NAME

bgpd.conf —

Border Gateway Protocol daemon configuration file

DESCRIPTION

The bgpd(8) daemon implements the Border Gateway Protocol version 4 as described in RFC 4271.

SECTIONS

The bgpd.conf config file is divided into five main sections.

Macros: User-defined variables may be defined and used later, simplifying the configuration file.
Global Configuration: Global settings for bgpd(8).
Routing Domain Configuration: The definition and properties for BGP MPLS VPNs are set in this section.
Neighbors and Groups: bgpd(8) establishes sessions with neighbors. The neighbor definition and properties are set in this section, as well as grouping neighbors for the ease of configuration.
Filter: Filter rules for incoming and outgoing UPDATES.

With the exception of macros, the sections should be grouped and appear in bgpd.conf in the order shown above.

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, or underscore must be quoted.

Additional configuration files can be included with the include keyword, for example:

include "/etc/bgpd/bgpd-10.0.0.1.filter"

MACROS

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, AS, neighbor, or group). Macros are not expanded inside quotes.

For example:

peer1="1.2.3.4"
neighbor $peer1 {
	remote-as 65001
}

GLOBAL CONFIGURATION

There are quite a few settings that affect the operation of the bgpd(8) daemon globally.

AS as-number [as-number]

Set the local autonomous system number to as-number. If the first AS number is a 4-byte AS it is possible to specify a secondary 2-byte AS number which is used for neighbors which do not support 4-byte AS numbers. The default for the secondary AS is 23456.

The AS numbers are assigned by local RIRs, such as:

AfriNIC: for Africa
APNIC: for Asia Pacific
ARIN: for North America and parts of the Caribbean
LACNIC: for Latin America and the Caribbean
RIPE NCC: for Europe, the Middle East, and parts of Asia

For example:

AS 65001

sets the local AS to 65001.

The AS numbers 64512 – 65534 are designated for private use. The AS number 23456 is a specially designated Autonomous System Number and should not be used. 4-byte AS numbers are specified as two numbers separated by a dot (ASDOT format), for example:

AS 3.10

or as a large number (ASPLAIN format), for example:

AS 196618

connect-retry seconds

Set the number of seconds before retrying to open a connection. This timer should be sufficiently large in EBGP configurations. The default is 120 seconds.

dump [rib name] (table|table-mp|table-v2) file [timeout]

dump (all|updates) (in|out) file [timeout]

Dump the RIB, a.k.a. the routing information base, and all BGP messages in Multi-threaded Routing Toolkit (MRT) format. It is possible to dump alternate RIB with the use of name.

For example, the following will dump the entire table to the strftime(3)-expanded filename. Only the table-v2 format is able to dump a multi-protocol RIB correctly. Both table and table-mp formats are more or less limited when handling multi-protocol entries and are only left around to support 3rd party tools not handling the new format. The timeout is optional:

dump table "/tmp/rib-dump-%H%M" 300

Similar to the table dump, but this time all BGP messages and state transitions will be dumped to the specified file:

dump all in "/tmp/all-in-%H%M" 300

As before, but only the UPDATE messages will be dumped to the file:

dump updates in "/tmp/updates-in-%H%M" 300

It is also possible to dump outgoing messages:

dump all out "/tmp/all-out-%H%M" 300
# or
dump updates out "/tmp/updates-out-%H%M" 300

fib-update (yes|no)

If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

holdtime seconds

Set the holdtime in seconds. The holdtime is reset to its initial value every time either a KEEPALIVE or an UPDATE message is received from the neighbor. If the holdtime expires the session is dropped. The default is 90 seconds. Neighboring systems negotiate the holdtime used when the connection is established in the OPEN messages. Each neighbor announces its configured holdtime; the smaller one is then agreed upon.

holdtime min seconds

The minimal accepted holdtime in seconds. This value must be greater than or equal to 3.

listen on address

Specify the local IP address bgpd(8) should listen on.

listen on 127.0.0.1

log updates

Log received and sent updates.

network address/prefix [set ...]

network (inet|inet6) static [set ...]

network (inet|inet6) connected [set ...]

