http://www.cymru.com/Documents/secure-bgp-template.html
! Our ASN is 111
router bgp 111
!
! Don't wait for the IGP to catch up.
no synchronization
!
! Be a little more forgiving of an occasional missed keepalive.
no bgp fast-external-fallover
!
! Track and punt, via syslog, all interesting observations about our
! neighbors.
bgp log-neighbor-changes
!
! Announce our netblock(s) in a manner that does not increase CPU
! utilization. Redistributing from an IGP is dangerous as it increases
! the likelihood of flapping and instability. Redistributing static is
! more stable, but requires the CPU to peruse the routing table at a set
! interval to capture any changes. The network statement, combined with
! a null route, is the least expensive (in terms of CPU utilization) and
! most reliable (in terms of stability) option.
network 1.88.0.0 mask 255.255.224.0
!
! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of 333.
neighbor 10.10.5.1 remote-as 333
!
! Set for soft reconfiguration, thus preventing a complete withdrawal
! of all announced prefixes when clear ip bgp x.x.x.x is typed.
neighbor 10.10.5.1 soft-reconfiguration inbound
!
! Type in a description for future reference. Not everyone memorizes
! ASNs. :-)
neighbor 10.10.5.1 description eBGP with ISP333
!
! Set up a password for authentication.
neighbor 10.10.5.1 password bgpwith333
!
! Hard-set for version 4. Disabled BGP version negotiation, thus
! bringing the peering session on-line more quickly.
neighbor 10.10.5.1 version 4
!
! Block any inbound announcments that include bogon networks. A prefix
! list is used because it is:
! 1) Easier on the CPU than ACLs, and
! 2) Easier to modify.
! See the actual bogons prefix-list below.
neighbor 10.10.5.1 prefix-list bogons in
!
! Announce only those networks we specifically list. This also prevents
! the network from becoming a transit provider. An added bit of protection
! and good netizenship. See the announce prefix-list below.
neighbor 10.10.5.1 prefix-list announce out
!
! Prevent a mistake or mishap by our peer (or someone with whom our peer
! has a peering agreement) from causing router meltdown by filling the
! routing and BGP tables. This is a hard limit. At 75% of this limit,
! the IOS will issue log messages warning that the neighbor is approaching
! the limit. All log messages should be sent to a remote syslog host.
! The warning water mark can be modified by placing a value after the
! maximum prefix value, e.g. maximum-prefix 250000 50. This will set the
! IOS to issue warning messages when the neighbor reaches 50% of the limit.
! Note that this number may need to be adjusted upward in the future to
! account for growth in the Internet routing table.
neighbor 10.10.5.1 maximum-prefix 250000
!
! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of 222.
neighbor 10.10.10.1 remote-as 222
neighbor 10.10.10.1 soft-reconfiguration inbound
neighbor 10.10.10.1 description eBGP with ISP222
neighbor 10.10.10.1 password bgpwith222
neighbor 10.10.10.1 version 4
neighbor 10.10.10.1 prefix-list bogons in
neighbor 10.10.10.1 prefix-list announce out
neighbor 10.10.10.1 maximum-prefix 250000
!
! This is our iBGP peer, 172.17.70.2.
neighbor 172.17.70.2 remote-as 111
!
neighbor 172.17.70.2 soft-reconfiguration inbound
!
! Again, a handy description.
neighbor 172.17.70.2 description iBGP with our other router
!
neighbor 172.17.70.2 password bgpwith111
! Use the loopback interface for iBGP announcements. This increases the
! stability of iBGP.
neighbor 172.17.70.2 update-source Loopback0
neighbor 172.17.70.2 version 4
neighbor 172.17.70.2 next-hop-self
neighbor 172.17.70.2 prefix-list bogons in
neighbor 172.17.70.2 maximum-prefix 250000
!
! Do not automatically summarize our announcements.
no auto-summary
! If we have multiple links on the same router to the same AS, we like to
! put them to good use. Load balance, per destination, with maximum-paths.
! The limit is six. For our example, we will assume two equal size pipes
! to the same AS.
maximum-paths 2
!
! Now add our null route and the loopback/iBGP route. Remember to add
! more specific non-null routes so that the packets travel to their
! intended destination!
ip route 1.88.0.0 255.255.224.0 Null0
ip route 1.88.50.0 255.255.255.0 192.168.50.5
ip route 1.88.55.0 255.255.255.0 192.168.50.8
ip route 1.88.75.128 255.255.255.128 192.168.50.10
ip route 172.17.70.2 255.255.255.255 192.168.50.2
!
! We protect TCP port 179 (BGP port) from miscreants by limiting
! access. Allow our peers to connect and log all other attempts.
