Connect to route server at IXP

Hi all,

Is there a configuration example that would help with connecting to the route servers at an IXP?

Many thanks!

I think this depends very much on the IXP in use. But here is something we use. Please read very carefully and mind any copy/paste errors from my side. Kittens might be killed while implementing this.

Some names might be a bit off, since the policies can be reused in other places as well and I was too lazy to correct them.

Basic BGP config

# IPv4 session towards the IXP route server, configured through a peer-group.
# x.x.x.x and XXXX are placeholders for the route server address and its AS
# number; use the values your IXP publishes.
# NOTE(review): no session authentication is set in this snippet - check what
# the IXP supports before going live.
set protocols bgp neighbor x.x.x.x peer-group 'v4-IXP'
# Cap on the number of prefixes accepted over the session. 400000 is the
# poster's figure; NOTE(review): size it to what this route server really
# sends, so that a leak upstream trips the limit instead of filling the table.
set protocols bgp peer-group v4-IXP address-family ipv4-unicast maximum-prefix '400000'
set protocols bgp peer-group v4-IXP address-family ipv4-unicast nexthop-self
# Policy attachment: export filters what we announce, import what we accept.
set protocols bgp peer-group v4-IXP address-family ipv4-unicast route-map export 'v4-export-ixp'
set protocols bgp peer-group v4-IXP address-family ipv4-unicast route-map import 'v4-import-ixp'
# Keeps the routes as received, so a changed import policy can be re-applied
# without resetting the session.
set protocols bgp peer-group v4-IXP address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group v4-IXP remote-as 'XXXX'

Export Policy:

# Outbound policy for the IXP session: an allow-list.
# Rule 10 permits only what prefix-list v4-announce-asXXXXXXXX matches.
set policy route-map v4-export-ixp rule 10 action 'permit'
set policy route-map v4-export-ixp rule 10 description 'Only advertise our own address space'
set policy route-map v4-export-ixp rule 10 match ip address prefix-list 'v4-announce-asXXXXXXXX'
# Rule 1000 has no match clause and denies everything else, so routes learned
# from transit or other peers are not re-announced to the route server.
set policy route-map v4-export-ixp rule 1000 action 'deny'

Import Policy:

# Inbound policy for the IXP session, built as a chain of checks.
# Rules 10-40 carry no match clause, so each applies to every route and calls
# one sub-route-map. The design relies on the call semantics: a deny returned
# by the called map rejects the route, a permit lets on-match next move on to
# the following rule.
# Check 1: default route and our own address space.
set policy route-map v4-import-ixp rule 10 action 'permit'
set policy route-map v4-import-ixp rule 10 call 'v4-import-deny-defaults'
set policy route-map v4-import-ixp rule 10 on-match next
# Check 2: prefixes more specific than the accepted minimum size.
set policy route-map v4-import-ixp rule 20 action 'permit'
set policy route-map v4-import-ixp rule 20 call 'v4-import-deny-small-prefixes'
set policy route-map v4-import-ixp rule 20 on-match next
# Check 3: bogon AS numbers in the path and bogon IPv4 space.
set policy route-map v4-import-ixp rule 30 action 'permit'
set policy route-map v4-import-ixp rule 30 call 'v4-import-deny-bogons'
set policy route-map v4-import-ixp rule 30 on-match next
# Check 4: RPKI origin validation state.
set policy route-map v4-import-ixp rule 40 action 'permit'
set policy route-map v4-import-ixp rule 40 call 'rpki'
set policy route-map v4-import-ixp rule 40 on-match next
# Rule 900 raises local-preference from 100 to 200. Routes that the rpki map
# set to 90 do not match and reach rule 1000 with 90 unchanged.
# NOTE(review): confirm on your version that untouched routes are at 100 when
# this rule is evaluated.
set policy route-map v4-import-ixp rule 900 action 'permit'
set policy route-map v4-import-ixp rule 900 description 'Set local preference to 200'
set policy route-map v4-import-ixp rule 900 match local-preference '100'
set policy route-map v4-import-ixp rule 900 set local-preference '200'
# Final catch-all: whatever survived the checks above is accepted.
set policy route-map v4-import-ixp rule 1000 action 'permit'
set policy route-map v4-import-ixp rule 1000 description 'Permit everything else'

