Configuring peering
This section provides configuration examples for peering features. Not all features are required to set up a basic peering connection.
Route policies
Routing policies control the size and content of the routing tables, the routes that are advertised, and the best route to take to reach a destination.
The following examples configure AS path and community lists that can be referenced by multiple policies.
Regular expression strings can be used to specify match criteria for the AS path and communities. For more information about using regular expressions, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide.
Configuring AS path and community lists
Regular expression strings are used to specify match criteria for the AS path and communities in the following example.
configure policy-options as-path "PEERING" { expression "64503" }
configure policy-options as-path-group "BOGON" { entry 10 expression ".* 0 .*" }
configure policy-options as-path-group "BOGON" { entry 20 expression ".* [64496-64511] .*" }
configure policy-options as-path-group "BOGON" { entry 30 expression ".* 65535 .*" }
configure policy-options community "LARGE-PEER" { member "65100:100" }
configure policy-options community "SMALL-PEERS" { member "65200:200" }
configure policy-options community "SMALL-PEERS" { member "65400:.*$" }
configure policy-options community "SMALL-PEERS" { member "65500:.*" }
Configuring prefix lists
configure policy-options prefix-list "AS65xx-prefixes" { prefix 10.100.100.0/24 type longer }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 10.200.0.0/16 type through through-length 24 }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 192.168.10.0/24 type through through-length 24 }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 10.10.1.1/32 type exact }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 172.16.0.0/16 type range start-length 16 }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 172.16.0.0/16 type range end-length 19 }
configure policy-options prefix-list "IPv6-list" { prefix 2001:fd00:84::/46 type longer }
configure policy-options prefix-list "SMALLER_THAN_/48" { prefix ::/0 type range start-length 49 }
configure policy-options prefix-list "SMALLER_THAN_/48" { prefix ::/0 type range end-length 128 }
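The following Python example is added here and is not part of the Nokia documentation. It models the four match types used in the prefix lists above so that a candidate route can be checked offline. It assumes that longer, through, and range all select routes inside the configured prefix whose length falls within an inclusive range; the names LISTS, length_bounds, and first_match are illustrative.

```python
import ipaddress

# Entries transcribed from the prefix lists above: (prefix, type, start, end).
# start/end carry through-length or the range bounds; None where unused.
LISTS = {
    "AS65xx-prefixes": [
        ("10.100.100.0/24", "longer", None, None),
        ("10.200.0.0/16", "through", None, 24),
        ("192.168.10.0/24", "through", None, 24),
        ("10.10.1.1/32", "exact", None, None),
        ("172.16.0.0/16", "range", 16, 19),
    ],
    "SMALLER_THAN_/48": [("::/0", "range", 49, 128)],
}

def length_bounds(net, kind, start, end):
    """Inclusive (min, max) route prefix length accepted by one entry (assumed semantics)."""
    if kind == "exact":
        return net.prefixlen, net.prefixlen
    if kind == "longer":
        return net.prefixlen, net.max_prefixlen
    if kind == "through":
        return net.prefixlen, end
    if kind == "range":
        return start, end
    raise ValueError(f"unknown match type: {kind}")

def first_match(route, list_name):
    """Return the first entry prefix in the named list that matches route, else None."""
    route = ipaddress.ip_network(route)
    for prefix, kind, start, end in LISTS[list_name]:
        net = ipaddress.ip_network(prefix)
        if net.version != route.version:
            continue  # an IPv4 entry never matches an IPv6 route, and vice versa
        low, high = length_bounds(net, kind, start, end)
        # The route must sit inside the entry's prefix and its length within bounds.
        if route.subnet_of(net) and low <= route.prefixlen <= high:
            return prefix
    return None

if __name__ == "__main__":
    for r in ("10.200.4.0/22", "10.200.4.0/25", "172.16.32.0/20", "192.168.10.0/25"):
        print(r, "->", first_match(r, "AS65xx-prefixes"))
    print("2001:db8:1::/64 ->", first_match("2001:db8:1::/64", "SMALLER_THAN_/48"))
```

Under these semantics, the 192.168.10.0/24 entry with through-length 24 behaves like an exact match, and the "SMALLER_THAN_/48" list selects every IPv6 route more specific than /48.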
Configuring policy statements
The following example displays a policy statement configuration. Entries can be either numbered or named.
configure policy-options policy-statement "EXT-AS-IMPORT" entry-type named
configure policy-options policy-statement "EXT-AS-IMPORT" named-entry "Routes-AS64503" { from as-path name "PEERING" }
configure policy-options policy-statement "EXT-AS-IMPORT" named-entry "Routes-AS64503" { action action-type accept }
The policy can be applied as import or export under the BGP router, group, or neighbor context.
Importing policy under BGP root
configure router "Base" bgp group "eBGP-Peering" import { policy ["EXT-AS-IMPORT"] }
Test and evaluate route policies
Route policies can be tested and evaluated before they are applied to BGP as shown in the following example.
For more information about Route Policy Testing commands, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Clear, Monitor, Show, and Tools Command Reference Guide.
show router bgp policy-test plcy-or-long-expr "EXT-AS-IMPORT" family ipv4 prefix 0.0.0.0/0 longer neighbor 192.168.0.3
Testing and evaluating route policies output
===============================================================================
BGP Router ID:10.0.0.1 AS:64501 Local AS:64501
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Network LocalPref MED
Nexthop Path-Id Label
As-Path
-------------------------------------------------------------------------------
Accepted by Policy EXT-AS-IMPORT Entry Routes-AS64503
10.10.1.24/29 None None
192.168.0.3 None n/a
64503 -
Accepted by Policy EXT-AS-IMPORT Entry Routes-AS64503
10.10.20.103/32 None None
192.168.0.3 None n/a
64503 -
Accepted by Policy EXT-AS-IMPORT Entry Routes-AS64503
192.168.0.0/24 None None
192.168.0.3 None n/a
64503 -
-------------------------------------------------------------------------------
Routes : 3
===============================================================================
Cflowd
Cflowd is a tool used to obtain samples of IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. For more information about cflowd, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Configuring cflowd
configure cflowd overflow 10
configure cflowd active-flow-timeout 30
configure cflowd inactive-flow-timeout 10
configure cflowd sample-profile 1 { }
configure cflowd sample-profile 1 { sample-rate 100 }
configure cflowd collector 10.10.10.2 port 5000 { description "Neighbor collector" }
configure cflowd collector 10.10.10.2 port 5000 { autonomous-system-type peer }
configure cflowd collector 10.10.10.2 port 5000 { version 8 }
configure cflowd collector 10.10.10.2 port 5000 { aggregation protocol-port true }
configure cflowd collector 10.10.10.2 port 5000 { aggregation source-destination-prefix true }
configure cflowd collector 10.10.10.9 port 2000 { description "v9collector" }
configure cflowd collector 10.10.10.9 port 2000 { template-set mpls-ip }
configure cflowd collector 10.10.10.9 port 2000 { version 9 }
configure router "Base" interface "To-Peering-LAN" cflowd-parameters { sampling unicast type interface }
show cflowd status
Cflowd status output
===============================================================================
Cflowd Status
===============================================================================
Cflowd Admin Status : Enabled
Cflowd Oper Status : Enabled
Cflowd Export Mode : Automatic
Active Flow Timeout : 30 seconds
---snip---
Active Flows : 0
Dropped Flows : 0
Total Pkts Rcvd : 0
Total Pkts Dropped : 0
Overflow Events : 0
                     Raw Flow Counts     Aggregate Flow Counts
Flows Created        0                   0
Flows Matched        0                   0
Flows Flushed        0                   0
==============================================================================
Sample Profile Info
==============================================================================
Profile Id     Sample Rate
------------------------------------------------------------------------------
1              100
===============================================================================
Version Info
===============================================================================
Version    Status      Sent       Open       Errors
-------------------------------------------------------------------------------
5          Disabled    0          0          0
8          Enabled     0          0          0
9          Enabled     0          0          0
10         Disabled    0          0          0
===============================================================================
RPKI for prefix origin validation
7750 SR supports Resource Public Key Infrastructure (RPKI) for BGP prefix origin validation.
For more information about BGP prefix origin validation, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide.
BGP prefix origin validation in an RPKI session
configure router "Base" origin-validation rpki-session 172.31.1.2 admin-state enable
configure router "Base" origin-validation rpki-session 172.31.1.2 local-address 10.10.1.4
configure router "Base" origin-validation rpki-session 172.31.1.2 port 8282
configure router "Base" bgp group "eBGP-Peering" origin-validation { ipv4 true }
configure router "Base" bgp group "eBGP-Peering" origin-validation { ipv6 true }
configure router "Base" bgp best-path-selection { origin-invalid-unusable true }
show router origin-validation rpki-session detail
RPKI session status detail output
===============================================================================
RPKI Session Information
===============================================================================
IP Address : 172.31.1.2
Description : (Not Specified)
-------------------------------------------------------------------------------
Port : 8282 Oper State : connect
Uptime : 0d 00:00:00 Flaps : 0
Active IPv4 Records: 0 Active IPv6 Records: 0
Admin State : Up Local Address : 10.10.1.4
Hold Time : 600 Refresh Time : 300
Stale Route Time : 3600 Connect Retry : 120
Serial ID : 0 Session ID : 0
===============================================================================
No. of Sessions : 1
===============================================================================
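The following Python example is added here and is not part of the Nokia documentation. It works through the origin validation decision defined in RFC 6811 and models the effect of origin-invalid-unusable on the routes that remain eligible for best-path selection. The VRP records and received routes are constructed, and the function names are illustrative.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads) as an RPKI cache would deliver them:
# (prefix, max_length, origin_as). Documentation prefixes, not real ROAs.
VRPS = [
    ("192.0.2.0/24", 24, 64503),
    ("203.0.113.0/24", 28, 64503),
    ("2001:db8::/32", 48, 64503),
]

def origin_state(route, origin_as, vrps=VRPS):
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route)
    covered = False
    for prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(prefix)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue  # this VRP does not cover the route
        covered = True
        # A covering VRP matches only if the route is not more specific than
        # max_length and the origin AS agrees; AS 0 never matches any route.
        if route.prefixlen <= max_len and vrp_as == origin_as and vrp_as != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def usable_routes(routes, origin_invalid_unusable=True):
    """Model origin-invalid-unusable: drop invalid routes before best-path selection."""
    kept = []
    for prefix, origin_as in routes:
        state = origin_state(prefix, origin_as)
        if state == "invalid" and origin_invalid_unusable:
            continue
        kept.append((prefix, origin_as, state))
    return kept

# Constructed routes as received from the peer in AS 64503: (prefix, origin AS).
RECEIVED = [
    ("192.0.2.0/24", 64503),     # covered, origin and length agree
    ("192.0.2.128/25", 64503),   # more specific than max_length 24
    ("203.0.113.0/24", 64500),   # covered, but wrong origin AS
    ("198.51.100.0/24", 64503),  # no covering VRP
]

if __name__ == "__main__":
    for entry in usable_routes(RECEIVED):
        print(entry)
```

With zero active records, as in the session output above where the operational state is still connect, no VRP covers any route, so every route evaluates to not-found and none is discarded.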
BGP FlowSpec
FlowSpec is a standardized method for using BGP to distribute traffic flow specifications (flow routes) throughout a network. FlowSpec is supported for both IPv4 and IPv6.
For more information about FlowSpec, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide.
FlowSpec configuration
configure router "Base" bgp neighbor "192.168.0.3" family ipv4 ipv6 flow-ipv4 flow-ipv6 true
configure filter ip-filter "FSPEC-filter" default-action accept
configure filter ip-filter "FSPEC-filter" filter-id 99
configure filter ip-filter "FSPEC-filter" embed { flowspec offset 1000 }
configure filter ip-filter "FSPEC-filter" embed { flowspec offset 1000 router-instance "Base" }
configure router "Base" interface "To-Peering-LAN" ingress { filter ip "FSPEC-filter" }
show router bgp routes flow-ipv4
show filter ip "FSPEC-filter"
IP FSPEC filter output
===============================================================================
IP Filter
===============================================================================
Filter Id : 99 Applied : Yes
Scope : Template Def. Action : Forward
Type : Normal
Shared Policer : Off
System filter : Unchained
Radius Ins Pt : n/a
CrCtl. Ins Pt : n/a
RadSh. Ins Pt : n/a
PccRl. Ins Pt : n/a
Entries : 0
Description : (Not Specified)
Filter Name : FSPEC-filter
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
No Match Criteria Found
===============================================================================
uRPF
Unicast reverse path forwarding check (uRPF) helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. The uRPF feature is supported for both IPv4 and IPv6 on network and access.
For more information about uRPF, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
uRPF configuration
configure router "Base" interface "To-Peering-LAN" ipv4 { urpf-check mode loose }
configure router "Base" interface "To-Peering-LAN" ipv6 { urpf-check mode loose }