Controlling the Acceptance of BGP Routing Information

After an import policy is configured, only the routes that match the import policy can be accepted.

Procedure

  • Configure BGP to receive routes from all its peers or peer groups.

    You can configure a BGP device to filter routes to be received.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family unicast

      The IPv4 unicast address family view is displayed.

    4. Perform either of the following operations to configure the BGP device to filter the routes received from all its peers or peer groups:

      • To filter routes based on a basic ACL, perform the following steps:
        1. Run filter-policy { acl-number | acl-name acl-name } import

          The received routes are filtered based on an ACL.

        2. Run quit

          Return to the BGP view.

        3. Run quit

          Return to the system view.

        4. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

          The basic ACL view is displayed.

        5. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *

          A rule is configured for the basic ACL.

          When the rule command is run to configure rules for a named ACL, only the source address range specified by source and the time period specified by time-range are valid as the rules.

          When a filtering policy of a routing protocol is used to filter routes:
          • If the action specified in an ACL rule is permit, a route that matches the rule will be received or advertised by the system.

          • If the action specified in an ACL rule is deny, a route that matches the rule will not be received or advertised by the system.

          • If a route has not matched any ACL rules, the route will not be received or advertised by the system.

          • If an ACL does not contain any rules, all routes matching the route-policy that references the ACL will not be received or advertised by the system.

          • In the configuration order, the system first matches a route with a rule that has a smaller number and then matches the route with a rule with a larger number. Routes can be filtered using a blacklist or a whitelist:

            Route filtering using a blacklist: Configure a rule with a smaller number and specify the action deny in this rule to filter out the unwanted routes. Then, configure another rule with a larger number in the same ACL and specify the action permit in this rule to receive or advertise the other routes.

            Route filtering using a whitelist: Configure a rule with a smaller number and specify the action permit in this rule to permit the routes to be received or advertised by the system. Then, configure another rule with a larger number in the same ACL and specify the action deny in this rule to filter out unwanted routes.

      • To filter routes based on an IP prefix list, run the filter-policy ip-prefix ip-prefix-name import command.

      If an ACL has been referenced in the filter-policy command but no VPN instance is specified in the ACL rule, BGP will filter routes including public and private network routes in all address families. If a VPN instance is specified in the ACL rule, only the data traffic from the VPN instance will be filtered, and no route of this VPN instance will be filtered.

    5. Run commit

      The configuration is committed.

  • Configure a BGP device to receive routes from a specific peer or peer group.
    1. Run system-view

      The system view is displayed.

    2. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Run ipv4-family unicast

      The IPv4 unicast address family view is displayed.

    4. Perform any of the following configurations to configure the BGP device to filter the routes received from a specific peer or peer group:

      • To filter routes based on a basic ACL, perform the following steps:
        1. Run peer { ipv4-address | group-name } filter-policy { acl-number | acl-name acl-name } import

          The routes received from the specified peer or peer group are filtered based on an ACL.

        2. Run quit

          Return to the BGP view.

        3. Run quit

          Return to the system view.

        4. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

          The ACL view is displayed.

        5. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *

          A rule is configured for the ACL.

          When the rule command is run to configure rules for a named ACL, only the source address range specified by source and the time period specified by time-range are valid as the rules.

          When a filtering policy of a routing protocol is used to filter routes:
          • If the action specified in an ACL rule is permit, a route that matches the rule will be received or advertised by the system.

          • If the action specified in an ACL rule is deny, a route that matches the rule will not be received or advertised by the system.

          • If a route has not matched any ACL rules, the route will not be received or advertised by the system.

          • If an ACL does not contain any rules, all routes matching the route-policy that references the ACL will not be received or advertised by the system.

          • In the configuration order, the system first matches a route with a rule that has a smaller number and then matches the route with a rule with a larger number. Routes can be filtered using a blacklist or a whitelist:

            Route filtering using a blacklist: Configure a rule with a smaller number and specify the action deny in this rule to filter out the unwanted routes. Then, configure another rule with a larger number in the same ACL and specify the action permit in this rule to receive or advertise the other routes.

            Route filtering using a whitelist: Configure a rule with a smaller number and specify the action permit in this rule to permit the routes to be received or advertised by the system. Then, configure another rule with a larger number in the same ACL and specify the action deny in this rule to filter out unwanted routes.

      • To filter routes based on an IP prefix list, run the peer { ipv4-address | group-name } ip-prefix ip-prefix-name import command.

      • To filter routes based on an AS_Path filter, run the peer { ipv4-address | group-name } as-path-filter { number | name } import command.

      • To filter routes based on a route-policy, run the peer { ipv4-address | group-name } route-policy route-policy-name import command.

      A route-policy specified in the peer route-policy import command does not support the use of an interface as a matching condition, meaning the if-match interface command cannot be run in the route-policy view.

      A peer group member can use an import routing policy different from that used by the peer group. Specifically, each member in the peer group can use a different policy when accepting routes.

    5. Run commit

      The configuration is committed.
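The ACL matching semantics described in both procedures above (first match by rule number, implicit rejection when no rule matches, rejection of everything when the ACL is empty, and the blacklist versus whitelist layouts) are modelled here as an added example; it is not code from the Huawei documentation. The two ACLs are constructed for illustration in the rule syntax shown above, and the route's network address is matched against the rule's source field, as the page indicates for basic ACLs.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed ACLs in the "rule ... source ..." syntax used above (not from the page).
WHITELIST_ACL = """
rule 5 permit source 10.1.0.0 0.0.255.255
rule 10 permit source 192.168.10.0 0.0.0.255
rule 15 deny source any
"""
BLACKLIST_ACL = """
rule 5 deny source 10.1.1.0 0.0.0.255
rule 10 permit source any
"""

@dataclass
class Rule:
    rule_id: int
    action: str     # "permit" or "deny"
    network: int    # source address from the rule, as a 32-bit int
    wildcard: int   # wildcard bits: 1 = bit is ignored, 0 = bit must match

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(any|(\S+)\s+(\S+))$")

def parse_acl(text: str) -> list:
    """Parse rule lines into Rule objects sorted by rule number (match-order config)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        if m.group(3) == "any":
            net, wc = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(m.group(4)))
            # "0" is the page's shorthand for a host match (no wildcard bits)
            wc = 0 if m.group(5) == "0" else int(ipaddress.IPv4Address(m.group(5)))
        rules.append(Rule(int(m.group(1)), m.group(2), net, wc))
    return sorted(rules, key=lambda r: r.rule_id)

def route_accepted(rules: list, prefix: str) -> bool:
    """Apply the page's semantics: the first matching rule by number decides;
    no match, or an ACL with no rules at all, means the route is rejected."""
    addr = int(ipaddress.IPv4Network(prefix).network_address)
    for r in rules:
        care = ~r.wildcard & 0xFFFFFFFF  # bits that must match exactly
        if (addr & care) == (r.network & care):
            return r.action == "permit"
    return False
```

Running the whitelist and blacklist ACLs against the same routes shows why the rule order matters: a permit-any rule numbered below a deny rule would make the deny unreachable.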

  • Limit the number of the routes received from a peer.

    When a router running BGP is attacked or a network configuration error occurs, it may receive a large number of routes from its peers and consume a large amount of resources. The administrator must therefore limit resource consumption based on network planning and the capacity of the router. BGP provides peer-based route control to limit the number of routes accepted from a peer.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family unicast

      The IPv4 unicast address family view is displayed.

    4. Run peer { group-name | ipv4-address } route-limit limit [ percentage ] [ alert-only | idle-forever | idle-timeout minutes ]

      The maximum number of routes that the device is allowed to accept from the specified peer or peer group is set.

      The command limits the number of received routes on a per-peer basis. You can configure the following parameters as required to control how BGP behaves after the number of routes received from a peer exceeds the threshold.

      • alert-only: The peer relationship is kept. No route is received after the number of received routes exceeds the threshold, and an alarm is generated and recorded in the log.

      • idle-forever: The peer relationship is interrupted. The router does not retry setting up a connection. An alarm is generated and recorded in the log. In this case, the display bgp peer [ verbose ] command shows the peer status as Idle. To restore the BGP connection, run the reset bgp command.

      • idle-timeout: The peer relationship is interrupted. The router retries setting up a connection after the timer expires. An alarm is generated and recorded in the log. In this case, the display bgp peer [ verbose ] command shows the peer status as Idle. To restore the BGP connection before the timer expires, run the reset bgp command.

      • If none of the preceding parameters is set, the peer relationship is disconnected. The router retries setting up a connection after 30 seconds. An alarm is generated and recorded in the log.

      If the number of routes received by the local router exceeds the upper limit and the peer route-limit command is used for the first time, the local router and its peer reestablish the peer relationship, regardless of whether alert-only is set.

    5. Run commit

      The configuration is committed.

Copyright © Huawei Technologies Co., Ltd.