- Read Me First
- Cisco BGP Overview
- BGP 4
- Configuring a Basic BGP Network
- BGP 4 Soft Configuration
- BGP Support for 4-byte ASN
- IPv6 Routing: Multiprotocol BGP Extensions for IPv6
- IPv6 Routing: Multiprotocol BGP Link-Local Address Peering
- IPv6 Multicast Address Family Support for Multiprotocol BGP
- Configuring Multiprotocol BGP (MP-BGP) Support for CLNS
- BGP IPv6 Admin Distance
- Connecting to a Service Provider Using External BGP
- BGP Route-Map Continue
- BGP Route-Map Continue Support for Outbound Policy
- Removing Private AS Numbers from the AS Path in BGP
- Configuring BGP Neighbor Session Options
- BGP Neighbor Policy
- BGP Dynamic Neighbors
- BGP Support for Next-Hop Address Tracking
- BGP Restart Neighbor Session After Max-Prefix Limit Reached
- BGP Support for Dual AS Configuration for Network AS Migrations
- Configuring Internal BGP Features
- BGP VPLS Auto Discovery Support on Route Reflector
- BGP FlowSpec Route-reflector Support
- BGP Flow Specification Client
- BGP NSF Awareness
- BGP Graceful Restart per Neighbor
- BGP Support for BFD
- IPv6 NSF and Graceful Restart for MP-BGP IPv6 Address Family
- BGP Persistence
- BGP Link Bandwidth
- Border Gateway Protocol Link-State
- iBGP Multipath Load Sharing
- BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN
- Loadsharing IP Packets over More Than Six Parallel Paths
- BGP Policy Accounting
- BGP Policy Accounting Output Interface Accounting
- BGP Cost Community
- BGP Support for IP Prefix Import from Global Table into a VRF Table
- BGP Support for IP Prefix Export from a VRF Table into the Global Table
- BGP per Neighbor SoO Configuration
- Per-VRF Assignment of BGP Router ID
- BGP Next Hop Unchanged
- BGP Support for the L2VPN Address Family
- BGP Event-Based VPN Import
- BGP Best External
- BGP PIC Edge for IP and MPLS-VPN
- Detecting and Mitigating a BGP Slow Peer
- Configuring BGP: RT Constrained Route Distribution
- Configuring a BGP Route Server
- BGP Diverse Path Using a Diverse-Path Route Reflector
- BGP Enhanced Route Refresh
- Configuring BGP Consistency Checker
- BGP—Origin AS Validation
- BGP MIB Support
- BGP 4 MIB Support for Per-Peer Received Routes
- BGP Support for Nonstop Routing (NSR) with Stateful Switchover (SSO) Using L2VPN VPLS
- BGP Support for Nonstop Routing (NSR) with Stateful Switchover (SSO) Using L2VPN VPLS
- BGP NSR Auto Sense
- BGP NSR Support for iBGP Peers
- BGP Graceful Shutdown
- BGP — mVPN BGP sAFI 129 - IPv4
- BGP-MVPN SAFI 129 IPv6
- BFD—BGP Multihop Client Support, cBit (IPv4 and IPv6), and Strict Mode
- BGP Attribute Filter and Enhanced Attribute Error Handling
- BGP Additional Paths
- BGP-Multiple Cluster IDs
- BGP-VPN Distinguisher Attribute
- BGP-RT and VPN Distinguisher Attribute Rewrite Wildcard
- VPLS BGP Signaling
- Multicast VPN BGP Dampening
- BGP—IPv6 NSR
- BGP-VRF-Aware Conditional Advertisement
- BGP—Selective Route Download
- BGP—Support for iBGP Local-AS
- eiBGP Multipath for Non-VRF Interfaces (IPv4/IPv6)
- L3VPN iBGP PE-CE
- BGP NSR Support for MPLS VPNv4 and VPNv6 Inter-AS Option B
- BGP-RTC for Legacy PE
- BGP PBB EVPN Route Reflector Support
- BGP Monitoring Protocol
- VRF Aware BGP Translate-Update
- BGP Support for MTR
- BGP Accumulated IGP
- BGP MVPN Source-AS Extended Community Filtering
- BGP AS-Override Split-Horizon
- BGP Support for Multiple Sourced Paths Per Redistributed Route
- Maintenance Function: BGP Routing Protocol
BGP Attribute Filter and Enhanced Attribute Error Handling
The BGP Attribute Filter feature allows you to “treat-as-withdraw” updates that contain specific path attributes. The prefixes contained in the update are removed from the routing table. The feature also allows you to remove specific path attributes from incoming updates. Both behaviors provide an increased measure of security. The BGP Enhanced Attribute Error Handling feature prevents peer sessions from flapping due to errors from any malformed update, thereby saving resources.
- Finding Feature Information
- Information About BGP Attribute Filtering
- How to Filter BGP Path Attributes
- Configuration Examples for BGP Attribute Filter
- Additional References
- Feature Information for BGP Attribute Filter and Enhanced Attribute Error Handling
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About BGP Attribute Filtering
BGP Attribute Filter and Enhanced Attribute Error Handling
The BGP Attribute Filter feature provides two ways to achieve an increased measure of security:
The feature allows you to treat-as-withdraw an Update coming from a specified neighbor if the Update contains a specified attribute type. When an Update is treat-as-withdraw, the prefixes in the Update are removed from the BGP routing table (if they existed in the routing table).
The feature also allows you to drop specified path attributes from an Update, and then the system processes the rest of the Update as usual.
The BGP Enhanced Attribute Error Handling feature prevents peer sessions from flapping due to a malformed Update. The malformed Update is treat-as-withdraw and does not cause the BGP session to be reset. This feature is enabled by default, but can be disabled.