Announce the specified network as belonging to our AS. If set to connected, routes to directly attached networks will be announced. If set to static, all static routes will be announced.

network 192.168.7.0/24

It is possible to set default AS path attributes per network statement:

network 192.168.7.0/24 set localpref 220

ROUTING DOMAIN CONFIGURATION

bgpd(8) supports the setup and distribution of Virtual Private Networks. It is possible to import and export prefixes between routing domains. Each routing domain is specified by an rdomain section, which allows properties to be set specifically for that rdomain:

rdomain 1 {
	descr "a rdomain"
	rd 65002:1
	import-target rt 65002:42
	export-target rt 65002:42
	network 192.168.1/24
	depend on mpe0
}

There are several routing domain properties:

depend on interface: Routes added to the rdomain will use this interface as the outgoing interface. Normally this will be an MPLS Provider Edge, mpe(4), interface that is part of the rdomain. Local networks will be announced with the MPLS label specified on the interface.
descr description: Add a description. The description is used when logging but has no further meaning to bgpd(8).
export-target subtype as-number:local
export-target subtype IP:local: Specify an extended community which will be attached to announced networks. More than one export-target can be specified. See also the ATTRIBUTE SET section for further information about the encoding. The subtype should be set to rt for best compatibility with other implementations.
fib-update (yes|no): If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.
import-target subtype as-number:local
import-target subtype IP:local: Only prefixes matching one of the specified import-targets will be imported into the rdomain. More than one import-target can be specified. See also the ATTRIBUTE SET section for further information about the encoding of extended communities. The subtype should be set to rt for best compatibility with other implementations.
network arguments ...: Define which networks should be exported into this VPN. See also the nexthop section in GLOBAL CONFIGURATION for further information about the arguments.
rd as-number:local
rd IP:local: The sole purpose of the Route Distinguisher rd is to ensure that possible common prefixes are destinct between VPNs. The rd is neither used to identify the origin of the prefix nor to control into which VPNs the prefix is distributed to. The as-number or IP of a rd should be set to a number or IP that was assigned by an appropriate authority. Whereas local can be chosen by the local operator.

NEIGHBORS AND GROUPS

bgpd(8) establishes TCP connections to other BGP speakers called neighbors. Each neighbor is specified by a neighbor section, which allows properties to be set specifically for that neighbor:

neighbor 10.0.0.2 {
	remote-as 65002
	descr "a neighbor"
}

Multiple neighbors can be grouped together by a group section. Each neighbor section within the group section inherits all properties from its group:

group "peering AS65002" {
	remote-as 65002
	neighbor 10.0.0.2 {
		descr "AS65002-p1"
	}
	neighbor 10.0.0.3 {
		descr "AS65002-p2"
	}
}

Instead of the neighbor's IP address, an address/netmask pair may be given:

neighbor 10.0.0.0/8

In this case, the neighbor specification becomes a template, and if a neighbor connects from an IP address within the given network, the template is cloned, inheriting everything from the template but the remote address, which is replaced by the connecting neighbor's address. With a template specification it is valid to omit remote-as; bgpd(8) will then accept any AS the neighbor presents in the OPEN message.

There are several neighbor properties:

announce (all| none| self| default-route)

If set to none, no UPDATE messages will be sent to the neighbor. If set to default-route, only the default route will be announced to the neighbor. If set to all, all generated UPDATE messages will be sent to the neighbor. This is usually used for transit AS's and IBGP peers. The default value for EBGP peers is self, which limits the sent UPDATE messages to announcements of the local AS. The default for IBGP peers is all.

announce (IPv4|IPv6) (none|unicast|vpn)

For the given address family, control which subsequent address families (at the moment, only none, which disables the announcement of that address family, unicast, and vpn, which allows the distribution of BGP MPLS VPNs, are supported) are announced during the capabilities negotiation. Only routes for that address family and subsequent address family will be announced and processed.

announce as-4byte (yes|no)

If set to no, the 4-byte AS capability is not announced and so native 4-byte AS support is disabled. The default is yes.

announce capabilities (yes|no)

If set to no, capability negotiation is disabled during the establishment of the session. This can be helpful to connect to old or broken BGP implementations. The default is yes.

announce refresh (yes|no)

If set to no, the route refresh capability is not announced. The default is yes.

announce restart (yes|no)

If set to yes, the graceful restart capability is announced. Currently only the End-of-RIB marker is supported and announced by the restart capability. The default is no.

demote group

Increase the carp(4) demotion counter on the given interface group, usually carp, when the session is not in state ESTABLISHED. The demotion counter will be increased as soon as bgpd(8) starts and decreased 60 seconds after the session went to state ESTABLISHED. For neighbors added at runtime, the demotion counter is only increased after the session has been ESTABLISHED at least once before dropping.

