
Configuring the Policy for Receiving BGP Routing Information

After an import policy is configured, only the routes that match the import policy can be received.

Context

BGP can apply a routing policy to filter all received routes, or only the routes received from a specific peer or peer group.

The local BGP router may be exposed to service attacks: it may receive a large number of routes from neighbors, which consumes a lot of router resources. When too many BGP routes arrive, whether because of malicious attacks or incorrect configurations, the administrator must limit the resources consumed by the network and routers according to the network planning and the capacities of routers. BGP can limit the number of routes that it accepts from a peer.

Procedure

  • Configure BGP to filter received routes.
    1. Access the system view.

      system-view

    2. Access the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Access the BGP IPv4 unicast address family view.

      ipv4-family unicast

    4. Filter all received routes.

      filter-policy { acl-number | ip-prefix ip-prefix-name } import

      The routes received by BGP are filtered. Only those routes that meet matching rules are received by BGP and added to the routing table.

  • Apply a routing policy to the routes received from specified peers.
    1. Access the system view.

      system-view

    2. Access the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Access the BGP IPv4 unicast address family view.

      ipv4-family unicast

    4. Apply a routing policy to the received routes.

      peer { ipv4-address | group-name } route-policy route-policy-name import

  • Apply a filter to the routes received from specified peers.
    1. Access the system view.

      system-view

    2. Access the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Access the BGP IPv4 unicast address family view.

      ipv4-family unicast

    4. Run one of the following commands as required:

      • Configure BGP to filter routes based on the ACL.

        peer { ipv4-address | group-name } filter-policy acl-number import

      • Configure BGP to filter routes based on the AS-Path filter.

        peer { ipv4-address | group-name } as-path-filter as-path-filter-number import

      • Configure BGP to filter routes based on the IP prefix list.

        peer { ipv4-address | group-name } ip-prefix ip-prefix-name import

        A peer group and its members can apply different policies to filter the routes they receive. That is, each peer group can select its own policy when receiving routes.

  • Limit the number of routes received from a peer.
    1. Access the system view.

      system-view

    2. Access the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Set the number of routes that can be received from a peer or peer group.

      peer { group-name | ipv4-address } route-limit limit [ percentage ] [ alert-only | idle-forever | idle-timeout times ]

      This command limits the routes accepted from the peer. Configure the parameters as required to control how BGP behaves after the number of routes received from a peer exceeds the threshold.

      • alert-only: The peer relationship is not interrupted. The peer does not receive any routes that exceed the threshold, and an alarm is generated and recorded in the log.

      • idle-forever: The peer relationship is interrupted. The router does not retry setting up a connection. An alarm is generated and recorded in the log. Run the display bgp peer [ verbose ] command to check that the status of the peer is Idle. To restore the BGP connection, run the reset bgp command.

      • idle-timeout: The peer relationship is interrupted. The router retries setting up a connection after the timer expires. An alarm is generated and recorded in the log. Run the display bgp peer [ verbose ] command to check that the status of the peer is Idle. To restore the BGP connection before the timer expires, run the reset bgp command.

      • If none of the three parameters is set, the peer relationship is disconnected. The router retries setting up a connection after 30 seconds. An alarm is generated and recorded in the log.

      If the number of routes received by the local router exceeds the upper limit and the peer route-limit command is used for the first time, the local router and its peer reestablish the peer relationship, regardless of whether alert-only is set.
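One way to check a saved configuration for the controls in the procedure above is sketched below. It is an added example, not Huawei's code: it flags every IPv4 peer that has neither an import-direction filter nor a route-limit, taking into account settings inherited from the peer's group and a global filter-policy import. The sample configuration, its names, and the `as-number` and `group` lines around the page's commands are constructed assumptions.

```python
import re

# Constructed sample; the as-number and group lines are assumed context.
SAMPLE_CONFIG = """\
bgp 65001
 peer 192.0.2.1 as-number 65010
 peer 192.0.2.2 as-number 65020
 group CUSTOMERS external
 peer 192.0.2.3 group CUSTOMERS
 ipv4-family unicast
  peer 192.0.2.1 route-policy FROM-65010 import
  peer 192.0.2.1 route-limit 1000 80 alert-only
  peer 192.0.2.2 route-policy TO-65020 export
  peer CUSTOMERS ip-prefix CUSTOMER-NETS import
  peer CUSTOMERS route-limit 200
"""

IMPORT_FILTERS = {"route-policy", "filter-policy", "as-path-filter", "ip-prefix"}
PEER_LINE = re.compile(r"^\s*peer\s+(\S+)\s+(\S+)(.*)$")
GLOBAL_FILTER = re.compile(r"^\s*filter-policy\s+.*\bimport\s*$")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def audit_bgp_peers(config_text):
    """Map each IPv4 peer to the import-side controls it lacks."""
    seen, member_of, everywhere = {}, {}, set()
    for line in config_text.splitlines():
        if GLOBAL_FILTER.match(line):
            everywhere.add("import-filter")   # filters all received routes
        m = PEER_LINE.match(line)
        if not m:
            continue
        name, keyword, rest = m.group(1), m.group(2), m.group(3).split()
        controls = seen.setdefault(name, set())
        if keyword == "group" and rest:
            member_of[name] = rest[0]         # member inherits group settings
        elif keyword == "route-limit":
            controls.add("route-limit")
        elif keyword in IMPORT_FILTERS and rest[-1:] == ["import"]:
            controls.add("import-filter")     # export-direction lines do not count
    findings = {}
    for name, controls in seen.items():
        if not IPV4.fullmatch(name):
            continue                          # groups are reported through members
        effective = controls | seen.get(member_of.get(name), set()) | everywhere
        missing = [c for c in ("import-filter", "route-limit") if c not in effective]
        if missing:
            findings[name] = missing
    return findings
```

For the sample, only 192.0.2.2 is reported: its single route-policy is applied in the export direction and it has no route-limit, so nothing constrains what it can send to the local router.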

Copyright © Huawei Technologies Co., Ltd.