Routing Policy Enforcement
External BGP (eBGP) neighbors must have an inbound and outbound policy configured. If no policy is
configured, no routes are accepted from the neighbor, nor are any routes advertised to it. This added security
measure ensures that routes cannot accidentally be accepted or advertised in the case of a configuration
omission error.
This enforcement affects only eBGP neighbors (neighbors in a different autonomous system than this
router). For internal BGP (iBGP) neighbors (neighbors in the same autonomous system), all routes are
accepted or advertised if there is no policy.
Note
In the following example, for an eBGP neighbor, if all routes should be accepted and advertised with no
modifications, a simple pass-all policy is configured:
RP/0/RSP0/CPU0:router(config)# route-policy pass-all
RP/0/RSP0/CPU0:router(config-rpl)# pass
RP/0/RSP0/CPU0:router(config-rpl)# end-policy
RP/0/RSP0/CPU0:router(config)# commit
Use the route-policy (BGP) command in the neighbor address-family configuration mode to apply the pass-all
policy to a neighbor. The following example shows how to allow all IPv4 unicast routes to be received from
neighbor 192.168.40.42 and advertise all IPv4 unicast routes back to it:
RP/0/RSP0/CPU0:router(config)# router bgp 1
RP/0/RSP0/CPU0:router(config-bgp)# neighbor 192.168.40.24
RP/0/RSP0/CPU0:router(config-bgp-nbr)# remote-as 21
RP/0/RSP0/CPU0:router(config-bgp-nbr)# address-family ipv4 unicast
RP/0/RSP0/CPU0:router(config-bgp-nbr-af)# route-policy pass-all in
RP/0/RSP0/CPU0:router(config-bgp-nbr-af)# route-policy pass-all out
RP/0/RSP0/CPU0:router(config-bgp-nbr-af)# commit
Use the show bgp summary command to display eBGP neighbors that do not have both an inbound and
outbound policy for every active address family. In the following example, such eBGP neighbors are indicated
in the output with an exclamation (!) mark:
RP/0/RSP0/CPU0:router# show bgp all all summary
Address Family: IPv4 Unicast
============================
BGP router identifier 10.0.0.1, local AS number 1
BGP generic scan interval 60 secs
BGP main routing table version 41
BGP scan interval 60 secs
BGP is operating in STANDALONE mode.
Process RecvTblVer bRIB/RIB SendTblVer
Speaker 41 41 41
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
10.0.101.1 0 1 919 925 41 0 0 15:15:08 10
10.0.101.2 0 2 0 0 0 0 0 00:00:00 Idle
Address Family: IPv4 Multicast
==============================
BGP router identifier 10.0.0.1, local AS number 1
BGP generic scan interval 60 secs
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
30
Implementing BGP
Routing Policy Enforcement
To Next Page
Loading...
Need help?
General
