*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->OpenBSD man pages -> bgpd.conf (5)              



NAME    [Toc]    [Back]

     bgpd.conf - Border  Gateway  Protocol  daemon  configuration

DESCRIPTION    [Toc]    [Back]

     The  bgpd(8)  daemon  implements the Border Gateway Protocol
version 4 as
     described in RFC 1771.

SECTIONS    [Toc]    [Back]

     The bgpd.conf config file is divided  into  four  main  sections.

     Macros    [Toc]    [Back]
           User-defined  variables may be defined and used later,
           the configuration file.

     Global Configuration    [Toc]    [Back]
           Global settings for bgpd(8).

     Neighbors and Groups    [Toc]    [Back]
           bgpd(8)  establishes  sessions  with  neighbors.   The
neighbor definition
  and  properties are set in this section, as well
as grouping
           neighbors for the ease of configuration.

     Filter    [Toc]    [Back]
           Filter rules for incoming and outgoing UPDATES.

     With the exception of macros, the sections should be grouped
and appear
     in bgpd.conf in the order shown above.

MACROS    [Toc]    [Back]

     Much  like  cpp(1) or m4(1), macros can be defined that will
later be expanded
 in context.  Macro names must start  with  a  letter,
and may contain
     letters, digits and underscores.  Macro names may not be reserved words
     (for example, AS, neighbor, or group).  Macros are  not  expanded inside

     For example,

           neighbor $peer1 {
                   remote-as 65001


     There  are quite a few settings that affect the operation of
the bgpd(8)
     daemon globally.

     AS as-number
             Set the local autonomous system number to as-number.
The AS numbers
 are assigned by local RIRs, such as

             RIPE   for Europe,
             ARIN   for America, and
             APNIC  for the Asian-Pacific region.

             For example,

                   AS 65001

             sets the local AS to 65001.

     dump (table|table-mp) file [timeout]
     dump (all|updates) (in|out) file [timeout]
             Dump  the  RIB, a.k.a. the routing information base,
and all BGP
             messages in  Multi-threaded  Routing  Toolkit  (MRT)
format.  Dumping
             the  RIB  is normally an expensive operation, but it
should not influence
 the session handling.  Excessive dumping may
result in
             delayed update processing.

             For  example,  the  following  will  dump the entire
table to the
             strftime(3)-expanded filename.  The table-mp  format
is multi-protocol
  capable  but often not supported by 3rd-party
tools.  The
             timeout is optional:

                   dump table "/tmp/rib-dump-%H%M" 300

             Similar to the table dump, but  this  time  all  BGP
messages and
             state  transitions  will  be dumped to the specified

                   dump all in "/tmp/all-in-%H%M" 300

             As before, but only  the  UPDATE  messages  will  be
dumped to the

                   dump updates in "/tmp/updates-in-%H%M" 300

             It is also possible to dump outgoing messages:

                   dump all out "/tmp/all-out-%H%M" 300
                   # or
                   dump updates out "/tmp/updates-out-%H%M" 300

     fib-update (yes|no)
             If  set to no, do not update the Forward Information
Base, a.k.a.
             the kernel routing table.  The default is yes.

     holdtime seconds
             Set the holdtime in seconds.  The holdtime is  reset
to its initial
  value  every  time  either  a  KEEPALIVE or an
UPDATE message is
             received from the neighbor.  If the holdtime expires
the session
             is dropped.  The default is 90 seconds.  Neighboring
systems negotiate
 the holdtime used when the connection is established in
             the OPEN messages.  Each neighbor announces its configured holdtime;
 the smaller one is then agreed upon.

     holdtime min seconds
             The minimal accepted holdtime in seconds.  This value must be
             greater than or equal to 3.

     listen on address
             Specify  the  local IP address bgpd(8) should listen

                   listen on

     log updates
             Log received and sent updates.

     network address/prefix [set ...]
             Announce the specified network as belonging  to  our


             It is possible to set default AS path attributes per

                   network set localpref 220

             See also the ATTRIBUTE SET section.

     route-collector (yes|no)
             If set to yes, the route selection process is turned
off.  The
             default is no.

     router-id address
             Set  the  router  ID  to the given IP address, which
must be local to
             the machine.


