# $OpenBSD: bgpd.conf,v 1.8 2017/09/29 11:00:39 phessler Exp $
# sample bgpd configuration file
# see bgpd.conf(5)
#
# Every address, AS number, password and key in this file is a sample value
# and must be replaced before use. Because the file carries session secrets
# (tcp md5sig secrets, static ipsec keys), keep it owned by root and not
# readable by other users (mode 0600); bgpd(8) checks ownership and mode
# when it loads the file.
# macros
peer1="10.1.0.2"
peer2="10.1.0.3"
# global configuration
AS 65001
router-id 10.0.0.1
# holdtime 180
# holdtime min 3
# listen on 127.0.0.1
# listen on ::1
# fib-update no
# route-collector no
# log updates
# network 10.0.1.0/24
# restricted socket for bgplg(8)
# socket "/var/www/run/bgpd.rsock" restricted
# neighbors and peers
group "peering AS65002" {
remote-as 65002
neighbor $peer1 {
descr "AS 65001 peer 1"
announce self
# TCP MD5 signature option [RFC2385]; "password" takes the shared secret as
# a printable string (the "key" form further down takes it as hex)
tcp md5sig password mekmitasdigoat
}
neighbor $peer2 {
descr "AS 65001 peer 2"
announce all
local-address 10.0.0.8
# protect the session with IPsec ESP; keys are negotiated by IKE rather
# than configured statically in this file
ipsec esp ike
}
}
group "peering AS65042" {
descr "peering AS 65042"
remote-as 65042
local-address 10.0.0.8
# IPsec AH authenticates the session but does not encrypt it
ipsec ah ike
neighbor 10.2.0.1
neighbor 10.2.0.2
}
neighbor 10.0.1.0 {
remote-as 65003
descr upstream
# peer is not directly connected (up to 2 hops away)
multihop 2
local-address 10.0.0.8
# wait for the peer to open the session; never initiate it ourselves
passive
holdtime 180
holdtime min 3
# send no routes to this peer
announce none
# same MD5 signature option, with the secret given as a hex string
tcp md5sig key deadbeef
}
neighbor 10.0.2.0 {
remote-as 65004
descr upstream2
local-address 10.0.0.8
ipsec ah ike
}
# template: any host in 10.0.0.0/24 may establish a session. No remote-as is
# configured and neighbor-as enforcement is switched off, so the AS number a
# peer presents in its OPEN is accepted as-is. Keep such a range limited to
# hosts under your own control.
neighbor 10.0.0.0/24 {
descr "template for local peers"
enforce neighbor-as no
}
neighbor 10.2.1.1 {
remote-as 65023
local-address 10.0.0.8
# manually keyed IPsec ESP (sha1 authentication, aes encryption): the keys
# are static and never rotate. Prefer the "ipsec esp ike" form used above
# where IKE is available. The hex keys here are sample values only.
ipsec esp in spi 1010 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
ipsec esp out spi 1012 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}
# filter rules: as in pf(4), rules are evaluated in order and the last
# matching rule decides; "quick" makes a rule the last matching one.
#
# do not send or use routes from EBGP neighbors without
# further explicit configuration
deny from ebgp
deny to ebgp
# allow updates to and from IBGP neighbors
allow from ibgp
allow to ibgp
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
# (these allows come after "deny from ebgp" and therefore override it for
# prefixes within the ranges)
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
# accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0
#allow from any prefix ::/0
# Honor requests to gracefully shutdown BGP sessions
# https://tools.ietf.org/html/draft-ietf-grow-bgp-gshut
# (published as RFC8326)
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
# https://www.arin.net/announcements/2014/20140130.html
# This block will be subject to a minimum size allocation of /28 and a
# maximum size allocation of /24. ARIN should use sparse allocation when
# possible within that /10 block.
# Placed after the prefixlen 8 - 24 rule so that the /25 - /28 announcements
# ARIN permits from this IPv4 block are admitted.
allow from any prefix 23.128.0.0/10 prefixlen 24 - 28 # ARIN IPv6 transition block (IPv4)
# filter bogus networks according to RFC5735 (since superseded by RFC6890)
deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved [RFC1112]
# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8 # unspecified, loopback, IPv4-mapped [RFC4291]
deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone [RFC3701]
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast [RFC4193]
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast [RFC4291]
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast [RFC3879]
deny from any prefix ff00::/8 prefixlen >= 8 # multicast [RFC4291]
# filter bogon AS numbers
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
# NOTE: the sample local AS (65001) and the sample peer ASes above all lie in
# the private range denied below. "AS" appears to match an AS number anywhere
# in the path (unlike peer-as/source-as) -- confirm in bgpd.conf(5) -- so with
# the sample numbers these rules would deny the sample peers' routes. In a
# real deployment the local and peer ASes are public and this does not arise.
deny from any AS 23456 # AS_TRANS [RFC6793]
deny from any AS 64496 - 64511 # Reserved for use in docs and code RFC5398
deny from any AS 64512 - 65534 # Reserved for Private Use RFC6996
deny from any AS 65535 # Reserved RFC7300
deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398
deny from any AS 65552 - 131071 # Reserved
deny from any AS 4200000000 - 4294967294 # Reserved for Private Use RFC6996
deny from any AS 4294967295 # Reserved RFC7300