For more information on interface groups, see the group keyword in ifconfig(8).

depend on interface

The neighbor session will be kept in state IDLE as long as interface reports no link. For carp(4) interfaces, no link means that the interface is currently backup. This is primarily intended to be used with carp(4) to reduce failover times.

The state of the network interfaces on the system can be viewed using the show interfaces command to bgpctl(8).

descr description

Add a description. The description is used when logging neighbor events, in status reports, for specifying neighbors, etc., but has no further meaning to bgpd(8).

down

Do not start the session when bgpd comes up but stay in IDLE.

dump (all|updates) (in|out) file [timeout]

Do a peer specific MRT dump. Peer specific dumps are limited to all and updates. See also the dump section in GLOBAL CONFIGURATION.

enforce neighbor-as (yes|no)

If set to yes, AS paths whose leftmost AS is not equal to the remote AS of the neighbor are rejected and a NOTIFICATION is sent back. The default value for IBGP peers is no otherwise the default is yes.

holdtime seconds

Set the holdtime in seconds. Inherited from the global configuration if not given.

holdtime min seconds

Set the minimal acceptable holdtime. Inherited from the global configuration if not given.

interface interface

Set an interface used for a nexthop with a link-local IPv6 address. Note that if this is not specified and a link-local IPv6 address is received as nexthop of the peer, it will be marked as invalid and ignored.

ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]

Enable IPsec with static keying. There must be at least two ipsec statements per peer with manual keying, one per direction. authspec specifies the authentication algorithm and key. It can be

sha1 <key>
md5 <key>

encspec specifies the encryption algorithm and key. ah does not support encryption. With esp, encryption is optional. encspec can be

3des <key>
3des-cbc <key>
aes <key>
aes-128-cbc <key>

Keys must be given in hexadecimal format.

ipsec (ah|esp) ike

Enable IPsec with dynamic keying. In this mode, bgpd(8) sets up the flows, and a key management daemon such as isakmpd(8) is responsible for managing the session keys. With isakmpd(8), it is sufficient to copy the peer's public key, found in /usr/local/etc/isakmpd/private/local.pub, to the local machine. It must be stored in a file named after the peer's IP address and must be stored in /usr/local/etc/isakmpd/pubkeys/ipv4/. The local public key must be copied to the peer in the same way. As bgpd(8) manages the flows on its own, it is sufficient to restrict isakmpd(8) to only take care of keying by specifying the flags -Ka. This can be done in rc.conf.local(8). After starting the isakmpd(8) and bgpd(8) daemons on both sides, the session should be established.

local-address address

When bgpd(8) initiates the TCP connection to the neighbor system, it normally does not bind to a specific IP address. If a local-address is given, bgpd(8) binds to this address first.

max-prefix number [restart number]

Terminate the session after number prefixes have been received (no such limit is imposed by default). If restart is specified, the session will be restarted after number minutes.

multihop hops

Neighbors not in the same AS as the local bgpd(8) normally have to be directly connected to the local machine. If this is not the case, the multihop statement defines the maximum hops the neighbor may be away.

passive

Do not attempt to actively open a TCP connection to the neighbor system.

remote-as as-number

Set the AS number of the remote system.

rib name

Bind the neighbor to the specified RIB.

route-reflector [address]

Act as an RFC 4456 route-reflector for this neighbor. An optional cluster ID can be specified; otherwise the BGP ID will be used.

set attribute ...

