BGPQ3(8)                  BSD System Manager's Manual                 BGPQ3(8)

NAME

     bgpq3 — bgp filtering automation tool

SYNOPSIS

     bgpq3 [-h host[:port]] [-S sources] [-EPz] [-f asn | -F fmt | -G asn -t]
           [-2346ABbDdJjNnsXU] [-a asn] [-r len] [-R len] [-m max] [-W len]
           OBJECTS [...] [EXCEPT OBJECTS]

DESCRIPTION

     The bgpq3 utility is used to generate configurations (prefix-lists,
     extended access-lists, policy-statement terms and as-path lists) based on
     RADB data.

     The options are as follows:

     -2      accept routes registered for as23456 (transition-as) (default:
             false).

     -3      assume that your device is asn32-safe.

     -4      generate IPv4 prefix/access-lists (default).

     -6      generate IPv6 prefix/access-lists (IPv4 by default).

     -A      try to aggregate prefix-lists as much as possible (not all output
             formats supported).

     -a asn  specify what asn shall be denied in case of empty prefix-list
             (OpenBGPD).

     -B      generate output in OpenBGPD format (default: Cisco).

     -b      generate output in BIRD format (default: Cisco).

     -d      enable some debugging output.

     -D      use asdot notation for Cisco as-path access-lists.

     -E      generate extended access-list (Cisco), policy-statement term
             using route-filters (Juniper), [ip|ipv6]-prefix-list (Nokia) or
             prefix-sets (OpenBGPd).

     -f number
             generate input as-path access-list (use 0 to not enforce first
             AS).

     -F fmt  generate output in user-defined format.

     -G number
             generate output as-path access-list.

     -h host[:port]
             host running IRRD database (default: whois.radb.net).

     -J      generate config for Juniper (default: Cisco).

     -j      generate output in JSON format (default: Cisco).

     -l name
             name of generated entry.

     -L limit
             limit recursion depth when expanding as-sets.

     -m len  maximum prefix-length of accepted prefixes (default: 32 for IPv4
             and 128 for IPv6).

     -M match
             extra match conditions for Juniper route-filters.

     -n      generate config for Nokia SR OS MD-CLI (Cisco IOS by default).

     -N      generate config for Nokia SR OS classic CLI (Cisco IOS by
             default).

     -p      accept routes registered for private ASNs (default: disabled).

     -P      generate prefix-list (default, backward compatibility).

     -r len  allow more specific routes starting with specified masklen too.

     -R len  allow more specific routes up to specified masklen too.

     -s      generate sequence numbers in IOS-style prefix-lists.

     -S sources
             use specified sources only (recommended: RADB,RIPE,APNIC).

     -t      generate as-sets for OpenBGPD (OpenBSD 6.4+), BIRD and JSON
             formats.

     -T      disable pipelining.

     -W len  generate as-path strings of no more than len items (use 0 for
             infinity).

     -U      generate config for Huawei devices (Cisco IOS by default).

     -X      generate config for Cisco IOS XR devices (plain IOS by default).

     -z      generate route-filter-lists (JunOS 16.2+).

     OBJECTS
             means networks (in prefix format), autonomous systems, as-sets
             and route-sets.

     EXCEPT OBJECTS
             those objects will be excluded from expansion.

EXAMPLES

     Generating a named Juniper prefix-filter for AS20597:
     ~>bgpq3 -Jl eltel AS20597
     policy-options {
     replace:
      prefix-list eltel {
         81.9.0.0/20;
         81.9.32.0/20;
         81.9.96.0/20;
         81.222.128.0/20;
         81.222.192.0/18;
         85.249.8.0/21;
         85.249.224.0/19;
         89.112.0.0/19;
         89.112.4.0/22;
         89.112.32.0/19;
         89.112.64.0/19;
         217.170.64.0/20;
         217.170.80.0/20;
      }
     }

     For Cisco we can use the aggregation (-A) flag to make this prefix-filter
     more compact:
     ~>bgpq3 -Al eltel AS20597
     no ip prefix-list eltel
     ip prefix-list eltel permit 81.9.0.0/20
     ip prefix-list eltel permit 81.9.32.0/20
     ip prefix-list eltel permit 81.9.96.0/20
     ip prefix-list eltel permit 81.222.128.0/20
     ip prefix-list eltel permit 81.222.192.0/18
     ip prefix-list eltel permit 85.249.8.0/21
     ip prefix-list eltel permit 85.249.224.0/19
     ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
     ip prefix-list eltel permit 89.112.4.0/22
     ip prefix-list eltel permit 89.112.64.0/19
     ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20
     As you can see, prefixes 89.112.0.0/19 and 89.112.32.0/19 are now
     aggregated into the single entry 89.112.0.0/18 ge 19 le 19.

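The ge/le semantics of the aggregated entries above, as an added example (not part of bgpq3 or of the original manual): a shell function that reports whether an IPv4 route is accepted by a Cisco-style prefix-list, which makes it possible to confirm that the -A output still permits the routes of the unaggregated list and nothing shorter or longer. The names permits and sample_list are hypothetical; the sample entries are copied from the output above.

```shell
#!/bin/sh
# Added example (not part of bgpq3). The names permits and sample_list are
# hypothetical. Handles IPv4 "ip prefix-list NAME permit ..." lines without
# sequence numbers (i.e. output generated without -s).

# Aggregated entries copied from the "bgpq3 -Al eltel AS20597" output above.
sample_list() {
    cat <<'EOF'
no ip prefix-list eltel
ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
ip prefix-list eltel permit 89.112.4.0/22
ip prefix-list eltel permit 89.112.64.0/19
ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20
EOF
}

# usage: permits ROUTE < prefix-list
# Prints the first entry that permits ROUTE; returns 1 if none does.
permits() {
    awk -v route="$1" '
    function ip2int(s,   o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Leading len bits of address a, i.e. its network part under /len.
    function net(a, len) { return int(a / 2 ^ (32 - len)) }
    BEGIN { split(route, r, "/"); raddr = ip2int(r[1]); rlen = r[2] + 0 }
    $1 == "ip" && $2 == "prefix-list" && $4 == "permit" {
        split($5, p, "/"); plen = p[2] + 0
        ge = plen; le = plen; hasge = 0; hasle = 0
        for (i = 6; i < NF; i += 2) {
            if ($i == "ge") { ge = $(i + 1) + 0; hasge = 1 }
            if ($i == "le") { le = $(i + 1) + 0; hasle = 1 }
        }
        if (hasge && !hasle) le = 32     # "ge N" alone: lengths N..32
        if (hasle && !hasge) ge = plen   # "le N" alone: lengths len..N
        if (rlen >= ge && rlen <= le &&
            net(raddr, plen) == net(ip2int(p[1]), plen)) {
            print; found = 1; exit
        }
    }
    END { exit (found ? 0 : 1) }'
}
```

Running `sample_list | permits 89.112.32.0/19` prints the aggregated /18 entry, while the covering route 89.112.0.0/18 itself is rejected because its length falls outside ge 19 le 19.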
     For Juniper we can generate even more interesting policy-options, using
     -M <extra match conditions>, -R <len> and hierarchical names:
     ~>bgpq3 -AJEl eltel/specifics -r 29 -R 32 -M "community blackhole" AS20597
     policy-options {
      policy-statement eltel {
       term specifics {
     replace:
        from {
         community blackhole;
         route-filter 81.9.0.0/20 prefix-length-range /29-/32;
         route-filter 81.9.32.0/20 prefix-length-range /29-/32;
         route-filter 81.9.96.0/20 prefix-length-range /29-/32;
         route-filter 81.222.128.0/20 prefix-length-range /29-/32;
         route-filter 81.222.192.0/18 prefix-length-range /29-/32;
         route-filter 85.249.8.0/21 prefix-length-range /29-/32;
         route-filter 85.249.224.0/19 prefix-length-range /29-/32;
         route-filter 89.112.0.0/17 prefix-length-range /29-/32;
         route-filter 217.170.64.0/19 prefix-length-range /29-/32;
        }
       }
      }
     }
     The generated policy-option term now allows all specifics with
     prefix-length between /29 and /32 for eltel networks if they match the
     special community blackhole (defined elsewhere in the configuration).

     Of course, this version supports IPv6 (-6):
     ~>bgpq3 -6l as-retn-6 AS-RETN6
     no ipv6 prefix-list as-retn-6
     ipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48
     ipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48
     [....]
     Support for ASN32 is also here:
     ~>bgpq3 -J3f 112 AS-SPACENET
     policy-options {
     replace:
      as-path-group NN {
       as-path a0 "^112(112)*$";
       as-path a1 "^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$";
       as-path a2 "^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$";
       as-path a3 "^112(.)*(35052|41720|43628|44450|196611)$";
      }
     }
     See AS196611 at the end of the list? That is AS3.3 written in 'asplain'
     notation.

     For non-ASN32 capable routers you should not use the -3 switch, and the
     result will be as follows:
     ~>bgpq3 -f 112 AS-SPACENET
     no ip as-path access-list NN
     ip as-path access-list NN permit ^112(_112)*$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(1898|5539|8495|8763)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(8878|12136|12931|15909)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(21358|23456|23600|24151)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(25152|31529|34127|34906)$
     ip as-path access-list NN permit ^112(_[0-9]+)*_(35052|41720|43628|44450)$

     AS196611 is no longer in the list; however, AS23456 (transition AS) would
     be added to the list if it were not present.

USER-DEFINED FORMAT

     If you want to generate configuration not for routers but for some other
     programs or systems, you may use user-defined formatting, as in the
     example below:
     user@host:~>bgpq3 -F "ipfw add pass all from %n/%l to any\n" as3254
     ipfw add pass all from 62.244.0.0/18 to any
     ipfw add pass all from 91.219.29.0/24 to any
     ipfw add pass all from 91.219.30.0/24 to any
     ipfw add pass all from 193.193.192.0/19 to any

     Recognized format characters: %n - network, %l - mask length, %N - object
     name, %m - object mask and %i - inverse mask.  Recognized escape
     characters: \n - new line, \t - tabulation.  Please note that no new
     lines are inserted automatically after each sentence; you have to add
     them to the format string manually, otherwise the output will be on one
     line (sometimes it makes sense):
     user@host:~>bgpq3 -6F "%n/%l; " as-eltel
     2001:1b00::/32; 2620:4f:8000::/48; 2a04:bac0::/29; 2a05:3a80::/48;

DIAGNOSTICS

     When everything is OK, bgpq3 writes the generated access-list to standard
     output and exits with status 0.  Errors are printed to stderr and the
     program exits with a non-zero status.

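One way to act on the exit status described above when filters are regenerated unattended, as an added example (not part of bgpq3): a wrapper that installs new Cisco-style output only if the generator exited with status 0, the result contains enough permit entries, and the list has not shrunk by more than half. The function names, return codes and thresholds are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not part of bgpq3): install a freshly generated Cisco-style
# prefix-list only if the generator succeeded and the result looks sane.
#
# usage: safe_generate OUTFILE MIN_ENTRIES COMMAND [ARGS...]
#   e.g. safe_generate eltel.conf 1 bgpq3 -A -l eltel -S RADB,RIPE,APNIC AS20597
# Return codes (hypothetical, chosen for this example):
#   0 installed, 1 generator failed, 2 no temp file, 3 too few entries,
#   4 list shrank by more than half compared with the installed file.

count_permits() {
    # grep -c exits 1 on zero matches but still prints 0
    grep -c ' permit ' "$1" || true
}

safe_generate() {
    out=$1
    min=$2
    shift 2
    tmp=$(mktemp "${out}.XXXXXX") || return 2

    # DIAGNOSTICS: exit status 0 on success, errors on stderr otherwise.
    if ! "$@" >"$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Exit status 0 alone does not show how many prefixes were returned.
    new=$(count_permits "$tmp")
    if [ "$new" -lt "$min" ]; then
        echo "refusing $out: only $new permit entries" >&2
        rm -f "$tmp"
        return 3
    fi

    # Guard against a partial IRR answer silently narrowing the filter.
    if [ -f "$out" ]; then
        old=$(count_permits "$out")
        if [ $((new * 2)) -lt "$old" ]; then
            echo "refusing $out: $old -> $new permit entries" >&2
            rm -f "$tmp"
            return 4
        fi
    fi

    mv "$tmp" "$out"   # same directory, so the rename is atomic
}
```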

SEE ALSO

     http://www.radb.net/ Routing Arbiter project
     http://tools.ietf.org/html/draft-michaelson-4byte-as-representation-05
     for information on 'asdot' and 'asplain' notations.
     http://www.cisco.com/en/US/docs/ios/12_0s/release/ntes/120SNEWF.html#wp3521658
     for information on Cisco implementation of ASN32.

AUTHOR

     Alexandre Snarskii <snar@snar.spb.ru>

BSD                              Oct 27, 2008                              BSD