Configure BGP ASN Sets

Objective

This document provides instructions on how to create BGP Autonomous System Number (ASN) sets and apply them to service policies to control application traffic originating or reaching the ASes identified by the ASNs. To know more about service policies, see Service Policy.

Using the instructions provided in this guide, you can create BGP ASN sets and configure a service policy to allow traffic for one ASN and drop for another ASN.


Prerequisites

The following prerequisites apply:


Configuration

Configuration Sequence

Configuring BGP ASN sets and applying them in service policy requires performing the following sequence of actions:

Phase Description
Create BGP ASN Sets Create BGP ASN sets from the security options in the Volterra console.
Create Service Policy Rules Create a policy rule to permit traffic from one BGP ASN and drop traffic from another BGP ASN set.
Create a Service Policy Create a policy with the configured rules.

Create BGP ASN Sets

Step 1: Log into the Volterra Console and select Security from the configuration menu and BGP ASN Sets from the options. Click Add BGP ASN set.

Note: You can also change to your namespace and create the ASN set.

Step 2: Enter a name. Optionally, set labels as per your choice and add a description.

Step 3: Click add as number in the AS Numbers field and enter the numbers of ASes from which you want to allow traffic.

bgpASNset1
Figure: BGP ASN Set Creation

Step 4: Click Add BGP ASN set to complete creating the ASN set.

Step 5: Repeat Step 1 to Step 4 to create another BGP ASN set with the numbers of ASes from which you want to block the traffic.


Create Service Policy Rules

Service policy rules are used in controlling the traffic based on various conditions. This example shows how to allow or reject traffic coming from specific ASes. For more information on service policies and rules, see Create Service Policy Rule.

Step 1: Select the namespace where you want to create your Service Policy. Select Security from the configuration menu and Network Security from the options pane. Select Service Policy Rules and click Add service policy rule. The policy rule creation form gets loaded.

Step 2: Enter a name and select Allow for the Action field.

Step 3: Click AS Matcher to open the form to apply BGP ASN set. Click Select asn set and select the set you created in the Create BGP ASN Sets chapter.

AsMatcher
Figure: Service Policy Rule AS Matcher

Step 4: Click Select asn set and Apply to apply the ASN set to the service policy rule.

Step 5: Click Add service policy rule to complete creating service policy rule.

Step 6: Repeat Step 1 to Step 5 for creating a rule to block traffic from the second ASN set created in the Create BGP ASN Sets chapter. Ensure that you set the Action as Deny.

Create a Service Policy

Service policies apply rules in the order as per the specified configuration. For more information on service policies, see Configure Service Policy.

Step 1: Select the same namespace where you created your service policy rule. Select Security from the configuration menu and Network Security from the options pane. Select Service Policies and click Add service policy. The policy creation form gets loaded.

Step 2: Enter a name for the policy and set First Rule Match for the Rule Combining Algorithm field.

Step 3: Click Select rule and add the rules created in the Create Service Policy Rules chapter. Click Select rule.

Note: It is recommended to first add the rule that allows traffic from ASes and then add the rule that drops traffic from the other set of ASes.

Step 4: Click Add service policy to complete service policy creation.

Note: You can use other fields of service policy creation such as Server Name Matcher for granular control. For more information, see Configure Service Policy.

You can use this policy in a service policy set and apply the BGP ASN sets to control your application traffic. For more information on service policy set configuration, see Configure Service Policy Set.


Concepts


API References