             If not given,  the  BGP  ID  is  determined  as  the
biggest IP address
             assigned to the local machine.


     bgpd(8)  establishes  TCP  connections to other BGP speakers
     neighbors.  Each neighbor is specified by  a  neighbor  section, which allows
 properties to be set specifially for that neighbor:

           neighbor {
                   remote-as 65002
                   descr "a neighbor"

     Multiple  neighbors  can be grouped together by a group section.  Each
     neighbor section within the group section inherits all properties from
     its group:

           group "peering AS65002" {
                   remote-as 65002
                   neighbor {
                           descr "AS65002-p1"
                   neighbor {
                           descr "AS65002-p2"

     Instead  of  the  neighbor's  IP address, an address/netmask
pair may be given:


     In this case, the neighbor specification becomes a template,
and if a
     neighbor  connects  from an IP address within the given network, the template
 is cloned, inheriting everything from the template but
the remote
     address,  which is replaced by the connecting neighbor's address.  With a
     template specification it is valid to  omit  remote-as;  bgpd(8) will then
     accept any AS the neighbor presents in the OPEN message.

     There are several neighbor properties:

     announce (all|none|self|default-route)
             If  set  to none, no UPDATE messages will be sent to
the neighbor.
             If set to default-route, only the default route will
be announced
             to  the  neighbor.   If  set  to  all, all generated
UPDATE messages
             will be sent to the neighbor.  This is usually  used
for transit
             AS's  and  IBGP  peers.   The default value for EBGP
peers is self,
             which limits the sent UPDATE messages  to  announcements of the local
 AS.  The default for IBGP peers is all.

     descr description
             Add  a  description.   The  description is used when
logging neighbor
             events and in status reports, etc., and has no  further meaning to

     dump (all|updates) (in|out) file [timeout]
             Do  a  peer  specific MRT dump.  Peer specific dumps
are limited to
             all and updates.   See  also  the  dump  section  in

     enforce neighbor-as (yes|no)
             If  set  to  yes,  AS paths whose leftmost AS is not
equal to the
             remote  AS  of  the  neighbor  are  rejected  and  a
             back.  The default value for IBGP peers is no otherwise the default
 is yes.

     holdtime seconds
             Set the holdtime in  seconds.   Inherited  from  the
global configuration
 if not given.

     holdtime min seconds
             Set the minimal acceptable holdtime.  Inherited from
the global
             configuration if not given.

     ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
             Enable IPsec with static keying.  There must  be  at
least two
             ipsec  statements  per  peer with manual keying, one
per direction.
             authspec specifies the authentication algorithm  and
key.  It can

                   sha1 <key>
                   md5 <key>

             encspec  specifies the encryption algorithm and key.
ah does not
             support encryption.  With esp, encryption is optional.  encspec
             can be

                   3des <key>
                   3des-cbc <key>
                   aes <key>
                   aes-128-cbc <key>

             Keys must be given in hexadecimal format.

     ipsec (ah|esp) ike
             Enable IPsec with dynamic keying.  In this mode, bgpd(8) sets up
             the flows, and  a  key  management  daemon  such  as
isakmpd(8) is responsible
  for  managing  the  session  keys.   With
isakmpd(8), it is
             sufficient to copy the peer's public key, found in
             /etc/isakmpd/private/local.pub,  to  the  local  machine.  It must be
             stored  in  a file named after the peer's IP address
and must be
             stored  in  /etc/isakmpd/pubkeys/ipv4/.   The  local
public key must
             be  copied  to the peer in the same way.  As bgpd(8)
manages the
             flows on its  own,  it  is  sufficient  to  restrict
isakmpd(8) to only
             take  care  of  keying  by specifying the flags -Ka.
This can be
             done in rc.conf.local(8).  After starting the isakmpd(8) and
             bgpd(8) daemons on both sides, the session should be

     local-address address
             When bgpd(8) initiates the  TCP  connection  to  the
neighbor system,
             it  normally does not bind to a specific IP address.
If a local-
             address is given,  bgpd(8)  binds  to  this  address

     max-prefix number
             Limit the amount of prefixes received.  No such limit is imposed
             by default.

