Provided by: bgpq3_0.1.33-1_amd64

NAME

       bgpq3 — BGP filtering automation for Cisco and Juniper routers

SYNOPSIS

       bgpq3  [-h  host[:port]]  [-S sources] [-EP] [-f asn | -G asn] [-346ABbDdJjsX] [-r len] [-R len] [-m max]
             [-W len] OBJECTS [...]

DESCRIPTION

       The bgpq3 utility is used to generate Cisco and Juniper prefix-lists, extended access-lists,
       policy-statement terms and as-path lists based on RADB data.

       The options are as follows:

       -3      assume that your device is asn32-safe.

       -4      generate IPv4 prefix/access-lists (default).

       -6      generate IPv6 prefix/access-lists (IPv4 by default).

       -A      try to aggregate prefix-lists as much as possible (not all output formats supported).

       -B      generate output in OpenBGPD format (default: Cisco)

       -b      generate output in BIRD format (default: Cisco).

       -d      enable some debugging output.

       -D      use asdot notation for Cisco as-path access-lists.

       -E      generate extended access-list (Cisco) or policy-statement term using route-filters (Juniper).

       -f number
               generate input as-path access-list.

       -G number
               generate output as-path access-list.

       -h host[:port]
               host running IRRD database (default: whois.radb.net).

       -J      generate config for Juniper (default: Cisco).

       -j      generate output in JSON format (default: Cisco).

       -m len  maximum prefix-length of accepted prefixes (default: 32 for IPv4 and 128 for IPv6).

       -M match
               extra match conditions for Juniper route-filters.

       -l name
               name of generated entry.

       -P      generate prefix-list (default, backward compatibility).

       -r len  allow more specific routes starting with specified masklen too.

       -R len  allow more specific routes up to specified masklen too.

       -s      generate sequence numbers in IOS-style prefix-lists.

       -S sources
               use specified sources only (recommended: RADB,RIPE,APNIC).

       -T      disable pipelining.

       -W len  generate as-path strings of no more than len items (use 0 for infinity).

       -X      generate config for Cisco IOS XR devices (plain IOS by default).

       OBJECTS
               means networks (in prefix format), autonomous systems, as-sets and route-sets.

EXAMPLES

       Generating named juniper prefix-filter for AS20597:
       ~>bgpq3 -Jl eltel AS20597
       policy-options {
       replace:
        prefix-list eltel {
           81.9.0.0/20;
           81.9.32.0/20;
           81.9.96.0/20;
           81.222.128.0/20;
           81.222.192.0/18;
           85.249.8.0/21;
           85.249.224.0/19;
           89.112.0.0/19;
           89.112.4.0/22;
           89.112.32.0/19;
           89.112.64.0/19;
           217.170.64.0/20;
           217.170.80.0/20;
        }
       }

       For Cisco we can use the aggregation (-A) flag to make this prefix-filter more compact:
       ~>bgpq3 -Al eltel AS20597
       no ip prefix-list eltel
       ip prefix-list eltel permit 81.9.0.0/20
       ip prefix-list eltel permit 81.9.32.0/20
       ip prefix-list eltel permit 81.9.96.0/20
       ip prefix-list eltel permit 81.222.128.0/20
       ip prefix-list eltel permit 81.222.192.0/18
       ip prefix-list eltel permit 85.249.8.0/21
       ip prefix-list eltel permit 85.249.224.0/19
       ip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19
       ip prefix-list eltel permit 89.112.4.0/22
       ip prefix-list eltel permit 89.112.64.0/19
       ip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20
       As you can see, prefixes 89.112.0.0/19 and 89.112.32.0/19 are now aggregated into the single entry
       89.112.0.0/18 ge 19 le 19.

       Well,  for  Juniper  we  can  generate  even  more  interesting  policy-options,  using  -M  <extra match
       conditions>, -R <len> and hierarchical names:
       ~>bgpq3 -AJEl eltel/specifics -r 29 -R 32 -M "community blackhole" AS20597
       policy-options {
        policy-statement eltel {
         term specifics {
       replace:
          from {
           community blackhole;
           route-filter 81.9.0.0/20 prefix-length-range /29-/32;
           route-filter 81.9.32.0/20 prefix-length-range /29-/32;
           route-filter 81.9.96.0/20 prefix-length-range /29-/32;
           route-filter 81.222.128.0/20 prefix-length-range /29-/32;
           route-filter 81.222.192.0/18 prefix-length-range /29-/32;
           route-filter 85.249.8.0/21 prefix-length-range /29-/32;
           route-filter 85.249.224.0/19 prefix-length-range /29-/32;
           route-filter 89.112.0.0/17 prefix-length-range /29-/32;
           route-filter 217.170.64.0/19 prefix-length-range /29-/32;
          }
         }
        }
       }
       The generated policy-option term now allows all specifics with prefix-length between /29 and /32 for
       eltel networks if they match the special community 'blackhole' (defined elsewhere in the
       configuration).

       Of course, this version supports IPv6 (-6):
       ~>bgpq3 -6l as-retn-6 AS-RETN6
       no ipv6 prefix-list as-retn-6
       ipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48
       ipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48
       [....]
       Support for ASN32 is also here:
       ~>bgpq3 -J3f 112 AS-SPACENET
       policy-options {
       replace:
        as-path-group NN {
         as-path a0 "^112(112)*$";
         as-path a1 "^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$";
         as-path a2 "^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$";
         as-path a3 "^112(.)*(35052|41720|43628|44450|196611)$";
        }
       }
       See AS196611 at the end of the list? That is AS3.3 written in 'asplain' notation.

       For non-ASN32 capable routers you should not use the -3 switch, and the result will be as follows:
       ~>bgpq3 -f 112 AS-SPACENET
       no ip as-path access-list NN
       ip as-path access-list NN permit ^112(_112)*$
       ip as-path access-list NN permit ^112(_[0-9]+)*_(1898|5539|8495|8763)$
       ip as-path access-list NN permit ^112(_[0-9]+)*_(8878|12136|12931|15909)$
       ip as-path access-list NN permit ^112(_[0-9]+)*_(21358|23456|23600|24151)$
       ip as-path access-list NN permit ^112(_[0-9]+)*_(25152|31529|34127|34906)$
       ip as-path access-list NN permit ^112(_[0-9]+)*_(35052|41720|43628|44450)$

       AS196611 is no longer in the list; however, AS23456 (transition AS) would be added to the list if it
       were not present.

DIAGNOSTICS

       When everything is OK, bgpq3 writes the generated access-list to standard output and exits with
       status 0. In case of errors, they are printed to stderr and the program exits with non-zero status.

SEE ALSO

       http://www.radb.net/ Routing Arbiter project

       http://tools.ietf.org/html/draft-michaelson-4byte-as-representation-05  for  information  on  'asdot' and
       'asplain' notations.

       http://www.cisco.com/en/US/docs/ios/12_0s/release/ntes/120SNEWF.html#wp3521658 for information  on  Cisco
       implementation of ASN32.

AUTHOR

       Alexandre Snarskii <snar@snar.spb.ru>

Debian                                            Oct 27, 2008                                          BGPQ3(8)