bgpq3(8) bgp filtering automation for cisco and juniper routers

SYNOPSIS

[-h host ] [-S sources ] [-EP ] [-f asn -G asn ] [-346AbDdJjX ] [-r len ] [-R len ] [-m max ] [-W len ] OBJECTS [...]

DESCRIPTION

The utility used to generate Cisco and Juniper prefix-lists, extended access-lists, policy-statement terms and as-path lists based on RADB data.

The options are as follows:

-3
assume that your device is asn32-safe.
-4
generate IPv4 prefix/access-lists (default).
-6
generate IPv6 prefix/access-lists (IPv4 by default).
-A
try to aggregate prefix-lists as much as possible (not all output formats supported).
-b
generate output in BIRD format (default: Cisco).
-d
enable some debugging output.
-D
use asdot notation for Cisco as-path access-lists.
-E
generate extended access-list (Cisco) or policy-statement term using route-filters (Juniper).
-f number
generate input as-path access-list.
-G number
generate output as-path access-list.
-h host
host running IRRD database (default: whois.radb.net).
-J
generate config for Juniper (default: Cisco).
-j
generate output in JSON format (default: Cisco).
-m len
maximum prefix-length of accepted prefixes (default: 32 for IPv4 and 128 for IPv6).
-M match
extra match conditions for Juniper route-filters.
-l name
name of generated entry.
-P
generate prefix-list (default, backward compatibility).
-r len
allow more specific routes starting with specified masklen too.
-R len
allow more specific routes up to specified masklen too.
-S sources
use specified sources only (default: RADB,RIPE,APNIC).
-T
disable pipelining.
-W len
generate as-path strings of no more than len items (use 0 for inifinity).
-X
generate config for Cisco IOS XR devices (plain IOS by default).
OBJECTS
means networks (in prefix format), autonomous systems, as-sets and route-sets.

EXAMPLES

Generating named juniper prefix-filter for AS20597: 
~>bgpq3 -Jl eltel AS20597
policy-options {
replace:
 prefix-list eltel {
    81.9.0.0/20;
    81.9.32.0/20;
    81.9.96.0/20;
    81.222.128.0/20;
    81.222.192.0/18;
    85.249.8.0/21;
    85.249.224.0/19;
    89.112.0.0/19;
    89.112.4.0/22;
    89.112.32.0/19;
    89.112.64.0/19;
    217.170.64.0/20;
    217.170.80.0/20;
 }
}






For Cisco we can use aggregation (-A) flag to make this prefix-filter
more compact: 

~>bgpq3 -Al eltel AS20597
no ip prefix-list eltel
ip prefix-list eltel permit 81.9.0.0/20
ip prefix-list eltel permit 81.9.32.0/20
ip prefix-list eltel permit 81.9.96.0/20
ip prefix-list eltel permit 81.222.128.0/20
ip prefix-list eltel permit 81.222.192.0/18
ip prefix-list eltel permit 85.249.8.0/21
ip prefix-list eltel permit 85.249.224.0/19
ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
ip prefix-list eltel permit 89.112.4.0/22
ip prefix-list eltel permit 89.112.64.0/19
ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20


- you see, prefixes 89.112.0.0/19 and 89.112.32.0/19 now aggregated
into single entry 89.112.0.0/18 ge 19 le 19. 


Well, for Juniper we can generate even more interesting policy-options,
using -M <extra match conditions>, -R <len> and hierarchical names: 

~>bgpq3 -AJEl eltel/specifics -r 29 -R 32 -M "community blackhole" AS20597
policy-options {
 policy-statement eltel {
  term specifics {
replace:
   from {
    community blackhole;
    route-filter 81.9.0.0/20 prefix-length-range /29-/32;
    route-filter 81.9.32.0/20 prefix-length-range /29-/32;
    route-filter 81.9.96.0/20 prefix-length-range /29-/32;
    route-filter 81.222.128.0/20 prefix-length-range /29-/32;
    route-filter 81.222.192.0/18 prefix-length-range /29-/32;
    route-filter 85.249.8.0/21 prefix-length-range /29-/32;
    route-filter 85.249.224.0/19 prefix-length-range /29-/32;
    route-filter 89.112.0.0/17 prefix-length-range /29-/32;
    route-filter 217.170.64.0/19 prefix-length-range /29-/32;
   }
  }
 }
}


generated policy-option term now allows all specifics with prefix-length
between /29 and /32 for eltel networks if they match with special community 
'blackhole' (defined elsewhere in configuration).


Of course, this version supports IPv6 (-6): 

~>bgpq3 -6l as-retn-6 AS-RETN6
no ipv6 prefix-list as-retn-6
ipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48
ipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48
[....]


and support for ASN 32 is also here

~>bgpq3 -J3f 112 AS-SPACENET
policy-options {
replace:
 as-path-group NN {
  as-path a0 "^112(112)*$";
  as-path a1 "^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$";
  as-path a2 "^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$";
  as-path a3 "^112(.)*(35052|41720|43628|44450|196611)$";
 }
}


see AS196611 in the end of the list ? That's AS3.3 in 'asplain' notation. 


For non-ASN32 capable routers you should not use switch -3, 
and the result will be next: 

~>bgpq3 -f 112 AS-SPACENET
no ip as-path access-list NN
ip as-path access-list NN permit ^112(_112)*$
ip as-path access-list NN permit ^112(_[0-9]+)*_(1898|5539|8495|8763)$
ip as-path access-list NN permit ^112(_[0-9]+)*_(8878|12136|12931|15909)$
ip as-path access-list NN permit ^112(_[0-9]+)*_(21358|23456|23600|24151)$
ip as-path access-list NN permit ^112(_[0-9]+)*_(25152|31529|34127|34906)$
ip as-path access-list NN permit ^112(_[0-9]+)*_(35052|41720|43628|44450)$






AS196611 is no more in the list, however, AS23456 (transition AS)
would be added to list if it were not present. 





DIAGNOSTICS

When everything is OK, 

generates access-list to standard output and exits with status == 0. 
In case of errors they are printed to stderr and program exits with 
non-zero status. 





AUTHOR

An Alexandre Snarskii Aq [email protected]






      

    



  









  

  



        

          
LAST SEARCHED