The features are implemented in the following order:
Received Updates that contain user-specified path attributes are treat-as-withdraw (as long as the NLRI can be parsed successfully). If there is an existing prefix in the BGP routing table, it will be removed. The neighbor path-attribute treat-as-withdraw command configures this feature.
User-specified path attributes are discarded from received Updates, and the rest of the Update is processed normally. The neighbor path-attribute discard command configures this feature.
Received Updates that are malformed are treat-as-withdraw. This feature is enabled by default; it can be disabled by configuring the no bgp enhanced-error command.
Details About Specifying Attributes as Treat-as-Withdraw
Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute treat-as-withdraw.
Attribute type 5 (localpref), type 9 (Originator,) and type 10 (Cluster-id) can be configured for treat-as-withdraw for eBGP neighbors only.
Configuring path attributes to be treated as withdrawn will trigger an inbound Route Refresh to ensure that the routing table is up to date.
Details About Specifying Attributes as Discard
Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute discard.
Attribute type 5 (localpref), type 9 (Originator), and type 10 (Cluster-id) can be configured for discard for eBGP neighbors only.
Configuring path attributes to be discarded will trigger an inbound Route Refresh to ensure that the routing table is up to date.
Details About Enhanced Attribute Error Handling
If a malformed Update is received, it is treat-as-withdraw to prevent peer sessions from flapping due to the processing of BGP path attributes. This feature applies to eBGP and iBGP peers. This feature is enabled by default; it can be disabled.
If the BGP Enhanced Attribute Error Handling feature is enabled or disabled, BGP places the MP_REACH attribute (attribute 14) at the beginning of an attribute list while formatting an update. Enhanced attribute error handling functions more easily when the MP_REACH attribute is at the beginning of the attribute list.
How to Filter BGP Path Attributes
Treat-as-Withdraw BGP Updates Containing a Specified Path Attribute
Note | Performing this task will trigger an inbound Route Refresh to ensure that the routing table is up to date. |
1.
enable
2.
configure
terminal
3.
router
bgp
as-number
4.
neighbor {ip-address |
ipv6-address}
path-attribute
treat-as-withdraw
{attribute-value |
range
start-value
end-value}
in
5. Repeat Step 4 to configure other attributes not in a range or to configure a different neighbor.
6.
end
DETAILED STEPS
Discarding Specific Path Attributes from an Update Message
Note | Performing this task will trigger an inbound Route Refresh to ensure that the routing table is up to date. |
1.
enable
2.
configure
terminal
3.
router
bgp
as-number
4.
neighbor {ip-address |
ipv6-address}
path-attribute
discard
{attribute-value |
range
start-value
end-value}
in
5. Repeat Step 4 to configure other attributes not in a range or to configure a different neighbor.
6.
end
DETAILED STEPS
Displaying Withdrawn or Discarded Path Attributes
Perform any of these steps in any order to display information about treat-as-withdraw, discarded, or unknown path attributes. You can use the show ip bgp command with any address family that BGP supports, such as show ip bgp ipv4 multicast, show ip bgp ipv6 unicast, etc.
1.
enable
2. show ip bgp neighbor [ip-address | ipv6-address]
3.
show ip bgp path-attribute unknown
4.
show ip bgp path-attribute discard
5.
show ip bgp vpnv4 all
prefix
6.
show ip bgp neighbors
prefix
DETAILED STEPS
Configuration Examples for BGP Attribute Filter
Examples: Withdraw Updates Based on Path Attribute
The following example shows how to configure the device to treat-as-withdraw any Update messages from the specified neighbor that contain the unwanted path attribute 100 or 128:
router bgp 65600 neighbor 2001:DB8:1::2 path-attribute treat-as-withdraw 100 in neighbor 2001:DB8:1::2 path-attribute treat-as-withdraw 128 in
The following example shows how to configure the device to treat-as-withdraw any Update messages from the specified neighbor that contain the unwanted path attributes in the range from 21 to 255:
router bgp 65600 neighbor 2001:DB8:1::2 path-attribute treat-as-withdraw 21 255 in
Examples: Discard Path Attributes from Updates
The following example shows how to configure the device to discard path attributes 100 and 128 from incoming Update messages from the specified neighbor. The rest of the Update message will be processed as usual.
router bgp 65600 neighbor 2001:DB8:1::1 path-attribute discard 100 in neighbor 2001:DB8:1::1 path-attribute discard 128 in
The following example shows how to configure the device to discard path attributes in the range from 17 to 255 from incoming Update messages from the specified neighbor. The rest of the Update message will be processed as usual.
router bgp 65600 neighbor 2001:DB8:1::1 path-attribute discard 17 255 in
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
BGP commands |
Standards and RFCs
Standard/RFC |
Title |
---|---|
draft-ietf-idr-error-handling |
Revised Error Handling for BGP Updates from External Neighbors |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for BGP Attribute Filter and Enhanced Attribute Error Handling
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
BGP Attribute Filter and Enhanced Attribute Error Handling |
The BGP Attribute Filter allows you to “treat-as-withdraw” updates that contain specific path attributes. The prefixes contained in the update are removed from the routing table. The feature also allows you to remove specific path attributes from incoming updates. Both behaviors provide an increased measure of security. The BGP Enhanced Attribute Error Handling feature prevents peer sessions from flapping due to errors from any malformed update, thereby saving resources. The following commands were introduced: bgp enhanced-error, neighbor path-attribute discard, neighbor path-attribute treat-as-withdraw, show ip bgp path-attribute discard, and show ip bgp path-attribute unknown. The following commands were modified: show ip bgp, show ip bgp neighbor, and show ip bgp vpnv4 all. |