BGPQ3(8) BSD System Manager's Manual BGPQ3(8)
NAME
bgpq3 — bgp filtering automation for cisco and juniper routers
SYNOPSIS
bgpq3 [-h host] [-S sources] [-EP] [-f asn | -G asn] [-346AbDdJjX]
[-r len] [-R len] [-m max] [-W len] OBJECTS [...]
DESCRIPTION
The bgpq3 utility is used to generate Cisco and Juniper prefix-lists,
extended access-lists, policy-statement terms and as-path lists based on
RADB data.
The options are as follows:
-3 assume that your device is asn32-safe.
-4 generate IPv4 prefix/access-lists (default).
-6 generate IPv6 prefix/access-lists (IPv4 by default).
-A try to aggregate prefix-lists as much as possible (not all output
formats supported).
-b generate output in BIRD format (default: Cisco).
-d enable some debugging output.
-D use asdot notation for Cisco as-path access-lists.
-E generate extended access-list (Cisco) or policy-statement term
using route-filters (Juniper).
-f number
generate input as-path access-list.
-G number
generate output as-path access-list.
-h host
host running IRRD database (default: whois.radb.net).
-J generate config for Juniper (default: Cisco).
-j generate output in JSON format (default: Cisco).
-m len maximum prefix-length of accepted prefixes (default: 32 for IPv4
and 128 for IPv6).
-M match
extra match conditions for Juniper route-filters.
-l name
name of generated entry.
-P generate prefix-list (default, backward compatibility).
-r len allow more specific routes starting with specified masklen too.
-R len allow more specific routes up to specified masklen too.
-S sources
use specified sources only (default: RADB,RIPE,APNIC).
-T disable pipelining.
-W len generate as-path strings of no more than len items (use 0 for
infinity).
-X generate config for Cisco IOS XR devices (plain IOS by default).
OBJECTS
means networks (in prefix format), autonomous systems, as-sets
and route-sets.
EXAMPLES
Generating a named Juniper prefix-filter for AS20597:
    ~>bgpq3 -Jl eltel AS20597
    policy-options {
    replace:
     prefix-list eltel {
        81.9.0.0/20;
        81.9.32.0/20;
        81.9.96.0/20;
        81.222.128.0/20;
        81.222.192.0/18;
        85.249.8.0/21;
        85.249.224.0/19;
        89.112.0.0/19;
        89.112.4.0/22;
        89.112.32.0/19;
        89.112.64.0/19;
        217.170.64.0/20;
        217.170.80.0/20;
     }
    }
For Cisco we can use the aggregation (-A) flag to make this prefix-filter
more compact:
    ~>bgpq3 -Al eltel AS20597
    no ip prefix-list eltel
    ip prefix-list eltel permit 81.9.0.0/20
    ip prefix-list eltel permit 81.9.32.0/20
    ip prefix-list eltel permit 81.9.96.0/20
    ip prefix-list eltel permit 81.222.128.0/20
    ip prefix-list eltel permit 81.222.192.0/18
    ip prefix-list eltel permit 85.249.8.0/21
    ip prefix-list eltel permit 85.249.224.0/19
    ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
    ip prefix-list eltel permit 89.112.4.0/22
    ip prefix-list eltel permit 89.112.64.0/19
    ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20
As you can see, prefixes 89.112.0.0/19 and 89.112.32.0/19 are now
aggregated into a single entry, 89.112.0.0/18 ge 19 le 19.
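What the aggregated entries actually match, as an added example (not part of bgpq3 or of the original manual): a small Python evaluator for Cisco prefix-list ge/le matching that checks the -A output above still permits every prefix of the un-aggregated list and does not admit the covering aggregates. The function names and the probe routes are constructed for illustration.

```python
import ipaddress
import re

# Cisco output of `bgpq3 -Al eltel AS20597`, copied from the page.
AGGREGATED = """\
no ip prefix-list eltel
ip prefix-list eltel permit 81.9.0.0/20
ip prefix-list eltel permit 81.9.32.0/20
ip prefix-list eltel permit 81.9.96.0/20
ip prefix-list eltel permit 81.222.128.0/20
ip prefix-list eltel permit 81.222.192.0/18
ip prefix-list eltel permit 85.249.8.0/21
ip prefix-list eltel permit 85.249.224.0/19
ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
ip prefix-list eltel permit 89.112.4.0/22
ip prefix-list eltel permit 89.112.64.0/19
ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20
"""
# Prefixes of the un-aggregated Juniper prefix-list shown on the page.
REGISTERED = """81.9.0.0/20 81.9.32.0/20 81.9.96.0/20 81.222.128.0/20
81.222.192.0/18 85.249.8.0/21 85.249.224.0/19 89.112.0.0/19 89.112.4.0/22
89.112.32.0/19 89.112.64.0/19 217.170.64.0/20 217.170.80.0/20""".split()
ENTRY = re.compile(
    r"^ip prefix-list \S+ permit (\S+)(?: ge (\d+))?(?: le (\d+))?$", re.M)

def parse_prefix_list(config):
    """Return (network, min_len, max_len) for every permit line."""
    entries = []
    for m in ENTRY.finditer(config):  # the "no ip prefix-list" line never matches
        net = ipaddress.ip_network(m.group(1))
        ge, le = m.group(2), m.group(3)
        # No ge/le: exact length. ge alone: up to the maximum. le alone: from own length.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        entries.append((net, lo, hi))
    return entries

def permitted(entries, route):
    r = ipaddress.ip_network(route)
    return any(lo <= r.prefixlen <= hi and r.subnet_of(n) for n, lo, hi in entries)

def audit(entries, registered, probes):
    """Registered prefixes the filter drops, and probes it wrongly admits."""
    missing = [p for p in registered if not permitted(entries, p)]
    leaked = [p for p in probes if permitted(entries, p)]
    return missing, leaked

# Constructed probes: the two covering aggregates and two more-specifics.
PROBES = ["89.112.0.0/18", "217.170.64.0/19", "89.112.0.0/20", "81.9.0.0/24"]
print(audit(parse_prefix_list(AGGREGATED), REGISTERED, PROBES))
```

Both lists come back empty: the aggregated filter accepts exactly the thirteen registered prefixes and rejects the /18 and /19 that the ge/le entries are written against.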
Well, for Juniper we can generate even more interesting policy-options,
using -M <extra match conditions>, -R <len> and hierarchical names:
    policy-options {
     policy-statement eltel {
      term specifics {
    replace:
       from {
        community blackhole;
        route-filter 81.9.0.0/20 prefix-length-range /29-/32;
        route-filter 81.9.32.0/20 prefix-length-range /29-/32;
        route-filter 81.9.96.0/20 prefix-length-range /29-/32;
        route-filter 81.222.128.0/20 prefix-length-range /29-/32;
        route-filter 81.222.192.0/18 prefix-length-range /29-/32;
        route-filter 85.249.8.0/21 prefix-length-range /29-/32;
        route-filter 85.249.224.0/19 prefix-length-range /29-/32;
        route-filter 89.112.0.0/17 prefix-length-range /29-/32;
        route-filter 217.170.64.0/19 prefix-length-range /29-/32;
       }
      }
     }
    }
The generated policy-options term now allows all specifics with prefix-length
between /29 and /32 for eltel networks if they match the special community.
Of course, this version supports IPv6 (-6):
    ~>bgpq3 -6l as-retn-6 AS-RETN6
    no ipv6 prefix-list as-retn-6
    ipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48
    ipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48
    [....]
Support for ASN32 is also here:
    ~>bgpq3 -J3f 112 AS-SPACENET
    policy-options {
    replace:
     as-path-group NN {
      as-path a0 "^112(112)*$";
      as-path a1 "^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$";
      as-path a2 "^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$";
      as-path a3 "^112(.)*(35052|41720|43628|44450|196611)$";
     }
    }
See AS196611 at the end of the list? That's AS3.3, shown in 'asplain'
notation. For non-ASN32 capable routers you should not use the -3 switch,
and the result will be as follows:
    ~>bgpq3 -f 112 AS-SPACENET
    no ip as-path access-list NN
    ip as-path access-list NN permit ^112(_112)*$
    ip as-path access-list NN permit ^112(_[0-9]+)*_(1898|5539|8495|8763)$
    ip as-path access-list NN permit ^112(_[0-9]+)*_(8878|12136|12931|15909)$
    ip as-path access-list NN permit ^112(_[0-9]+)*_(21358|23456|23600|24151)$
    ip as-path access-list NN permit ^112(_[0-9]+)*_(25152|31529|34127|34906)$
    ip as-path access-list NN permit ^112(_[0-9]+)*_(35052|41720|43628|44450)$
AS196611 is no longer in the list; however, AS23456 (transition AS) would
have been added to the list if it were not already present.
DIAGNOSTICS
When everything is OK, bgpq3 writes the generated access-list to standard
output and exits with status 0. In case of errors, they are printed to
stderr and the program exits with non-zero status.
SEE ALSO
http://www.radb.net/ Routing Arbiter project
http://tools.ietf.org/html/draft-michaelson-4byte-as-representation-05
for information on 'asdot' and 'asplain' notations.
http://www.cisco.com/en/US/docs/ios/12_0s/release/ntes/120SNEWF.html#wp3521658
for information on Cisco implementation of ASN32.
AUTHOR
Alexandre Snarskii ⟨snar@snar.spb.ru⟩
BSD Oct 27, 2008 BSD