The BGP Attribute Filter feature provides two ways to achieve an increased measure of security:
- The feature allows you to treat-as-withdraw an Update coming from a specified neighbor if the Update contains a specified attribute type. When an Update is treated as a withdraw, the prefixes in the Update are removed from the BGP routing table (if they existed in the routing table).
- The feature also allows you to drop specified path attributes from an Update, after which the system processes the rest of the Update as usual.
The BGP Enhanced Attribute Error Handling feature prevents peer sessions from flapping due to a malformed Update. The malformed Update is treated as a withdraw and does not cause the BGP session to be reset. This feature is enabled by default, but can be disabled.
The features are implemented in the following order:
- Received Updates that contain user-specified path attributes are treated as withdraw (as long as the NLRI can be parsed successfully). If there is an existing prefix in the BGP routing table, it will be removed. The neighbor path-attribute treat-as-withdraw command configures this feature.
- User-specified path attributes are discarded from received Updates, and the rest of the Update is processed normally. The neighbor path-attribute discard command configures this feature.
- Received Updates that are malformed are treated as withdraw. This feature is enabled by default; it can be disabled by configuring the no bgp enhanced-error command.
Details About Specifying Attributes as Treat-as-Withdraw
Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute treat-as-withdraw.
Attribute type 5 (localpref), type 9 (Originator), and type 10 (Cluster-id) can be configured for treat-as-withdraw for eBGP neighbors only.
Configuring path attributes to be treated as withdrawn will trigger an inbound Route Refresh to ensure that the routing table
is up to date.
Details About Specifying Attributes as Discard
Attribute types 1, 2, 3, 4, 8, 14, 15, and 16 cannot be configured for path attribute discard.
Attribute type 5 (localpref), type 9 (Originator), and type 10 (Cluster-id) can be configured for discard for eBGP neighbors
only.
Configuring path attributes to be discarded will trigger an inbound Route Refresh to ensure that the routing table is up to
date.
Details About Enhanced Attribute Error Handling
If a malformed Update is received, it is treated as a withdraw to prevent peer sessions from flapping due to the processing of BGP path attributes. This feature applies to eBGP and iBGP peers. This feature is enabled by default; it can be disabled.
Whether the BGP Enhanced Attribute Error Handling feature is enabled or disabled, BGP places the MP_REACH attribute (attribute 14) at the beginning of the attribute list while formatting an Update. Enhanced attribute error handling functions more easily when the MP_REACH attribute is at the beginning of the attribute list, because the NLRI can then be parsed before any later attribute is found to be malformed.
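As an added illustration (not Cisco's code) of the processing order listed above and of the configuration restrictions in the two "Details" sections, the following model applies treat-as-withdraw, discard, and malformed handling in that order to an already-parsed Update. It assumes the parser has produced a type-to-value attribute dictionary and a prefix list (None when the NLRI could not be parsed) and flags malformed attributes; the "session-reset" outcome when no NLRI is available is an assumption, since without parsed prefixes there is nothing to withdraw.

```python
# Added example, not from the original page: a model of the decision order
# described above (treat-as-withdraw, then discard, then malformed handling).
# Assumptions: the UPDATE has already been parsed into {attr_type: value}
# plus a prefix list (None when the NLRI could not be parsed); a malformed
# attribute is reported by the parser as a flag. Sample values are constructed.
from dataclasses import dataclass
from typing import Optional

NON_CONFIGURABLE = {1, 2, 3, 4, 8, 14, 15, 16}  # never filterable per the page
EBGP_ONLY = {5, 9, 10}                           # localpref, Originator, Cluster-id


def validate_attr_config(attr_type: int, neighbor_is_ebgp: bool) -> bool:
    """Mirror the configuration restrictions listed above."""
    if attr_type in NON_CONFIGURABLE:
        return False
    return neighbor_is_ebgp or attr_type not in EBGP_ONLY


@dataclass
class Update:
    attributes: dict                 # {attr_type: value}
    nlri: Optional[list]             # announced prefixes, None if unparseable
    malformed: bool = False          # parser flagged a malformed attribute


def process_update(rib: dict, upd: Update, withdraw_types: set,
                   discard_types: set, enhanced_error: bool = True) -> str:
    """Apply the three steps in order; rib maps prefix -> kept attributes."""
    def treat_as_withdraw() -> str:
        for prefix in upd.nlri:          # remove the prefixes if present
            rib.pop(prefix, None)
        return "treat-as-withdraw"

    # 1. neighbor path-attribute treat-as-withdraw (needs parseable NLRI)
    if upd.nlri is not None and withdraw_types.intersection(upd.attributes):
        return treat_as_withdraw()
    # 2. neighbor path-attribute discard: strip, then continue normally
    kept = {t: v for t, v in upd.attributes.items() if t not in discard_types}
    # 3. bgp enhanced-error: a malformed Update is withdrawn, not reset.
    #    Assumption: with no parseable NLRI there is nothing to withdraw,
    #    so a session reset is the only remaining outcome.
    if upd.malformed or upd.nlri is None:
        if enhanced_error and upd.nlri is not None:
            return treat_as_withdraw()
        return "session-reset"
    for prefix in upd.nlri:
        rib[prefix] = kept
    return "installed"
```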