Set the AS path attributes to some default per neighbor or group block:

set localpref 300

See also the ATTRIBUTE SET section. Set parameters are applied to the received prefixes; the only exceptions are prepend-self, nexthop no-modify and nexthop self. These sets are rewritten into filter rules and can be viewed with “bgpd -nv”.

softreconfig (in|out) (yes|no)

Turn soft reconfiguration on or off for the specified direction. If soft reconfiguration is turned on, filter changes will be applied on configuration reloads. If turned off, a BGP session needs to be cleared to apply the filter changes. Enabling softreconfig in will raise the memory requirements of bgpd(8) because the unmodified AS path attributes need to be stored as well. The default is yes.

tcp md5sig password secret

tcp md5sig key secret

Enable TCP MD5 signatures per RFC 2385. The shared secret can either be given as a password or hexadecimal key.

tcp md5sig password mekmidasdigoat
tcp md5sig key deadbeef

transparent-as (yes|no)

If set to yes, AS paths to EBGP neighbors are not prepended with their own AS. The default is inherited from the global transparent-as setting.

ttl-security (yes|no)

Enable or disable ttl-security. When enabled, outgoing packets are sent using a TTL of 255 and a check is made against an incoming packet's TTL. For directly connected peers, incoming packets are required to have a TTL of 255, ensuring they have not been routed. For multihop peers, incoming packets are required to have a TTL of 256 minus multihop distance, ensuring they have not passed through more than the expected number of hops. The default is no.

FILTER

bgpd(8) has the ability to allow and deny UPDATES based on prefix or AS path attributes. In addition, UPDATES may also be modified by filter rules.

For each UPDATE processed by the filter, the filter rules are evaluated in sequential order, from first to last. The last matching allow or deny rule decides what action is taken.

The following actions can be used in the filter:

allow: The UPDATE is passed.
deny: The UPDATE is blocked.
match: Apply the filter attribute set without influencing the filter decision.

PARAMETERS

The rule parameters specify the UPDATES to which a rule applies. An UPDATE always comes from, or goes to, one neighbor. Most parameters are optional, but each can appear at most once per rule. If a parameter is specified, the rule only applies to packets with matching attributes.

as-type as-number

This rule applies only to UPDATES where the AS path matches. The as-number is matched against a part of the AS path specified by the as-type. as-number may be set to neighbor-as, which is expanded to the current neighbor remote AS number. as-type is one of the following operators:

AS: (any part)
peer-as: (leftmost AS number)
source-as: (rightmost AS number)
transit-as: (all but the rightmost AS number)

Multiple as-number entries for a given type or as-type as-number entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any AS { 1, 2, 3 }
deny from any { AS 1, source-as 2, transit-as 3 }
deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }

community as-number:local

community name

This rule applies only to UPDATES where the community path attribute is present and matches. Communities are specified as as-number:local, where as-number is an AS number and local is a locally significant number between zero and 65535. Both as-number and local may be set to ‘*’ to do wildcard matching. Alternatively, well-known communities may be given by name instead and include NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NO_PEER. Both as-number and local may be set to neighbor-as, which is expanded to the current neighbor remote AS number.

ext-community subtype as-number:local

ext-community subtype IP:local

ext-community subtype numvalue

This rule applies only to UPDATES where the extended community path attribute is present and matches. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. See also the ATTRIBUTE SET section for further information about the encoding.

(from|to) peer

This rule applies only to UPDATES coming from, or going to, this particular neighbor. This parameter must be specified. peer is one of the following:

any: Any neighbor will be matched.
address: Neighbors with this address will be matched.
group descr: Neighbors in this group will be matched.

Multiple peer entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from { 128.251.16.1, 251.128.16.2, group hojo }

(inet|inet6)

This rule applies only to routes matching the stated address family. The address family needs to be set only in rules that use prefixlen without specifying a prefix beforehand.

max-as-len len

This rule applies only to UPDATES where the AS path has more than len elements.

max-as-seq len

This rule applies only to UPDATES where a single AS number is repeated more than len times.

nexthop address

This rule applies only to UPDATES where the nexthop is equal to address. The address can be set to neighbor in which case the nexthop is compared against the address of the neighbor. Nexthop filtering is not supported on locally announced networks and one must take into consideration previous rules overwriting nexthops.

prefix address/len

This rule applies only to UPDATES for the specified prefix.