     multihop hops
             Neighbors not in the same AS as  the  local  bgpd(8)
normally have
             to  be  directly connected to the local machine.  If
this is not
             the case, the multihop statement defines the maximum
hops the
             neighbor may be away.

             Do  not attempt to actively open a TCP connection to
the neighbor

     remote-as as-number
             Set the AS number of the remote system.

     route-reflector [address]
             Act as an RFC 2796 route-reflector for  this  neighbor.  An optional
 cluster ID can be specified; otherwise the BGP ID
will be

     set attribute ...
             Set the AS  path  attributes  to  some  default  per
neighbor or group

                   set localpref 300

             See also the ATTRIBUTE SET section.

     tcp md5sig password secret
     tcp md5sig key secret
             Enable  TCP MD5 signatures per RFC 2385.  The shared
secret can
             either be given as a password or hexadecimal key.

                   tcp md5sig password mekmidasdigoat
                   tcp md5sig key deadbeef

FILTER    [Toc]    [Back]

     bgpd(8) has the ability to allow and deny UPDATES  based  on
prefix or AS
     path  attributes.  In addition, UPDATES may also be modified
by filter

     For each UPDATE processed by the filter,  the  filter  rules
are evaluated
     in  sequential order, from first to last.  The last matching
allow or deny
     rule decides what action is taken.

     The following actions can be used in the filter:

     allow     The UPDATE is passed.

     deny      The UPDATE is blocked.

     match     Apply the filter attribute set without influencing
the filter

PARAMETERS    [Toc]    [Back]

     The  rule parameters specify the UPDATES to which a rule applies.  An
     UPDATE always comes from, or goes to,  one  neighbor.   Most
parameters are
     optional,  but  each can appear at most once per rule.  If a
parameter is
     specified, the rule only applies to  packets  with  matching

     as-type as-number
             This  rule applies only to UPDATES where the AS path
matches.  The
             as-number is matched against a part of the  AS  path
specified by
             the as-type.  as-type is one of the following operators:

             AS           (any part)
             source-as    (rightmost AS number)
             transit-as   (all but the rightmost AS number)

             Multiple as-number  entries  for  a  given  type  or
as-type as-number
             entries  may  also be specified, separated by commas
or whitespace,
             if enclosed in curly brackets:

                   deny from any AS { 1, 2, 3 }
                   deny from any { AS 1, source-as 2,  transit-as
3 }
                   deny  from  any { AS { 1, 2, 3 }, source-as 4,
transit-as 5 }

     community as-number:local
     community name
             This  rule  applies  only  to  UPDATES   where   the
community path attribute
  is  present  and  matches.  Communities are
specified as as-
             number:local, where as-number is an  AS  number  and
local is a locally
  significant  number  between zero and 0xffff.
Both as-number
             and local may be set to `*' to do wildcard matching.
  well-known communities may be given by name
instead and
             include      NO_EXPORT,      NO_ADVERTISE,       and

     (from|to) peer
             This  rule  applies  only to UPDATES coming from, or
going to, this
             particular neighbor.  This parameter must be  specified.  peer is
             one of the following:

             any          Any neighbor will be matched.
             address       Neighbors  with  this  address will be
             group  descr   Neighbors  in  this  group  will   be

             Multiple  peer  entries may also be specified, separated by commas
             or whitespace, if enclosed in curly brackets:

                   deny from {,,  group
hojo }

     prefix address/len
             This  rule applies only to UPDATES for the specified

