Configuring peering

This section provides configuration examples for peering features. Not all features are required to set up a basic peering connection.

Route policies

Routing policies control the size and content of the routing tables, the routes that are advertised, and the best route to take to reach a destination.

The following examples configure AS path and community lists that can be referenced by multiple policies.

Regular expression strings can be used to specify match criteria for the AS path and communities. For more information about using regular expressions, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide.

Configuring AS path and community lists

Regular expression strings are used to specify match criteria for the AS path and communities in the following example.

configure policy-options as-path "PEERING" { expression "64503" }
configure policy-options as-path-group "BOGON" { entry 10 expression ".* 0 .*" }
configure policy-options as-path-group "BOGON" { entry 20 expression ".* [64496-64511] .*" }
configure policy-options as-path-group "BOGON" { entry 30 expression ".* 65535 .*" }

configure policy-options community "LARGE-PEER" { member "65100:100" }
configure policy-options community "SMALL-PEERS" { member "65200:200" }
configure policy-options community "SMALL-PEERS" { member "65400:.*$" }
configure policy-options community "SMALL-PEERS" { member "65500:.*" }

Configuring prefix lists

configure policy-options prefix-list "AS65xx-prefixes" { prefix 10.100.100.0/24 type longer }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 10.200.0.0/16 type through through-length 24 }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 192.168.10.0/24 type through through-length 24 }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 10.10.1.1/32 type exact }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 172.16.0.0/16 type range start-length 16 }
configure policy-options prefix-list "AS65xx-prefixes" { prefix 172.16.0.0/16 type range end-length 19 }
configure policy-options prefix-list "IPv6-list" { prefix 2001:fd00:84::/46 type longer }
configure policy-options prefix-list "SMALLER_THAN_/48" { prefix ::/0 type range start-length 49 }
configure policy-options prefix-list "SMALLER_THAN_/48" { prefix ::/0 type range end-length 128 }

Configuring policy statements

The following example displays a policy statement configuration. Entries can be either numbered or named.

configure policy-options policy-statement "EXT-AS-IMPORT" entry-type named
configure policy-options policy-statement "EXT-AS-IMPORT" named-entry "Routes-AS64503" { from as-path name "PEERING" }
configure policy-options policy-statement "EXT-AS-IMPORT" named-entry "Routes-AS64503" { action action-type accept }

The policy can be applied as import or export under the BGP router, group, or neighbor context.

Importing policy under BGP root

configure router "Base" bgp group "eBGP-Peering" import { policy ["EXT-AS-IMPORT"] }

Test and evaluate route policies

Route policies can be tested and evaluated before they are applied to BGP as shown in the following example.

For more information about Route Policy Testing commands, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Clear, Monitor, Show, and Tools Command Reference Guide.

Use the following command to test and evaluate route policies.
show router bgp policy-test plcy-or-long-expr "EXT-AS-IMPORT" family ipv4 prefix 0.0.0.0/0 longer neighbor 192.168.0.3

Testing and evaluating route policies output

===============================================================================
 BGP Router ID:10.0.0.1         AS:64501       Local AS:64501
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
      Network                                            LocalPref   MED
      Nexthop                                            Path-Id     Label
      As-Path
-------------------------------------------------------------------------------
Accepted by Policy EXT-AS-IMPORT Entry Routes-AS64503
      10.10.1.24/29                                      None        None
      192.168.0.3                                        None        n/a
      64503                                                          -
Accepted by Policy EXT-AS-IMPORT Entry Routes-AS64503
      10.10.20.103/32                                    None        None
      192.168.0.3                                        None        n/a
      64503                                                          -
Accepted by Policy EXT-AS-IMPORT Entry Routes-AS64503
      192.168.0.0/24                                     None        None
      192.168.0.3                                        None        n/a
      64503                                                          -
-------------------------------------------------------------------------------
Routes : 3
===============================================================================

Cflowd

Cflowd is a tool used to obtain samples of IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. For more information about cflowd, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.

Configuring cflowd

configure cflowd overflow 10
configure cflowd active-flow-timeout 30
configure cflowd inactive-flow-timeout 10
configure cflowd sample-profile 1 { }
configure cflowd sample-profile 1 { sample-rate 100 }

configure cflowd collector 10.10.10.2 port 5000 { description "Neighbor collector" }
configure cflowd collector 10.10.10.2 port 5000 { autonomous-system-type peer }
configure cflowd collector 10.10.10.2 port 5000 { version 8 }
configure cflowd collector 10.10.10.2 port 5000 { aggregation protocol-port true }
configure cflowd collector 10.10.10.2 port 5000 { aggregation source-destination-prefix true }

configure cflowd collector 10.10.10.9 port 2000 { description "v9collector" }
configure cflowd collector 10.10.10.9 port 2000 { template-set mpls-ip }
configure cflowd collector 10.10.10.9 port 2000 { version 9 }
configure router "Base" interface "To-Peering-LAN" cflowd-parameters { sampling unicast type interface }
Use the following command to display the basic information about the administrative and operational status of cflowd.
show cflowd status