Multiple address/len entries may be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 }

Multiple lists can also be specified, which is useful for macro expansion:

good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bad="{ 224.0.0.0/4, 240.0.0.0/4 }"
ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"

deny from any prefix { $good $bad $ugly }

prefixlen range

This rule applies only to UPDATES for prefixes where the prefixlen matches. Prefix length ranges are specified by using these operators:

=	(equal)
!=	(unequal)
<	(less than)
<=	(less than or equal)
>	(greater than)
>=	(greater than or equal)
-	(range including boundaries)
><	(except range)

>< and - are binary operators (they take two arguments). For instance, to match all prefix lengths >= 8 and <= 12, and hence the CIDR netmasks 8, 9, 10, 11 and 12:

prefixlen 8-12

Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks 0–7 and 13–32:

prefixlen 8><12

prefixlen can be used together with prefix.

This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer than 16:

prefix 10.0.0.0/8 prefixlen > 16

quick

If an UPDATE matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

rib name

Apply rule only to the specified RIB. This only applies for received updates, so not for rules using the to peer parameter.

set attribute ...

All matching rules can set the AS path attributes to some default. The set of every matching rule is applied, not only the last matching one. See also the following section.

ATTRIBUTE SET

AS path attributes can be modified with set.

set can be used on network statements, in neighbor or group blocks, and on filter rules. Attribute sets can be expressed as lists.

The following attributes can be modified:

community [delete] as-number:local

community [delete] name

Set or delete the COMMUNITIES AS path attribute. Communities are specified as as-number:local, where as-number is an AS number and local is a locally-significant number between zero and 65535. Alternately, well-known communities may be specified by name: NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, or NO_PEER.

ext-community [delete] subtype as-number:local

ext-community [delete] subtype IP:local

ext-community [delete] subtype numvalue

Set or delete the Extended Community AS path attribute. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. The type is selected depending on the encoding of the global part. Two-octet AS Specific Extended Communities and Four-octet AS Specific Extended Communities are encoded as as-number:local. Four-octet encoding is used if the as-number is bigger then 65535 or if the AS_DOT encoding is used. IPv4 Address Specific Extended Communities are encoded as IP:local. Opaque Extended Communities are encoded with a single numeric value. Currently the following subtypes are supported:

rt       Route Target
soo      Source of Origin
odi      OSPF Domain Identifier
ort      OSPF Route Type
ori      OSPF Router ID
bdc      BGP Data Collection

Not all type and subtype value pairs are allowed by IANA and the parser will ensure that no invalid combination is created.

localpref number

Set the LOCAL_PREF AS path attribute. If number starts with a plus or minus sign, LOCAL_PREF will be adjusted by adding or subtracting number; otherwise it will be set to number. The default is 100.

med number

metric number

Set the MULTI_EXIT_DISC AS path attribute. If number starts with a plus or minus sign, MULTI_EXIT_DISC will be adjusted by adding or subtracting number; otherwise it will be set to number.

origin (igp| egp| incomplete)

Set the ORIGIN AS path attribute to mark the source of this route as being injected from an igp protocol, an egp protocol or being an aggregated route.

nexthop (address| blackhole| reject| self| no-modify)

Set the NEXTHOP AS path attribute to a different nexthop address or use blackhole or reject routes. If set to no-modify, the nexthop attribute is not modified. Unless set to self, the nexthop is left unmodified for IBGP sessions. self forces the nexthop to be set to the local interface address.

set nexthop 192.168.0.1
set nexthop blackhole
set nexthop reject
set nexthop no-modify
set nexthop self

pftable table

Add the prefix in the update to the specified pf(4) table, regardless of whether or not the path was selected for routing. This option may be useful in building realtime blacklists.

prepend-neighbor number

Prepend the neighbor's AS number times to the AS path.

prepend-self number

Prepend the local AS number times to the AS path.

rtlabel label

Add the prefix to the kernel routing table with the specified label.

weight number

The weight is used to tip prefixes with equally long AS paths in one or the other direction. A prefix is weighed at a very late stage in the decision process. If number starts with a plus or minus sign, the weight will be adjusted by adding or subtracting number; otherwise it will be set to number. Weight is a local non-transitive attribute and a bgpd-specific extension. For prefixes with equally long paths, the prefix with the larger weight is selected.

FILES

/usr/local/etc/bgpd.conf: bgpd(8) configuration file

HISTORY

The bgpd.conf file format first appeared in OpenBSD 3.5.