Various route-maps used in above config:

# Sub-map called from v4-import-ixp rule 10.
# Rule 10 denies the default route; the prefix-list is named v4-accept-default
# but is used here as the match for a deny.
set policy route-map v4-import-deny-defaults rule 10 action 'deny'
set policy route-map v4-import-deny-defaults rule 10 description 'Deny 0.0.0.0/0'
set policy route-map v4-import-deny-defaults rule 10 match ip address prefix-list 'v4-accept-default'
# Rule 20 denies our own prefixes when they come back in from the IXP.
# NOTE(review): v4-announce-asXXXXXXXX as posted has no ge/le, so presumably
# only the exact prefixes match and more-specifics of our own space are not
# rejected by this rule - confirm, and consider a separate list that also
# covers more-specifics for the import side.
set policy route-map v4-import-deny-defaults rule 20 action 'deny'
set policy route-map v4-import-deny-defaults rule 20 description 'Deny our own address space'
set policy route-map v4-import-deny-defaults rule 20 match ip address prefix-list 'v4-announce-asXXXXXXXX'
# Everything else is permitted, which hands control back to the caller.
set policy route-map v4-import-deny-defaults rule 40 action 'permit'

# Sub-map called from v4-import-ixp rule 20.
# Rule 10 denies what prefix-list v4-subnet24ge matches, which as posted is any
# prefix with a length of /25 through /32.
set policy route-map v4-import-deny-small-prefixes rule 10 action 'deny'
set policy route-map v4-import-deny-small-prefixes rule 10 description 'Deny small subnets'
set policy route-map v4-import-deny-small-prefixes rule 10 match ip address prefix-list 'v4-subnet24ge'
# Everything else is permitted, which hands control back to the caller.
set policy route-map v4-import-deny-small-prefixes rule 20 action 'permit'

# Sub-map called from v4-import-ixp rule 30.
# Rule 10 denies routes whose AS path matches as-path-list bogon-asns.
set policy route-map v4-import-deny-bogons rule 10 action 'deny'
set policy route-map v4-import-deny-bogons rule 10 description 'Deny bogon AS numbers'
set policy route-map v4-import-deny-bogons rule 10 match as-path 'bogon-asns'
# Rule 20 denies routes whose prefix falls inside prefix-list v4-bogons.
set policy route-map v4-import-deny-bogons rule 20 action 'deny'
set policy route-map v4-import-deny-bogons rule 20 description 'Deny IPv4 Bogons'
set policy route-map v4-import-deny-bogons rule 20 match ip address prefix-list 'v4-bogons'
# Everything else is permitted, which hands control back to the caller.
set policy route-map v4-import-deny-bogons rule 30 action 'permit'

# Sub-map called from v4-import-ixp rule 40: acts on the RPKI validation state.
# NOTE(review): these matches are only meaningful when the router has a working
# RPKI cache/validator session, which is not part of this post. Without one,
# presumably nothing is ever marked invalid - verify before relying on it.
# valid: accepted unchanged.
set policy route-map rpki rule 10 action 'permit'
set policy route-map rpki rule 10 match rpki 'valid'
# notfound: accepted, but local-preference is lowered to 90 so a validated
# path for the same prefix is preferred.
set policy route-map rpki rule 20 action 'permit'
set policy route-map rpki rule 20 match rpki 'notfound'
set policy route-map rpki rule 20 set local-preference '90'
# invalid: rejected.
set policy route-map rpki rule 30 action 'deny'
set policy route-map rpki rule 30 match rpki 'invalid'
# Catch-all permit with no match clause for anything not handled above.
set policy route-map rpki rule 40 action 'permit'

Various prefix-lists used:

