The BGP Attribute Filter feature provides two ways to achieve an increased measure of security:
- The feature allows you to treat-as-withdraw an Update coming from a specified neighbor if the Update contains a specified attribute type. When an Update is treat-as-withdraw, the prefixes in the Update are removed from the BGP routing table (if they existed in the routing table).
- The feature also allows you to drop specified path attributes from an Update, and then the system processes the rest of the Update as usual.
The BGP Enhanced Attribute Error Handling feature prevents peer sessions from flapping due to a malformed Update. The malformed Update is treat-as-withdraw and does not cause the BGP session to be reset. This feature is enabled by default, but can be disabled.
The features are implemented in the following order:
- Received Updates that contain user-specified path attributes are treat-as-withdraw (as long as the NLRI can be parsed successfully). If there is an existing prefix in the BGP routing table, it will be removed. The
neighbor path-attribute treat-as-withdraw command configures this feature.
- User-specified path attributes are discarded from received Updates, and the rest of the Update is processed normally. The
neighbor path-attribute discard command configures this feature.
- Received Updates that are malformed are treat-as-withdraw. This feature is enabled by default; it can be disabled by configuring the
no bgp enhanced-error command.
Details About Specifying Attributes as Treat-as-Withdraw
Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute treat-as-withdraw.
Attribute type 5 (localpref), type 9 (Originator,) and type 10 (Cluster-id) can be configured for treat-as-withdraw for eBGP neighbors only.
Configuring path attributes to be treated as withdrawn will trigger an inbound Route Refresh to ensure that the routing table is up to date.
Details About Specifying Attributes as Discard
Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute discard.
Attribute type 5 (localpref), type 9 (Originator), and type 10 (Cluster-id) can be configured for discard for eBGP neighbors only.
Configuring path attributes to be discarded will trigger an inbound Route Refresh to ensure that the routing table is up to date.
Details About Enhanced Attribute Error Handling
If a malformed Update is received, it is treat-as-withdraw to prevent peer sessions from flapping due to the processing of BGP path attributes. This feature applies to eBGP and iBGP peers. This feature is enabled by default; it can be disabled.
This feature causes BGP to format the MP_REACH attribute (attribute 14) in front of other attributes. This is necessary because if any of the attribute lengths are malformed, there is no way to reach the MP_REACH attribute if it is put at the end, and therefore no way to withdraw the prefixes. If this feature is disabled, the MP_REACH attribute is formatted at the end of the Update.