Hi,
what is the best configuration useful to peer with an AS, accept any of its routes but not the default? Something like:
from ASxxxx action pref=100; accept ANY AND NOT {0.0.0.0/0}
Thanks!
I would say, look at the previous post when you asked BGP questions. It is very extensive and with some modifications suitable for any BGP session.
Moreover, the answer to this question is in there as well.
Begin by reading through the manual on this topic:
https://docs.vyos.io/en/latest/configuration/policy/prefix-list.html
https://docs.vyos.io/en/latest/configuration/policy/route-map.html
Dealing with prefix-lists and route-maps is a bit odd…
But you can probably start with something like this (please correct me if I got this wrong):
set policy prefix-list defaultroute rule 10 description 'Default IPv4-route'
set policy prefix-list defaultroute rule 10 action 'permit'
set policy prefix-list defaultroute rule 10 prefix '0.0.0.0/0'
set policy prefix-list anyroute_24 rule 10 description 'Route smaller or equal to /24'
set policy prefix-list anyroute_24 rule 10 action 'permit'
set policy prefix-list anyroute_24 rule 10 prefix '0.0.0.0/0'
set policy prefix-list anyroute_24 rule 10 le 24
set policy prefix-list denyall rule 10 description 'Deny all routes'
set policy prefix-list denyall rule 10 action 'permit'
set policy prefix-list denyall rule 10 prefix '0.0.0.0/0'
set policy prefix-list denyall rule 10 le 32
set policy route-map EXAMPLE rule 10 action 'deny'
set policy route-map EXAMPLE rule 10 match ip address prefix-list 'defaultroute'
set policy route-map EXAMPLE rule 20 action 'permit'
set policy route-map EXAMPLE rule 20 match ip address prefix-list 'anyroute_24'
set policy route-map EXAMPLE rule 30 action 'deny'
set policy route-map EXAMPLE rule 30 match ip address prefix-list 'denyall'
set protocols bgp neighbor 192.0.2.1 address-family ipv4-unicast route-map import 'EXAMPLE'
set protocols bgp neighbor 192.0.2.1 remote-as '65001'
So to wrap it up… you start by creating your objects (prefix-lists) “defaultroute”, “anyroute_24” and “denyall”. The action permit in these is so they will be true if matched.
Then you construct your route-map which will first match for object “defaultroute” and if that's true it will deny the BGP entry (row) from your neighbor (that is ignoring routes sent your way for “0.0.0.0/0”). Then if no match it will check for “anyroute_24” and accept if the route is /0 - /24. And if no match you end up with a default “denyall” to catch anything that went this far in the route-map.
There is also a more modern approach by dealing with communities but that is more to “tag” various routes - the above should fit your needs of dropping 0.0.0.0/0 during import but allow any other route that is /24 or smaller (that is allow /0 to /24, but if a /25 to /32 shows up that will be dropped).
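As an added sanity check, not part of the thread or of VyOS itself, here is a small Python model of the prefix-list and route-map semantics described above (prefix plus ge/le range, top-down first-match evaluation, implicit deny at the end). The prefix-list and route-map contents are transcribed from the post, the sample routes are constructed; it lets you see which rule each candidate route hits before committing the policy.

```python
import ipaddress

# Constructed model of the policy from this thread, not VyOS/FRR code.
# Each prefix-list rule is (prefix, ge, le): a route matches when it lies
# inside the prefix and its length is within [ge, le]. A prefix with no
# ge/le (the "defaultroute" case) matches only that exact prefix length.
PREFIX_LISTS = {
    "defaultroute": [("0.0.0.0/0", 0, 0)],    # exactly the default route
    "anyroute_24":  [("0.0.0.0/0", 0, 24)],   # any prefix of length /0 .. /24
    "denyall":      [("0.0.0.0/0", 0, 32)],   # everything
}

# Route-map rows as (rule number, action, prefix-list to match).
ROUTE_MAP = [
    (10, "deny",   "defaultroute"),
    (20, "permit", "anyroute_24"),
    (30, "deny",   "denyall"),
]


def prefix_list_matches(name, route):
    """True if any rule of prefix-list `name` matches the route."""
    net = ipaddress.ip_network(route, strict=False)
    for prefix, ge, le in PREFIX_LISTS[name]:
        covering = ipaddress.ip_network(prefix)
        if net.subnet_of(covering) and ge <= net.prefixlen <= le:
            return True
    return False


def route_map_action(route):
    """Return (rule, action) of the first matching row; top-down, first match wins."""
    for rule, action, plist in ROUTE_MAP:
        if prefix_list_matches(plist, route):
            return rule, action
    return None, "deny"  # implicit deny at the end of every route-map


def import_filter(routes):
    """Evaluate a list of received routes and map each to its (rule, action)."""
    return {r: route_map_action(r) for r in routes}


if __name__ == "__main__":
    # Constructed sample of routes a neighbor might announce.
    sample = ["0.0.0.0/0", "10.0.0.0/8", "203.0.113.0/24",
              "198.51.100.128/25", "192.0.2.7/32"]
    for r, (rule, action) in import_filter(sample).items():
        print(f"{r:20} rule {rule}: {action}")
```

Running it shows the default route stopped by rule 10, the /8 and /24 accepted by rule 20, and the /25 and /32 dropped by rule 30.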