forked from colinbodor/projectton
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCiscoIOSXR.conf
More file actions
71 lines (56 loc) · 2.37 KB
/
CiscoIOSXR.conf
File metadata and controls
71 lines (56 loc) · 2.37 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
! Created by Kelvin Tran - https://www.linkedin.com/in/tran-kelvin
! Ensure that you have a non-default route to the Project TON BGP Route Server
router static address-family ipv4 unicast 162.208.89.180/32 <insert routing exit point here>
! Create null routes for RTBH next-hop addresses
router static address-family ipv4 unicast 192.0.2.1/32 null0
router static address-family ipv6 unicast 2001:DB8:0:DEAD:BEEF::1/128 null0
! Create a community-set with community for all country-coded prefixes
community-set CS_CountryCodedRoutes
65535:3166
end-set
! Create a community-set with communities for specific country codes you want to allow
community-set CS_CountryCodes
! Add in communities in the form of 3166:x, where x is the ISO 3166-designated country code of the country you wish to match
end-set
! Create a community-set with community for all blackholed prefixes
community-set CS_BlackHole
65535:666
end-set
route-policy TON_RTBH_RPL
# If statement to match any explicitly-marked attackers and apply blackholing
if community matches-any CS_BlackHole then
set local-preference 400
set next-hop 192.0.2.1
set next-hop 2001:DB8:0:DEAD:BEEF::1
endif
# If statement to match any explicitly defined countries to block
if community matches-any CS_CountryCodes then
set local-preference 400
set next-hop 192.0.2.1
set next-hop 2001:DB8:0:DEAD:BEEF::1
endif
# If statement to ensure that all other countries are allowed through
if community matches-any CS_CountryCodedRoutes then
drop
endif
end-policy
router bgp <YOUR ASN HERE>
! (Optional) Configure BGP Router ID using the command:
! bgp router-id <YOUR 32-BIT OCTET NOTATION ROUTER-ID HERE>
address-family ipv4 unicast
exit
neighbor 162.208.89.180
remote-as 4212345678
ebgp-multihop
address-family ipv4 unicast
route-policy TON_RTBH_RPL in
! IOS-XR, by default, adheres to behaviors described in RFC 8212 (https://tools.ietf.org/html/rfc8212), by blocking all eBGP routes by default without a routing-policy attached at the BGP point of insertion (POI)
! Therefore, no routing policy is needed outbound to block exports, as IOS-XR will not allow BGP exports to occur without an explicitly defined RPL that passes/explicitly accepts ('done') routes that should be exported.
! (Optional) Enable ipv6 unicast address-family with:
! address-family ipv6 unicast
! route-policy TON_RTBH_RPL in
root
commit
end
! Verify BGP neighbor status
show bgp ipv4 unicast summary