BGPD.CONF(5)		  FreeBSD File Formats Manual		  BGPD.CONF(5)

NAME
     bgpd.conf -- Border Gateway Protocol daemon configuration file

DESCRIPTION
     The bgpd(8) daemon	implements the Border Gateway Protocol version 4 as
     described in RFC 4271.

     The bgpd.conf config file is divided into the following main sections:

     MACROS
	   User-defined	variables may be defined and used later, simplifying
	   the configuration file.

     GLOBAL CONFIGURATION
	   Global settings for bgpd(8).

     SET CONFIGURATION
	   Various lookup tables are defined in	this section.

     NETWORK ANNOUNCEMENTS
	   Networks which should be announced by bgpd(8) are set in this sec-
	   tion.

     MPLS VPN CONFIGURATION
	   The definition and properties for BGP MPLS VPNs are set in this
	   section.

     NEIGHBORS AND GROUPS
	   bgpd(8) establishes sessions	with neighbors.	 The neighbor defini-
	   tion	and properties are set in this section,	as well	as grouping
	   neighbors for the ease of configuration.

     FILTER
	   Filter rules	for incoming and outgoing UPDATES.

     With the exception	of macros, the sections	should be grouped and appear
     in	bgpd.conf in the order shown above.

     The current line can be extended over multiple lines using	a backslash
     (`\').  Comments can be put anywhere in the file using a hash mark	(`#'),
     and extend	to the end of the current line.	 Care should be	taken when
     commenting	out multi-line text: the comment is effective until the	end of
     the entire	block.

     Argument names not	beginning with a letter, digit,	or underscore must be
     quoted.

     Additional	configuration files can	be included with the include keyword,
     for example:

	   include "/etc/bgpd/bgpd-10.0.0.1.filter"

MACROS
     Macros can	be defined that	will later be expanded in context.  Macro
     names must	start with a letter, digit, or underscore, and may contain any
     of	those characters.  Macro names may not be reserved words (for example,
     AS, neighbor, or group).  Macros are not expanded inside quotes.

     For example:

	   peer1="1.2.3.4"
	   neighbor $peer1 {
		   remote-as 65001
	   }

GLOBAL CONFIGURATION
     These settings affect the operation of the	bgpd(8)	daemon as a whole.

     AS	as-number [as-number]
	     Set the local autonomous system number to as-number.  A fallback
	     2-byte AS number may follow a 4-byte AS number for	neighbors that
	     do	not support 4-byte AS numbers.	The standard and default fall-
	     back AS number is 23456.

	     The AS numbers are	assigned by local RIRs,	such as:

	     AfriNIC   for Africa
	     APNIC     for Asia	Pacific
	     ARIN      for North America and parts of the Caribbean
	     LACNIC    for Latin America and the Caribbean
	     RIPE NCC  for Europe, the Middle East, and	parts of Asia

	     The AS numbers 64512 - 65534 are designated for private use.  The
	     AS	number 23456 is	reserved and should not	be used.  4-byte AS
	     numbers may be specified in either	the ASPLAIN format:

		   AS 196618

	     or	in the older ASDOT format:

		   AS 3.10

     connect-retry seconds
	     Set the number of seconds to wait before attempting to re-open a
	     connection.  This timer should be sufficiently large in EBGP con-
	     figurations.  The default is 120 seconds.

     dump [rib name] (table|table-mp|table-v2) file [interval]
     dump (all|updates)	(in|out) file [interval]
	     Dump the RIB, a.k.a. the routing information base,	or dump	ongo-
	     ing BGP activity, in Multi-threaded Routing Toolkit (MRT) format.
	     The file is subject to strftime(3)-expansion.

	     The table-v2 and table-mp RIB formats store multi-protocol	RIBs
	     correctly, but the table format does not.  The table-mp and table
	     formats are provided only to support third-party tools lacking
	     support for the recommended table-v2 format.  Dump an alternative RIB by
	     specifying	name.  Specify an interval in seconds for periodic RIB
	     dumps.

	     The following will	dump the entire	RIB table, at startup and ev-
	     ery 5 minutes thereafter, to a new	file:

		   dump	table-v2 "/tmp/rib-dump-%H%M" 300

	     Dumps of ongoing BGP activity include all BGP state transitions,
	     and all BGP messages in the specified direction.  Use updates to
	     dump only BGP UPDATE messages, without state transitions.	Spec-
	     ify an interval in	seconds	to restart periodically	with a new
	     file:

		   dump	all in "/tmp/all-in-%H%M" 300

     fib-priority prio
	     Set the routing priority to prio.	The default is 48.

     fib-update	(yes|no)
	     If	set to no, do not update the Forwarding	Information Base,
	     a.k.a. the	kernel routing table.  The default is yes.

     holdtime seconds
	     Set the announced holdtime	in seconds.  This is exchanged with a
	     neighbor upon connection establishment, in	the OPEN message, and
	     the shortest holdtime governs the session.

	     The neighbor session is dropped if	the session holdtime passes
	     without receipt of	a KEEPALIVE or an UPDATE message from the
	     neighbor.	The default is 90 seconds.

     holdtime min seconds
	     The minimum acceptable holdtime in	seconds.  This value must be
	     at	least 3.

     listen on address
	     Specify the local IP address for bgpd(8) to listen	on.  The de-
	     fault is to listen	on all local addresses on the current default
	     routing domain.

     log updates
	     Log sent and received BGP update messages.

     nexthop qualify via (bgp|default)
	     If	set to bgp, bgpd(8) may	verify nexthops	using BGP routes.  If
	     set to default, bgpd(8) may verify	nexthops using the default
	     route.  By	default	bgpd(8)	uses only static routes	or routes
	     added by other routing daemons, such as ospfd(8).

     rde med compare (always|strict)
	     If	set to always, the MULTI_EXIT_DISC attributes will always be
	     compared.	The default is strict, where the metric	is only	com-
	     pared between peers belonging to the same AS.

     rde rib name [no evaluate]
     rde rib name [rtable number]
	     Create an additional RIB named name.  The degree to which its
	     routes may	be utilized is configurable.  They may be excluded
	     from the decision process that selects usable routes with the no
	     evaluate flag, and	this precludes their export to any kernel
	     routing table.  By	default	its routes will	be evaluated, but not
	     exported to the kernel.  They may be both evaluated and exported
	     if	associated with	a given	rtable number, which must belong to
	     the routing domain	that bgpd(8) was started in.  This table will
	     not be consulted during nexthop verification unless it is the one
	     that bgpd(8) was started in.  It is unnecessary to	create
	     Adj-RIB-In	and Loc-RIB, which are created automatically and used
	     by	default.

     rde route-age (ignore|evaluate)
	     If	set to evaluate, the route decision process will also consider
	     the age of	the route in addition to its path attributes, giving
	     preference	to the older, typically	more stable, route.  This ren-
	     ders the decision process nondeterministic.  The default is
	     ignore.

     router-id dotted-quad
	     Set the BGP router	ID, which must be non-zero and should be
	     unique within the AS.  By default,	the router ID is the highest
	     IPv4 address assigned to the local	machine.

		   router-id 10.0.0.1

     rtable number
	     Work with the given kernel	routing	table instead of the default
	     table, which is the one bgpd(8) was started in.  For nexthop ver-
	     ification,	bgpd(8)	will always consult the	default	table.	This
	     is	the same as using the following	syntax:

		   rde rib Loc-RIB rtable number

     socket "path" [restricted]
	     Create a control socket at path.  If restricted is specified a
	     restricted control socket will be created.  By default
	     /var/run/bgpd.sock.rdomain is used, where rdomain is the routing
	     domain in which bgpd(8) has been started.  By default, no
	     restricted socket is created.

     transparent-as (yes|no)
	     If	set to yes, AS paths to	EBGP neighbors are not prepended with
	     the local AS.  The	default	is no.

SET CONFIGURATION
     bgpd(8) supports the efficient lookup of data within named	sets.  An
     as-set, a prefix-set, and an origin-set store AS numbers, prefixes, and
     prefixes/source-as	pairs, respectively.  Such sets	may be referenced by
     filter rules; see the FILTER section for details.	It is more efficient
     to	evaluate a set than a long series of rules for filtering each of its
     members.

     One single	roa-set	may be defined,	against	which bgpd(8) will validate
     the origin	of each	prefix.

     A set definition can span multiple	lines, and an optional comma is	al-
     lowed between elements.

     as-set name { as-number ... }
	     An	as-set stores AS numbers, and can be used with the AS specific
	     parameter in FILTER rules.

     origin-set	name { address/len maxlen mlen source-as asn ... }
	     An	origin-set stores prefix/source-as pairs, and can be used to
	     filter on the combination by using	the origin-set parameter in
	     FILTER rules.

		   origin-set private {	10.0.0.0/8 maxlen 24 source-as 64511
					203.0.113.0/24 source-as 64496 }

     prefix-set	name { address/len ... }
	     A prefix-set stores network prefixes and can be used in place of
	     the prefix	parameter in FILTER rules, and in network statements.
	     A prefix can be followed by the prefixlen operators listed	for
	     the prefix	parameter in the PARAMETERS section.

	     The first example below creates a set of prefixes called
	     "private",	to hold	a number of RFC	1918 private network blocks.
	     The second	example	shows the use of prefixlen operators.

		   prefix-set private {	10.0.0.0/8, 172.16.0.0/12,
					192.168.0.0/16,	fc00::/7 }
		   prefix-set as64496set { 192.0.2.0/24	prefixlen >= 26,
					   2001:db8::/32 or-longer }

     roa-set { address/len maxlen mlen source-as asn ... }
	     The roa-set holds a collection of Validated Route Origin
	     Authorization Payloads (VRP).  Each received prefix is checked
	     against the roa-set, and the Origin Validation State (OVS)	is
	     set.

		   roa-set { 192.0.2.0/24 maxlen 24 source-as 64511
			     203.0.113.0/24 source-as 64496 }
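The origin validation that the roa-set performs, and the prefix/source-as matching that the origin-set above exposes as a filter parameter, worked through in Python as an added example (not code from bgpd or this manual). It parses the roa-set text quoted above, uses the RFC 6811 covering/matching rules as its reading of "checked against the roa-set", and assumes an origin-set matches exactly when the prefix/origin pair would validate; parse_roa_set, origin_validation_state and origin_set_matches are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the roa-set example from the man page, quoted as
# it would appear in bgpd.conf.  A missing "maxlen" defaults to the prefix
# length, so 203.0.113.0/24 gets maxlen 24.
ROA_SET_TEXT = """
roa-set { 192.0.2.0/24 maxlen 24 source-as 64511
          203.0.113.0/24 source-as 64496 }
"""


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: prefix, maximum length, authorised origin."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    maxlen: int
    source_as: int


def parse_roa_set(text):
    """Hypothetical parser for the body of a roa-set or origin-set block.

    Accepts 'address/len [maxlen mlen] source-as asn' elements separated by
    whitespace or commas, as the man page allows.
    """
    body = text[text.index("{") + 1:text.rindex("}")]
    tokens = body.replace(",", " ").split()
    vrps, i = [], 0
    while i < len(tokens):
        prefix = ipaddress.ip_network(tokens[i])
        maxlen = prefix.prefixlen
        i += 1
        if i < len(tokens) and tokens[i] == "maxlen":
            maxlen = int(tokens[i + 1])
            i += 2
        if i + 1 >= len(tokens) or tokens[i] != "source-as":
            raise ValueError("expected 'source-as asn' after %s" % prefix)
        vrps.append(VRP(prefix, maxlen, int(tokens[i + 1])))
        i += 2
    return vrps


def origin_validation_state(vrps, route, origin_as):
    """Return the OVS ('valid', 'invalid' or 'not-found') for route/origin_as.

    RFC 6811 semantics: a VRP covers the route when the route lies inside the
    VRP prefix; it matches when it also satisfies route length <= maxlen and
    origin_as == source-as.  Any match is valid, covering VRPs without a match
    is invalid, and no covering VRP at all is not-found.
    """
    route = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        if route.version != vrp.prefix.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        if route.prefixlen <= vrp.maxlen and origin_as == vrp.source_as:
            return "valid"
    return "invalid" if covered else "not-found"


def origin_set_matches(vrps, route, origin_as):
    """origin-set filter parameter: the UPDATE matches when some entry covers
    the prefix within its maxlen and names the same origin AS.  Treating this
    as identical to a 'valid' OVS is an assumption of this example."""
    return origin_validation_state(vrps, route, origin_as) == "valid"


if __name__ == "__main__":
    vrps = parse_roa_set(ROA_SET_TEXT)
    for route, asn in [("192.0.2.0/24", 64511), ("192.0.2.0/25", 64511),
                       ("192.0.2.0/24", 64500), ("198.51.100.0/24", 64511)]:
        print(route, asn, origin_validation_state(vrps, route, asn))
```

The distinction between invalid and not-found is what a later `ovs` filter rule acts on: a more-specific announcement such as 192.0.2.0/25 from the authorised AS is invalid because it exceeds maxlen, while a prefix no VRP covers is merely not-found.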

NETWORK	ANNOUNCEMENTS
     network statements	specify	the networks that bgpd(8) will announce	as its
     own.  An announcement must	also be	permitted by the FILTER	rules.	By de-
     fault bgpd(8) announces no	networks.

     network address/prefix [set ...]
	     Announce the specified prefix as belonging	to our AS.

     network (inet|inet6) connected [set ...]
	     Announce routes to	directly attached networks.

     network prefix-set	name [set ...]
	     Announce all networks in the prefix-set name.

     network (inet|inet6) priority number [set ...]
	     Announce routes having the	specified priority.

     network (inet|inet6) rtlabel label	[set ...]
	     Announce routes having the	specified label.

     network (inet|inet6) static [set ...]
	     Announce all static routes.

     Each network statement may	set default AS path attributes:

	   network 192.168.7.0/24 set localpref	220

     See also the ATTRIBUTE SET	section.

MPLS VPN CONFIGURATION
     A vpn section configures a	router to participate in an MPLS Virtual Pri-
     vate Network.  It specifies an mpe(4) interface to	use, a description,
     and various properties of the VPN:

	   vpn "description" on	mpe1 {
		   rd 65002:1
		   import-target rt 65002:42
		   export-target rt 65002:42
		   network 192.168.1/24
	   }

     bgpd(8) will not exchange VPN routes with a neighbor by default, see the
     NEIGHBORS AND GROUPS section.  The	description is used when logging but
     has no further meaning to bgpd(8).

     The mpe(4)	interface will be used as the outgoing interface for routes to
     the VPN, and local	networks will be announced with	the MPLS label speci-
     fied on the interface.  The interface can provide VPN connectivity	for
     another rdomain by	being configured in that rdomain.  The required	rdo-
     main must be configured on	the interface before bgpd(8) uses it.  Multi-
     ple VPNs may be connected to a single rdomain, including the rdomain that
     bgpd(8) is	running	in.

     An	example	hostname.if(5) configuration for an mpe(4) interface providing
     connectivity to rdomain 1:

	   rdomain 1
	   mplslabel 2000
	   inet	192.198.0.1 255.255.255.255
	   up

     The VPN properties	are as follows:

     export-target subtype as-number:local
     export-target subtype IP:local
	     Classify announced	networks by tagging them with an extended
	     community of the given arguments.	The community subtype should
	     be	a route	target,	rt, to ensure interoperability.	 The arguments
	     are further detailed in the ATTRIBUTE SET section.	 More than one
	     export-target can be specified.

     fib-update	(yes|no)
	     If	set to no, do not update the Forwarding	Information Base,
	     a.k.a. the	kernel routing table.  The default is yes.

     import-target subtype as-number:local
     import-target subtype IP:local
	     The rdomain imports only those prefixes tagged with an extended
	     community matching	an import-target.  The community subtype
	     should be a route target, rt, to ensure interoperability.	The
	     arguments are further detailed in the ATTRIBUTE SET section.
	     More than one import-target can be	specified.

     network arguments ...
	     Announce the given	networks within	this VPN; see the NETWORK
	     ANNOUNCEMENTS section.

     rd	as-number:local
     rd	IP:local
	     The Route Distinguisher rd	supplies BGP with namespaces to	disam-
	     biguate VPN prefixes, as these needn't be globally	unique.	 Un-
	     like route	targets, the rd	neither	identifies the origin of the
	     prefix nor	controls into which VPNs the prefix is distributed.
	     The as-number or IP of a rd should	be set to a number or IP that
	     was assigned by an	appropriate authority, whereas local can be
	     chosen by the local operator.

NEIGHBORS AND GROUPS
     bgpd(8) establishes TCP connections to other BGP speakers called
     neighbors.	 A neighbor and	its properties are specified by	a neighbor
     section:

	   neighbor 10.0.0.2 {
		   remote-as 65002
		   descr "a neighbor"
	   }

     Neighbors placed within a group section inherit the properties common to
     that group:

	   group "peering AS65002" {
		   remote-as 65002
		   neighbor 10.0.0.2 {
			   descr "AS65002-p1"
		   }
		   neighbor 10.0.0.3 {
			   descr "AS65002-p2"
		   }
	   }

     An	entire network of neighbors may	be accommodated	by specifying an ad-
     dress/netmask pair:

	   neighbor 10.0.0.0/8

     This is a template	that recognises	as a neighbor any connection from
     within the	given network.	Such neighbors inherit their template's	prop-
     erties, except for	their IP address.  A template may omit remote-as;
     bgpd(8) then accepts any AS presented by the neighbor in the OPEN mes-
     sage.

     The neighbor properties are as follows:

     announce (IPv4|IPv6) (none|unicast|vpn)
	     For the given address family, control which subsequent address
	     families are announced during the capabilities negotiation.  Only
	     routes for	that address family and	subsequent address families
	     will be announced and processed.

	     At	the moment, only none, which disables the announcement of that
	     address family, unicast, and vpn, which allows the	distribution
	     of	BGP MPLS VPNs, are supported.

	     The default is unicast for	the same address family	of the ses-
	     sion.

     announce as-4byte (yes|no)
	     If	set to no, the 4-byte AS capability is not announced and so
	     native 4-byte AS support is disabled.  The	default	is yes.

     announce capabilities (yes|no)
	     If	set to no, capability negotiation is disabled during the es-
	     tablishment of the	session.  This can be helpful to connect to
	     old or broken BGP implementations.	 The default is	yes.

     announce refresh (yes|no)
	     If	set to no, the route refresh capability	is not announced.  The
	     default is	yes.

     announce restart (yes|no)
	     If	set to no, the graceful	restart	capability is not announced.
	     Currently only the	End-of-RIB marker is supported and announced
	     by	the restart capability.	 The default is	yes.

     as-override (yes|no)
	     If	set to yes, all	occurrences of the neighbor AS in the AS path
	     will be replaced with the local AS	before running the filters.
	     The Adj-RIB-In still holds	the unmodified AS path.	 The default
	     value is no.

     demote group
	     Increase the carp(4) demotion counter on the given	interface
	     group, usually carp, when the session is not in state
	     ESTABLISHED.  The demotion	counter	will be	increased as soon as
	     bgpd(8) starts and	decreased 60 seconds after the session went to
	     state ESTABLISHED.	 For neighbors added at	runtime, the demotion
	     counter is	only increased after the session has been ESTABLISHED
	     at	least once before dropping.

	     For more information on interface groups, see the group keyword
	     in	ifconfig(8).

     depend on interface
	     The neighbor session will be kept in state	IDLE as	long as
	     interface reports no link.	 For carp(4) interfaces, no link means
	     that the interface	is currently backup.  This is primarily	in-
	     tended to be used with carp(4) to reduce failover times.

	     The state of the network interfaces on the	system can be viewed
	     using the show interfaces command to bgpctl(8).

     descr description
	     Add a description.	 The description is used when logging neighbor
	     events, in	status reports,	for specifying neighbors, etc.,	but
	     has no further meaning to bgpd(8).

     down [reason]
	     Do	not start the session when bgpd(8) comes up but	stay in	IDLE.
	     If	the session is cleared at runtime, after a down	reason was
	     configured	at runtime, the	reason is sent as Administrative Shut-
	     down Communication.  The reason cannot exceed 128 octets.

     dump (all|updates)	(in|out) file [interval]
	     Dump ongoing BGP activity for a particular	neighbor.  See also
	     the dump setting in GLOBAL	CONFIGURATION.

     enforce local-as (yes|no)
	     If	set to no, AS paths will not be	checked	for AS loop detection.
	     This feature is similar to	allowas-in in some other BGP implemen-
	     tations.  Since there is no AS path loop check, this feature is
	     dangerous,	and requires you to add	filters	to prevent receiving
	     your own prefixes.	 The default value is yes.

     enforce neighbor-as (yes|no)
	     If	set to yes, AS paths whose leftmost AS is not equal to the
	     remote AS of the neighbor are rejected and	a NOTIFICATION is sent
	     back.  The default value for IBGP peers is no; otherwise the
	     default is yes.

     export (none|default-route)
	     If	set to none, no	UPDATE messages	will be	sent to	the neighbor.
	     If	set to default-route, only the default route will be announced
	     to	the neighbor.  When export is modified the neighbor session
	     needs to be reset to become active.

     holdtime seconds
	     Set the holdtime in seconds.  Inherited from the global configu-
	     ration if not given.

     holdtime min seconds
	     Set the minimal acceptable	holdtime.  Inherited from the global
	     configuration if not given.

     ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
	     Enable IPsec with static keying.  There must be at	least two
	     ipsec statements per peer with manual keying, one per direction.
	     authspec specifies	the authentication algorithm and key.  It can
	     be

		   sha1	<key>
		   md5 <key>

	     encspec specifies the encryption algorithm	and key.  ah does not
	     support encryption.  With esp, encryption is optional.  encspec
	     can be

		   3des	<key>
		   3des-cbc <key>
		   aes <key>
		   aes-128-cbc <key>

	     Keys must be given	in hexadecimal format.	After changing set-
	     tings a session needs to be reset to use the new keys.

     ipsec (ah|esp) ike
	     Enable IPsec with dynamic keying.	In this	mode, bgpd(8) sets up
	     the flows,	and a key management daemon such as isakmpd(8) is re-
	     sponsible for managing the	session	keys.  With isakmpd(8),	it is
	     sufficient	to copy	the peer's public key, found in
	     /etc/isakmpd/local.pub, to	the local machine.  It must be stored
	     in	a file named after the peer's IP address and must be stored in
	     /etc/isakmpd/pubkeys/ipv4/.  The local public key must be copied
	     to	the peer in the	same way.  As bgpd(8) manages the flows	on its
	     own, it is	sufficient to restrict isakmpd(8) to only take care of
	     keying by specifying the flags -Ka.  This can be done in
	     rc.conf.local(8).	After starting the isakmpd(8) and bgpd(8) dae-
	     mons on both sides, the session should be established.  After
	     changing settings a session needs to be reset to use the new
	     keys.

     local-address address
	     When bgpd(8) initiates the	TCP connection to the neighbor system,
	     it	normally does not bind to a specific IP	address.  If a
	     local-address is given, bgpd(8) binds to this address first.

     local-as as-number	[as-number]
	     Set the AS	number sent to the remote system.  Used	as described
	     above under GLOBAL	CONFIGURATION option AS.

	     Since there is no AS path loop check, this	option is dangerous,
	     and requires you to add filters to	prevent	receiving your ASNs.
	     Intended to be used temporarily, for migrations to	another	AS.

     log no  Disable neighbor-specific logging.

     log updates
	     Log received and sent updates for this neighbor.

     max-prefix	number [restart	number]
	     Terminate the session when	the maximum number of prefixes re-
	     ceived is exceeded	(no such limit is imposed by default).	If
	     restart is	specified, the session will be restarted after number
	     minutes.

     multihop hops
	     Neighbors not in the same AS as the local bgpd(8) normally	have
	     to	be directly connected to the local machine.  If	this is	not
	     the case, the multihop statement defines the maximum hops the
	     neighbor may be away.

     passive
	     Do	not attempt to actively	open a TCP connection to the neighbor
	     system.

     remote-as as-number
	     Set the AS	number of the remote system.

     rib name
	     Bind the neighbor to the specified	RIB.

     route-reflector [address]
	     Act as an RFC 4456	route-reflector	for this neighbor.  An op-
	     tional cluster ID can be specified; otherwise the BGP ID will be
	     used.

     set attribute ...
	     Set the AS	path attributes	to some	default	per neighbor or	group
	     block:

		   set localpref 300

	     See also the ATTRIBUTE SET	section.  Set parameters are applied
	     to	the received prefixes; the only	exceptions are prepend-self,
	     nexthop no-modify and nexthop self.  These	sets are rewritten
	     into filter rules and can be viewed with "bgpd -nv".

     tcp md5sig	password secret
     tcp md5sig	key secret
	     Enable TCP	MD5 signatures per RFC 2385.  The shared secret	can
	     either be given as	a password or hexadecimal key.

		   tcp md5sig password mekmitasdigoat
		   tcp md5sig key deadbeef

	     After changing keys a session needs to be reset to use the new
	     keys.

     transparent-as (yes|no)
	     If	set to yes, AS paths to	EBGP neighbors are not prepended with
	     the local AS.  The	default	is inherited from the global
	     transparent-as setting.

     ttl-security (yes|no)
	     Enable or disable ttl-security.  When enabled, outgoing packets
	     are sent using a TTL of 255 and a check is	made against an	incom-
	     ing packet's TTL.	For directly connected peers, incoming packets
	     are required to have a TTL	of 255,	ensuring they have not been
	     routed.  For multihop peers, incoming packets are required	to
	     have a TTL	of 256 minus multihop distance,	ensuring they have not
	     passed through more than the expected number of hops.  The	de-
	     fault is no.

FILTER
     bgpd(8) filters all BGP UPDATE messages, including	its own	announcements,
     and blocks	them by	default.  Filter rules may match on neighbor, direc-
     tion, prefix or AS	path attributes.  Filter rules may also	modify AS path
     attributes.

     For each UPDATE processed by the filter, the filter rules are evaluated
     in	sequential order, from first to	last.  The last	matching allow or deny
     rule decides what action is taken.	 The default action is to deny.

     The following actions can be used in the filter:

     allow     The UPDATE is passed.

     deny      The UPDATE is blocked.

     match     Apply the filter	attribute set without influencing the filter
	       decision.

PARAMETERS
     The rule parameters specify the UPDATES to	which a	rule applies.  An
     UPDATE always comes from, or goes to, one neighbor.  Most parameters are
     optional, but each	can appear at most once	per rule.  If a	parameter is
     specified,	the rule only applies to packets with matching attributes.

     as-type [operator]	as-number
     as-type as-set name
	     This rule applies only to UPDATES where the AS path matches.  The
	     part of the AS path specified by the as-type is matched against
	     the as-number or the as-set name:

	     AS		  (any part)
	     peer-as	  (leftmost AS number)
	     source-as	  (rightmost AS	number)
	     transit-as	  (all but the rightmost AS number)

	     as-number is an AS	number as explained above under	GLOBAL
	     CONFIGURATION.  It	may be set to neighbor-as, which is expanded
	     to	the current neighbor remote AS number, or local-as, which is
	     expanded to the locally assigned AS number.

	     When specifying an	as-set name the	AS path	will instead be
	     matched against all the AS	numbers	in the set.

	     The operator can be unspecified (this case	is identical to	the
	     equality operator), or one	of the numerical operators

		   =	   (equal)
		   !=	   (unequal)
		   -	   (range including boundaries)
		   ><	   (except range)

	     ><	and - are binary operators (they take two arguments); with
	     these, as-number cannot be	set to neighbor-as.

	     Multiple as-number	entries	for a given type or as-type as-number
	     entries may also be specified, separated by commas	or whitespace,
	     if	enclosed in curly brackets:

		   deny	from any AS { 1, 2, 3 }
		   deny	from any { AS 1, source-as 2, transit-as 3 }
		   deny	from any { AS {	1, 2, 3	}, source-as 4,	transit-as 5 }
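How the as-type parameter selects part of the AS path and applies the operators above, written out in Python as an added example (not bgpd's own code). The AS paths are constructed samples; as_number also accepts the ASDOT notation described under GLOBAL CONFIGURATION; as_type_match, as_path_part and as_number_matches are names chosen here, and reading `!=` as "some element of the selected part differs" is this example's assumption.

```python
# Constructed sample AS paths, leftmost AS first (the AS_PATH as received:
# peer AS at the left, origin AS at the right).
PATH_A = [64496, 64500, 64511]
PATH_B = [64496, 64496, 64511, 64511]


def as_number(text):
    """Parse an AS number in ASPLAIN ('196618') or ASDOT ('3.10') notation."""
    if "." in text:
        high, low = text.split(".")
        return int(high) * 65536 + int(low)
    return int(text)


def as_path_part(path, as_type):
    """Select the part of the AS path that the as-type refers to."""
    parts = {
        "AS": path,                 # any part
        "peer-as": path[:1],        # leftmost AS
        "source-as": path[-1:],     # rightmost AS
        "transit-as": path[:-1],    # all but the rightmost AS
    }
    return parts[as_type]


def as_number_matches(asn, operator, a, b=None):
    """Apply one as-number operator ('=', '!=', '-', '><') to a single AS."""
    if operator in (None, "="):
        return asn == a
    if operator == "!=":
        return asn != a
    if operator == "-":
        return a <= asn <= b
    if operator == "><":
        return asn < a or asn > b
    raise ValueError("unknown operator %r" % operator)


def as_type_match(path, as_type, value, operator=None, b=None,
                  neighbor_as=None, local_as=None, as_sets=None):
    """Evaluate 'as-type [operator] as-number' or 'as-type as-set name'.

    value may be an int, 'neighbor-as', 'local-as' (expanded from the session
    context) or the name of an as-set in as_sets.  The rule matches when any
    AS in the selected part of the path satisfies the test.
    """
    part = as_path_part(path, as_type)
    if as_sets is not None and value in as_sets:
        return any(asn in as_sets[value] for asn in part)
    expand = {"neighbor-as": neighbor_as, "local-as": local_as}
    a = expand.get(value, value)
    if a is None:
        raise ValueError("%s used without session context" % value)
    return any(as_number_matches(asn, operator, a, b) for asn in part)


if __name__ == "__main__":
    print("source-as 64511:", as_type_match(PATH_A, "source-as", 64511))
    print("transit-as 64511:", as_type_match(PATH_A, "transit-as", 64511))
    print("AS 64500 - 64510:", as_type_match(PATH_A, "AS", 64500, "-", 64510))
```

A rule such as `deny from any source-as bogons` with an as-set of reserved AS numbers becomes a single set lookup over the rightmost element, which is why the man page recommends sets over long lists of individual rules.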

     community as-number:local
     community name
	     This rule applies only to UPDATES where the community path	attri-
	     bute is present and matches.  Communities are specified as
	     as-number:local, where as-number is an AS number and local	is a
	     locally significant number	between	zero and 65535.	 Both
	     as-number and local may be	set to `*' to do wildcard matching.
	     Alternatively, well-known communities may be given	by name	in-
	     stead and include BLACKHOLE, GRACEFUL_SHUTDOWN, NO_EXPORT,
	     NO_ADVERTISE, NO_EXPORT_SUBCONFED,	and NO_PEER.  Both as-number
	     and local may be set to neighbor-as, which	is expanded to the
	     current neighbor remote AS	number,	or local-as, which is expanded
	     to	the locally assigned AS	number.

     large-community as-number:local:local
	     This rule applies only to UPDATES where the Large community path
	     attribute is present and matches.	Communities are	specified as
	     as-number:local:local, where as-number is an AS number and	local
	     is	a locally significant number between zero and 4294967295.
	     Both as-number and	local may be set to `*'	to do wildcard match-
	     ing, neighbor-as, which is	expanded to the	current	neighbor re-
	     mote AS number, or	local-as, which	is expanded to the locally as-
	     signed AS number.

     ext-community subtype as-number:local
     ext-community subtype IP:local
     ext-community subtype numvalue
     ext-community ovs (valid |	not-found | invalid)
	     This rule applies only to UPDATES where the extended community
	     path attribute is present and matches.  Extended Communities are
	     specified by a subtype and	normally two values, a globally	unique
	     part (e.g.	the AS number) and a local part.  Both as-number and
	     local may be set to neighbor-as, which is expanded	to the current
	     neighbor remote AS	number,	or local-as, which is expanded to the
	     locally assigned AS number.  Wildcard matching is supported for
	     local, numvalue and subtype.  If wildcard matching	is used	on the
	     subtype then numvalue also	needs to be set	to `*'.	 See also the
	     ATTRIBUTE SET section for further information about the encoding.

     (from|to) peer
	     This rule applies only to UPDATES coming from, or going to, this
	     particular	neighbor.  This	parameter must be specified.  peer is
	     one of the	following:

	     any	  Any neighbor will be matched.
	     ibgp	  All IBGP neighbors will be matched.
	     ebgp	  All EBGP neighbors will be matched.
	     address	  Neighbors with this address will be matched.
	     group descr  Neighbors in this group will be matched.
	     AS	as-number
			  Neighbors with this AS will be matched.

	     Multiple peer entries may also be specified, separated by commas
	     or	whitespace, if enclosed	in curly brackets:

		   deny	from { 128.251.16.1, 251.128.16.2, group hojo }

     (inet|inet6)
	     Match only	routes in the IPv4 or IPv6 address families, respec-
	     tively.  inet is an alias for "prefix 0.0.0.0/0 prefixlen >= 0";
	     inet6 is an alias for "prefix ::/0	prefixlen >= 0".

     max-as-len	len
	     This rule applies only to UPDATES where the AS path has more than
	     len elements.

     max-as-seq	len
	     This rule applies only to UPDATES where a single AS number	is re-
	     peated more than len times.

     nexthop address
	     This rule applies only to UPDATES where the nexthop is equal to
	     address.  The address can be set to neighbor in which case	the
	     nexthop is	compared against the address of	the neighbor.  Nexthop
	     filtering is not supported	on locally announced networks and one
	     must take into consideration previous rules overwriting nexthops.

     origin-set	name
	     This rule applies only to UPDATES that match the given origin-set
	     name.

     ovs (valid	| not-found | invalid)
	     This rule applies only to UPDATES where the Origin	Validation
	     State (OVS) matches.

     prefix address/len
     prefix address/len	prefixlen range
     prefix address/len	or-longer
     prefix address/len	maxlen mlen
	     This rule applies only to UPDATES for the specified prefix.

	     Multiple entries may be specified,	separated by commas or white-
	     space, if enclosed	in curly brackets:

		   deny	from any prefix	{ 192.168.0.0/16, 10.0.0.0/8 or-longer }

	     Multiple lists can	also be	specified, which is useful for macro
	     expansion:

		   good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
		   bad="{ 224.0.0.0/4 prefixlen	>= 4, 240.0.0.0/4 prefixlen >= 4 }"
		   ugly="{ 127.0.0.1/8,	169.254.0.0/16 }"

		   deny	from any prefix	{ $good	$bad $ugly }

	     Prefix length ranges are specified	by using these operators:

		   =	   (equal)
		   !=	   (unequal)
		   <	   (less than)
		   <=	   (less than or equal)
		   >	   (greater than)
		   >=	   (greater than or equal)
		   -	   (range including boundaries)
		   ><	   (except range)

	     ><	and - are binary operators (they take two arguments).  For in-
	     stance, to	match all prefix lengths >= 8 and <= 12, and hence the
	     CIDR netmasks 8, 9, 10, 11	and 12:

		   prefixlen 8-12

	     Or, to match all prefix lengths < 8 or > 12, and hence the	CIDR
	     netmasks 0-7 and 13-32:

		   prefixlen 8><12

	     This will match all prefixes in the 10.0.0.0/8 netblock with net-
	     masks longer than 16:

		   prefix 10.0.0.0/8 prefixlen > 16

	     or-longer is a shorthand for:

		   prefix address/len prefixlen	>= len

	     maxlen mlen is a shorthand	for:

		   prefix address/len prefixlen	<= mlen

     prefix-set	name [or-longer]
	     This rule applies only to UPDATES that match the given prefix-set
	     name.  With or-longer, the	UPDATES	will match any prefix in the
	     prefix-set	where

		   address/len prefixlen >= len

     quick   If	an UPDATE matches a rule which has the quick option set, this
	     rule is considered	the last matching rule,	and evaluation of sub-
	     sequent rules is skipped.
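
	     The following inbound sanity filter is an added example; it is
	     not taken from this manual page or from the OpenBGPD project.
	     It combines the prefix, prefixlen, max-as-len, max-as-seq, ovs
	     and quick parameters described above.  The prefix lists are con-
	     structed for illustration, and the path-length limits (100 and
	     10) and the /8-/24 and /16-/48 windows are assumed local policy,
	     not values taken from the manual.  The deny quick rules come
	     first so that no later allow rule can override them.

```conf
# Added example: inbound sanity filter for external (ebgp) peers.
# Prefix lists below are constructed for illustration.
rfc1918="{ 10.0.0.0/8 or-longer, 172.16.0.0/12 or-longer, 192.168.0.0/16 or-longer }"
special="{ 0.0.0.0/8 or-longer, 100.64.0.0/10 or-longer, 127.0.0.0/8 or-longer, 169.254.0.0/16 or-longer }"
reserved="{ 224.0.0.0/4 or-longer, 240.0.0.0/4 or-longer }"

# A default route from outside and any martian space are never accepted.
# "prefix 0.0.0.0/0" without an operator matches only the /0 itself.
deny quick from ebgp prefix 0.0.0.0/0
deny quick from ebgp prefix { $rfc1918 $special $reserved }

# Drop RPKI-invalid announcements before any allow rule can match them.
deny quick from ebgp ovs invalid

# Reject absurd AS paths: more than 100 hops (assumed limit), or a
# single AS repeated more than 10 times (assumed limit).
deny quick from ebgp max-as-len 100
deny quick from ebgp max-as-seq 10

# Accept only sane lengths.  "8 - 24" is the inclusive range operator,
# so /8 through /24 pass; anything more specific is left unmatched.
allow from ebgp inet prefixlen 8 - 24
allow from ebgp inet6 prefixlen 16 - 48
```

	     Because the deny rules carry quick, a matching UPDATE is never
	     reconsidered by the allow rules, regardless of where those are
	     placed in the rule set.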

     rib name
	     Apply the rule only to the specified RIB.  This applies only to
	     received UPDATES and therefore cannot be combined with the to
	     peer parameter.

     set attribute ...
	     Matching rules can modify path attributes with set.  The set of
	     every matching rule is applied, not only that of the last match-
	     ing one.  See also the following section.

ATTRIBUTE SET
     AS	path attributes	can be modified	with set.

     set can be	used on	network	statements, in neighbor	or group blocks, and
     on	filter rules.  Attribute sets can be expressed as lists.

     The following attributes can be modified:

     community [delete]	as-number:local
     community [delete]	name
	     Set or delete the COMMUNITIES AS path attribute.  Communities are
	     specified as as-number:local, where as-number is an AS number and
	     local is a	locally	significant number between zero	and 65535.
	     Alternately, well-known communities may be	specified by name:
	     GRACEFUL_SHUTDOWN,	NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED,
	     or	NO_PEER.  For delete, both as-number and local may be set to
	     `*' to do wildcard	matching.

     large-community [delete] as-number:local:local
     large-community [delete] name
	     Set or delete the Large Communities path attribute.  Communities
	     are specified as as-number:local:local, where as-number is	an AS
	     number and	local is a locally significant number between zero and
	     4294967295.  For delete, both as-number and local may be set to
	     `*' to do wildcard	matching.

     ext-community [delete] subtype as-number:local
     ext-community [delete] subtype IP:local
     ext-community [delete] subtype numvalue
     ext-community [delete] ovs	(valid | not-found | invalid)
	     Set or delete the Extended	Community AS path attribute.  Extended
	     Communities are specified by a subtype and	normally two values, a
	     globally unique part (e.g.	the AS number) and a local part.  The
	     type is selected depending	on the encoding	of the global part.
	     Two-octet AS Specific Extended Communities	and Four-octet AS Spe-
	     cific Extended Communities	are encoded as as-number:local.	 Four-
	     octet encoding is used if the as-number is	bigger than 65535 or
	     if	the AS_DOT encoding is used.  IPv4 Address Specific Extended
	     Communities are encoded as	IP:local.  Opaque Extended Communities
	     are encoded with a	single numeric value.  The ovs subtype can
	     only be set to valid, not-found, or invalid.  Currently the fol-
	     lowing subtypes are supported:

		   bdc	    BGP	Data Collection
		   defgw    Default Gateway
		   esi-lab  ESI	Label
		   esi-rt   ES-Import Route Target
		   l2vid    L2VPN Identifier
		   mac-mob  MAC	Mobility
		   odi	    OSPF Domain	Identifier
		   ort	    OSPF Route Type
		   ori	    OSPF Router	ID
		   ovs	    BGP	Origin Validation State
		   rt	    Route Target
		   soo	    Route Origin / Source of Origin
		   srcas    Source AS
		   vrfri    VRF	Route Import

	     Not all type and subtype value pairs are allowed by IANA and the
	     parser will ensure	that no	invalid	combination is created.

	     For delete, subtype, numvalue, or local, may be set to `*'	to do
	     wildcard matching.	 If wildcard matching is used on the subtype
	     then numvalue also	needs to be set	to `*'.

     localpref number
	     Set the LOCAL_PREF	AS path	attribute.  If number starts with a
	     plus or minus sign, LOCAL_PREF will be adjusted by	adding or sub-
	     tracting number; otherwise	it will	be set to number.  The default
	     is	100.

     med number
     metric number
	     Set the MULTI_EXIT_DISC AS	path attribute.	 If number starts with
	     a plus or minus sign, MULTI_EXIT_DISC will	be adjusted by adding
	     or	subtracting number; otherwise it will be set to	number.

     origin (igp|egp|incomplete)
	     Set the ORIGIN AS path attribute to mark the source of this route
	     as	being injected from an igp protocol, an	egp protocol or	being
	     an	aggregated route.

     nexthop (address|blackhole|reject|self|no-modify)
	     Set the NEXTHOP AS path attribute to a different nexthop address,
	     or install a blackhole or reject route.  blackhole and reject
	     only affect the FIB and do not alter the nexthop attribute.  self
	     forces the nexthop to the local interface address.  With
	     no-modify, the nexthop attribute is left unchanged on EBGP multi-
	     hop sessions; by default EBGP multihop sessions use the local in-
	     terface address.  On IBGP and directly connected EBGP sessions
	     no-modify is ignored.  An explicit address is used on IBGP ses-
	     sions, and on directly connected EBGP sessions only if the ad-
	     dress is part of the connected network.  On EBGP multihop ses-
	     sions no-modify must also be set to force the nexthop to address.

		   set nexthop 192.168.0.1
		   set nexthop blackhole
		   set nexthop reject
		   set nexthop no-modify
		   set nexthop self

     pftable table
	     Add the prefix in the update to the specified pf(4) table,	re-
	     gardless of whether or not	the path was selected for routing.
	     This option may be	useful in building realtime blacklists.

     prepend-neighbor number
	     Prepend the neighbor's AS number to the AS path number times.

     prepend-self number
	     Prepend the local AS number to the AS path number times.

     rtlabel label
	     Add the prefix to the kernel routing table	with the specified
	     label.

     weight number
	     The weight	is used	to tip prefixes	with equally long AS paths in
	     one or the	other direction.  A prefix is weighed at a very	late
	     stage in the decision process.  If	number starts with a plus or
	     minus sign, the weight will be adjusted by	adding or subtracting
	     number; otherwise it will be set to number.  Weight is a local
	     non-transitive attribute, and is a	bgpd(8)-specific extension.
	     For prefixes with equally long paths, the prefix with the larger
	     weight is selected.
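
	     The following fragment is an added example of attribute sets on
	     filter rules; it is not taken from this manual page or from the
	     OpenBGPD project.  The group names customers and transit-backup,
	     the local AS number 65000, the community values 65000:666 and
	     65000:1:64496 and the pf table name rtbh are hypothetical.  The
	     community match parameter is the one documented under PARAME-
	     TERS.

```conf
# Added example: attribute handling on a customer-facing EBGP group.
# Names, AS numbers, community values and the pf table are hypothetical.

# Remotely triggered blackhole: a customer marks a host route with
# 65000:666.  Drop the traffic in the FIB and feed the prefix into a pf
# table so pf rules can react.  quick ends evaluation here, so the
# community stripping below does not remove the blackhole marker.
allow quick from group customers community 65000:666 inet prefixlen = 32 \
    set { nexthop blackhole, pftable "rtbh", localpref 500 }

# Every other customer route: strip anything in our own community space
# before tagging, so a peer cannot steer local policy by presenting our
# communities.  Wildcards delete all values with the given AS number.
allow from group customers set { \
    community delete 65000:*, \
    large-community delete 65000:*:*, \
    ext-community delete rt 65000:*, \
    localpref 200, \
    large-community 65000:1:64496 }

# Outbound: IBGP peers must be given a nexthop they can reach, and the
# backup transit is de-preferred by prepending our AS three times.
allow to ibgp set nexthop self
allow to group transit-backup set prepend-self 3
```

	     Sets accumulate across matching rules, so the order of the two
	     customer rules matters: the quick rule protects the blackhole
	     marker, while routes that fall through to the second rule lose
	     every 65000:* community before they are tagged.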

FILES
     /etc/bgpd.conf  bgpd(8) configuration file

SEE ALSO
     strftime(3), ipsec(4), pf(4), rdomain(4), tcp(4), bgpctl(8), bgpd(8),
     ipsecctl(8), isakmpd(8), rc.conf.local(8)

HISTORY
     The bgpd.conf file	format first appeared in OpenBSD 3.5.

FreeBSD	13.0			October	4, 2019			  FreeBSD 13.0
