add example route filter with README
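--- /dev/null
+++ b/personal-filters/fischa/README
@@ -0,0 +1,52 @@
+basic route filters
+===================
+
+Use these route filters as first element in a chain of route policies to drop the bad stuff.
+
+
+Usage
+-----
+Clone the repo::
+
+git clone https://github.com/denog/routing-bcp.git
+cd routing-bcp/personal-filters/fischa
+
+Replace the ASN variable with your real ASN:
+
+* search for "$YOUR_ASN" in reject-bad-routes-v4 and reject-bad-routes-v6
+* replace with your real ASN (e.g. 65000)
+
+Replace the prefix variable with your real prefix (read RIPE allocation):
+
+* search for "$YOUR_PREFIX in reject-bad-routes-v4 and reject-bad-routes-v6
+* replace with your real prefix (e.g. 192.0.2.0/24 or 2001:db8::/32)
+* check if you're connected to more than DE-CIX and adapt the prefix-list accordingly
+
+Upload the files to your router::
+
+scp reject-bad-routes-v4 user@router:
+scp reject-bad-routes-v6 user@router:
+
+Login to router and load config::
+
+ssh user@router
+configure
+load merge reject-bad-routes-v4
+load merge reject-bad-routes-v6
+
+Verify config and apply::
+
+show | compare
+commit check
+commit and-quit
+
+Now you can use the filter at the beginning of your policy chain either below the peergroup or neighbor::
+
+configure
+edit protocols bgp group $some_peergroup neighbor $some_neighbor
+set import [ reject-bad-routes-v4 $some_policy $some_other_policy ]
+
+edit protocols bgp group $some_peergroup
+set import [ reject-bad-routes-v4 $some_policy $some_other_policy ]
+
+NOTE: Remember to check if you got the right policy for IPv4 or IPv6 applied. Otherwise it won't work.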
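--- /dev/null
+++ b/personal-filters/fischa/reject-bad-routes-v4
@@ -0,0 +1,113 @@
+policy-options {
+prefix-list default-route-v4 {
+0.0.0.0/0;
+}
+prefix-list private-v4 {
+/* RFC1918 */
+10.0.0.0/8;
+/* RFC1918 */
+172.16.0.0/12;
+/* RFC1918 */
+192.168.0.0/16;
+}
+prefix-list multicast-v4 {
+224.0.0.0/4;
+}
+prefix-list not-routed-v4 {
+/* reserved for self-identification (RFC1122) */
+0.0.0.0/8;
+/* reserved for Shared Address Space (RFC6598) */
+100.64.0.0/10;
+/* reserved for Loopback (RFC1122) */
+127.0.0.0/8;
+/* reserved for Link Lokal (RFC3927) */
+169.254.0.0/16;
+/* reserved for IANA IPv4 Special Purpose Address Registry (RFC5736) */
+192.0.0.0/24;
+/* reserved for TEST-NET-1 (RFC5737) */
+192.0.2.0/24;
+/* reserved for Network Interconnect Device Benchmark Testing (RFC2544) */
+198.18.0.0/15;
+/* reserved for TEST-NET-2 (RFC5737) */
+198.51.100.0/24;
+/* reserved for TEST-NET-3 (RFC5737) */
+203.0.113.0/24;
+/* Reserved for future use (formerly "Class E") (RFC1112) */
+240.0.0.0/4;
+}
+/* TODO: replace $YOUR_ASN with your ASN, replace $YOUR_PREFIX with your actual prefix or if multiple use multiple lines */
+prefix-list as$YOUR_ASN-supernets-v4 {
+$YOUR_PREFIX;
+}
+/* TODO: add the IXP LANs your connected to here; this example shows the DE-CIX LAN */
+prefix-list ixp-lans-v4 {
+80.81.192.0/22;
+}
+policy-statement reject-bad-routes-v4 {
+term reject-default-route {
+from {
+prefix-list default-route-v4;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-private {
+from {
+prefix-list-filter private-v4 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-multicast {
+from {
+prefix-list-filter multicast-v4 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-not-routed {
+from {
+prefix-list-filter not-routed-v4 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+/* TODO: replace $YOUR_ASN with your ASN */
+term reject-as$YOUR_ASN {
+from {
+/* TODO: replace $YOUR_ASN with your ASN to match your prefix-list from above */
+prefix-list-filter as$YOUR_ASN-supernets-v4 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-ixp-lans {
+from {
+prefix-list-filter ixp-lans-v4 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-more-specifics {
+from {
+route-filter 0.0.0.0/0 prefix-length-range /25-/32;
+}
+then {
+trace;
+reject;
+}
+}
+}
+}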
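Review bot: The not-routed-v4 prefix-list used by term reject-not-routed omits 192.88.99.0/24, the deprecated 6to4 relay anycast block (RFC 7526) that the IANA special-purpose registry and common bogon lists carry alongside the entries already rejected here; adding `/* Deprecated 6to4 Relay Anycast (RFC7526) */` and `192.88.99.0/24;` to the list closes that gap. Every term's `then` uses `trace;`, which only produces output when policy-options traceoptions is configured — neither this file nor the README mentions that, so a one-line comment at the top of the policy-statement stating the dependency would save a surprised operator. It is also worth a comment on the policy-statement that this filter matches on prefix only: bogon or private ASNs in the AS_PATH and overlong paths are not covered, which a reader of "drop the bad stuff" might otherwise assume.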
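--- /dev/null
+++ b/personal-filters/fischa/reject-bad-routes-v6
@@ -0,0 +1,125 @@
+policy-options {
+prefix-list default-route-v6 {
+::/0;
+}
+prefix-list private-v6 {
+/* RFC4193 */
+fc00::/7;
+}
+prefix-list multicast-v6 {
+ff00::/8;
+}
+prefix-list not-routed-v6 {
+/* IPv6 Testing Address Allocation (RFC2471) and 6bone (IPv6 Testing Address Allocation) Phaseout (RFC3701) */
+3ffe::/16;
+/* reserved for multiple purposes (RFC4291) */
+0000::/8;
+/* IPv6 Address Prefix Reserved for Documentation (RFC3849) */
+2001:db8::/32;
+/* Deprecated (previously ORCHID) (RFC4843) */
+2001:10::/28;
+/* IPv6 Benchmarking Methodology for Network Interconnect Devices (RFC5180) */
+2001:2::/48;
+}
+/* Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs) (RFC4380) */
+prefix-list teredo-v6 {
+2001::/32;
+}
+/* Connection of IPv6 Domains via IPv4 Clouds (RFC3056) */
+prefix-list 6to4-v6 {
+2002::/16;
+}
+/* TODO: replace $YOUR_ASN with your ASN, replace $YOUR_PREFIX with your actual prefix or if multiple use multiple lines */
+prefix-list as$YOUR_ASN-supernets-v6 {
+$YOUR_PREFIX;
+}
+/* TODO: add the IXP LANs your connected to here; this example shows the DE-CIX LAN */
+prefix-list ixp-lans-v6 {
+2001:7f8::/64;
+}
+policy-statement reject-bad-routes-v6 {
+term reject-default-route {
+from {
+prefix-list default-route-v6;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-private {
+from {
+prefix-list-filter private-v6 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-multicast {
+from {
+prefix-list-filter multicast-v6 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-teredo-more-specifics {
+from {
+prefix-list-filter teredo-v6 longer;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-6to4-more-specifics {
+from {
+prefix-list-filter 6to4-v6 longer;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-not-routed {
+from {
+prefix-list-filter not-routed-v6 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+/* TODO: replace $YOUR_ASN with your ASN */
+term reject-as$YOUR_ASN {
+from {
+/* TODO: replace $YOUR_ASN with your ASN to match your prefix-list from above */
+prefix-list-filter as$YOUR_ASN-supernets-v6 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-ixp-lans {
+from {
+prefix-list-filter ixp-lans-v6 orlonger;
+}
+then {
+trace;
+reject;
+}
+}
+term reject-more-specifics {
+from {
+route-filter 0::/0 prefix-length-range /49-/128;
+}
+then {
+trace;
+reject;
+}
+}
+}
+}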
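Review bot: The not-routed-v6 prefix-list used by term reject-not-routed does not cover fe80::/10 (link-local, RFC 4291) or fec0::/10 (deprecated site-local, RFC 3879); neither falls inside fc00::/7 or 0000::/8, so an announcement of either passes this policy to the next one in the chain. Adding `/* Link-Local (RFC4291) */ fe80::/10;` and `/* Deprecated site-local (RFC3879) */ fec0::/10;` to not-routed-v6 keeps the list in line with the usual IPv6 bogon sets. The Teredo and 6to4 terms deliberately use `longer` (the 2001::/32 and 2002::/16 aggregates themselves stay accepted) while every other term uses `orlonger`; a comment on those two terms such as `/* aggregate itself is valid, only more-specifics are rejected */` would stop a future maintainer from "correcting" them. As in the v4 file, `trace;` is silent unless policy-options traceoptions is configured, which should be stated somewhere in the file or README.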