             Multiple address/len entries may be specified, separated by commas
 or whitespace, if enclosed in curly brackets:

                   deny   from   any   prefix  {, }

             Multiple lists can also be specified, which is  useful for macro

                   good="{,, }"
                   bad="{, }"
                   ugly="{, }"

                   deny from any prefix { $good $bad $ugly }

     prefixlen range
             This rule applies only to UPDATES for prefixes where
the prefixlen
  matches.  Prefix length ranges are specified
by using
             these operators:

                   =       (equal)
                   !=      (unequal)
                   <       (less than)
                   <=      (less than or equal)
                   >       (greater than)
                   >=      (greater than or equal)
                   -       (range including boundaries)
                   ><      (except range)

             >< and - are binary operators (they take  two  arguments).  For instance,
  to match all prefix lengths >= 8 and <= 12,
and hence the
             CIDR netmasks 8, 9, 10, 11 and 12:

                   prefixlen 8-12

             Or, to match all prefix lengths < 8  or  >  12,  and
hence the CIDR
             netmasks 0-7 and 13-32:

                   prefixlen 8><12

             prefixlen can be used together with prefix.

             This  will match all prefixes in the netblock with netmasks
 longer than 16:

                   prefix prefixlen > 16

     quick   If an UPDATE matches a rule which has the quick  option set, this
             rule is considered the last matching rule, and evaluation of subsequent
 rules is skipped.

     set attribute ...
             All matching rules can set the AS path attributes to
some default.
   The  set of every matching rule is applied,
not only the
             last matching one.  See also the following  section.

ATTRIBUTE SET    [Toc]    [Back]

     AS path attributes can be modified with set.

     set  can be used on network statements, in neighbor or group
blocks, and
     on filter rules.  Attribute sets can be expressed as  lists.

     The following attributes can be modified:

     community as-number:local
     community name
             Set  the COMMUNITIES AS path attribute.  Communities
are specified
             as as-number:local, where as-number is an AS  number
and local is
             a   locally-significant   number  between  zero  and
0xffff.  Alternately,
 well-known communities may be specified by name:

     localpref number
             Set the LOCAL_PREF AS path attribute.

     med number
             Set the MULTI_EXIT_DISC AS path attribute.

     nexthop (address|blackhole|reject)
             Set  the  NEXTHOP  AS  path attribute to a different
nexthop address,
             or use blackhole or reject routes.

                   set nexthop
                   set nexthop blackhole
                   set nexthop reject

     pftable table
             Add the prefix in the update to the specified  pf(4)
radix table,
             regardless  of  whether or not the path was selected
for routing.
             This option  may  be  useful  in  building  realtime

     prepend-self number
             Prepend the local AS number times to the AS path.

FILES    [Toc]    [Back]

     /etc/bgpd.conf  bgpd(8) configuration file

SEE ALSO    [Toc]    [Back]

     strftime(3),  ipsec(4),  pf(4),  tcp(4), bgpctl(8), bgpd(8),
     isakmpd(8), rc.conf.local(8)

HISTORY    [Toc]    [Back]

     The bgpd.conf file format first appeared in OpenBSD 3.5.

OpenBSD     3.6                          March      10,      2004
[ Back ]
 Similar pages
Name OS Title
bgpd OpenBSD Border Gateway Protocol daemon
bgpctl OpenBSD control the Border Gateway Protocol daemon
gated.proto Tru64 Gate daemon configuration file (protocol statements)
ntp.conf FreeBSD Network Time Protocol (NTP) daemon configuration file
ntpd.conf OpenBSD Network Time Protocol daemon configuration file
dhcpv6d HP-UX Dynamic Host Configuration Protocol Server daemon for IPv6
gated Tru64 gateway routing daemon
gated HP-UX gateway routing daemon
gated IRIX gateway routing daemon
ogated Tru64 The gateway routing daemon
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service