Configuring ebgp-requires-policy


Users can use the command set protocols bgp [vrf <vrf-name>] ebgp-requires-policy <true | false> to determine whether EBGP exchanges routes with peers only when a policy is applied. Setting it to true requires a filter (a filter-list, prefix-list or route-map) to be defined for every eBGP session.

Consider creating appropriate route maps and applying them rather than disabling the policy check. As a best practice, using policies is the more secure behavior and prevents unintended routes from being exchanged. The ebgp-requires-policy function is enabled by default.

With this command enabled, EBGP will not exchange routes with a neighbor unless a route map that matches and permits the routes is configured on the neighbor's address-family entry, both inbound and outbound. That is, without an incoming filter no routes are accepted, and without an outgoing filter no routes are announced.

The following commands configure a BGP route policy "rm1" and enable ebgp-requires-policy so that routes received from neighbor 192.168.170.1 are filtered by this policy. Because only an inbound route map is applied here, routes will not be announced to that neighbor until an outbound policy is configured as well.

admin@Xorplus# set routing prefix-list ipv4-family plist1 permit prefix 13.13.13.0/24
admin@Xorplus# set routing route-map rm1 order 1 matching-policy permit
admin@Xorplus# set routing route-map rm1 order 1 match ipv4-addr address prefix-list plist1
admin@Xorplus# set protocols bgp neighbor 192.168.170.1 ipv4-unicast in route-map rm1
admin@Xorplus# set protocols bgp ebgp-requires-policy true
admin@Xorplus# commit


NOTE:

If you do not want to control route exchange with BGP policies, you must disable this feature manually; otherwise routes will not be exchanged properly.

When ebgp-requires-policy is enabled but the incoming or outgoing filter is missing, incoming routes are discarded and outgoing routes are not advertised.

Additionally, the output of run show bgp neighbor indicates, in the For address family: section, that updates were discarded due to a missing policy, as shown below:

admin@Xorplus# run show bgp neighbor
...
For address family: IPv4 Unicast
  Update group 1, subgroup 1
  Packet Queue length 0
  Community attribute sent to this neighbor(all)
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes
...
For address family: IPv6 Unicast
  Update group 2, subgroup 2
  Packet Queue length 0
  Community attribute sent to this neighbor(all)
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes
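The discard lines above are a convenient audit signal: a small parser can scan the show bgp neighbor output and report which address families still lack an inbound or outbound policy. This is an added example, not Pica8 code; the sample output is constructed from the page's format, and the IPv6 block is assumed to already have policies in both directions.

```python
import re

# Constructed sample modelled on the page's "show bgp neighbor" output; the IPv6
# block is assumed to have policies in both directions, so no "discarded" lines.
SAMPLE_OUTPUT = """\
For address family: IPv4 Unicast
  Update group 1, subgroup 1
  Packet Queue length 0
  Community attribute sent to this neighbor(all)
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes
For address family: IPv6 Unicast
  Update group 2, subgroup 2
  Packet Queue length 0
  Community attribute sent to this neighbor(all)
  12 accepted prefixes
"""

AF_HEADER = re.compile(r"^For address family:\s*(.+?)\s*$")
ACCEPTED = re.compile(r"^\s*(\d+) accepted prefixes")


def audit_missing_policy(show_output):
    """Parse 'show bgp neighbor' text into
    {address_family: {inbound_missing, outbound_missing, accepted_prefixes}}."""
    result, current = {}, None
    for line in show_output.splitlines():
        m = AF_HEADER.match(line)
        if m:  # start of a new "For address family:" section
            current = m.group(1)
            result[current] = {"inbound_missing": False,
                               "outbound_missing": False, "accepted_prefixes": 0}
            continue
        if current is None:
            continue  # lines before the first address-family section
        text = line.strip()
        if text == "Inbound updates discarded due to missing policy":
            result[current]["inbound_missing"] = True
        elif text == "Outbound updates discarded due to missing policy":
            result[current]["outbound_missing"] = True
        elif ACCEPTED.match(line):
            result[current]["accepted_prefixes"] = int(ACCEPTED.match(line).group(1))
    return result


def families_needing_policy(show_output):
    """Address families where at least one direction still lacks a policy."""
    return sorted(af for af, st in audit_missing_policy(show_output).items()
                  if st["inbound_missing"] or st["outbound_missing"])
```

Run audit_missing_policy over the captured output of each neighbor to list the sessions that still need a route map before they will exchange routes.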

Copyright © 2024 Pica8 Inc. All Rights Reserved.