BGP Attribute Filter and Enhanced Attribute Error Handling

The BGP Attribute Filter feature allows you to “treat-as-withdraw” updates that contain specific path attributes. The prefixes contained in the update are removed from the routing table. The feature also allows you to remove specific path attributes from incoming updates. Both behaviors provide an increased measure of security. The BGP Enhanced Attribute Error Handling feature prevents peer sessions from flapping due to errors from any malformed update, thereby saving resources.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About BGP Attribute Filtering

BGP Attribute Filter and Enhanced Attribute Error Handling

The BGP Attribute Filter feature provides two ways to achieve an increased measure of security:

  • The feature allows you to treat-as-withdraw an Update coming from a specified neighbor if the Update contains a specified attribute type. When an Update is treat-as-withdraw, the prefixes in the Update are removed from the BGP routing table (if they existed in the routing table).

  • The feature also allows you to drop specified path attributes from an Update, and then the system processes the rest of the Update as usual.

The BGP Enhanced Attribute Error Handling feature prevents peer sessions from flapping due to a malformed Update. The malformed Update is treat-as-withdraw and does not cause the BGP session to be reset. This feature is enabled by default, but can be disabled.

The features are implemented in the following order:

  1. Received Updates that contain user-specified path attributes are treat-as-withdraw (as long as the NLRI can be parsed successfully). If there is an existing prefix in the BGP routing table, it will be removed. The neighbor path-attribute treat-as-withdraw command configures this feature.

  2. User-specified path attributes are discarded from received Updates, and the rest of the Update is processed normally. The neighbor path-attribute discard command configures this feature.

  3. Received Updates that are malformed are treat-as-withdraw. This feature is enabled by default; it can be disabled by configuring the no bgp enhanced-error command.
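The following Python model is an added example, not Cisco code: it walks the Path Attributes field of an Update and applies the three checks in the order listed above. It treats only length and framing errors as "malformed", and it assumes that with enhanced error handling disabled a malformed Update resets the session (RFC 4271 behaviour); the function names and sample bytes are constructed for illustration.

```python
EXT_LEN = 0x10  # flag bit: the attribute length field is 2 bytes instead of 1

def parse_attrs(buf):
    """Walk the Path Attributes field of an Update.
    Returns (list of (type, value), error); error is None or a reason string."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            return attrs, "truncated attribute header"
        flags, atype = buf[i], buf[i + 1]
        width = 2 if flags & EXT_LEN else 1
        start = i + 2 + width
        if start > len(buf):
            return attrs, "truncated length field"
        length = int.from_bytes(buf[i + 2:start], "big")
        if start + length > len(buf):
            return attrs, f"attribute {atype} overruns the field"
        attrs.append((atype, buf[start:start + length]))
        i = start + length
    return attrs, None

def handle_update(buf, withdraw=frozenset(), discard=frozenset(), enhanced_error=True):
    """Apply the three checks in the documented order; returns (action, kept types)."""
    attrs, error = parse_attrs(buf)
    types = [t for t, _ in attrs]
    # 1. A user-specified treat-as-withdraw attribute withdraws the prefixes.
    if any(t in withdraw for t in types):
        return "treat-as-withdraw", []
    # 2. User-specified discard attributes are dropped; the rest is kept.
    kept = [t for t in types if t not in discard]
    # 3. A malformed Update is treat-as-withdraw. With the feature disabled this
    #    model resets the session (assumption: RFC 4271 default behaviour).
    if error:
        return ("treat-as-withdraw" if enhanced_error else "session-reset"), []
    return "accept", kept

# Constructed sample attributes (flags, type, length, value), not captured traffic.
ORIGIN = bytes([0x40, 1, 1, 0x00])
ATTR_100 = bytes([0xC0, 100, 2, 0xAA, 0xBB])
ATTR_128 = bytes([0xD0, 128, 0x00, 0x01, 0xFF])  # extended-length encoding
BAD = bytes([0xC0, 200, 9, 0x00])                # claims 9 bytes, carries 1

if __name__ == "__main__":
    print(handle_update(ORIGIN + ATTR_100, withdraw={100}))
    print(handle_update(ORIGIN + ATTR_100 + ATTR_128, discard={128}))
    print(handle_update(ORIGIN + BAD))
    print(handle_update(ORIGIN + BAD, enhanced_error=False))
```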

Details About Specifying Attributes as Treat-as-Withdraw

Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute treat-as-withdraw.

Attribute type 5 (localpref), type 9 (Originator), and type 10 (Cluster-id) can be configured for treat-as-withdraw for eBGP neighbors only.

Configuring path attributes to be treated as withdrawn will trigger an inbound Route Refresh to ensure that the routing table is up to date.

Details About Specifying Attributes as Discard

Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute discard.

Attribute type 5 (localpref), type 9 (Originator), and type 10 (Cluster-id) can be configured for discard for eBGP neighbors only.

Configuring path attributes to be discarded will trigger an inbound Route Refresh to ensure that the routing table is up to date.
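A configuration audit for the restrictions in the two sections above, as an added Python example rather than a Cisco tool. It assumes each neighbor's type can be derived by comparing its neighbor remote-as value with the local AS, and it chooses to flag a range that overlaps a restricted type; the sample configuration is constructed.

```python
import re

NEVER = {1, 2, 3, 4, 8, 14, 15, 16}   # cannot be configured for either action
EBGP_ONLY = {5, 9, 10}                # localpref, Originator, Cluster-id
RULE = re.compile(
    r"neighbor\s+(\S+)\s+path-attribute\s+(treat-as-withdraw|discard)\s+"
    r"(?:range\s+(\d+)\s+(\d+)|(\d+))\s+in\s*$")

def audit(config):
    """Return (line number, message) findings for path-attribute filter lines."""
    lines = config.splitlines()
    local_as, remote_as, findings = None, {}, []
    for raw in lines:  # pass 1: local AS and each neighbor's remote AS
        w = raw.split()
        if w[:2] == ["router", "bgp"] and len(w) == 3:
            local_as = w[2]
        elif len(w) == 4 and w[0] == "neighbor" and w[2] == "remote-as":
            remote_as[w[1].lower()] = w[3]
    for no, raw in enumerate(lines, 1):  # pass 2: check each filter line
        m = RULE.search(raw)
        if not m:
            continue
        nbr, action, lo, hi, single = m.groups()
        lo, hi = (int(lo), int(hi)) if lo else (int(single), int(single))
        types = set(range(lo, hi + 1))
        never = sorted(types & NEVER)
        if never:
            findings.append((no, f"{action}: types {never} cannot be configured"))
        # Assumption: a neighbor whose remote-as equals the local AS is iBGP.
        ibgp = local_as is not None and remote_as.get(nbr.lower()) == local_as
        ebgp_only = sorted(types & EBGP_ONLY)
        if ibgp and ebgp_only:
            findings.append((no, f"{action}: types {ebgp_only} need an eBGP neighbor"))
    return findings

# Constructed sample configuration (addresses and AS numbers are illustrative).
SAMPLE = """\
router bgp 65600
 neighbor 2001:DB8:1::1 remote-as 65601
 neighbor 2001:DB8:1::2 remote-as 65600
 neighbor 2001:DB8:1::1 path-attribute discard range 17 255 in
 neighbor 2001:DB8:1::1 path-attribute discard 5 in
 neighbor 2001:DB8:1::2 path-attribute treat-as-withdraw 9 in
 neighbor 2001:DB8:1::1 path-attribute treat-as-withdraw range 12 20 in
"""

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

A range that starts at 17 or higher, as in the configuration examples on this page, stays clear of every restricted type.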

Details About Enhanced Attribute Error Handling

If a malformed Update is received, it is treat-as-withdraw to prevent peer sessions from flapping due to the processing of BGP path attributes. This feature applies to eBGP and iBGP peers. This feature is enabled by default; it can be disabled.

Whether the BGP Enhanced Attribute Error Handling feature is enabled or disabled, BGP places the MP_REACH attribute (attribute 14) at the beginning of an attribute list while formatting an update. Enhanced attribute error handling functions more easily when the MP_REACH attribute is at the beginning of the attribute list.

How to Filter BGP Path Attributes

Treat-as-Withdraw BGP Updates Containing a Specified Path Attribute


Note

Performing this task will trigger an inbound Route Refresh to ensure that the routing table is up to date.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. router bgp as-number
  4. neighbor {ip-address | ipv6-address} path-attribute treat-as-withdraw {attribute-value | range start-value end-value} in
  5. Repeat Step 4 to configure other attributes not in a range or to configure a different neighbor.
  6. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

router bgp as-number

Example:


Device(config)# router bgp 65000

Configures a BGP routing process and enters router configuration mode.

Step 4

neighbor {ip-address | ipv6-address} path-attribute treat-as-withdraw {attribute-value | range start-value end-value} in

Example:


Device(config-router)# neighbor 2001:DB8:1::1 path-attribute treat-as-withdraw 100 in

Treat-as-withdraw any incoming Update messages that contain the specified path attribute or range of path attributes.

  • Any prefixes in an Update that is treat-as-withdraw are removed from the BGP routing table.

  • The specific attribute value and the range of attribute values are independent of each other.

Step 5

Repeat Step 4 to configure other attributes not in a range or to configure a different neighbor.

Step 6

end

Example:


Device(config-router)# end

Exits to privileged EXEC mode.

Discarding Specific Path Attributes from an Update Message


Note

Performing this task will trigger an inbound Route Refresh to ensure that the routing table is up to date.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. router bgp as-number
  4. neighbor {ip-address | ipv6-address} path-attribute discard {attribute-value | range start-value end-value} in
  5. Repeat Step 4 to configure other attributes not in a range or to configure a different neighbor.
  6. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

router bgp as-number

Example:


Device(config)# router bgp 6500

Configures a BGP routing process and enters router configuration mode.

Step 4

neighbor {ip-address | ipv6-address} path-attribute discard {attribute-value | range start-value end-value} in

Example:


Device(config-router)# neighbor 2001:DB8:1::1 path-attribute discard 128 in

Drops specified path attributes from Update messages from the specified neighbor.

Step 5

Repeat Step 4 to configure other attributes not in a range or to configure a different neighbor.

Step 6

end

Example:


Device(config-router)# end

Exits to privileged EXEC mode.

Displaying Withdrawn or Discarded Path Attributes

Perform any of these steps in any order to display information about treat-as-withdraw, discarded, or unknown path attributes. You can use the show ip bgp command with any address family that BGP supports, such as show ip bgp ipv4 multicast, show ip bgp ipv6 unicast, and so on.

SUMMARY STEPS

  1. enable
  2. show ip bgp neighbor [ip-address | ipv6-address]
  3. show ip bgp path-attribute unknown
  4. show ip bgp path-attribute discard
  5. show ip bgp vpnv4 all prefix
  6. show ip bgp neighbors prefix

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

show ip bgp neighbor [ip-address | ipv6-address]

Example:


Device# show ip bgp neighbor 2001:DB8:1::1

(Optional) Displays the configured discard and treat-as-withdraw attribute values for the neighbor, counts of Updates with such attributes discarded or treat-as-withdraw, and the count of malformed treat-as-withdraw Updates.

Step 3

show ip bgp path-attribute unknown

Example:


Device# show ip bgp path-attribute unknown

(Optional) Displays all prefixes that have an unknown attribute.

Step 4

show ip bgp path-attribute discard

Example:


Device# show ip bgp path-attribute discard

(Optional) Displays all prefixes for which an attribute has been discarded.

Step 5

show ip bgp vpnv4 all prefix

Example:

Device# show ip bgp vpnv4 all 192.168.1.0

(Optional) Displays the unknown attributes and discarded attributes associated with a prefix.

Step 6

show ip bgp neighbors prefix

Example:

Device# show ip bgp neighbors 192.168.1.0

(Optional) Displays the configured discard and treat-as-withdraw attributes associated with a prefix.

Configuration Examples for BGP Attribute Filter

Examples: Withdraw Updates Based on Path Attribute

The following example shows how to configure the device to treat-as-withdraw any Update messages from the specified neighbor that contain the unwanted path attribute 100 or 128:


router bgp 65600
 neighbor 2001:DB8:1::2 path-attribute treat-as-withdraw 100 in
 neighbor 2001:DB8:1::2 path-attribute treat-as-withdraw 128 in

The following example shows how to configure the device to treat-as-withdraw any Update messages from the specified neighbor that contain the unwanted path attributes in the range from 21 to 255:


router bgp 65600
 neighbor 2001:DB8:1::2 path-attribute treat-as-withdraw range 21 255 in

Examples: Discard Path Attributes from Updates

The following example shows how to configure the device to discard path attributes 100 and 128 from incoming Update messages from the specified neighbor. The rest of the Update message will be processed as usual.


router bgp 65600
 neighbor 2001:DB8:1::1 path-attribute discard 100 in
 neighbor 2001:DB8:1::1 path-attribute discard 128 in

The following example shows how to configure the device to discard path attributes in the range from 17 to 255 from incoming Update messages from the specified neighbor. The rest of the Update message will be processed as usual.


router bgp 65600
 neighbor 2001:DB8:1::1 path-attribute discard range 17 255 in

Additional References

Related Documents

Related Topic         Document Title
Cisco IOS commands    Cisco IOS Master Commands List, All Releases
BGP commands          Cisco IOS IP Routing: BGP Command Reference

Standards and RFCs

Standard/RFC                     Title
draft-ietf-idr-error-handling    Revised Error Handling for BGP Updates from External Neighbors

Feature Information for BGP Attribute Filter and Enhanced Attribute Error Handling

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1. Feature Information for BGP Attribute Filter and Enhanced Attribute Error Handling

Feature Name

Releases

Feature Information

BGP Attribute Filter and Enhanced Attribute Error Handling

The following commands were introduced: bgp enhanced-error, neighbor path-attribute discard, neighbor path-attribute treat-as-withdraw, show ip bgp path-attribute discard, and show ip bgp path-attribute unknown.

The following commands were modified: show ip bgp, show ip bgp neighbor, and show ip bgp vpnv4 all.