diff --git a/README.md b/README.md
index 336fc87..834afe0 100644
--- a/README.md
+++ b/README.md
@@ -154,70 +154,10 @@ For both scenario, ICMP/ICMPv6 **MAY** be narrowed down to types used in `ping`/ # Vendors ## Arista - -We still do not have configuration suggestions for Arista. - -Suggested by: DE-CIX - -``` -ip access-list rs_protection_v4 - 10 permit icmp 80.81.192.0/21 80.81.192.0/21 - 30 permit tcp 80.81.192.0/21 eq bgp 80.81.192.0/21 - 31 permit tcp 80.81.192.0/21 80.81.192.0/21 eq bgp - 40 permit udp 80.81.192.0/21 eq bfd 80.81.192.0/21 - 41 permit udp 80.81.192.0/21 80.81.192.0/21 eq bfd - 50 deny ip any any - -ipv6 access-list rs_protection_v6 - 10 permit icmpv6 2001:7f8::/64 2001:7f8::/64 - 11 permit icmpv6 2001:7f8::/64 fe80::/10 - 12 permit icmpv6 2001:7f8::/64 ff00::/8 - 20 permit icmpv6 fe80::/10 2001:7f8::/64 - 21 permit icmpv6 fe80::/10 fe80::/10 - 22 permit icmpv6 fe80::/10 ff00::/8 - 30 permit tcp 2001:7f8::/64 eq bgp 2001:7f8::/64 - 31 permit tcp 2001:7f8::/64 2001:7f8::/64 eq bgp - 40 permit udp 2001:7f8::/64 eq bfd 2001:7f8::/64 - 41 permit udp 2001:7f8::/64 2001:7f8::/64 eq bfd - 50 deny ipv6 any any - -interface * - ip access-group rs_protection_v4 out - ipv6 access-group rs_protection_v6 out -``` - - +[Arista example from DE-CIX](examples/arista-decix.md) ## Cisco - -Suggested by: DE-CIX - -``` -ipv4 access-list rs_protection_v4 - 10 permit icmp 80.81.192.0/21 80.81.192.0/21 - 30 permit tcp 80.81.192.0/21 eq bgp 80.81.192.0/21 - 31 permit tcp 80.81.192.0/21 80.81.192.0/21 eq bgp - 40 permit udp 80.81.192.0/21 eq bfd 80.81.192.0/21 - 41 permit udp 80.81.192.0/21 80.81.192.0/21 eq bfd - 50 deny ipv4 any any - -ipv6 access-list rs_protection_v6 - 10 permit icmpv6 2001:7f8::/64 2001:7f8::/64 - 11 permit icmpv6 2001:7f8::/64 fe80::/10 - 12 permit icmpv6 2001:7f8::/64 ff00::/8 - 20 permit icmpv6 fe80::/10 2001:7f8::/64 - 21 permit icmpv6 fe80::/10 fe80::/10 - 22 permit icmpv6 fe80::/10 ff00::/8 - 30 permit tcp 2001:7f8::/64 eq bgp 2001:7f8::/64 - 31 permit tcp 2001:7f8::/64 2001:7f8::/64 eq bgp - 40 permit udp 2001:7f8::/64 eq bfd 
2001:7f8::/64 - 41 permit udp 2001:7f8::/64 2001:7f8::/64 eq bfd - 50 deny ipv6 any any - -interface * - ipv4 access-group rs_protection_v4 egress - ipv6 access-group rs_protection_v6 egress -``` +[Cisco example from DE-CIX](examples/cisco-decix.md) ## Extreme 
@@ -225,89 +165,7 @@ We still have no suggestion for Extreme. ## Juniper -Suggested by: Stavros Konstantaras - AMS-IX -Verified by: - -### STEP 1 - Define the prefix list that contains the Peering LAN IP address - -``` -set policy-options prefix-list PL-PEERING-LAN 80.249.208.0/21 -``` - -### STEP 2 - Define the firewall filter that controls the incoming traffic - -#### STEP 2.1 Accept IPv4 ARP - -``` -set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv4-arp from ether-type arp -set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv4-arp then accept -``` - -#### STEP 2.2 Increase the CoS queue for the IPv4 BGP Traffic - -``` -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority from ether-type ipv4 -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority from ip-protocol tcp -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority from port bgp -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority then forwarding-class network-control -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority then next term -``` - -#### STEP 2.3 - Rate limit all IPv4 traffic to 1Gbps - -``` -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ether-type ipv4 -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-destination-address 80.249.208.255/32 -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-protocol tcp -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-protocol udp -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-protocol icmp -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from source-prefix-list PL-PEERING-LAN -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic then policer PC-1G 
-set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic then accept -``` - -#### STEP 2.4 - Accept IPv6-ND except IPv6-RAs - -``` -set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd from ether-type ipv6 -set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd from icmp-type-except router-advertisement -set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd from ipv6-next-header icmp6 -set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd then accept -``` - -#### STEP 2.5 Increase the CoS queue for the IPv6 BGP Traffic - -``` -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority from port bgp -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority from ipv6-next-header tcp -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority then forwarding-class network-control -set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority then next term -``` - -#### STEP 2.6 Rate limit all IPv6 Traffic to 1Gbps - -``` -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic from ether-type ipv6 -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic from ipv6-destination-address 2001:7f8:1::a500:6777:1/128 -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic from ipv6-source-prefix-list PL-PEERING-LAN-V6 -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic then policer PC-1G -set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic then accept - -``` - -#### STEP 2.7 Discard all other traffic - -``` -set firewall family vpls filter IP-ERL-OUT-501 term discard-all then discard -``` - -### STEP 3 Apply the filter to the interface - -``` -set interfaces xe-X/X/X:X unit YYY family vpls filter output IP-ERL-OUT-501 -``` - - +[Juniper example from 
AMS-IX](examples/juniper-amsix.md) ## Mikrotik 
@@ -315,501 +173,8 @@ We still do not have configuration suggestions for Mikrotik. ## Nokia -### Nokia SR OS - -Suggested by: Matthias Wichtlhuber - DE-CIX -Verified by: Greg Hankins - Nokia - -``` -qos - sap-egress name "rs_protection" create - description "Egress RS Protection VPLS " - queue 1 create - exit - queue 2 create - rate 5000 - exit - queue 4 create - mbs 0 kilobytes - exit - fc af create - queue 4 - exit - fc be create - queue 1 - exit - fc l2 create - queue 2 - exit - ip-criteria - entry 10 create - description "Allow ICMP between RS/Peers" - match protocol "icmp" - src-ip - dst-ip - exit - action fc "be" - exit - entry 40 create - description "Allow BGP between RS/Peers" - match protocol tcp - src-ip - dst-ip - src-port eq 179 - exit - action fc "be" - exit - entry 41 create - description "Allow BGP between RS/Peers" - match protocol tcp - src-ip - dst-ip - dst-port eq 179 - exit - action fc "be" - exit - entry 50 create - description "Allow BFD between RS/Peers" - match protocol udp - src-ip - dst-ip - src-port eq 3784 - exit - action fc "be" - exit - entry 51 create - description "Allow BFD between RS/Peers" - match protocol udp - src-ip - dst-ip - dst-port eq 3784 - exit - action fc "be" - exit - entry 1000 create - description "Catch-All and drop" - match - exit - action fc "af" - exit - exit - ipv6-criteria - entry 10 create - description "Allow link-local ICMPv6 NS/NA between RS/Peers" - match next-header ipv6-icmp - src-ip fe80::/10 - exit - action fc "be" - exit - entry 11 create - description "Allow GUA sourced ICMPv6 NS/NA between RS/Peers" - match next-header ipv6-icmp - src-ip - dst-ip ff00::/8 - exit - action fc "be" - exit - entry 12 create - description "Allow GUA ICMPv6 between RS/Peers" - match next-header ipv6-icmp - src-ip - dst-ip - exit - action fc "be" - exit - entry 40 create - description "Allow BGP between RS/Peers" - match next-header tcp - src-ip - dst-ip - src-port eq 179 - exit - action fc "be" - exit - entry 41 create - 
description "Allow BGP between RS/Peers" - match next-header tcp - src-ip - dst-ip - dst-port eq 179 - exit - action fc "be" - exit - entry 50 create - description "Allow BFD between RS/Peers" - match next-header udp - src-ip - dst-ip - src-port eq 3784 - exit - action fc "be" - exit - entry 51 create - description "Allow BFD between RS/Peers" - match next-header udp - src-ip - dst-ip - dst-port eq 3784 - exit - action fc "be" - exit - entry 1000 create - description "Catch-All and drop" - match - exit - action fc "af" - exit - exit - exit - exit -... - service - vpls customer 1 create - sap create - egress - qos - queue-override - queue 1 create - rate - exit - exit - filter mac - exit - exit - exit - exit - -``` - -### Nokia SR Linux - -Suggested by: DE-CIX - -``` -acl { - acl-filter rs_protection_v4 type ipv4 { - entry 10 { - match { - ipv4 { - source-ip { - prefix 80.81.192.0/21 - } - destination-ip { - prefix 80.81.192.0/21 - } - protocol icmp - } - } - action { - accept { - } - } - } - entry 30 { - match { - ipv4 { - source-ip { - prefix 80.81.192.0/21 - } - destination-ip { - prefix 80.81.192.0/21 - } - protocol tcp - } - transport { - source-port { - value bgp - } - } - } - action { - accept { - } - } - } - entry 31 { - match { - ipv4 { - source-ip { - prefix 80.81.192.0/21 - } - destination-ip { - prefix 80.81.192.0/21 - } - protocol tcp - } - transport { - destination-port { - value bgp - } - } - } - action { - accept { - } - } - } - entry 40 { - match { - ipv4 { - source-ip { - prefix 80.81.192.0/21 - } - destination-ip { - prefix 80.81.192.0/21 - } - protocol udp - } - transport { - source-port { - value bfd - } - } - } - action { - accept { - } - } - } - entry 41 { - match { - ipv4 { - source-ip { - prefix 80.81.192.0/21 - } - destination-ip { - prefix 80.81.192.0/21 - } - protocol udp - } - transport { - destination-port { - value bfd - } - } - } - action { - accept { - } - } - } - entry 50 { - action { - drop { - } - } - } - } - acl-filter 
rs_protection_v6 type ipv6 { - entry 10 { - match { - ipv6 { - source-ip { - prefix 2001:7f8::/64 - } - destination-ip { - prefix 2001:7f8::/64 - } - next-header icmp6 - } - } - action { - accept { - } - } - } - entry 11 { - match { - ipv6 { - source-ip { - prefix 2001:7f8::/64 - } - destination-ip { - prefix fe80::/10 - } - next-header icmp6 - } - } - action { - accept { - } - } - } - entry 12 { - match { - ipv6 { - source-ip { - prefix 2001:7f8::/64 - } - destination-ip { - prefix ff00::/8 - } - } - next-header icmp6 - } - action { - accept { - } - } - } - entry 20 { - match { - ipv6 { - source-ip { - prefix fe80::/10 - } - destination-ip { - prefix 2001:7f8::/64 - } - next-header icmp6 - } - } - action { - accept { - } - } - } - entry 21 { - match { - ipv6 { - source-ip { - prefix fe80::/10 - } - destination-ip { - prefix fe80::/10 - } - next-header icmp6 - } - } - action { - accept { - } - } - } - entry 22 { - match { - ipv6 { - source-ip { - prefix fe80::/10 - } - destination-ip { - prefix ff00::/8 - } - } - next-header icmp6 - } - action { - accept { - } - } - } - entry 30 { - match { - ipv6 { - source-ip { - prefix 2001:7f8::/64 - } - destination-ip { - prefix 2001:7f8::/64 - } - next-header tcp - } - transport { - source-port { - value bgp - } - } - } - action { - accept { - } - } - } - entry 31 { - match { - ipv6 { - source-ip { - prefix 2001:7f8::/64 - } - destination-ip { - prefix 2001:7f8::/64 - } - next-header tcp - } - transport { - destination-port { - value bgp - } - } - } - action { - accept { - } - } - } - entry 40 { - match { - ipv6 { - source-ip { - prefix 2001:7f8::/64 - } - destination-ip { - prefix 2001:7f8::/64 - } - next-header udp - } - transport { - source-port { - value bfd - } - } - } - action { - accept { - } - } - } - entry 41 { - match { - ipv6 { - source-ip { - prefix 2001:7f8::/64 - } - destination-ip { - prefix 2001:7f8::/64 - } - protocol udp - } - transport { - destination-port { - value bfd - } - } - } - action { - accept { - } 
- }
- }
- entry 50 {
- action {
- drop {
- }
- }
- }
- }
- interface * {
- output {
- acl-filter rs_protection_v4 type ipv4 {
- }
- acl-filter rs_protection_v6 type ipv6 {
- }
- }
- }
-}
-```
-
-
+ - [SR OS example from DE-CIX](examples/nokia-sros-decix.md)
+ - [SR Linux example from DE-CIX](examples/nokia-srlinux-decix.md)
 # Notes
diff --git a/examples/arista-decix.md b/examples/arista-decix.md
new file mode 100644
index 0000000..00eea03
--- /dev/null
+++ b/examples/arista-decix.md
@@ -0,0 +1,29 @@
+## Arista
+
+Suggested by: DE-CIX
+```
+ip access-list rs_protection_v4
+ 10 permit icmp 80.81.192.0/21 80.81.192.0/21
+ 30 permit tcp 80.81.192.0/21 eq bgp 80.81.192.0/21
+ 31 permit tcp 80.81.192.0/21 80.81.192.0/21 eq bgp
+ 40 permit udp 80.81.192.0/21 eq bfd 80.81.192.0/21
+ 41 permit udp 80.81.192.0/21 80.81.192.0/21 eq bfd
+ 50 deny ip any any
+
+ipv6 access-list rs_protection_v6
+ 10 permit icmpv6 2001:7f8::/64 2001:7f8::/64
+ 11 permit icmpv6 2001:7f8::/64 fe80::/10
+ 12 permit icmpv6 2001:7f8::/64 ff00::/8
+ 20 permit icmpv6 fe80::/10 2001:7f8::/64
+ 21 permit icmpv6 fe80::/10 fe80::/10
+ 22 permit icmpv6 fe80::/10 ff00::/8
+ 30 permit tcp 2001:7f8::/64 eq bgp 2001:7f8::/64
+ 31 permit tcp 2001:7f8::/64 2001:7f8::/64 eq bgp
+ 40 permit udp 2001:7f8::/64 eq bfd 2001:7f8::/64
+ 41 permit udp 2001:7f8::/64 2001:7f8::/64 eq bfd
+ 50 deny ipv6 any any
+
+interface *
+ ip access-group rs_protection_v4 out
+ ipv6 access-group rs_protection_v6 out
+```
diff --git a/examples/cisco-decix.md b/examples/cisco-decix.md
new file mode 100644
index 0000000..3bb2a32
--- /dev/null
+++ b/examples/cisco-decix.md
@@ -0,0 +1,30 @@ +## Cisco + +Suggested by: DE-CIX + +``` +ipv4 access-list rs_protection_v4 + 10 permit icmp 80.81.192.0/21 80.81.192.0/21 + 30 permit tcp 80.81.192.0/21 eq bgp 80.81.192.0/21 + 31 permit tcp 80.81.192.0/21 80.81.192.0/21 eq bgp + 40 permit udp 80.81.192.0/21 eq bfd 80.81.192.0/21 + 41 permit udp 80.81.192.0/21 80.81.192.0/21 eq bfd + 50 deny ipv4 any any + +ipv6 access-list rs_protection_v6 + 10 permit icmpv6 2001:7f8::/64 2001:7f8::/64 + 11 permit icmpv6 2001:7f8::/64 fe80::/10 + 12 permit icmpv6 2001:7f8::/64 ff00::/8 + 20 permit icmpv6 fe80::/10 2001:7f8::/64 + 21 permit icmpv6 fe80::/10 fe80::/10 + 22 permit icmpv6 fe80::/10 ff00::/8 + 30 permit tcp 2001:7f8::/64 eq bgp 2001:7f8::/64 + 31 permit tcp 2001:7f8::/64 2001:7f8::/64 eq bgp + 40 permit udp 2001:7f8::/64 eq bfd 2001:7f8::/64 + 41 permit udp 2001:7f8::/64 2001:7f8::/64 eq bfd + 50 deny ipv6 any any + +interface * + ipv4 access-group rs_protection_v4 egress + ipv6 access-group rs_protection_v6 egress +``` diff --git a/examples/juniper-amsix.md b/examples/juniper-amsix.md new file mode 100644 index 0000000..65f027d --- /dev/null +++ b/examples/juniper-amsix.md 
@@ -0,0 +1,83 @@ +## Juniper + + - Suggested by: Stavros Konstantaras - AMS-IX + - Verified by: + +### STEP 1 - Define the prefix list that contains the Peering LAN IP address + +``` +set policy-options prefix-list PL-PEERING-LAN 80.249.208.0/21 +``` + +### STEP 2 - Define the firewall filter that controls the incoming traffic + +#### STEP 2.1 Accept IPv4 ARP + +``` +set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv4-arp from ether-type arp +set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv4-arp then accept +``` + +#### STEP 2.2 Increase the CoS queue for the IPv4 BGP Traffic + +``` +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority from ether-type ipv4 +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority from ip-protocol tcp +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority from port bgp +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority then forwarding-class network-control +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv4-bgp-priority then next term +``` + +#### STEP 2.3 - Rate limit all IPv4 traffic to 1Gbps + +``` +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ether-type ipv4 +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-destination-address 80.249.208.255/32 +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-protocol tcp +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-protocol udp +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from ip-protocol icmp +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic from source-prefix-list PL-PEERING-LAN +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic then policer PC-1G +set firewall family vpls filter 
IP-ERL-OUT-501 term rate-limit-valid-ipv4-traffic then accept +``` + +#### STEP 2.4 - Accept IPv6-ND except IPv6-RAs + +``` +set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd from ether-type ipv6 +set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd from icmp-type-except router-advertisement +set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd from ipv6-next-header icmp6 +set firewall family vpls filter IP-ERL-OUT-501 term accept-ipv6-icmpnd then accept +``` + +#### STEP 2.5 Increase the CoS queue for the IPv6 BGP Traffic + +``` +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority from port bgp +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority from ipv6-next-header tcp +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority then forwarding-class network-control +set firewall family vpls filter IP-ERL-OUT-501 term increase-ipv6-bgp-priority then next term +``` + +#### STEP 2.6 Rate limit all IPv6 Traffic to 1Gbps + +``` +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic from ether-type ipv6 +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic from ipv6-destination-address 2001:7f8:1::a500:6777:1/128 +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic from ipv6-source-prefix-list PL-PEERING-LAN-V6 +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic then policer PC-1G +set firewall family vpls filter IP-ERL-OUT-501 term rate-limit-valid-ipv6-traffic then accept + +``` + +#### STEP 2.7 Discard all other traffic + +``` +set firewall family vpls filter IP-ERL-OUT-501 term discard-all then discard +``` + +### STEP 3 Apply the filter to the interface + +``` +set interfaces xe-X/X/X:X unit YYY family vpls filter output IP-ERL-OUT-501 +``` 
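Review bot: STEP 2.6 matches on `ipv6-source-prefix-list PL-PEERING-LAN-V6`, but STEP 1 only defines `PL-PEERING-LAN` with the IPv4 prefix 80.249.208.0/21, so the IPv6 rate-limit term in the new file references a prefix list that the example never creates; STEP 1 should gain a second line such as `set policy-options prefix-list PL-PEERING-LAN-V6 <IPv6-PEERING-LAN-PREFIX>` with the value visibly marked as a placeholder. The policer `PC-1G` used in STEP 2.3 and STEP 2.6 is likewise referenced but never defined, so a sentence stating that a 1 Gbps policer of that name must exist before the filter is committed would make the snippet self-contained. The STEP 2 heading says the filter "controls the incoming traffic", yet the filter is named `IP-ERL-OUT-501` and STEP 3 applies it with `filter output`; rewording the heading to "controls the traffic sent towards the peer" would match the configuration. The `Verified by:` field is left empty, which is worth stating explicitly (e.g. "not yet verified") so readers do not treat the example as vendor-reviewed.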
diff --git a/examples/nokia-srlinux-decix.md b/examples/nokia-srlinux-decix.md
new file mode 100644
index 0000000..b2237c9
--- /dev/null
+++ b/examples/nokia-srlinux-decix.md
@@ -0,0 +1,327 @@ +## Nokia SR Linux + +Suggested by: DE-CIX + +``` +acl { + acl-filter rs_protection_v4 type ipv4 { + entry 10 { + match { + ipv4 { + source-ip { + prefix 80.81.192.0/21 + } + destination-ip { + prefix 80.81.192.0/21 + } + protocol icmp + } + } + action { + accept { + } + } + } + entry 30 { + match { + ipv4 { + source-ip { + prefix 80.81.192.0/21 + } + destination-ip { + prefix 80.81.192.0/21 + } + protocol tcp + } + transport { + source-port { + value bgp + } + } + } + action { + accept { + } + } + } + entry 31 { + match { + ipv4 { + source-ip { + prefix 80.81.192.0/21 + } + destination-ip { + prefix 80.81.192.0/21 + } + protocol tcp + } + transport { + destination-port { + value bgp + } + } + } + action { + accept { + } + } + } + entry 40 { + match { + ipv4 { + source-ip { + prefix 80.81.192.0/21 + } + destination-ip { + prefix 80.81.192.0/21 + } + protocol udp + } + transport { + source-port { + value bfd + } + } + } + action { + accept { + } + } + } + entry 41 { + match { + ipv4 { + source-ip { + prefix 80.81.192.0/21 + } + destination-ip { + prefix 80.81.192.0/21 + } + protocol udp + } + transport { + destination-port { + value bfd + } + } + } + action { + accept { + } + } + } + entry 50 { + action { + drop { + } + } + } + } + acl-filter rs_protection_v6 type ipv6 { + entry 10 { + match { + ipv6 { + source-ip { + prefix 2001:7f8::/64 + } + destination-ip { + prefix 2001:7f8::/64 + } + next-header icmp6 + } + } + action { + accept { + } + } + } + entry 11 { + match { + ipv6 { + source-ip { + prefix 2001:7f8::/64 + } + destination-ip { + prefix fe80::/10 + } + next-header icmp6 + } + } + action { + accept { + } + } + } + entry 12 { + match { + ipv6 { + source-ip { + prefix 2001:7f8::/64 + } + destination-ip { + prefix ff00::/8 + } + } + next-header icmp6 + } + action { + accept { + } + } + } + entry 20 { + match { + ipv6 { + source-ip { + prefix fe80::/10 + } + destination-ip { + prefix 2001:7f8::/64 + } + next-header icmp6 + } + } + action { + 
accept { + } + } + } + entry 21 { + match { + ipv6 { + source-ip { + prefix fe80::/10 + } + destination-ip { + prefix fe80::/10 + } + next-header icmp6 + } + } + action { + accept { + } + } + } + entry 22 { + match { + ipv6 { + source-ip { + prefix fe80::/10 + } + destination-ip { + prefix ff00::/8 + } + } + next-header icmp6 + } + action { + accept { + } + } + } + entry 30 { + match { + ipv6 { + source-ip { + prefix 2001:7f8::/64 + } + destination-ip { + prefix 2001:7f8::/64 + } + next-header tcp + } + transport { + source-port { + value bgp + } + } + } + action { + accept { + } + } + } + entry 31 { + match { + ipv6 { + source-ip { + prefix 2001:7f8::/64 + } + destination-ip { + prefix 2001:7f8::/64 + } + next-header tcp + } + transport { + destination-port { + value bgp + } + } + } + action { + accept { + } + } + } + entry 40 { + match { + ipv6 { + source-ip { + prefix 2001:7f8::/64 + } + destination-ip { + prefix 2001:7f8::/64 + } + next-header udp + } + transport { + source-port { + value bfd + } + } + } + action { + accept { + } + } + } + entry 41 { + match { + ipv6 { + source-ip { + prefix 2001:7f8::/64 + } + destination-ip { + prefix 2001:7f8::/64 + } + protocol udp + } + transport { + destination-port { + value bfd + } + } + } + action { + accept { + } + } + } + entry 50 { + action { + drop { + } + } + } + } + interface * { + output { + acl-filter rs_protection_v4 type ipv4 { + } + acl-filter rs_protection_v6 type ipv6 { + } + } + } +} +``` diff --git a/examples/nokia-sros-decix.md b/examples/nokia-sros-decix.md new file mode 100644 index 0000000..05dc254 --- /dev/null +++ b/examples/nokia-sros-decix.md 
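Review bot: In `acl-filter rs_protection_v6`, entry 41 matches `protocol udp` while every other IPv6 entry, including entry 40 for the opposite direction of the same BFD flow, uses `next-header udp`; `protocol` is the keyword the IPv4 filter uses, so this entry presumably fails validation or never matches, and BFD packets with destination port 3784 would then fall through to the entry 50 drop. The fix is the one-word change `next-header udp` in entry 41. Entries 12 and 22 also place `next-header icmp6` after the closing brace of their `ipv6 { }` block rather than inside it, unlike entries 10, 11, 20 and 21; moving that line inside the block keeps the multicast-destined rules scoped to ICMPv6 as intended. Both issues are inherited from the README text this commit deletes, but the new file is what operators will copy, so it is the place to correct them.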
@@ -0,0 +1,165 @@ +## Nokia SR OS + +Suggested by: Matthias Wichtlhuber - DE-CIX +Verified by: Greg Hankins - Nokia + +``` +qos + sap-egress name "rs_protection" create + description "Egress RS Protection VPLS " + queue 1 create + exit + queue 2 create + rate 5000 + exit + queue 4 create + mbs 0 kilobytes + exit + fc af create + queue 4 + exit + fc be create + queue 1 + exit + fc l2 create + queue 2 + exit + ip-criteria + entry 10 create + description "Allow ICMP between RS/Peers" + match protocol "icmp" + src-ip + dst-ip + exit + action fc "be" + exit + entry 40 create + description "Allow BGP between RS/Peers" + match protocol tcp + src-ip + dst-ip + src-port eq 179 + exit + action fc "be" + exit + entry 41 create + description "Allow BGP between RS/Peers" + match protocol tcp + src-ip + dst-ip + dst-port eq 179 + exit + action fc "be" + exit + entry 50 create + description "Allow BFD between RS/Peers" + match protocol udp + src-ip + dst-ip + src-port eq 3784 + exit + action fc "be" + exit + entry 51 create + description "Allow BFD between RS/Peers" + match protocol udp + src-ip + dst-ip + dst-port eq 3784 + exit + action fc "be" + exit + entry 1000 create + description "Catch-All and drop" + match + exit + action fc "af" + exit + exit + ipv6-criteria + entry 10 create + description "Allow link-local ICMPv6 NS/NA between RS/Peers" + match next-header ipv6-icmp + src-ip fe80::/10 + exit + action fc "be" + exit + entry 11 create + description "Allow GUA sourced ICMPv6 NS/NA between RS/Peers" + match next-header ipv6-icmp + src-ip + dst-ip ff00::/8 + exit + action fc "be" + exit + entry 12 create + description "Allow GUA ICMPv6 between RS/Peers" + match next-header ipv6-icmp + src-ip + dst-ip + exit + action fc "be" + exit + entry 40 create + description "Allow BGP between RS/Peers" + match next-header tcp + src-ip + dst-ip + src-port eq 179 + exit + action fc "be" + exit + entry 41 create + description "Allow BGP between RS/Peers" + match next-header tcp + src-ip + 
dst-ip + dst-port eq 179 + exit + action fc "be" + exit + entry 50 create + description "Allow BFD between RS/Peers" + match next-header udp + src-ip + dst-ip + src-port eq 3784 + exit + action fc "be" + exit + entry 51 create + description "Allow BFD between RS/Peers" + match next-header udp + src-ip + dst-ip + dst-port eq 3784 + exit + action fc "be" + exit + entry 1000 create + description "Catch-All and drop" + match + exit + action fc "af" + exit + exit + exit + exit +... + service + vpls customer 1 create + sap create + egress + qos + queue-override + queue 1 create + rate + exit + exit + filter mac + exit + exit + exit + exit + +```
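Review bot: Every `src-ip` and `dst-ip` line under the ip-criteria and ipv6-criteria entries (e.g. entry 10 after `match protocol "icmp"`) carries no prefix, and `rate` under `queue-override` has no value, so the snippet is not loadable as shown; these look like values stripped from the original rather than deliberate omissions, and the README copy being removed had the same gaps. Either restore the peering-LAN prefixes (the other DE-CIX examples in this commit use 80.81.192.0/21 and 2001:7f8::/64) or replace each with a visibly marked placeholder such as `src-ip <PEERING-LAN-PREFIX>`, and say so in a sentence above the block. The catch-all entries 1000 use `action fc "af"`, which maps to queue 4 configured with `mbs 0 kilobytes`; a short note that the drop appears to be realised through the zero-buffer queue rather than an explicit discard would help readers comparing this against the ACL-based examples.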