This chapter describes the Cisco NX-OS Border Gateway Protocol (BGP) commands that begin with I.
To configure an access-list filter for Border Gateway Protocol (BGP) autonomous system (AS) numbers, use the ip as-path access-list command. To remove the filter, use the no form of this command.
ip as-path access-list name { deny | permit } regexp
no ip as-path access-list name { deny | permit } regexp
| Keyword or argument | Description |
|---|---|
| name | AS path access list name. The name can be any alphanumeric string up to 63 characters. |
| deny | Rejects packets with AS numbers that match the regexp argument. |
| permit | Allows packets with AS numbers that match the regexp argument. |
| regexp | Regular expression to match BGP AS paths. See the Cisco Nexus 5500 Series NX-OS Fundamentals Configuration Guide, Release 6.0, for details on regular expressions: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5500/sw/fundamentals/621_n1_1/Cisco_Nexus_5500_Series_NX-OS_Fundamentals_Configuration_Guide_Release_6_2_1_N1_1_chapter4.html#con_1237003 |
Use the ip as-path access-list command to configure an autonomous system path filter. You can apply autonomous system path filters to both inbound and outbound BGP paths. Each filter is defined by the regular expression. If the regular expression matches the representation of the autonomous system path of the route as an ASCII string, then the permit or deny condition applies. The autonomous system path should not contain the local autonomous system number.
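The matching rule in these guidelines (the AS path rendered as an ASCII string, compared against each entry's regular expression, first match wins, implicit deny at the end) can be made concrete in code. The following Python program is an added example and is not NX-OS code or part of this command reference: it parses statements written in this command's syntax, renders an AS path the way the filter sees it, and evaluates the list. The list name FROM-CUSTOMER, the AS numbers, and the translation of the Cisco `_` metacharacter into a standard regular-expression fragment are this example's own assumptions.

```python
import re
from typing import Dict, List, Sequence, Tuple

# NX-OS treats "_" in an AS-path regular expression as a metacharacter that
# matches a separator (space, comma, braces, parentheses) or the start or end
# of the path string. Expanding it to this Python regex fragment is our own
# translation, not an NX-OS interface.
_SEPARATOR = r"(?:^|$|[ ,{}()])"


def compile_as_path_regexp(pattern: str) -> "re.Pattern[str]":
    """Compile an NX-OS style AS-path regular expression with Python's re."""
    return re.compile(pattern.replace("_", _SEPARATOR))


def as_path_text(as_path: Sequence[int]) -> str:
    """Render an AS_PATH as the ASCII string the filter is compared against:
    space-separated AS numbers, most recent hop first. A route originated in
    the local AS carries an empty path, which only '^$' matches."""
    return " ".join(str(asn) for asn in as_path)


def parse_as_path_lists(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse 'ip as-path access-list <name> {deny|permit} <regexp>' statements
    into per-list (action, regexp) entries kept in configuration order."""
    lists: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        parts = line.strip().split(None, 5)
        if len(parts) != 6 or parts[:3] != ["ip", "as-path", "access-list"]:
            continue  # blank line or some other statement
        _, _, _, name, action, regexp = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        lists.setdefault(name, []).append((action, regexp))
    return lists


def evaluate_as_path_list(entries: Sequence[Tuple[str, str]],
                          as_path: Sequence[int]) -> str:
    """The first entry whose regexp matches the rendered path decides;
    a path that matches no entry is implicitly denied."""
    text = as_path_text(as_path)
    for action, regexp in entries:
        if compile_as_path_regexp(regexp).search(text):
            return action
    return "deny"


# Constructed configuration for an inbound filter on a customer session:
# reject anything carrying the private AS 64512, then accept only paths that
# the customer AS 65010 originated itself (prepends allowed). The local AS
# appears in no regexp, as the usage guidelines require. Names and numbers
# are made up for this example.
EXAMPLE_CONFIG = """
ip as-path access-list FROM-CUSTOMER deny _64512_
ip as-path access-list FROM-CUSTOMER permit ^65010(_65010)*$
"""

AS_PATH_LISTS = parse_as_path_lists(EXAMPLE_CONFIG)


def filter_from_customer(as_path: Sequence[int]) -> str:
    """Apply the FROM-CUSTOMER list to one received AS path."""
    return evaluate_as_path_list(AS_PATH_LISTS["FROM-CUSTOMER"], as_path)


if __name__ == "__main__":
    for path in ([65010], [65010, 65010], [65010, 65020], [65010, 64512], []):
        label = as_path_text(path) or "<empty>"
        print(f"{label:>14} -> {filter_from_customer(path)}")
```

Running the program shows the three outcomes the guidelines imply: a path of only 65010 (with or without prepends) is permitted, a path that also carries 64512 hits the explicit deny, and a path such as `65010 65020` or an empty path matches nothing and falls to the implicit deny.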
This example shows how to configure an AS path filter for BGP to permit AS numbers 55:33 and 20:01 and apply it to a BGP peer for inbound filtering:
To create a community list entry, use the ip community-list command. To remove the entry, use the no form of this command.
ip community-list standard list-name { deny | permit } { aa : nn | internet | local-AS | no-advertise | no-export }
no ip community-list standard list-name
ip community-list expanded list-name { deny | permit } regexp
no ip community-list expanded list-name
| Keyword or argument | Description |
|---|---|
| aa:nn | Autonomous system number and network number entered in the 4-byte new community format. This value is configured as two 2-byte numbers separated by a colon. Each 2-byte number can be from 1 to 65535. A single community can be entered, or multiple communities can be entered, each separated by a space. You can pick more than one of these optional community keywords. |
| internet | Specifies the Internet community. Routes with this community are advertised to all peers (internal and external). You can pick more than one of these optional community keywords. |
| no-export | Specifies the no-export community. Routes with this community are advertised only to peers in the same autonomous system or only to other subautonomous systems within a confederation. These routes are not advertised to external peers. You can pick more than one of these optional community keywords. |
| local-AS | Specifies the local-as community. Routes with this community are advertised only to peers that are part of the local autonomous system or only to peers within a subautonomous system of a confederation. These routes are not advertised to external peers or to other subautonomous systems within a confederation. You can pick more than one of these optional community keywords. |
| no-advertise | Specifies the no-advertise community. Routes with this community are not advertised to any peer (internal or external). You can pick more than one of these optional community keywords. |
| regexp | Regular expression that specifies a pattern to match against an input string. See the Cisco Nexus 5500 Series NX-OS Fundamentals Configuration Guide, Release 6.0, for details on regular expressions: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/fundamentals/421_n1_1/Cisco_Nexus_5000_Series_NX-OS_Fundamentals_Configuration_Guide_Release_4_2_1_N1_1_chapter4.html#con_1237003 Note: Regular expressions can be used with expanded community lists only. |
The ip community-list command is used to configure BGP community filtering. BGP community values are configured as a 4-byte number. The first two bytes represent the autonomous system number, and the last two bytes represent a user-defined network number. BGP community attribute exchange between BGP peers is enabled when the send-community command is configured for the specified neighbor. The BGP community attribute is defined in RFC 1997 and RFC 1998.
BGP community exchange is not enabled by default. Use the send-community command in BGP neighbor address-family configuration mode to enable BGP community attribute exchange between BGP peers.
The Internet community is applied to all routes or prefixes by default until any other community value is configured with this command or the set community command.
Once you configure a permit value to match a given set of communities, the community list defaults to an implicit deny for all other community values. Use the internet community to apply an implicit permit to the community list.
Standard community lists are used to configure well-known communities and specific community numbers. You can pick more than one of the optional community keywords. A maximum of 32 communities can be configured in a standard community list. If you attempt to configure more, the trailing communities that exceed the limit are not processed or saved to the running configuration file. A route map can also match up to 32 community lists in one sequence.
Expanded community lists are used to filter communities using a regular expression. Regular expressions are used to configure patterns to match community attributes. When matching uses the * or + character, the longest construct is matched first. Nested constructs are matched from the outside in. Concatenated constructs are matched beginning at the left side. If a regular expression can match two different parts of an input string, it matches the earliest part first.
When multiple values are configured in the same community list statement, a logical AND condition is created. All community values must match to satisfy an AND condition. When multiple values are configured in separate community list statements, a logical OR condition is created. The first list that matches a condition is processed.
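The AND/OR rules above, the implicit deny, the role of the internet keyword as the explicit catch-all, and the 32-value limit on a standard statement are all easy to get wrong when reading a long list. The following Python program is an added example, not NX-OS code and not part of this reference: it parses standard and expanded statements written in this command's syntax and evaluates them against a route's communities in the order the guidelines describe. The list names, community values, and the translation of the Cisco `_` metacharacter into a standard regular-expression fragment are this example's own assumptions; the well-known community values are those of RFC 1997.

```python
import re
from typing import Dict, List, Sequence, Tuple, Union

# Well-known community values (RFC 1997; NX-OS shows NO_EXPORT_SUBCONFED as
# local-AS). 'internet' is the all-zero value.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,
}
_NAME_OF = {value: name for name, value in WELL_KNOWN.items()}
_SEPARATOR = r"(?:^|$|[ ,{}()])"  # our translation of the NX-OS "_" metacharacter
MAX_STANDARD_VALUES = 32          # per standard statement, from the usage guidelines

# One statement: action, then 'standard' with its required values or
# 'expanded' with its regexp.
Statement = Tuple[str, str, Union[List[int], str]]


def parse_community(text: str) -> int:
    """'aa:nn' (two 2-byte numbers) or a well-known keyword -> 4-byte value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    aa, nn = (int(part) for part in text.split(":"))
    if not (0 <= aa <= 65535 and 0 <= nn <= 65535):
        raise ValueError(f"community out of range: {text}")
    return (aa << 16) | nn


def format_community(value: int) -> str:
    """Render a community as NX-OS prints it: keyword or aa:nn."""
    return _NAME_OF.get(value, f"{value >> 16}:{value & 0xFFFF}")


def parse_community_lists(config: str) -> Dict[str, List[Statement]]:
    """Parse 'ip community-list {standard|expanded} <name> {permit|deny} ...'."""
    lists: Dict[str, List[Statement]] = {}
    for line in config.splitlines():
        parts = line.strip().split(None, 5)
        if len(parts) != 6 or parts[:2] != ["ip", "community-list"]:
            continue
        _, _, kind, name, action, rest = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        payload: Union[List[int], str]
        if kind == "standard":
            # Communities beyond the 32nd are not processed or saved, so the
            # statement is stored truncated.
            payload = [parse_community(v) for v in rest.split()][:MAX_STANDARD_VALUES]
        elif kind == "expanded":
            payload = rest  # the regexp is the remainder of the line
        else:
            raise ValueError(f"unknown list type in: {line!r}")
        lists.setdefault(name, []).append((action, kind, payload))
    return lists


def statement_matches(statement: Statement, communities: Sequence[int]) -> bool:
    _, kind, payload = statement
    if kind == "standard":
        # Several values in one statement are a logical AND: each listed
        # community must be present. 'internet' matches every route, which is
        # what makes 'permit internet' the explicit catch-all.
        present = set(communities)
        return all(v == WELL_KNOWN["internet"] or v in present for v in payload)
    text = " ".join(format_community(c) for c in communities)
    return re.search(payload.replace("_", _SEPARATOR), text) is not None


def evaluate_community_list(statements: Sequence[Statement],
                            communities: Sequence[int]) -> str:
    """Separate statements are a logical OR: the first matching statement
    decides, and a route that matches none is implicitly denied."""
    for statement in statements:
        if statement_matches(statement, communities):
            return statement[0]
    return "deny"


# Constructed configuration mirroring the cases described in this section;
# list names and numbers are made up for this example.
EXAMPLE_CONFIG = """
ip community-list standard DENY-PAIR deny 65534:40 65412:60
ip community-list standard DENY-PAIR permit internet
ip community-list standard LOCAL-OR permit local-AS
ip community-list standard LOCAL-OR permit 40000:20
ip community-list expanded NO-PRIVATE deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-9]{3}):
ip community-list expanded NO-PRIVATE permit .*
ip community-list expanded NO-50000-LOW deny _50000:[1-9][0-9]?_
ip community-list expanded NO-50000-LOW permit .*
"""

COMMUNITY_LISTS = parse_community_lists(EXAMPLE_CONFIG)


def check(list_name: str, communities: Sequence[str]) -> str:
    """Evaluate a named list against a route's communities given as text."""
    return evaluate_community_list(COMMUNITY_LISTS[list_name],
                                   [parse_community(c) for c in communities])
```

DENY-PAIR denies a route only when it carries both 65534:40 and 65412:60; a route with just one of them fails the AND and falls through to `permit internet`. LOCAL-OR permits a route that carries either local-AS or 40000:20 and denies everything else through the implicit deny. The NO-PRIVATE regular expression covers 64512 through 65535 (the `65[0-9]{3}` branch also spans values above 65535, which cannot occur in a 2-byte AS field), and NO-50000-LOW denies network numbers 1 through 99 in AS 50000 while leaving 50000:100 permitted.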
This example shows how to configure a standard community list where the routes with this community are advertised to all peers (internal and external):
This example shows how to configure a logical AND condition; all community values must match in order for the list to be processed:
In the above example, a standard community list is configured that permits routes from the following:
This example shows how to configure a standard community list that denies routes that carry communities from network 40 in autonomous system 65534 and from network 60 in autonomous system 65412. This example shows a logical AND condition; all community values must match in order for the list to be processed.
This example shows how to configure a named standard community list that permits all routes within the local autonomous system or permits routes from network 20 in autonomous system 40000. This example shows a logical OR condition; the first match is processed.
This example shows how to configure an expanded community list that denies routes that carry communities from any private autonomous system:
This example shows how to configure a named expanded community list that denies routes from network 1 through 99 in autonomous system 50000:
| Command | Description |
|---|---|
| send-community | Configures BGP to propagate community attributes to BGP peers. |
To enable the translation of a directed broadcast to physical broadcasts, use the ip directed-broadcast command. To disable this function, use the no form of this command.
ip directed-broadcast [acl-name]
no ip directed-broadcast [acl-name]
| Keyword or argument | Description |
|---|---|
| acl-name | Access control list (ACL) name. An ACL name can be any case-sensitive, alphanumeric string up to 63 characters. |
An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.
A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is exploded as a broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.
If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts on that subnet.
If the no ip directed-broadcast command has been configured for an interface, directed broadcasts destined for the subnet to which that interface is attached will be dropped, rather than being broadcast.
Note: Because directed broadcasts, and particularly Internet Control Message Protocol (ICMP) directed broadcasts, have been abused by malicious persons, we recommend that security-conscious users disable the ip directed-broadcast command on any interface where directed broadcasts are not needed and that they use access lists to limit the number of exploded packets.
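The definition in these guidelines (a packet addressed to the broadcast address of an attached subnet, sent from a host outside that subnet) is also the check an operator applies when reviewing flow records for interfaces that still explode such traffic. The following Python program is an added example, not NX-OS code and not part of this reference: it classifies packets against a router's attached subnets, models the drop/explode decision of this command with and without an ACL, and totals directed broadcasts per source. The subnets, addresses, and flow records are constructed for the example, and the ACL is reduced to a list of permitted source prefixes, which is this example's own simplification.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed example: the subnets directly attached to the router.
CONNECTED_SUBNETS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.1.2.0/24"),
    ipaddress.ip_network("192.168.50.0/25"),
]


def classify(src: str, dst: str,
             connected: Iterable[ipaddress.IPv4Network]) -> str:
    """Classify one packet as the router sees it. 'directed-broadcast' means
    the destination is the broadcast address of an attached subnet while the
    source is not a member of that subnet, which is the definition given in
    the usage guidelines."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in connected:
        if d == net.broadcast_address:
            return "local-broadcast" if s in net else "directed-broadcast"
    return "unicast"


def egress_decision(kind: str, src: str, directed_broadcast_enabled: bool,
                    acl_permit_sources: Sequence[str] = ()) -> str:
    """Model the effect of 'ip directed-broadcast [acl-name]' on the interface
    attached to the destination subnet. Disabled: directed broadcasts are
    dropped. Enabled: they are exploded onto the subnet, except that when an
    ACL is attached only sources it permits are exploded. The ACL is reduced
    here to a list of permitted source prefixes (our simplification). Other
    traffic is forwarded normally."""
    if kind != "directed-broadcast":
        return "forward"
    if not directed_broadcast_enabled:
        return "drop"
    if acl_permit_sources:
        source = ipaddress.ip_address(src)
        if not any(source in ipaddress.ip_network(p) for p in acl_permit_sources):
            return "drop"
    return "explode"


def directed_broadcast_sources(flows: Iterable[Tuple[str, str]],
                               connected: Iterable[ipaddress.IPv4Network]) -> Dict[str, int]:
    """Count directed broadcasts per source: the summary you would pull from
    flow records to find interfaces that still need 'no ip directed-broadcast'
    or an ACL on the exploded traffic."""
    connected = list(connected)
    return dict(Counter(src for src, dst in flows
                        if classify(src, dst, connected) == "directed-broadcast"))


# Constructed flow records: (source, destination).
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.1.2.255"),      # directed broadcast from outside
    ("198.51.100.7", "10.1.2.255"),
    ("10.1.2.9", "10.1.2.255"),          # local broadcast by a subnet member
    ("198.51.100.7", "10.1.2.10"),       # ordinary unicast
    ("203.0.113.4", "192.168.50.127"),   # directed broadcast to the /25
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        kind = classify(src, dst, CONNECTED_SUBNETS)
        print(f"{src:>14} -> {dst:<16} {kind:<19} "
              f"{egress_decision(kind, src, directed_broadcast_enabled=False)}")
    print(directed_broadcast_sources(SAMPLE_FLOWS, CONNECTED_SUBNETS))
```

With the feature disabled every directed broadcast in the sample is dropped while local broadcasts and unicast are unaffected; with it enabled and an ACL permitting only 203.0.113.0/24, the packets from 198.51.100.7 are still dropped and only the one from 203.0.113.4 is exploded, which is the access-list limiting the note above recommends.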
This example shows how to enable forwarding of IP directed broadcasts on Ethernet interface 2/1:
To create an extended community list entry, use the ip extcommunity-list command. To remove the entry, use the no form of this command.
ip extcommunity-list standard list-name { deny | permit } generic { transitive | nontransitive } aa4 : nn
no ip extcommunity-list standard generic { transitive | nontransitive } list-name
ip extcommunity-list expanded list-name { deny | permit } generic { transitive | nontransitive } regexp
no ip extcommunity-list expanded generic { transitive | nontransitive } list-name
| Keyword or argument | Description |
|---|---|
| transitive | Configures BGP to propagate the extended community attributes to other autonomous systems. |
| nontransitive | Configures BGP to propagate the extended community attributes to other autonomous systems. |
| aa4:nn | Autonomous system number and network number. This value is configured as a 4-byte AS number and a 2-byte network number separated by a colon. The 4-byte AS number range is from 1 to 4294967295 in plaintext notation, or from 1.0 to 56636.65535 in AS.dot notation. You can enter a single community or multiple communities, each separated by a space. |
| regexp | Regular expression that specifies a pattern to match against an input string. See the Cisco Nexus 5500 Series NX-OS Fundamentals Configuration Guide, Release 6.0, for details on regular expressions: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5500/sw/fundamentals/621_n1_1/Cisco_Nexus_5500_Series_NX-OS_Fundamentals_Configuration_Guide_Release_6_2_1_N1_1_chapter4.html#con_1237003 Note: Regular expressions can be used with expanded extended community lists only. |
Use the ip extcommunity-list command to configure extended community filtering for BGP. Extended community values are configured as a 6-byte number. The first four bytes represent the autonomous system number, and the last two bytes represent a user-defined network number. The BGP generic specific community attribute is defined in draft-ietf-idr-as4octet-extcomm-generic-subtype-00.txt.
BGP extended community exchange is not enabled by default. Use the send-extcommunity command in BGP neighbor address-family configuration mode to enable extended community attribute exchange between BGP peers.
Once you configure a permit value to match a given set of extended communities, the extended community list defaults to an implicit deny for all other extended community values.
Standard Extended Community Lists
Use standard extended community lists to configure specific extended community numbers. You can configure a maximum of 16 extended communities in a standard extended community list.
Expanded Extended Community Lists
Use expanded extended community lists to filter communities using a regular expression. Use regular expressions to configure patterns to match community attributes. When matching uses the * or + character, the longest construct is matched first. Nested constructs are matched from the outside in. Concatenated constructs are matched beginning at the left side. If a regular expression can match two different parts of an input string, it matches the earliest part first.
When you configure multiple values in the same extended community list statement, a logical AND condition is created. All extended community values must match to satisfy the AND condition. When you configure multiple values in separate community list statements, a logical OR condition is created. The first list that matches a condition is processed.
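The value format described in the syntax and usage guidelines above (a 4-byte AS number in plaintext or AS.dot notation, a 2-byte network number, 6 bytes in total, at most 16 values in a standard list) is what a configuration audit has to normalise before two lists can be compared, since `1.65534:40` and `131070:40` are the same value written two ways. The following Python program is an added example, not NX-OS code and not part of this reference: it parses both notations, produces the 6-byte value, decodes it again, and normalises one standard statement while enforcing the 16-value limit. Function names and the sample values are this example's own; the AS numbers are the ones this command's example names (network 40 in AS 1.65534 and network 60 in AS 1.65412).

```python
from typing import List, Tuple

AS4_MAX = 4294967295              # 4-byte AS range from the syntax description
MAX_STANDARD_EXTCOMMUNITIES = 16  # per standard list, from the usage guidelines


def parse_as4(text: str) -> int:
    """Accept a 4-byte AS number in plaintext ('131070') or in AS.dot form
    ('1.65534': high and low 16-bit halves) and return its integer value."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"AS.dot halves out of range: {text}")
        asn = (high << 16) | low
    else:
        asn = int(text)
    if not (1 <= asn <= AS4_MAX):
        raise ValueError(f"AS number out of range: {text}")
    return asn


def format_asdot(asn: int) -> str:
    """Render an AS number in AS.dot form; values below 65536 stay plain,
    as in RFC 5396 'asdot' notation."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


def parse_generic_extcommunity(text: str) -> bytes:
    """'aa4:nn' -> the 6-byte value: 4-byte AS number, then 2-byte network number."""
    aa4, nn = text.rsplit(":", 1)
    asn, number = parse_as4(aa4), int(nn)
    if not (0 <= number <= 65535):
        raise ValueError(f"network number out of range: {text}")
    return asn.to_bytes(4, "big") + number.to_bytes(2, "big")


def decode_generic_extcommunity(value: bytes) -> Tuple[int, int]:
    """Split a 6-byte value back into (AS number, network number)."""
    if len(value) != 6:
        raise ValueError("a generic extended community value is 6 bytes")
    return int.from_bytes(value[:4], "big"), int.from_bytes(value[4:], "big")


def canonical(text: str) -> str:
    """Normalise either notation to AS.dot so that configurations can be compared."""
    asn, number = decode_generic_extcommunity(parse_generic_extcommunity(text))
    return f"{format_asdot(asn)}:{number}"


def standard_statement_values(values: List[str]) -> List[bytes]:
    """Normalise the values of one standard extended community list statement:
    both notations collapse to the same 6-byte value, duplicates are dropped,
    and more than 16 distinct values is rejected."""
    seen: List[bytes] = []
    for value in values:
        encoded = parse_generic_extcommunity(value)
        if encoded not in seen:
            seen.append(encoded)
    if len(seen) > MAX_STANDARD_EXTCOMMUNITIES:
        raise ValueError(f"{len(seen)} values exceed the limit of "
                         f"{MAX_STANDARD_EXTCOMMUNITIES} per standard statement")
    return seen


if __name__ == "__main__":
    # Network 40 in AS 1.65534 and network 60 in AS 1.65412, each written in
    # both notations.
    for text in ("1.65534:40", "131070:40", "1.65412:60", "130948:60"):
        print(f"{text:>12} -> {parse_generic_extcommunity(text).hex()}  ({canonical(text)})")
```

The hex output makes the layout visible: `1.65534:40` becomes `0001fffe0028`, four bytes of AS number followed by two bytes of network number, and the plaintext spelling `131070:40` produces the identical bytes.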
This example shows how to configure a standard generic specific extended community list that permits routes from network 40 in autonomous system 1.65534 and from network 60 in autonomous system 1.65412:
| Command | Description |
|---|---|
| send-extcommunity | Configures BGP to propagate community attributes to BGP peers. |
To create a prefix list to match IP packets or routes against, use the ip prefix-list command. To remove the prefix-list, use the no form of this command.
ip prefix-list name [ seq number ] { permit | deny } prefix [ eq length | [ ge length ] [ le length ]]
no ip prefix-list name [ seq number ] { permit | deny } prefix [ eq length | [ ge length ] [ le length ]]
Use the ip prefix-list command to configure IP prefix filtering. Configure prefix lists with permit or deny keywords to either permit or deny the prefix based on the matching condition. A prefix list consists of an IP address and a bit mask. The bit mask is entered as a number from 1 to 32. An implicit deny is applied to traffic that does not match any prefix-list entry.
You can configure prefix lists to match an exact prefix length or a prefix range. Use the ge and le keywords to specify a range of the prefix lengths to match, which provides a more flexible configuration. If you do not configure a sequence number, Cisco NX-OS applies a default sequence number of 5 to the prefix list and subsequent prefix list entries are incremented by 5 (for example, 5, 10, 15, and so on). If you configure a sequence number for the first prefix list entry but not subsequent entries, then Cisco NX-OS increments the subsequent entries by 5 (for example, if the first configured sequence number is 3, then subsequent entries will be 8, 13, 18, and so on). You can suppress default sequence numbers by entering the no form of this command with the seq keyword.
Cisco NX-OS evaluates a prefix list starting with the lowest sequence number and continues down the list until a match is made. Once a match is made, the permit or deny statement is applied to that network and the rest of the list is not evaluated.
Tip: For the best performance of your network, configure the most frequently processed prefix list statements with the lowest sequence numbers. The seq number keyword and argument can be used for resequencing.
The prefix list is applied to inbound or outbound updates for a specific peer by entering the prefix-list command in neighbor address-family mode. Prefix list information and counters are displayed in the output of the show ip prefix-list command. Prefix-list counters can be reset by entering the clear ip prefix-list command.
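The rules in these guidelines (default sequence numbers in steps of 5, ge/le and eq length conditions, evaluation in ascending sequence order with the first match deciding, and an implicit deny) determine what a prefix list actually accepts, and the ge/le interaction in particular is worth checking before a filter goes onto a peer. The following Python program is an added example, not NX-OS code and not part of this reference: it parses statements written in this command's syntax, assigns sequence numbers the way the guidelines describe, and evaluates candidate prefixes. The list names and prefixes are constructed for this example.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class PrefixEntry(NamedTuple):
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]
    eq: Optional[int]


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixEntry]]:
    """Parse 'ip prefix-list <name> [seq n] {permit|deny} <prefix>
    [eq l | [ge l] [le l]]' statements. An omitted sequence number becomes
    the list's highest number so far plus 5, which yields 5, 10, 15 ... for
    an unnumbered list and 3, 8, 13 ... when only the first entry is given
    seq 3, as the usage guidelines describe."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in config.splitlines():
        tokens = line.strip().split()
        if tokens[:2] != ["ip", "prefix-list"] or len(tokens) < 5:
            continue
        name, rest = tokens[2], tokens[3:]
        entries = lists.setdefault(name, [])
        seq: Optional[int] = None
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        if seq is None:
            seq = (max(e.seq for e in entries) if entries else 0) + 5
        action, prefix = rest[0], ipaddress.ip_network(rest[1], strict=False)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        opts = dict(zip(rest[2::2], (int(v) for v in rest[3::2])))
        for key, length in opts.items():
            if key not in ("ge", "le", "eq") or not prefix.prefixlen <= length <= 32:
                raise ValueError(f"bad length option in: {line!r}")
        entries.append(PrefixEntry(seq, action, prefix,
                                   opts.get("ge"), opts.get("le"), opts.get("eq")))
    return lists


def length_matches(entry: PrefixEntry, plen: int) -> bool:
    """Apply the entry's length condition to a candidate prefix length."""
    if entry.eq is not None:
        return plen == entry.eq
    if entry.ge is None and entry.le is None:
        return plen == entry.prefix.prefixlen  # no range given: exact length only
    low = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    high = entry.le if entry.le is not None else 32
    return low <= plen <= high


def evaluate_prefix_list(entries: List[PrefixEntry],
                         candidate: str) -> Tuple[str, Optional[int]]:
    """Walk the list in ascending sequence order. The first entry whose
    network bits cover the candidate and whose length condition holds decides,
    and the rest of the list is not evaluated. No match is an implicit deny,
    reported here with sequence None."""
    net = ipaddress.ip_network(candidate, strict=False)
    for entry in sorted(entries, key=lambda e: e.seq):
        covers = (net.prefixlen >= entry.prefix.prefixlen
                  and net.network_address in entry.prefix)
        if covers and length_matches(entry, net.prefixlen):
            return entry.action, entry.seq
    return "deny", None


# Constructed configuration: an inbound filter for a customer allocated
# 203.0.113.0/24 (announceable down to /26) and 198.51.100.0/24 (exact
# length only), with the private 10.0.0.0/8 range rejected first. The other
# two lists only show how sequence numbers are assigned. Names and prefixes
# are made up for this example.
EXAMPLE_CONFIG = """
ip prefix-list FROM-CUST seq 10 deny 10.0.0.0/8 le 32
ip prefix-list FROM-CUST permit 203.0.113.0/24 le 26
ip prefix-list FROM-CUST permit 198.51.100.0/24
ip prefix-list RESEQ seq 3 permit 192.0.2.0/24
ip prefix-list RESEQ permit 192.0.2.0/24 ge 25 le 28
ip prefix-list DEFAULTS permit 192.0.2.0/24
ip prefix-list DEFAULTS permit 198.51.100.0/24 le 28
"""

PREFIX_LISTS = parse_prefix_lists(EXAMPLE_CONFIG)


def check(list_name: str, candidate: str) -> Tuple[str, Optional[int]]:
    """Evaluate a named list against one received prefix."""
    return evaluate_prefix_list(PREFIX_LISTS[list_name], candidate)
```

Against FROM-CUST, 10.20.0.0/16 is denied at sequence 10, 203.0.113.64/26 is permitted at sequence 15 while 203.0.113.0/27 falls outside the le 26 range and hits the implicit deny, and 198.51.100.0/25 is likewise denied because the entry without ge or le matches only the exact length. RESEQ shows the sequence numbers 3 and 8 that result from numbering only the first entry.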
This example shows how to configure a prefix list and apply it to a Border Gateway Protocol (BGP) peer:
To configure a description string for an IP prefix list, use the ip prefix-list description command. To revert to default, use the no form of this command.
ip prefix-list name description string
no ip prefix-list name description
| Keyword or argument | Description |
|---|---|
| name | Name of the prefix list. The name can be any alphanumeric string up to 63 characters. |
| string | Descriptive string for the prefix list. The string can be any alphanumeric string up to 90 characters. |
This example shows how to configure a description for an IP prefix list: