
Controlling the Receiving of BGP Routes

Context

When a BGP device is attacked or network configuration errors occur, the device receives a large number of routes from its peer, which consumes many device resources. The administrator must therefore limit the resources the device uses, based on network planning and device capacity. BGP provides peer-based route control to limit the number of routes a peer can send, which addresses this problem.

Procedure

  • Configure the BGP device to filter the routes received from all its peers or peer groups.
    1. Run system-view

      The system view is displayed.

    2. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Enter the address family view that matches the network type.

      • Run ipv4-family { unicast | multicast }

        The IPv4 address family view is displayed.

      • Run ipv6-family [ unicast ]

        The IPv6 address family view is displayed.

    4. Perform either of the following operations to configure the BGP device to filter the routes received from all its peers or peer groups:

      • To filter routes based on an ACL, run the filter-policy { acl-number | acl-name acl-name } import or the filter-policy { acl6-number | acl6-name acl6-name } import command.
      • To filter routes based on an IP prefix list, run the filter-policy ip-prefix ip-prefix-name import or the filter-policy ipv6-prefix ipv6-prefix-name import command.

      If an ACL has been referenced in the filter-policy command but no VPN instance is specified in the ACL rule, BGP will filter routes including public and private network routes in all address families. If a VPN instance is specified in the ACL rule, only the data traffic from the VPN instance will be filtered, and no route of this VPN instance will be filtered.

  • Configure BGP to filter the routes received from a specified peer or peer group.
    1. Run system-view

      The system view is displayed.

    2. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Enter the address family view that matches the network type.

      • Run ipv4-family { unicast | multicast }

        The IPv4 address family view is displayed.

      • Run ipv6-family [ unicast ]

        The IPv6 address family view is displayed.

    4. Perform any of the following operations to configure the BGP device to filter the routes received from a specific peer or peer group:

      • To filter routes based on an ACL, run the peer { group-name | ipv4-address | ipv6-address } filter-policy { acl-number | acl-name acl-name | acl6-number | acl6-name acl6-name } import command.

      • To filter routes based on an IP prefix list, run the peer { ipv4-address | group-name } ip-prefix ip-prefix-name import or the peer { group-name | ipv4-address | ipv6-address } ipv6-prefix ipv6-prefix-name import command.

      • To filter routes based on an AS_Path filter, run the peer { ipv4-address | group-name | ipv6-address } as-path-filter { as-path-filter-number | as-path-filter-name } import command.

      • To filter routes based on a route-policy, run the peer { ipv4-address | group-name | ipv6-address } route-policy route-policy-name import command.

      The routing policy applied in the peer route-policy import command cannot use a specific interface as a matching rule. That is, the routing policy does not support the if-match interface command.

      If the number of routes received by the local device exceeds the upper limit and the peer route-limit command is used for the first time, the local device and its peer reestablish the peer relationship, regardless of whether alert-only is set.

    5. (Optional) Run peer { group-name | ipv4-address | ipv6-address } route-limit limit [ percentage ] [ alert-only | idle-forever | idle-timeout times ]

      The maximum number of routes that can be received from the peer or peer group is set.
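
The per-peer procedure above, as an added configuration example that is not part of the original page. The AS numbers (65001, 65002), peer address 192.0.2.2, prefix-list name CUST-IN, and the limit values are constructed. The ip ip-prefix, peer as-number, and peer enable commands do not appear on this page and are assumed to be available on the device as standard VRP commands.

```text
# Constructed example. Lines starting with "#" are annotations, not commands.

# Step 1: enter the system view.
system-view

# Assumed helper command (not on this page): define the prefix list that
# the import filter references. Only 203.0.113.0/24 is permitted.
ip ip-prefix CUST-IN index 10 permit 203.0.113.0 24

# Step 2: enter the BGP view (local AS 65001 is a constructed value).
bgp 65001

 # Assumed: the peer is declared before a filter is attached to it.
 peer 192.0.2.2 as-number 65002

 # Step 3: enter the IPv4 unicast address family view.
 ipv4-family unicast
  peer 192.0.2.2 enable

  # Step 4: filter routes received from this peer by IP prefix list.
  peer 192.0.2.2 ip-prefix CUST-IN import

  # Step 5 (optional): cap the routes accepted from this peer.
  # 100 is the limit argument, 80 is the optional percentage argument,
  # and alert-only is one of the three optional actions in the syntax.
  peer 192.0.2.2 route-limit 100 80 alert-only
```

With this filter in place, a route from 192.0.2.2 that matches no entry in CUST-IN is rejected, so the prefix list acts as an allowlist and the route limit bounds what can still get through if the list is later widened.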

Copyright © Huawei Technologies Co., Ltd.