This rule applies only to UPDATES for the specified prefix.

Multiple address entries may be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 }

Multiple lists can also be specified, which is useful for macro expansion:

good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bad="{ 224.0.0.0/4, 240.0.0.0/4 }"
ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"

deny from any prefix { $good $bad $ugly }

prefixlenrange

This rule applies only to UPDATES for prefixes where the prefixlen matches. Prefix length ranges are specified by using these operators:

=	(equal)
!=	(unequal)
<	(less than)
<=	(less than or equal)
>	(greater than)
>=	(greater than or equal)
-	(range including boundaries)
><	(except range)

>< and - are binary operators (they take two arguments). For instance, to match all prefix lengths >= 8 and <= 12, and hence the CIDR netmasks 8, 9, 10, 11 and 12:

prefixlen 8-12

Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks 0\(en7 and 13\(en32:

prefixlen 8><12

prefixlen can be used together with prefix.

This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer than 16:

prefix 10.0.0.0/8 prefixlen > 16

quick

If an UPDATE matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

setattribute...

All matching rules can set the AS path attributes to some default. The set of every matching rule is applied, not only the last matching one. See also the following section.

ATTRIBUTE SET

community[delete] as-number

community[delete] name Set or delete the COMMUNITIES AS path attribute. Communities are specified as as-number, where as-number is an AS number and local is a locally-significant number between zero and 65535. Alternately, well-known communities may be specified by name: NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, or NO_PEER.

localprefnumber

Set the LOCAL_PREF AS path attribute. If number starts with a plus or minus sign, LOCAL_PREF will be adjusted by adding or subtracting number; otherwise it will be set to number.

mednumber

metricnumber

Set the MULTI_EXIT_DISC AS path attribute. If number starts with a plus or minus sign, MULTI_EXIT_DISC will be adjusted by adding or subtracting number; otherwise it will be set to number.

nexthop .Sm off (address\*(Ba blackhole\*(Ba reject\*(Ba self\*(Ba no-modify) .Sm on Set the NEXTHOP AS path attribute to a different nexthop address or use blackhole or reject routes. If set to no-modify, the nexthop attribute is not modified. Unless set to self, the nexthop is left unmodified for IBGP sessions. self forces the nexthop to be set to the local interface address.

set nexthop 192.168.0.1
set nexthop blackhole
set nexthop reject
set nexthop no-modify
set nexthop self

pftabletable

Add the prefix in the update to the specified pf(4) table, regardless of whether or not the path was selected for routing. This option may be useful in building realtime blacklists.

prepend-neighbornumber

Prepend the neighbor's AS number times to the AS path.

prepend-selfnumber

Prepend the local AS number times to the AS path.

rtlabellabel

Add the prefix with the specified label to the kernel routing table.

weightnumber

The weight is used to tip prefixes with equally long AS paths in one or the other direction. A prefix is weighed at a very late stage in the decision process. If number starts with a plus or minus sign, the weight will be adjusted by adding or subtracting number; otherwise it will be set to number. Weight is a local non-transitive attribute and a bgpd-specific extension. For prefixes with equally long paths, the prefix with the larger weight is selected.

FILES

/etc/bgpd.conf

bgpd(8) configuration file

SEE ALSO

HISTORY