Make the example bgpd.conf work with 4byte ASN out of the box.
Use local-as in community and large-community stanzas since that will be expanded at runtime. For communities that only work with 2byte ASN the filter will never match (or nothing will be set / deleted) since a 4byte ASN can never match. We want a bgpd.conf example ruleset that is sensible, works and is a good starting point for beginners. In other words we should not add traps to the config. OK deraadt@ job@
parent
7502f20057
commit
4cf1cdd067
@ -1,8 +1,8 @@
|
|||||||
# $OpenBSD: bgpd.conf,v 1.25 2024/08/29 12:58:57 claudio Exp $
|
# $OpenBSD: bgpd.conf,v 1.26 2024/12/18 16:00:26 claudio Exp $
|
||||||
# example bgpd configuration file, see bgpd.conf(5)
|
# example bgpd configuration file, see bgpd.conf(5)
|
||||||
|
|
||||||
# define our own ASN as a macro
|
# define our own ASN as a macro
|
||||||
ASN="65001"
|
ASN="4200000001"
|
||||||
|
|
||||||
# global configuration
|
# global configuration
|
||||||
AS $ASN
|
AS $ASN
|
||||||
@ -50,7 +50,7 @@ prefix-set bogons {
|
|||||||
# Generate routes for the networks our ASN will originate.
|
# Generate routes for the networks our ASN will originate.
|
||||||
# The communities (read 'tags') are later used to match on what
|
# The communities (read 'tags') are later used to match on what
|
||||||
# is announced to EBGP neighbors
|
# is announced to EBGP neighbors
|
||||||
network prefix-set mynetworks set large-community $ASN:1:1
|
network prefix-set mynetworks set large-community local-as:1:1
|
||||||
|
|
||||||
# assume simple network with 3 routers in IBGP full mesh
|
# assume simple network with 3 routers in IBGP full mesh
|
||||||
group "ibgp mesh" {
|
group "ibgp mesh" {
|
||||||
@ -91,8 +91,8 @@ group "upstreams" {
|
|||||||
|
|
||||||
# Outbound EBGP: only allow self originated networks to ebgp peers
|
# Outbound EBGP: only allow self originated networks to ebgp peers
|
||||||
# Don't leak any routes from upstream or peering sessions. This is done
|
# Don't leak any routes from upstream or peering sessions. This is done
|
||||||
# by checking for routes that are tagged with the large-community $ASN:1:1
|
# by checking for routes that are tagged with the large-community local-as:1:1
|
||||||
allow to ebgp prefix-set mynetworks large-community $ASN:1:1
|
allow to ebgp prefix-set mynetworks large-community local-as:1:1
|
||||||
|
|
||||||
# deny more-specifics of our own originated prefixes
|
# deny more-specifics of our own originated prefixes
|
||||||
deny quick from ebgp prefix-set mynetworks or-longer
|
deny quick from ebgp prefix-set mynetworks or-longer
|
||||||
@ -103,8 +103,8 @@ allow to ibgp
|
|||||||
|
|
||||||
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
|
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
|
||||||
# https://tools.ietf.org/html/rfc7454#section-11
|
# https://tools.ietf.org/html/rfc7454#section-11
|
||||||
match from ebgp set { community delete $ASN:* }
|
match from ebgp set { community delete local-as:* }
|
||||||
match from ebgp set { large-community delete $ASN:*:* }
|
match from ebgp set { large-community delete local-as:*:* }
|
||||||
|
|
||||||
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
|
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
|
||||||
# and longer than 48 or shorter than 16 bits for IPv6.
|
# and longer than 48 or shorter than 16 bits for IPv6.
|
||||||
|