bgpq

BGPQ(8)                     System Manager's Manual                    BGPQ(8)

NAME
     bgpq — generate access-lists for cisco routers and GateD

SYNOPSIS
     bgpq [-l name] [-h host] [-p port] [-d] [-c] [-H] [-A] [-R masklen]
          [-P | -i | -o | -s | -g | -e | -f number | -F format | -G number]
          [-a | -q] [-S src] objects [...] [EXCEPT objects]
     bgpq -r filename

DESCRIPTION
     The bgpq utility generates cisco access-lists and GateD network filters
     from RADB data.

     The options are as follows:

     -A      try to aggregate routes

     -a      print all routes uncommented

     -c      include commandline in output

     -d      increase debugging level

     -e      generate standard access-list

     -F format
             generate user-formatted output. See section Formatted Output for
             details.

     -f number
             generate as-path access-list using number as 'starting as' (see
             examples for explanation)

     -G number
             generate output as-path access-list using number as 'starting as'
             (see examples for explanation)

     -g      generate GateD network filter

     -H      do not print headers to access-list.

     -h host
             host with irrd (can be set with IRRD_HOST also)

     -i      generate input packet filter

     -l name
             name of generated access/prefixlist

     -o      generate output packet filter

     -P      generate prefixlist (access-list extended by default)

     -p port
             irrd port (43 by default)

     -q      print only aggregated routes (overlapped routes are not printed)

     -R masklen
             allow more specific routes up to masklen

     -r filename
             recompute the access-list stored in filename (see section
             Renewing access-lists with files)

     -s      print statistics

     -S source
             use only the specified source (RIPE or RADB, for example).  More
             than one source can be given, separated with commas (and not by
             spaces, please: that makes getopt(3) crazy).  Sources can also be
             set with the IRRD_SOURCE environment variable.

     "objects" are networks (in prefix, i.e. a.a.a.a/b, format), autonomous
     systems (in ASnnn format) and as-macros (in AS-xxxx format).  Since
     version 1.0.2 networks can also be given in RPSL format.

EXAMPLES
     Generating an access-list (extended, the default) for AS3319 using host
     sivka as a RADB mirror:
     bgpq -h sivka AS3319
     !generated with bgpq
     no ip access-list extended UNKNOWN
     ip access-list extended UNKNOWN
      permit ip host 194.44.31.0 host 255.255.255.0
      permit ip host 194.44.158.0 host 255.255.255.0
      permit ip host 194.44.162.0 host 255.255.255.0
      permit ip host 194.44.164.0 host 255.255.255.0
      permit ip host 194.44.170.0 host 255.255.255.0
      permit ip host 194.44.192.0 host 255.255.255.0
      permit ip host 194.44.193.0 host 255.255.255.0
      permit ip host 194.44.194.0 host 255.255.255.0
      permit ip host 194.44.195.0 host 255.255.255.0
      permit ip host 194.44.196.0 host 255.255.255.0
      permit ip host 194.44.197.0 host 255.255.255.0
      permit ip host 194.44.216.0 host 255.255.255.0
      permit ip host 195.178.128.0 host 255.255.224.0
     ! overlayed by 195.178.128.0/19 in the same AS3319
     ! -  permit ip host 195.178.136.0 host 255.255.254.0
     ! overlayed by 195.178.128.0/19 in the same AS3319
     ! -  permit ip host 195.178.150.0 host 255.255.255.0
     ! overlayed by 195.178.128.0/19 in the same AS3319
     ! -  permit ip host 195.178.128.0 host 255.255.255.0
     ! overlayed by 195.178.128.0/19 in the same AS3319
     ! -  permit ip host 195.178.130.0 host 255.255.254.0
     ! overlayed by 195.178.128.0/19 in the same AS3319
     ! -  permit ip host 195.178.132.0 host 255.255.255.0
      deny ip any any

     As you can see, this access-list includes all unique non-overlapped
     networks; the overlapped ones are commented out.  Use -a to print the
     overlapped routes uncommented, or -q not to print them at all.

     Note that some routes (194.44.192.0/24 and 194.44.193.0/24) can be
     aggregated into one record; you can do this with the -A option:
     bgpq -h sivka -qA AS3319
     !generated with bgpq
     no ip access-list extended UNKNOWN
     ip access-list extended UNKNOWN
      permit ip host 194.44.31.0 host 255.255.255.0
      permit ip host 194.44.158.0 host 255.255.255.0
      permit ip host 194.44.162.0 host 255.255.255.0
      permit ip host 194.44.164.0 host 255.255.255.0
      permit ip host 194.44.170.0 host 255.255.255.0
      permit ip 194.44.192.0 0.0.3.0 host 255.255.255.0
      permit ip 194.44.196.0 0.0.1.0 host 255.255.255.0
      permit ip host 194.44.216.0 host 255.255.255.0
      permit ip host 195.178.128.0 host 255.255.224.0
      deny ip any any
     Using quiet and aggregate mode together we get a more compact access-list.

     Now let us try some RPSL filters, for example to allow any /24 specific
     from the 194.44.0.0/16 block to pass our generated prefix-list:
     bgpq -h sivka -APql AS3319-IN AS3319 194.44.0.0/16^24
     !generated with bgpq
     no ip prefix-list AS3319-IN
     ip prefix-list AS3319-IN permit 194.44.0.0/16 ge 24 le 24
     ip prefix-list AS3319-IN permit 195.178.128.0/19
     You can see that the RPSL filter collapsed all the specifics into one
     entry.

     Another, though not so useful, feature of bgpq is the ability to generate
     as-path access-lists.  For this you need to specify the 'starting AS'
     number, because it cannot be determined from RADB data.  In the next
     example we build as-path access-list 88 to filter AS-LUCKY from AS3254:
     bgpq -h sivka -f 3254 -l 88 AS-LUCKY
     !generated with bgpq
     no ip as-path access-list 88
     ip as-path access-list 88 permit ^3254(_3254)*$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(3319|6876|8192|8258)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(8464|8601|8813|12593)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(12984|13027|13032|13103)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(13107|15458|15461|15595)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(15615|15682|15820|16002)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(16165|16223|16329|20586)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(20754|20790|20839|20949)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(20971|21011|21131|21219)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(21256|21257|21310|21354)$
     ip as-path access-list 88 permit ^3254(_[0-9]+)*_(21432|24621|24664|24682)$
     I think this feature is not really useful, because this type of filtering
     is much less strict than extended access-list or prefix-list filtering.
     For example, in the case of a wrongly configured peer router you can get
     a full view with all routes 'originated' from the peer AS.

RPSL Syntax
     The following is quoted from RFC2622:

         ^- is the exclusive more specifics operator; it stands for the more
     specifics of the address prefix excluding the address prefix itself.  For
     example, 128.9.0.0/16^- contains all the more specifics of 128.9.0.0/16
     excluding 128.9.0.0/16.

         ^+ is the inclusive more specifics operator; it stands for the more
     specifics of the address prefix including the address prefix itself.  For
     example, 5.0.0.0/8^+ contains all the more specifics of 5.0.0.0/8
     including 5.0.0.0/8.

         ^n where n is an integer, stands for all the length n specifics of
     the address prefix.  For example, 30.0.0.0/8^16 contains all the more
     specifics of 30.0.0.0/8 which are of length 16 such as 30.9.0.0/16.

         ^n-m where n and m are integers, stands for all the length n to
     length m specifics of the address prefix.  For example, 30.0.0.0/8^24-32
     contains all the more specifics of 30.0.0.0/8 which are of length 24 to
     32 such as 30.9.9.96/28.
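     The four operators above map directly onto the "ge"/"le" bounds of a
     cisco prefix-list entry, which is how the 194.44.0.0/16^24 example
     earlier became "permit 194.44.0.0/16 ge 24 le 24".  The following is an
     added example, not bgpq's own code: it parses an RPSL prefix expression
     into (network, ge, le), renders the prefix-list line, and tests whether
     a given route is accepted.  It also contrasts this with the as-path
     filtering shown earlier, to make concrete why the text calls as-path
     lists less strict: an as-path regex says nothing about the prefix.  All
     function names are mine; the regex syntax used for the as-path check is
     Python's re applied to an underscore-joined path, a simplification of
     how the router matches.

```python
# Added example, not bgpq's own code.  Translates RFC 2622 range operators
# into prefix-list ge/le bounds and compares prefix-list filtering with
# as-path regex filtering.  Only IPv4 is handled.
import re
from ipaddress import ip_network

# <prefix>[^-|^+|^n|^n-m]
_RPSL = re.compile(r"^(?P<pfx>\d+(?:\.\d+){3}/\d+)(?:\^(?P<op>-|\+|\d+(?:-\d+)?))?$")


def parse_rpsl(expr, maxlen=32):
    """Return (network, ge, le): a route is matched when it is a subnet of
    network and ge <= its prefix length <= le."""
    m = _RPSL.match(expr.strip())
    if not m:
        raise ValueError(f"not an RPSL prefix expression: {expr!r}")
    net = ip_network(m.group("pfx"))      # strict: host bits must be zero
    n, op = net.prefixlen, m.group("op")
    if op is None:                        # plain prefix: exact match only
        ge = le = n
    elif op == "-":                       # exclusive more specifics
        ge, le = n + 1, maxlen
    elif op == "+":                       # inclusive more specifics
        ge, le = n, maxlen
    elif "-" in op:                       # ^n-m
        ge, le = (int(x) for x in op.split("-", 1))
    else:                                 # ^n
        ge = le = int(op)
    if not n <= ge <= le <= maxlen:       # e.g. 1.2.3.0/24^8 or /32^-
        raise ValueError(f"empty or invalid range in {expr!r}: ge {ge} le {le}")
    return net, ge, le


def prefix_list_line(name, expr):
    """Render one cisco prefix-list entry the way bgpq -P does."""
    net, ge, le = parse_rpsl(expr)
    if ge == le == net.prefixlen:
        return f"ip prefix-list {name} permit {net}"
    return f"ip prefix-list {name} permit {net} ge {ge} le {le}"


def matches(expr, route):
    """True if route (a.b.c.d/len) is accepted by the RPSL expression."""
    net, ge, le = parse_rpsl(expr)
    r = ip_network(route)
    return r.subnet_of(net) and ge <= r.prefixlen <= le


def aspath_accepts(regex, aspath):
    """Apply one as-path access-list regex (cisco syntax, '_' as the
    delimiter) to a path given as a list of AS numbers.  Simplified: the
    path is joined with '_' and matched with Python's re."""
    return re.search(regex, "_".join(str(a) for a in aspath)) is not None


# Constructed: one line from the AS-LUCKY list above, and a prefix that is
# not in 194.44.0.0/16 at all but is announced with a matching origin.
ASPATH_LINE = r"^3254(_[0-9]+)*_(3319|6876|8192|8258)$"


def compare_filters():
    """Return (aspath_verdict, prefix_list_verdict) for a constructed
    announcement 10.0.0.0/8 via path 3254 6876 3319."""
    return (aspath_accepts(ASPATH_LINE, [3254, 6876, 3319]),
            matches("194.44.0.0/16^24", "10.0.0.0/8"))


if __name__ == "__main__":
    print(prefix_list_line("AS3319-IN", "194.44.0.0/16^24"))
    print("as-path accepts / prefix-list accepts:", compare_filters())
```

     compare_filters() returns (True, False): the as-path list lets the
     constructed 10.0.0.0/8 announcement through because only the origin is
     checked, while the prefix-list rejects it.  That is the difference the
     text points at when it calls as-path filtering less strict.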

Formatted Output
     In some cases you need to generate non-cisco and non-GateD configs.  This
     can be done easily with the -F format option.  In the format string %r
     and %n are substituted with the generated route, %m with the mask and %l
     with the masklen (the characters are abbreviations of 'route',
     'network', 'mask' and 'len' respectively).  All other characters are
     printed as is.  Example:
     bgpq -h sivka -F "ipfw add pass any from %r:%m to any in via xl1\n" AS3254
     !generated with bgpq
     ipfw add pass any from 62.244.0.0:255.255.192.0 to any in via xl1
     ipfw add pass any from 193.124.50.0:255.255.255.0 to any in via xl1
     ipfw add pass any from 193.193.192.0:255.255.224.0 to any in via xl1
     Note that output lines are not terminated with "\n" by default; you need
     to put it in the format string yourself.
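     A renderer for such templates is small enough to show in full.  The
     following is an added example, not bgpq's own code: it expands %r, %n,
     %m and %l per route and otherwise copies the format string through,
     including the fact that no newline is added unless the template carries
     one.  Decoding backslash escapes such as "\n" inside the template is my
     choice here, made so that the page's ipfw example works when the string
     is passed literally; the function and constant names are mine.

```python
# Added example, not bgpq's own code: a renderer for -F style templates.
# %r and %n expand to the route, %m to its netmask, %l to its prefix
# length; backslash escapes ("\n") in the template are decoded, which is
# my choice, not necessarily bgpq's.
import re
from ipaddress import ip_network

_TOKEN = re.compile(r"%([rnml])")


def render(fmt, routes):
    """Expand fmt once per route and return the concatenated output.  Only
    %r, %n, %m and %l are substituted; everything else is copied as is, so
    without a "\\n" in fmt all routes end up on one line."""
    # latin-1 keeps every character; unicode_escape turns "\n" into a newline
    template = fmt.encode("latin-1").decode("unicode_escape")
    out = []
    for r in routes:
        net = ip_network(r)
        fields = {"r": str(net.network_address), "n": str(net.network_address),
                  "m": str(net.netmask), "l": str(net.prefixlen)}
        out.append(_TOKEN.sub(lambda m: fields[m.group(1)], template))
    return "".join(out)


# Constructed sample matching the page's AS3254 example.
AS3254_ROUTES = ["62.244.0.0/18", "193.124.50.0/24", "193.193.192.0/19"]

if __name__ == "__main__":
    print(render(r"ipfw add pass any from %r:%m to any in via xl1\n", AS3254_ROUTES), end="")
```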

Renewing access-lists with files
     You can 'renew' an access-list (after an AS-macro has changed, and so on)
     if it was created with the -c (include commandline in output) option and
     stored in a file.  To renew it just run bgpq -r filename, where filename
     is the location of the stored access-list.

SEE ALSO
     http://www.radb.net/ for information about Routing Arbiter project,
     http://www.ripe.net/ for information about RIPE NCC,
     http://www.cisco.com/ for information about Cisco Systems,
     http://www.gated.org/ for information about GateD Consortium, RFC2622
     defines RPSL.

DIAGNOSTICS
     When everything is ok, bgpq writes the access-list to standard output and
     exits with status 0.  In case of errors they are printed to stderr and
     the program exits with non-zero status.

BUGS
     None known in code (yet? :) ), many in documentation (English is not my
     native language :( )

AUTHOR
     Alexandre Snarskii, <snar@paranoia.ru>

                               January 23, 2002