author | Claudio Jeker <claudio@cvs.openbsd.org> | 2018-06-13 09:44:58 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2018-06-13 09:44:58 +0000 |
commit | fad8a363d206fec5c3e0b87daea5bdac960bfd1c (patch) | |
tree | 4576f2693ef25d7d48ed2cd44eb5f70585a7b552 /etc/examples/bgpd.conf | |
parent | e1ff6368b8015752cc0608d221069642a162bcfb (diff) |
Adjust example after the announce (all|self|...) change.
Adjust filters and comment them to explain the basic operation.
Use large-community and a prefix-set to ensure no bad prefixes are
leaked to eBGP speakers.
With and OK job@
Diffstat (limited to 'etc/examples/bgpd.conf')
-rw-r--r-- | etc/examples/bgpd.conf | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/etc/examples/bgpd.conf b/etc/examples/bgpd.conf
index 57cba1874b3..a5fa7234a3c 100644
--- a/etc/examples/bgpd.conf
+++ b/etc/examples/bgpd.conf
@@ -1,13 +1,14 @@
-# $OpenBSD: bgpd.conf,v 1.8 2017/09/29 11:00:39 phessler Exp $
+# $OpenBSD: bgpd.conf,v 1.9 2018/06/13 09:44:57 claudio Exp $
 # sample bgpd configuration file
 # see bgpd.conf(5)
 
 #macros
+ASN="65001"
 peer1="10.1.0.2"
 peer2="10.1.0.3"
 
 # global configuration
-AS 65001
+AS $ASN
 router-id 10.0.0.1
 # holdtime 180
 # holdtime min 3
@@ -16,7 +17,13 @@ router-id 10.0.0.1
 # fib-update no
 # route-collector no
 # log updates
-# network 10.0.1.0/24
+
+# prefix set of networks that may be announced
+prefix-set mynetworks { 192.0.2.0/24 }
+
+# Announce networks, tag them with a large community to ease filtering
+# network 192.0.2.0/24 set large-community $ASN:1:1
+# network static set large-community $ASN:1:2
 
 # restricted socket for bgplg(8)
 # socket "/var/www/run/bgpd.rsock" restricted
@@ -26,12 +33,10 @@ group "peering AS65002" {
 remote-as 65002
 neighbor $peer1 {
 descr "AS 65001 peer 1"
-announce self
 tcp md5sig password mekmitasdigoat
 }
 neighbor $peer2 {
 descr "AS 65001 peer 2"
-announce all
 local-address 10.0.0.8
 ipsec esp ike
 }
@@ -54,7 +59,7 @@ neighbor 10.0.1.0 {
 passive
 holdtime 180
 holdtime min 3
-announce none
+export none
 tcp md5sig key deadbeef
 }
 
@@ -79,14 +84,12 @@ neighbor 10.2.1.1 {
 aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
 }
 
-# do not send or use routes from EBGP neighbors without
-# further explicit configuration
-deny from ebgp
-deny to ebgp
+##
+## inbound rules: default is deny
+##
 
-# allow updates to and from IBGP neighbors
+# IBGP: allow all updates from our neighbors
 allow from ibgp
-allow to ibgp
 
 # filter out prefixes longer than 24 or shorter than 8 bits for IPv4
 # and longer than 48 or shorter than 16 bits for IPv6.
@@ -140,7 +143,19 @@ deny from any AS 23456 # AS_TRANS
 deny from any AS 64496 - 64511 # Reserved for use in docs and code RFC5398
 deny from any AS 64512 - 65534 # Reserved for Private Use RFC6996
 deny from any AS 65535 # Reserved RFC7300
-deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398
+deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398
 deny from any AS 65552 - 131071 # Reserved
 deny from any AS 4200000000 - 4294967294 # Reserved for Private Use RFC6996
 deny from any AS 4294967295 # Reserved RFC7300
+
+##
+## outbound rules: default is deny
+##
+
+# IBGP: allow all updates to our neighbors
+allow to ibgp
+
+# EBGP: only allow self originated networks to ebgp peers
+# Don't leak any routes from upstream or peering sessions. This is done
+# by checking for routes that are tagged with the large-community $ASN:1:1
+allow to ebgp prefix-set mynetworks large-community $ASN:1:1 |
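Review bot: The final rule `allow to ebgp prefix-set mynetworks large-community $ASN:1:1` uses the large-community as the authorization tag for export, but nothing in this diff clears `$ASN:1:*` from routes learned from neighbors, so a route that arrives already tagged passes the community test; what keeps it from leaking is the conjunction with `prefix-set mynetworks`, which the comment above the rule does not mention. I would extend that comment with `# Both conditions must match: a foreign route tagged with our community is` and `# still blocked unless it is exactly one of the prefixes in mynetworks.` If the inbound section earlier in the file accepts routes from ebgp peers, clearing `$ASN:1:*` on ingress there would close the remaining gap; those rules are outside this hunk. The `network static set large-community $ASN:1:2` example in the second hunk is not matched by this rule, so static routes stay internal unless a second `allow to ebgp` line is added, which is worth stating next to that example.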