Strict-Capability-Match
This scenario demonstrates how to configure the strict-capability-match option for a BGP neighbor. When enabled, the BGP session establishes only if the capabilities of both peers match exactly. If the capabilities do not match (e.g., one has IPv6 enabled, the other does not), the session fails.
Test iBGP - Neighbor strict-capability-match with matching capabilities
Description
Test to verify that the BGP session establishes when strict-capability-match is enabled and both peers have matching capabilities (both IPv4 only in this case). DUT1 advertises route 1.1.1.0/24 and DUT0 should receive it.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 neighbor peer strict-capability-match
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session establishes when capabilities match.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:
10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor     LocalAddr    V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State        PfxRcd  PfxSnt  Desc
10.10.0.200  10.10.0.100  4  20  5        4        2       0    0     00:00:01  Established  2       0       FRRouting/10.4.1

Total number of neighbors 1
Attention
Verify that DUT0 receives route 1.1.1.0/24 from DUT1.
Step 4: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:
1.1.1.0/24
Show output
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 20 local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *ui 1.1.1.0/24       10.10.0.200              0    100      0 ?
 *ui 10.10.0.0/24     10.10.0.200              0    100      0 ?

Displayed 2 routes and 2 total paths
Test iBGP - Neighbor strict-capability-match rejects mismatched capabilities
Description
Test to verify that the BGP session fails to establish when strict-capability-match is enabled and there is a capability mismatch. DUT0 has the IPv6 address-family enabled while DUT1 does not. With strict-capability-match, DUT0 rejects the session due to the capability mismatch. DUT0 should NOT receive route 1.1.1.0/24 because the session cannot establish.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer address-family ipv6-unicast activate
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 neighbor peer strict-capability-match
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session does NOT establish due to capability mismatch.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output does not match the following regular expressions:
10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor     LocalAddr    V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State  PfxRcd  PfxSnt  Desc
10.10.0.200  10.10.0.100  4  20  4        9        0       0    0     never    Idle   0       0       FRRouting/10.4.1

Total number of neighbors 1
Attention
Verify that DUT0 does NOT have route 1.1.1.0/24 because session is not established.
Step 4: Run command protocols bgp show ip at DUT0 and check if output does not match the following regular expressions:
1.1.1.0/24
Show output
No BGP prefixes displayed, 0 exist
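
Why the second test stays in Idle, as an added example (not code from this page, the vendor or FRRouting): a simplified model that parses the Capabilities optional parameter of a BGP OPEN (RFC 5492), extracts the Multiprotocol Extensions address families (RFC 4760) and rejects on any difference in either direction. The byte strings are constructed to mirror DUT0 and DUT1, the function names are hypothetical, and comparing only address families is an assumption of this model.

```python
import struct

CAP_PARAM = 2   # optional parameter type "Capabilities" (RFC 5492)
CAP_MP_EXT = 1  # capability code "Multiprotocol Extensions" (RFC 4760)
NAMES = {(1, 1): "ipv4-unicast", (2, 1): "ipv6-unicast"}

def _tlvs(buf):
    """Yield (type, value) for each 1-byte-type, 1-byte-length TLV in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated TLV at offset %d" % i)
        yield buf[i], buf[i + 2 : i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def address_families(opt_params):
    """Return the set of (AFI, SAFI) pairs announced in OPEN optional parameters."""
    fams = set()
    for ptype, pval in _tlvs(opt_params):
        if ptype != CAP_PARAM:
            continue
        for code, cval in _tlvs(pval):  # non-MP capabilities are skipped
            if code == CAP_MP_EXT and len(cval) == 4:
                afi, _reserved, safi = struct.unpack("!HBB", cval)
                fams.add((afi, safi))
    return fams

def strict_match(local, remote):
    """Model of the strict check (assumption): any difference rejects the session."""
    only_local = sorted(NAMES.get(f, str(f)) for f in local - remote)
    only_remote = sorted(NAMES.get(f, str(f)) for f in remote - local)
    return (not only_local and not only_remote), only_local, only_remote

def mp_cap(afi, safi):
    """Build one Capabilities parameter holding a single MP-BGP capability."""
    cap = bytes([CAP_MP_EXT, 4]) + struct.pack("!HBB", afi, 0, safi)
    return bytes([CAP_PARAM, len(cap)]) + cap

# Constructed sample data mirroring the two tests on this page.
RR = bytes([CAP_PARAM, 2, 2, 0])               # route-refresh capability (code 2)
DUT0_V4 = mp_cap(1, 1) + RR                    # test 1: DUT0, IPv4 only
DUT0_V4_V6 = mp_cap(1, 1) + mp_cap(2, 1) + RR  # test 2: DUT0 with ipv6-unicast
DUT1_V4 = mp_cap(1, 1) + RR                    # both tests: DUT1, IPv4 only

if __name__ == "__main__":
    print(strict_match(address_families(DUT0_V4), address_families(DUT1_V4)))
    print(strict_match(address_families(DUT0_V4_V6), address_families(DUT1_V4)))
```

The first call reports a match; the second reports ipv6-unicast as announced only by DUT0, which is the mismatch the second test relies on.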