Cflowd status output

===============================================================================
Cflowd Status
===============================================================================
Cflowd Admin Status  : Enabled
Cflowd Oper Status   : Enabled
Cflowd Export Mode   : Automatic
Active Flow Timeout  : 30 seconds
---snip---

Active Flows         : 0
Dropped Flows        : 0
Total Pkts Rcvd      : 0
Total Pkts Dropped   : 0
Overflow Events      : 0
                                         Raw Flow Counts  Aggregate Flow Counts
Flows Created                                          0                      0
Flows Matched                                          0                      0
Flows Flushed                                          0                      0

==============================================================================
Sample Profile Info
==============================================================================
Profile Id     Sample Rate
------------------------------------------------------------------------------
    1                  100

===============================================================================
Version Info
===============================================================================
Version Status                   Sent                 Open               Errors
-------------------------------------------------------------------------------
    5   Disabled                    0                    0                    0
    8   Enabled                     0                    0                    0
    9   Enabled                     0                    0                    0
   10   Disabled                    0                    0                    0
===============================================================================

RPKI for prefix origin validation

7750 SR supports Resource Public Key Infrastructure (RPKI) for BGP prefix origin validation.

For more information about BGP prefix origin validation, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide.

BGP prefix origin validation in a RPKI session

configure router "Base" origin-validation rpki-session 172.31.1.2 admin-state enable
configure router "Base" origin-validation rpki-session 172.31.1.2 local-address 10.10.1.4
configure router "Base" origin-validation rpki-session 172.31.1.2 port 8282

configure router "Base" bgp group "eBGP-Peering" origin-validation { ipv4 true }
configure router "Base" bgp group "eBGP-Peering" origin-validation { ipv6 true }

configure router "Base" bgp best-path-selection { origin-invalid-unusable true }
Use the following command to display RPKI session information.
show router origin-validation rpki-session detail

RPKI session status detail output

===============================================================================
RPKI Session Information
===============================================================================
IP Address         : 172.31.1.2
Description        : (Not Specified)
-------------------------------------------------------------------------------
Port               : 8282               Oper State         : connect
Uptime             : 0d 00:00:00        Flaps              : 0
Active IPv4 Records: 0                  Active IPv6 Records: 0
Admin State        : Up                 Local Address      : 10.10.1.4
Hold Time          : 600                Refresh Time       : 300
Stale Route Time   : 3600               Connect Retry      : 120
Serial ID          : 0                  Session ID         : 0
===============================================================================
No. of Sessions    : 1
===============================================================================

BGP FlowSpec

FlowSpec is a standardized method for using BGP to distribute traffic flow specifications (flow routes) throughout a network. FlowSpec is supported for both IPv4 and IPv6.

For more information about FlowSpec, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide.

FlowSpec configuration

configure router "Base" bgp neighbor "192.168.0.3" family ipv4 ipv6 flow-ipv4 flow-ipv6 true

configure filter ip-filter "FSPEC-filter" default-action accept
configure filter ip-filter "FSPEC-filter" filter-id 99
configure filter ip-filter "FSPEC-filter" embed { flowspec offset 1000 }
configure filter ip-filter "FSPEC-filter" embed { flowspec offset 1000 router-instance "Base" }

configure router "Base" interface "To-Peering-LAN" ingress { filter ip "FSPEC-filter" }
Use the following command to display BGP flow IPv4 routes.
show router bgp routes flow-ipv4
Use the following command to display IPv4 filter information.
show filter ip "FSPEC-filter”

IP FPSEC filter output

===============================================================================
IP Filter
===============================================================================
Filter Id           : 99                           Applied        : Yes
Scope               : Template                     Def. Action    : Forward
Type                : Normal
Shared Policer      : Off
System filter       : Unchained
Radius Ins Pt       : n/a
CrCtl. Ins Pt       : n/a
RadSh. Ins Pt       : n/a
PccRl. Ins Pt       : n/a
Entries             : 0
Description         : (Not Specified)
Filter Name         : FSPEC-filter
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
No Match Criteria Found
===============================================================================

uRPF

Unicast reverse path forwarding check (uRPF) helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. The uRPF feature is supported for both IPv4 and IPv6 on network and access.

For more information about uRPF, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.

uRPF configuration

configure router "Base" interface "To-Peering-LAN" ipv4 { urpf-check mode loose }
configure router "Base" interface "To-Peering-LAN" ipv6 { urpf-check mode loose }