! Remember to apply this ACL to the interfaces of the router or
! add it to existing ACLs.
! Please note that ACL 185 would block ALL traffic as written. This
! is designed to focus only on protecting BGP. You MUST modify ACL
! 185 to fit your environment and approved traffic patterns.
access-list 185 permit tcp host 10.10.5.1 host 10.10.5.2 eq 179
access-list 185 permit tcp host 10.10.5.1 eq bgp host 10.10.5.2
access-list 185 permit tcp host 10.10.10.1 host 10.10.10.2 eq 179
access-list 185 permit tcp host 10.10.10.1 eq bgp host 10.10.10.2
access-list 185 permit tcp host 172.17.70.2 host 172.17.70.1 eq 179
access-list 185 permit tcp host 172.17.70.2 eq bgp host 172.17.70.1
access-list 185 deny tcp any any eq 179 log-input
!
! The announce prefix list prevents us from announcing anything beyond
! our aggregated netblock(s).
ip prefix-list announce description Our allowed routing announcements
ip prefix-list announce seq 5 permit 1.88.0.0/19
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
!
! The bogons prefix list prevents the acceptance of obviously bogus
! routing updates. This can be modified to fit local requirements.
! While aggregation is possible - certainly desirable - IANA tends
! to allocate netblocks on a /8 boundary. For this reason, I have
! listed the bogons largely as /8 netblocks. This will make changes
! to the bogons prefix-list easier to accomplish and less intrusive.
! I have listed more specific netblocks when documentation, such as
! RFC1918, is more granular.
! Please see the IANA IPv4 netblock assignment document at the
! following URL:
! http://www.iana.org/assignments/ipv4-address-space
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 5.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 32 deny 14.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 27.0.0.0/8 le 32
ip prefix-list bogons seq 45 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 50 deny 36.0.0.0/8 le 32
ip prefix-list bogons seq 55 deny 37.0.0.0/8 le 32
ip prefix-list bogons seq 60 deny 39.0.0.0/8 le 32
ip prefix-list bogons seq 70 deny 42.0.0.0/8 le 32
ip prefix-list bogons seq 75 deny 46.0.0.0/8 le 32
ip prefix-list bogons seq 80 deny 49.0.0.0/8 le 32
ip prefix-list bogons seq 85 deny 50.0.0.0/8 le 32
ip prefix-list bogons seq 255 deny 100.0.0.0/8 le 32
ip prefix-list bogons seq 260 deny 101.0.0.0/8 le 32
ip prefix-list bogons seq 265 deny 102.0.0.0/8 le 32
ip prefix-list bogons seq 270 deny 103.0.0.0/8 le 32
ip prefix-list bogons seq 275 deny 104.0.0.0/8 le 32
ip prefix-list bogons seq 280 deny 105.0.0.0/8 le 32
ip prefix-list bogons seq 285 deny 106.0.0.0/8 le 32
ip prefix-list bogons seq 290 deny 107.0.0.0/8 le 32
ip prefix-list bogons seq 295 deny 108.0.0.0/8 le 32
ip prefix-list bogons seq 300 deny 109.0.0.0/8 le 32
ip prefix-list bogons seq 305 deny 110.0.0.0/8 le 32
ip prefix-list bogons seq 310 deny 111.0.0.0/8 le 32
ip prefix-list bogons seq 315 deny 112.0.0.0/8 le 32
ip prefix-list bogons seq 320 deny 113.0.0.0/8 le 32
ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 395 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 415 deny 175.0.0.0/8 le 32
ip prefix-list bogons seq 420 deny 176.0.0.0/8 le 32
ip prefix-list bogons seq 425 deny 177.0.0.0/8 le 32
ip prefix-list bogons seq 430 deny 178.0.0.0/8 le 32
ip prefix-list bogons seq 435 deny 179.0.0.0/8 le 32
ip prefix-list bogons seq 440 deny 180.0.0.0/8 le 32
ip prefix-list bogons seq 445 deny 181.0.0.0/8 le 32
ip prefix-list bogons seq 450 deny 182.0.0.0/8 le 32
ip prefix-list bogons seq 455 deny 183.0.0.0/8 le 32
ip prefix-list bogons seq 460 deny 184.0.0.0/8 le 32
ip prefix-list bogons seq 465 deny 185.0.0.0/8 le 32
ip prefix-list bogons seq 490 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 510 deny 197.0.0.0/8 le 32
ip prefix-list bogons seq 512 deny 198.18.0.0/15 le 32
ip prefix-list bogons seq 515 deny 223.0.0.0/8 le 32
ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
!
! END
No comments:
Post a Comment