{ .val_bool = true, .match_profile = "datacenter", },
{ .val_bool = false },
);
+FRR_CFG_DEFAULT_BOOL(BGP_ENFORCE_FIRST_AS,
+ { .val_bool = false, .match_version = "< 9.1", },
+ { .val_bool = true },
+);
DEFINE_HOOK(bgp_inst_config_write,
(struct bgp *bgp, struct vty *vty),
if (DFLT_BGP_SOFT_VERSION_CAPABILITY)
SET_FLAG((*bgp)->flags,
BGP_FLAG_SOFT_VERSION_CAPABILITY);
+ if (DFLT_BGP_ENFORCE_FIRST_AS)
+ SET_FLAG((*bgp)->flags, BGP_FLAG_ENFORCE_FIRST_AS);
ret = BGP_SUCCESS;
}
return CMD_SUCCESS;
}
+DEFPY(bgp_enforce_first_as,
+ bgp_enforce_first_as_cmd,
+ "[no] bgp enforce-first-as",
+ NO_STR
+ BGP_STR
+ "Enforce the first AS for EBGP routes\n")
+{
+ VTY_DECLVAR_CONTEXT(bgp, bgp);
+
+ if (no)
+ UNSET_FLAG(bgp->flags, BGP_FLAG_ENFORCE_FIRST_AS);
+ else
+ SET_FLAG(bgp->flags, BGP_FLAG_ENFORCE_FIRST_AS);
+
+ return CMD_SUCCESS;
+}
+
DEFPY(bgp_lu_uses_explicit_null, bgp_lu_uses_explicit_null_cmd,
"[no] bgp labeled-unicast <explicit-null|ipv4-explicit-null|ipv6-explicit-null>$value",
NO_STR BGP_STR
addr);
/* enforce-first-as */
- if (peergroup_flag_check(peer, PEER_FLAG_ENFORCE_FIRST_AS))
- vty_out(vty, " neighbor %s enforce-first-as\n", addr);
+ if (CHECK_FLAG(bgp->flags, BGP_FLAG_ENFORCE_FIRST_AS)) {
+ if (!peergroup_flag_check(peer, PEER_FLAG_ENFORCE_FIRST_AS))
+ vty_out(vty, " no neighbor %s enforce-first-as\n", addr);
+ } else {
+ if (peergroup_flag_check(peer, PEER_FLAG_ENFORCE_FIRST_AS))
+ vty_out(vty, " neighbor %s enforce-first-as\n", addr);
+ }
/* update-source */
if (peergroup_flag_check(peer, PEER_FLAG_UPDATE_SOURCE)) {
? ""
: "no ");
+ /* bgp enforce-first-as */
+ if (!!CHECK_FLAG(bgp->flags, BGP_FLAG_ENFORCE_FIRST_AS) !=
+ SAVE_BGP_ENFORCE_FIRST_AS)
+ vty_out(vty, " %sbgp enforce-first-as\n",
+ CHECK_FLAG(bgp->flags,
+ BGP_FLAG_ENFORCE_FIRST_AS)
+ ? ""
+ : "no ");
+
if (!!CHECK_FLAG(bgp->flags, BGP_FLAG_LU_IPV4_EXPLICIT_NULL) &&
!!CHECK_FLAG(bgp->flags, BGP_FLAG_LU_IPV6_EXPLICIT_NULL))
vty_out(vty, " bgp labeled-unicast explicit-null\n");
install_element(BGP_NODE, &bgp_ebgp_requires_policy_cmd);
install_element(BGP_NODE, &no_bgp_ebgp_requires_policy_cmd);
+ /* bgp enforce-first-as */
+ install_element(BGP_NODE, &bgp_enforce_first_as_cmd);
+
/* bgp labeled-unicast explicit-null */
install_element(BGP_NODE, &bgp_lu_uses_explicit_null_cmd);
This command enables rejection of incoming and outgoing routes having AS_SET or AS_CONFED_SET type.
+Enforce first AS
+----------------
+
+.. clicmd:: bgp enforce-first-as
+
+ To configure a router to deny an update received from an external BGP (eBGP)
+ peer that does not list its autonomous system number at the beginning of
+ the `AS_PATH` in the incoming update, use the ``bgp enforce-first-as`` command
+ in router configuration mode.
+
+ In order to exclude an arbitrary neighbor from this enforcement, use the
+ command ``no neighbor NAME enforce-first-as``. And vice-versa if a global
+ enforcement is disabled, you can override this behavior per neighbor too.
+
+ Default: enabled.
+
+.. note::
+
+ If you have a peering to RS (Route-Server), most likely you MUST disable the
+ first AS enforcement.
+
Suppress duplicate updates
--------------------------
Discard updates received from the specified (eBGP) peer if the AS_PATH
attribute does not contain the PEER's ASN as the first AS_PATH segment.
- Default: disabled.
+ You can enable or disable this enforcement globally too using
+ ``bgp enforce-first-as`` command.
+
+ Default: enabled.
.. clicmd:: neighbor PEER extended-optional-parameters
projects / matthieu / frr.git / commitdiff