# Our own address space. y.y.y.y/y and z.z.z.z/z are placeholders; XXXXXXXX in
# the name stands for our AS number.
# This one list is referenced twice in the post: as the export allow-list
# (v4-export-ixp rule 10) and as an import deny (v4-import-deny-defaults
# rule 20), so any change to it affects both directions.
set policy prefix-list v4-announce-asXXXXXXXX rule 10 action 'permit'
set policy prefix-list v4-announce-asXXXXXXXX rule 10 prefix 'y.y.y.y/y'
set policy prefix-list v4-announce-asXXXXXXXX rule 20 action 'permit'
set policy prefix-list v4-announce-asXXXXXXXX rule 20 prefix 'z.z.z.z/z'

# Matches the IPv4 default route only (no ge/le). Here permit means the prefix
# is selected by the list; v4-import-deny-defaults rule 10 then denies it.
set policy prefix-list v4-accept-default rule 10 action 'permit'
set policy prefix-list v4-accept-default rule 10 prefix '0.0.0.0/0'

# Matches any IPv4 prefix with a length of /25 through /32 (ge 25, le 32 under
# 0.0.0.0/0). A /24 is not matched, despite the 24 in the list name.
set policy prefix-list v4-subnet24ge rule 10 action 'permit'
set policy prefix-list v4-subnet24ge rule 10 ge '25'
set policy prefix-list v4-subnet24ge rule 10 le '32'
set policy prefix-list v4-subnet24ge rule 10 prefix '0.0.0.0/0'

# IPv4 bogon space. Each entry carries le 32, so the block itself and every
# more-specific inside it are matched. Here permit means the prefix is selected
# by the list; v4-import-deny-bogons rule 20 then denies it.
# NOTE(review): this is a static snapshot - compare it against a current bogon
# reference before use and revisit it periodically.
set policy prefix-list v4-bogons rule 10 action 'permit'
set policy prefix-list v4-bogons rule 10 le '32'
set policy prefix-list v4-bogons rule 10 prefix '0.0.0.0/8'
set policy prefix-list v4-bogons rule 20 action 'permit'
set policy prefix-list v4-bogons rule 20 le '32'
set policy prefix-list v4-bogons rule 20 prefix '10.0.0.0/8'
set policy prefix-list v4-bogons rule 30 action 'permit'
set policy prefix-list v4-bogons rule 30 le '32'
set policy prefix-list v4-bogons rule 30 prefix '100.64.0.0/10'
set policy prefix-list v4-bogons rule 40 action 'permit'
set policy prefix-list v4-bogons rule 40 le '32'
set policy prefix-list v4-bogons rule 40 prefix '127.0.0.0/8'
set policy prefix-list v4-bogons rule 50 action 'permit'
set policy prefix-list v4-bogons rule 50 le '32'
set policy prefix-list v4-bogons rule 50 prefix '169.254.0.0/16'
set policy prefix-list v4-bogons rule 60 action 'permit'
set policy prefix-list v4-bogons rule 60 le '32'
set policy prefix-list v4-bogons rule 60 prefix '172.16.0.0/12'
set policy prefix-list v4-bogons rule 70 action 'permit'
set policy prefix-list v4-bogons rule 70 le '32'
set policy prefix-list v4-bogons rule 70 prefix '192.0.2.0/24'
set policy prefix-list v4-bogons rule 80 action 'permit'
set policy prefix-list v4-bogons rule 80 le '32'
set policy prefix-list v4-bogons rule 80 prefix '192.88.99.0/24'
set policy prefix-list v4-bogons rule 90 action 'permit'
set policy prefix-list v4-bogons rule 90 le '32'
set policy prefix-list v4-bogons rule 90 prefix '192.168.0.0/16'
set policy prefix-list v4-bogons rule 100 action 'permit'
set policy prefix-list v4-bogons rule 100 le '32'
set policy prefix-list v4-bogons rule 100 prefix '198.18.0.0/15'
set policy prefix-list v4-bogons rule 110 action 'permit'
set policy prefix-list v4-bogons rule 110 le '32'
set policy prefix-list v4-bogons rule 110 prefix '198.51.100.0/24'
set policy prefix-list v4-bogons rule 120 action 'permit'
set policy prefix-list v4-bogons rule 120 le '32'
set policy prefix-list v4-bogons rule 120 prefix '203.0.113.0/24'
set policy prefix-list v4-bogons rule 130 action 'permit'
set policy prefix-list v4-bogons rule 130 le '32'
set policy prefix-list v4-bogons rule 130 prefix '224.0.0.0/4'
set policy prefix-list v4-bogons rule 140 action 'permit'
set policy prefix-list v4-bogons rule 140 le '32'
set policy prefix-list v4-bogons rule 140 prefix '240.0.0.0/4'

