BGP route configuration examples for various router platforms

Cisco router traditional bogons

This page aggregates all of the examples referenced on the Bogon Route Server Project (Bogons via BGP) page. Please see that page for full details of the Bogon Route Server Project, system requirements, caveats, etc.


 router bgp <your asn>
 neighbor x.x.x.x remote-as 65333
 neighbor x.x.x.x ebgp-multihop 255
 neighbor x.x.x.x description <your description>
 neighbor x.x.x.x prefix-list cymru-out out
 neighbor x.x.x.x route-map CYMRUBOGONS in
 neighbor x.x.x.x password <your password>
 neighbor x.x.x.x maximum-prefix 100 90
! You'll need to increase the maximum to at least 50000 with an
! appropriate threshold if you're receiving one or both fullbogons
! feeds.
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
! Set a bogon next-hop on all routers that receive the bogons.
ip route 192.0.2.1 255.255.255.255 null0
!
! Configure a community list to accept the bogon prefixes into the
! route-map.
ip community-list 10 permit 65333:888
!
! Configure the route-map.  Remember to apply it to the proper
! peering sessions.
route-map CYMRUBOGONS permit 10
 description Filter bogons learned from cymru.com bogon route-servers
 match community 10
 set ip next-hop 192.0.2.1
!
ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32
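The Cisco example above makes three decisions that every platform example on this page repeats in its own syntax: keep only routes tagged with community 65333:888, point them at a locally discarded next hop, and tear the session down if the route-server ever sends more prefixes than maximum-prefix allows. The following Python model is an added illustration of that logic, not code from Team Cymru or Cisco. It goes slightly beyond the snippet by also handling IPv6 prefixes the way the fullbogons example further down does (a separate discard next hop). The Route and Session classes, the import_policy/receive/demo functions, and all sample prefixes, communities and next hops are constructed for this example; 192.0.2.1 and 65333:888 come from the configuration above.

```python
"""Model of the CYMRUBOGONS import policy from the Cisco example above.

Added example, not Team Cymru's or Cisco's code. It reproduces the three
decisions the route-map and maximum-prefix settings make: accept only
routes carrying 65333:888, rewrite their next hop to the locally
discarded address, and enforce maximum-prefix with a warning threshold.
IPv6 prefixes get the IPv6 discard next hop used by the fullbogons
example on this page. All prefixes and communities below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

BOGON_COMMUNITY = "65333:888"                     # tagged by the bogon route-servers
V4_DISCARD_NEXT_HOP = "192.0.2.1"                 # "ip route 192.0.2.1 255.255.255.255 null0"
V6_DISCARD_NEXT_HOP = "2001:db8:0:dead:beef::1"   # IPv6 analogue from the fullbogons example


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: FrozenSet[str]
    next_hop: str


@dataclass
class Session:
    maximum_prefix: int          # "maximum-prefix 100"
    threshold_pct: int = 90      # "... 90": warn at 90% of the limit
    accepted: List[Route] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    torn_down: bool = False


def import_policy(route: Route) -> Optional[Route]:
    """route-map CYMRUBOGONS permit 10: match community 10 / set ip next-hop.

    Returns the rewritten route, or None for the implicit deny that drops
    anything the route-server sends without the bogon community.
    """
    if BOGON_COMMUNITY not in route.communities:
        return None
    net = ipaddress.ip_network(route.prefix, strict=False)
    next_hop = V4_DISCARD_NEXT_HOP if net.version == 4 else V6_DISCARD_NEXT_HOP
    return Route(route.prefix, route.communities, next_hop)


def receive(session: Session, updates: List[Route]) -> Session:
    """Apply the import policy to a batch of updates, enforcing maximum-prefix."""
    for route in updates:
        if session.torn_down:
            break                                  # a reset session accepts nothing
        kept = import_policy(route)
        if kept is None:
            continue
        session.accepted.append(kept)
        count = len(session.accepted)
        if count > session.maximum_prefix:
            session.torn_down = True               # limit exceeded: IOS shuts the session
        elif count * 100 >= session.maximum_prefix * session.threshold_pct and not session.warnings:
            session.warnings.append(
                f"{count} prefixes received, above {session.threshold_pct}% of {session.maximum_prefix}")
    return session


def demo() -> Session:
    """Run constructed updates through a session limited to 3 prefixes."""
    tagged = frozenset({BOGON_COMMUNITY, "no-export"})
    updates = [
        Route("10.0.0.0/8", tagged, "203.0.113.1"),           # bogon: accepted, next hop rewritten
        Route("100.64.0.0/10", tagged, "203.0.113.1"),        # bogon: accepted
        Route("203.0.113.0/24", frozenset({"64500:1"}), "203.0.113.1"),  # no bogon community: dropped
        Route("2001:db8::/32", tagged, "2001:db8:ffff::1"),   # IPv6 bogon: accepted, IPv6 next hop
    ]
    return receive(Session(maximum_prefix=3, threshold_pct=90), updates)


if __name__ == "__main__":
    s = demo()
    for r in s.accepted:
        print(r.prefix, "->", r.next_hop)
    print(s.warnings, "torn_down:", s.torn_down)
```

Running demo() accepts three of the four constructed updates, rewrites their next hops to the discard addresses and raises the 90% warning; feeding one more tagged prefix into that session crosses the limit of 3 and marks it torn down, which is why the comments in the configuration insist on raising the limit to at least 50000 before subscribing to a fullbogons feed.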

Cisco peer-groups traditional bogons

With the advent of multiple bogon route-servers, the use of BGP peer-groups on Cisco routers is very convenient. Thanks to John Brown for the original example.

router bgp <your asn>
 neighbor cymru-bogon peer-group
 neighbor cymru-bogon ebgp-multihop 255
 neighbor cymru-bogon description <general description>
 neighbor cymru-bogon prefix-list cymru-out out
 neighbor cymru-bogon route-map CYMRUBOGONS in
 neighbor cymru-bogon maximum-prefix 100 90
! You'll need to increase the maximum to at least 50000 with an
! appropriate threshold if you're receiving one or both fullbogons
! feeds.
!
 neighbor x.x.x.x remote-as 65333
 neighbor x.x.x.x peer-group cymru-bogon
 neighbor x.x.x.x description <specific description>
 neighbor x.x.x.x password <your password>

Juniper router traditional bogons

routing-options {
    static {
        route 192.0.2.1/32 {
            discard;
            no-readvertise;
            retain;
        }
    }

    /* If you have declared 192.0.2.0/24 as a bogon add this entry. */
    martians {
        192.0.2.1/32 exact allow;
    }

    autonomous-system <your AS here>;
}

protocols {
    bgp {
        group CYMRU {
            type external;
            description "peering to receive bogons from CYMRU";
            import CYMRU-bogons-in;
            authentication-key "secretkey"; # SECRET-DATA
            export deny-all;
            peer-as 65333;
            /* Below may also be expressed as "multihop 255;" depending on your version */
            multihop {
                ttl 255;
            }
            neighbor <bogon rs IP>;
            local-address <your IP we are peering with>;
            family inet {
                unicast {
                    /* You'll need to increase the prefix limit below to
                       at least 50000 if you're receiving one or both of
                       the fullbogons feeds */
                    prefix-limit {
                        maximum 100;
                        teardown 100;
                    }
                }
            }
        }
    }
}

policy-options {
    policy-statement CYMRU-bogons-in {
        term 1 {
            from {
                protocol bgp;
                as-path CYMRU-private-asn;
                community CYMRU-bogon-community;
            }
            then {
                /* backup in case no-export is cleared internally */
                community add dont-announce;
                next-hop 192.0.2.1;
                accept;
            }
        }
        then reject;    # default action
    }

    policy-statement deny-all {
        then reject;
    }

    community dont-announce members <your as here>:<some community that suppresses announcements outside your as>;

    community CYMRU-bogon-community members [ no-export 65333:888 ];

    as-path CYMRU-private-asn 65333;
}

Force10 router traditional bogons

router bgp <your asn>
 neighbor IPV4_BOGONS peer-group
 neighbor IPV4_BOGONS route-map CYMRU_BOGONS in
 neighbor IPV4_BOGONS distribute-list CYMRU_OUT out
 neighbor IPV4_BOGONS maximum-prefix 100 90
 neighbor IPV4_BOGONS soft-reconfiguration inbound
 neighbor IPV4_BOGONS no shutdown
 neighbor x.x.x.x remote-as 65333
 neighbor x.x.x.x peer-group IPV4_BOGONS
 neighbor x.x.x.x description <your description>
 neighbor x.x.x.x ebgp-multihop 255
 neighbor x.x.x.x password <your password>
 neighbor x.x.x.x no shutdown
! Set a bogon next-hop on all routers that receive the bogons.
ip route 192.0.2.1 255.255.255.255 null0
!
! Configure a community list to accept the bogon prefixes into the
! route-map.
ip community-list CYMRU_COMMUNITY
permit 65333:888
!
! Configure the route-map.  Remember to apply it to the proper
! peering sessions.
route-map CYMRU_BOGONS permit 10
 description Filter bogons learned from cymru.com bogon route-servers
 match community CYMRU_COMMUNITY
 set next-hop 192.0.2.1
!
ip prefix-list CYMRU_OUT
 seq 5 deny any

OpenBSD bgpd traditional bogons

OpenBSD's bgpd project can also be used to peer with the bogon route-servers. Our thanks to Pete Vickers for this example.

# config snippet for /etc/bgpd.conf
#
# Based on config by Pete Vickers 05/2004.
#
# Modified slightly to intermingle with pf, and
#   also to apply policy to cymru-sourced routes
#   received from IBGP peers.
#
# Configure sessions with cymru reprobates
#
group "peering bogon" {
 remote-as 65333
 local-address <MY-ROUTER-IP>
 multihop 64
 announce none
 max-prefix 1000
 # You'll need to increase the max-prefix number above to at least
 # 50000 if you're receiving either or both of the fullbogons feeds
 tcp md5sig password <PASSWORD>
 neighbor <BOGON-ROUTE-SERVER-1-IP>
 neighbor <BOGON-ROUTE-SERVER-2-IP>
 # ... etc
}
#
#
# What to do with updates (can be used with updates from
# cymru peers, and also from IBGP peers if other routers
# in this AS also take a bogon feed). The "nexthop
# blackhole" is a little extraneous given the pf config,
# worth keeping in case the packet filter is disabled
# at any point.
#
allow from any community 65333:888 set pftable "bogons"
allow from any community 65333:888 set nexthop blackhole


# config snippet for /etc/pf.conf
#
table <bogons> persist
#
# no bogon sources or destinations
block quick from <bogons> to any
block quick from any to  <bogons>

Mikrotik RouterOS traditional bogons

# Config by Ariel S. Weher, based on Team Cymru's Cisco Template.
# Working in the 3.X version of Mikrotik RouterOS.
# 2009-02-06 Modified by Sam Norris, Fine Tuned.  Removed static routes
#              and used "set-type=blackhole".

/routing bgp instance
set default as=<YOUR_ASN_NUMBER> router-id=<Your router wan ip address>

/ip firewall address-list
add address=<SESSION#1.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #1" \
disabled=no list=BGP-NEIGHBORS
add address=<SESSION#2.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #2" \
disabled=no list=BGP-NEIGHBORS

/ip firewall filter
add action=accept chain=input comment="BGP Neighbors" disabled=no dst-port=179 \
protocol=tcp src-address-list=BGP-NEIGHBORS

# You'll need to increase the max-prefix-limit values in the lines below to
# at least 50000 if you're receiving either or both of the fullbogons feeds
/routing bgp peer
add comment="TEAM-CYMRU BOGON Server #1" hold-time=3m in-filter=BOGON-SERVER-IN \
instance=default max-prefix-limit=50 multihop=yes name=CYMRU-1 nexthop-choice=default \
out-filter=BGP-DROP remote-address=<SESSION#1.Team-Cymru's.IP.Address> \
remote-as=65333 route-reflect=no tcp-md5-key=<Password_Received_From_Cymru> ttl=255

add comment="TEAM-CYMRU BOGON Server #2" hold-time=3m in-filter=BOGON-SERVER-IN \
instance=default max-prefix-limit=50 multihop=yes name=CYMRU-2 nexthop-choice=default \
out-filter=BGP-DROP remote-address=<SESSION#2.Team-Cymru's.IP.Address> \
remote-as=65333 route-reflect=no tcp-md5-key=<Password_Received_From_Cymru> ttl=255

/routing filter
add action=accept bgp-communities=65333:888 chain=BOGON-SERVER-IN comment="" \
disabled=no invert-match=no set-type=blackhole
add action=discard chain=BOGON-SERVER-IN comment="" disabled=no invert-match=no
add action=discard chain=BGP-DROP comment="" disabled=no invert-match=no

Cisco fullbogons IPv4 and IPv6 (IPv4 transport)

router bgp <your asn>
! Session 1
neighbor A.B.C.D remote-as 65332
neighbor A.B.C.D description <your description>
neighbor A.B.C.D ebgp-multihop 255
neighbor A.B.C.D password <your password>
! Session 2
neighbor E.F.G.H remote-as 65332
neighbor E.F.G.H description <your description>
neighbor E.F.G.H ebgp-multihop 255
neighbor E.F.G.H password <your password>
!
address-family ipv4
 ! Session 1
 neighbor A.B.C.D activate
 neighbor A.B.C.D soft-reconfiguration inbound
 neighbor A.B.C.D prefix-list cymru-out-v4 out
 neighbor A.B.C.D route-map CYMRUBOGONS-V4 in
 ! Session 2
 neighbor E.F.G.H activate
 neighbor E.F.G.H soft-reconfiguration inbound
 neighbor E.F.G.H prefix-list cymru-out-v4 out
 neighbor E.F.G.H route-map CYMRUBOGONS-V4 in
!
address-family ipv6
 ! Session 1
 neighbor A.B.C.D activate
 neighbor A.B.C.D soft-reconfiguration inbound
 neighbor A.B.C.D prefix-list cymru-out-v6 out
 neighbor A.B.C.D route-map CYMRUBOGONS-V6 in
 ! Session 2
 neighbor E.F.G.H activate
 neighbor E.F.G.H soft-reconfiguration inbound
 neighbor E.F.G.H prefix-list cymru-out-v6 out
 neighbor E.F.G.H route-map CYMRUBOGONS-V6 in
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
ip community-list 100 permit 65332:888
!
ip route 192.0.2.1 255.255.255.255 Null0
!
ip prefix-list cymru-out-v4 seq 5 deny 0.0.0.0/0 le 32
!
ipv6 route 2001:DB8:0:DEAD:BEEF::1/128 Null0
!
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
!
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ip next-hop 192.0.2.1

Note: You can receive both IPv4 and IPv6 fullbogons over IPv4 transport. If you only requested one set of fullbogons, simply remove all references to the other set from the example above.
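With two sessions, two address families and separate route-maps, prefix-lists and community-lists per family, the fullbogons configuration above has many places where a name can drift apart from its definition or a session can lose its password, leaving a feed silently unauthenticated or unfiltered. The checker below is an added example, not Team Cymru's or Cisco's code; it reads the per-neighbor (non peer-group) IOS form used above and reports the inconsistencies a reviewer would look for. SAMPLE_CONFIG, the lint_bogon_config function and the 198.51.100.x neighbor addresses are constructed for this example and the sample deliberately contains three mistakes; only the command keywords come from the configuration above.

```python
"""Consistency check for an IOS-style bogon peering configuration.

Added example; it is not Team Cymru's or Cisco's code. It reads text in
the per-neighbor (non peer-group) form of the fullbogons example and
reports what most often leaves a bogon session unauthenticated,
unfiltered or inactive: a neighbor lacking remote-as, ebgp-multihop,
password, an inbound route-map or an outbound prefix-list; a route-map,
prefix-list or community-list that is referenced but never defined; and
an outbound prefix-list that permits anything instead of denying all.
SAMPLE_CONFIG is constructed (198.51.100.0/24 is a documentation range)
and contains three deliberate mistakes for the checker to find.
"""
import re
from collections import defaultdict
from typing import List

SAMPLE_CONFIG = """\
router bgp 64496
 neighbor 198.51.100.10 remote-as 65332
 neighbor 198.51.100.10 ebgp-multihop 255
 neighbor 198.51.100.10 password EXAMPLE-ONLY
 neighbor 198.51.100.20 remote-as 65332
 neighbor 198.51.100.20 ebgp-multihop 255
 !
 address-family ipv4
  neighbor 198.51.100.10 activate
  neighbor 198.51.100.10 prefix-list cymru-out-v4 out
  neighbor 198.51.100.10 route-map CYMRUBOGONS-V4 in
  neighbor 198.51.100.20 activate
  neighbor 198.51.100.20 prefix-list cymru-out-v4 out
  neighbor 198.51.100.20 route-map CYMRUBOGONS-V4 in
 !
 address-family ipv6
  neighbor 198.51.100.10 activate
  neighbor 198.51.100.10 prefix-list cymru-out-v6 out
  neighbor 198.51.100.10 route-map CYMRUBOGONS-V6 in
!
ip community-list 100 permit 65332:888
!
ip prefix-list cymru-out-v4 seq 5 deny 0.0.0.0/0 le 32
!
route-map CYMRUBOGONS-V4 permit 10
 match community 100
 set ip next-hop 192.0.2.1
"""

# every bogon session needs all of these configured for it
REQUIRED_PER_NEIGHBOR = ("remote-as", "ebgp-multihop", "password", "route-map", "prefix-list")


def lint_bogon_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    attrs_seen = defaultdict(set)            # neighbor address -> keywords configured for it
    ref_route_maps, ref_out_prefix_lists = set(), set()
    def_route_maps, def_prefix_lists, def_community_lists = set(), set(), set()
    matched_community_lists = set()
    prefix_list_actions = defaultdict(list)  # prefix-list name -> ["permit" | "deny", ...]

    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue                                           # blank line or comment
        if parts[0] == "neighbor" and len(parts) >= 3:
            address, keyword = parts[1], parts[2]
            attrs_seen[address].add(keyword)
            if keyword == "route-map" and len(parts) >= 4:
                ref_route_maps.add(parts[3])
            elif keyword == "prefix-list" and len(parts) >= 5 and parts[4] == "out":
                ref_out_prefix_lists.add(parts[3])
        elif parts[0] == "route-map" and len(parts) >= 2:
            def_route_maps.add(parts[1])
        elif parts[:2] == ["match", "community"]:
            matched_community_lists.update(p for p in parts[2:] if p != "exact-match")
        elif parts[0] in ("ip", "ipv6") and len(parts) >= 3 and parts[1] == "prefix-list":
            def_prefix_lists.add(parts[2])
            action = re.search(r"\b(permit|deny)\b", raw)    # action follows "seq N"
            if action:
                prefix_list_actions[parts[2]].append(action.group(1))
        elif parts[:2] == ["ip", "community-list"] and len(parts) >= 3:
            def_community_lists.add(parts[2])

    findings = []
    for address, keywords in sorted(attrs_seen.items()):
        for required in REQUIRED_PER_NEIGHBOR:
            if required not in keywords:
                findings.append(f"neighbor {address}: missing {required}")
    for name in sorted(ref_route_maps - def_route_maps):
        findings.append(f"route-map {name} referenced but not defined")
    for name in sorted(ref_out_prefix_lists - def_prefix_lists):
        findings.append(f"prefix-list {name} referenced but not defined")
    for name in sorted(matched_community_lists - def_community_lists):
        findings.append(f"community-list {name} matched but not defined")
    for name in sorted(ref_out_prefix_lists):
        if "permit" in prefix_list_actions.get(name, []):
            findings.append(f"prefix-list {name} is used outbound but permits prefixes")
    return findings


if __name__ == "__main__":
    for finding in lint_bogon_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the constructed sample the checker reports the second session's missing password and the IPv6 route-map and prefix-list that are referenced in address-family ipv6 but never defined; the last check exists because the only thing a bogon session should ever announce to the route-server is nothing, which is what the `deny 0.0.0.0/0 le 32` and `deny ::/0 le 128` entries above enforce.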

Reposted from: http://www.team-cymru.org/bgp-examples.html#juniper-full
