BGPQ3(8)                  BSD System Manager's Manual                 BGPQ3(8)

NAME

     bgpq3 — BGP filtering automation for Cisco and Juniper routers

SYNOPSIS

     bgpq3 [-h host[:port]] [-S sources] [-EPz] [-f asn | -F fmt | -G asn -t]
           [-2346ABbDdJjNnsXU] [-a asn] [-r len] [-R len] [-m max] [-W len]
           OBJECTS [...] [EXCEPT OBJECTS]

DESCRIPTION

     The bgpq3 utility is used to generate Cisco and Juniper prefix-lists,
     extended access-lists, policy-statement terms and as-path lists based on
     RADB data.

     The options are as follows:

     -2      accept routes registered for as23456 (transition-as) (default:
             false).

     -3      assume that your device is asn32-safe.

     -4      generate IPv4 prefix/access-lists (default).

     -6      generate IPv6 prefix/access-lists (IPv4 by default).

     -A      try to aggregate prefix-lists as much as possible (not all output
             formats supported).

     -a asn  specify what asn shall be denied in case of empty prefix-list
             (OpenBGPD).

     -B      generate output in OpenBGPD format (default: Cisco).

     -b      generate output in BIRD format (default: Cisco).

     -d      enable some debugging output.

     -D      use asdot notation for Cisco as-path access-lists.

     -E      generate extended access-list (Cisco), policy-statement term
             using route-filters (Juniper), [ip|ipv6]-prefix-list (Nokia) or
             prefix-sets (OpenBGPD).

     -f number
             generate input as-path access-list.

     -F fmt  generate output in user-defined format.

     -G number
             generate output as-path access-list.

     -h host[:port]
             host running IRRD database (default: whois.radb.net).

     -J      generate config for Juniper (default: Cisco).

     -j      generate output in JSON format (default: Cisco).

     -l name
             name of generated entry.

     -L limit
             limit recursion depth when expanding as-sets.

     -m len  maximum prefix-length of accepted prefixes (default: 32 for IPv4
             and 128 for IPv6).

     -M match
             extra match conditions for Juniper route-filters.

     -n      generate config for Nokia SR OS MD-CLI (Cisco IOS by default).

     -N      generate config for Nokia SR OS classic CLI (Cisco IOS by
             default).

     -p      accept routes registered for private ASNs (default: disabled).

     -P      generate prefix-list (default, backward compatibility).

     -r len  allow more specific routes starting with specified masklen too.

     -R len  allow more specific routes up to specified masklen too.

     -s      generate sequence numbers in IOS-style prefix-lists.

     -S sources
             use specified sources only (recommended: RADB,RIPE,APNIC).

     -t      generate as-sets for OpenBGPD (OpenBSD 6.4+), BIRD and JSON
             formats.

     -T      disable pipelining.

     -W len  generate as-path strings of no more than len items (use 0 for
             infinity).

     -U      generate config for Huawei devices (Cisco IOS by default).

     -X      generate config for Cisco IOS XR devices (plain IOS by default).

     -z      generate route-filter-lists (JunOS 16.2+).

     OBJECTS
             means networks (in prefix format), autonomous systems, as-sets
             and route-sets.

     EXCEPT OBJECTS
             those objects will be excluded from expansion.

EXAMPLES

     Generating a named Juniper prefix-filter for AS20597:
     ~>bgpq3 -Jl eltel AS20597
     policy-options {
     replace:
      prefix-list eltel {
         81.9.0.0/20;
         81.9.32.0/20;
         81.9.96.0/20;
         81.222.128.0/20;
         81.222.192.0/18;
         85.249.8.0/21;
         85.249.224.0/19;
         89.112.0.0/19;
         89.112.4.0/22;
         89.112.32.0/19;
         89.112.64.0/19;
         217.170.64.0/20;
         217.170.80.0/20;
      }
     }

     For Cisco we can use the aggregation (-A) flag to make this prefix-filter
     more compact:
     ~>bgpq3 -Al eltel AS20597
     no ip prefix-list eltel
     ip prefix-list eltel permit 81.9.0.0/20
     ip prefix-list eltel permit 81.9.32.0/20
     ip prefix-list eltel permit 81.9.96.0/20
     ip prefix-list eltel permit 81.222.128.0/20
     ip prefix-list eltel permit 81.222.192.0/18
     ip prefix-list eltel permit 85.249.8.0/21
     ip prefix-list eltel permit 85.249.224.0/19
     ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
     ip prefix-list eltel permit 89.112.4.0/22
     ip prefix-list eltel permit 89.112.64.0/19
     ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20
     As you can see, prefixes 89.112.0.0/19 and 89.112.32.0/19 are now
     aggregated into the single entry 89.112.0.0/18 ge 19 le 19.

     Well, for Juniper we can generate even more interesting policy-options,
     using -M <extra match conditions>, -R <len> and hierarchical names:
     ~>bgpq3 -AJEl eltel/specifics -r 29 -R 32 -M "community blackhole" AS20597
     policy-options {
      policy-statement eltel {
       term specifics {
     replace:
        from {
         community blackhole;
         route-filter 81.9.0.0/20 prefix-length-range /29-/32;
         route-filter 81.9.32.0/20 prefix-length-range /29-/32;
         route-filter 81.9.96.0/20 prefix-length-range /29-/32;
         route-filter 81.222.128.0/20 prefix-length-range /29-/32;
         route-filter 81.222.192.0/18 prefix-length-range /29-/32;
         route-filter 85.249.8.0/21 prefix-length-range /29-/32;
         route-filter 85.249.224.0/19 prefix-length-range /29-/32;
         route-filter 89.112.0.0/17 prefix-length-range /29-/32;
         route-filter 217.170.64.0/19 prefix-length-range /29-/32;
        }
       }
      }
     }
     The generated policy-options term now allows all specifics with
     prefix-length between /29 and /32 for eltel networks if they match the
     special community blackhole (defined elsewhere in the configuration).

     Of course, this version supports IPv6 (-6):
     ~>bgpq3 -6l as-retn-6 AS-RETN6
     no ipv6 prefix-list as-retn-6
     ipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48
     ipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48
     [....]

     Support for ASN32 is also here:
     ~>bgpq3 -J3f 112 AS-SPACENET
     policy-options {
     replace:
      as-path-group NN {
       as-path a0 "^112(112)*$";
       as-path a1 "^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$";
       as-path a2 "^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$";
       as-path a3 "^112(.)*(35052|41720|43628|44450|196611)$";
      }
     }
     See AS196611 at the end of the list? That is AS3.3 written in 'asplain'
     notation.

     For routers that are not ASN32-capable you should not use the -3 switch,
     and the result will be as follows:
     ~>bgpq3 -f 112 AS-SPACENET
     no ip as-path access-list NN
     ip as-path access-list NN permit ^112(_112)*$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(1898|5539|8495|8763)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(8878|12136|12931|15909)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(21358|23456|23600|24151)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(25152|31529|34127|34906)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(35052|41720|43628|44450)$

     AS196611 is no longer in the list; however, AS23456 (transition AS) would
     have been added to the list if it were not already present.

USER-DEFINED FORMAT

     If you want to generate configuration not for routers but for some other
     programs or systems, you may use user-defined formatting, as in the
     example below:
     user@host:~>bgpq3 -F "ipfw add pass all from %n/%l to any\n" as3254
     ipfw add pass all from 62.244.0.0/18 to any
     ipfw add pass all from 91.219.29.0/24 to any
     ipfw add pass all from 91.219.30.0/24 to any
     ipfw add pass all from 193.193.192.0/19 to any

     Recognized format characters: %n - network, %l - mask length, %N - object
     name, %m - object mask and %i - inverse mask.  Recognized escape
     characters: \n - new line, \t - tabulation.  Please note that no new
     lines are inserted automatically after each sentence; you have to add
     them to the format string manually, otherwise the output will be on one
     line (sometimes this makes sense):
     user@host:~>bgpq3 -6F "%n/%l; " as-eltel
     2001:1b00::/32; 2620:4f:8000::/48; 2a04:bac0::/29; 2a05:3a80::/48;

DIAGNOSTICS

     When everything is OK, bgpq3 generates the access-list on standard output
     and exits with status 0.  In case of errors, they are printed to stderr
     and the program exits with a non-zero status.
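
     The exit status described above is what an unattended filter update
     should key on. The wrapper below is an added example, not part of bgpq3:
     it replaces a deployed IOS prefix-list file only when bgpq3 succeeded and
     the result still looks sane. BGPQ3_CMD, refresh_prefix_list, the file
     path and the 50% shrink threshold are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of bgpq3. BGPQ3_CMD (override for testing) and the
# shrink threshold are assumptions; ' permit ' matching is IOS-format only.
: "${BGPQ3_CMD:=bgpq3}"

# refresh_prefix_list DEST NAME OBJECT...
# Regenerate an aggregated IOS prefix-list and replace DEST only when the
# result can be trusted. Returns:
#   0  DEST replaced
#   1  bgpq3 exited non-zero (output discarded)
#   2  output contains no permit entries
#   3  permit count fell below half of the deployed list
refresh_prefix_list() {
    rpl_dest=$1 rpl_name=$2
    shift 2
    rpl_tmp=$(mktemp "${rpl_dest}.XXXXXX") || return 1

    # DIAGNOSTICS: errors go to stderr and the exit status is non-zero.
    # Anything already written to stdout may be partial, so drop it.
    if ! $BGPQ3_CMD -A -l "$rpl_name" "$@" >"$rpl_tmp"; then
        rm -f "$rpl_tmp"
        return 1
    fi

    # A successful run can still expand to nothing (for example an as-set
    # whose members were removed); never deploy a list without permits.
    rpl_new=$(grep -c ' permit ' "$rpl_tmp" || true)
    if [ "$rpl_new" -eq 0 ]; then
        rm -f "$rpl_tmp"
        return 2
    fi

    # Guard against a sudden collapse of the registered prefix set.
    if [ -f "$rpl_dest" ]; then
        rpl_old=$(grep -c ' permit ' "$rpl_dest" || true)
        if [ $((rpl_new * 2)) -lt "$rpl_old" ]; then
            rm -f "$rpl_tmp"
            return 3
        fi
    fi

    # rename(2) within one directory is atomic: readers see old or new.
    mv "$rpl_tmp" "$rpl_dest"
}

# Usage (hypothetical path): refresh_prefix_list ./eltel.ios eltel AS20597
```

     A non-zero return leaves the previously deployed file untouched, so the
     caller can alert on it instead of pushing a broken filter.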

SEE ALSO

     http://www.radb.net/ Routing Arbiter project
     http://tools.ietf.org/html/draft-michaelson-4byte-as-representation-05
     for information on 'asdot' and 'asplain' notations.
     http://www.cisco.com/en/US/docs/ios/12_0s/release/ntes/120SNEWF.html#wp3521658
     for information on Cisco implementation of ASN32.

AUTHOR

     Alexandre Snarskii <snar@snar.spb.ru>

BSD                              Oct 27, 2008                              BSD