as-path filter in use:

# AS numbers that should not appear anywhere in a received AS path. Here permit
# means the path is selected by the list; v4-import-deny-bogons rule 10 then
# denies the route. The underscores anchor each pattern to a whole AS number.
set policy as-path-list bogon-asns description 'Drop Bogon ASNs'
# AS 0.
set policy as-path-list bogon-asns rule 10 action 'permit'
set policy as-path-list bogon-asns rule 10 regex '_0_'
# AS 23456 (AS_TRANS).
set policy as-path-list bogon-asns rule 20 action 'permit'
set policy as-path-list bogon-asns rule 20 regex '_23456_'
# Rules 30-70 together cover 64496-131071 (documentation, private-use and
# reserved ASNs).
# 64496-64999
set policy as-path-list bogon-asns rule 30 action 'permit'
set policy as-path-list bogon-asns rule 30 regex '_((6449[6-9])|(64[5-9][0-9][0-9]))_'
# 65000-69999
set policy as-path-list bogon-asns rule 40 action 'permit'
set policy as-path-list bogon-asns rule 40 regex '_(6[5-9][0-9][0-9][0-9])_'
# 70000-99999
set policy as-path-list bogon-asns rule 50 action 'permit'
set policy as-path-list bogon-asns rule 50 regex '_([7-9][0-9][0-9][0-9][0-9])_'
# 100000-130999
set policy as-path-list bogon-asns rule 60 action 'permit'
set policy as-path-list bogon-asns rule 60 regex '_((1[0-2][0-9][0-9][0-9][0-9])|(130[0-9][0-9][0-9]))_'
# 131000-131071
set policy as-path-list bogon-asns rule 70 action 'permit'
set policy as-path-list bogon-asns rule 70 regex '_((1310[0-6][0-9])|(13107[0-1]))_'
# Rules 80-120 together cover 4200000000-4294967295 (32-bit private-use range
# plus the reserved last ASN).
# 4200000000-4289999999
set policy as-path-list bogon-asns rule 80 action 'permit'
set policy as-path-list bogon-asns rule 80 regex '_(42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9])_'
# 4290000000-4293999999
set policy as-path-list bogon-asns rule 90 action 'permit'
set policy as-path-list bogon-asns rule 90 regex '_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_'
# 4294000000-4294899999
set policy as-path-list bogon-asns rule 100 action 'permit'
set policy as-path-list bogon-asns rule 100 regex '_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_'
# 4294900000-4294966999
set policy as-path-list bogon-asns rule 110 action 'permit'
set policy as-path-list bogon-asns rule 110 regex '_((42949[0-5][0-9][0-9][0-9][0-9])|(429496[0-6][0-9][0-9][0-9]))_'
# 4294967000-4294967295
set policy as-path-list bogon-asns rule 120 action 'permit'
set policy as-path-list bogon-asns rule 120 regex '_((4294967[0-1][0-9][0-9])|(42949672[0-8][0-9])|(429496729[0-5]))_'

@roedie It’s very kind of you to share such a detailed piece of configuration, especially with the rpki checks and the setting of localpref etc.

Thank you ever so much for sharing - I’m sure more than a few people will get a lot of value out of this.

Very detailed! Many thanks, I’ll try this.

@tjh If you want to use it as an example in the docs I can make a PR for it.


It can be a really useful article in the configuration blueprints!