Difference between revisions of "Automatic Bogon Firewalling Using uRPF and Team Cymru"
Jump to navigation
Jump to search
| Line 1: | Line 1: | ||
| + | <PRE> | ||
ip bgp-community new-format | ip bgp-community new-format | ||
| + | </PRE> | ||
| + | <PRE> | ||
ip community-list expanded CYMRU-BOGONS permit 65000:888 | ip community-list expanded CYMRU-BOGONS permit 65000:888 | ||
| − | + | ||
ip route 192.0.2.1 255.255.255.255 Null0 name NULL_ROUTE_FOR_CYMRU_BOGONS | ip route 192.0.2.1 255.255.255.255 Null0 name NULL_ROUTE_FOR_CYMRU_BOGONS | ||
| − | + | ||
route-map CYMRU-BOGONS permit 10 | route-map CYMRU-BOGONS permit 10 | ||
description BOGONS LIST FOR URPF FILTERING | description BOGONS LIST FOR URPF FILTERING | ||
match community CYMRU-BOGONS | match community CYMRU-BOGONS | ||
set ip next-hop 192.0.2.1 | set ip next-hop 192.0.2.1 | ||
| − | + | ||
ip prefix-list CYMRU-OUT seq 10 deny 0.0.0.0/0 le 32 | ip prefix-list CYMRU-OUT seq 10 deny 0.0.0.0/0 le 32 | ||
| − | + | </PRE> | |
| + | |||
| + | <PRE> | ||
router bgp 65504 | router bgp 65504 | ||
bgp log-neighbor-changes | bgp log-neighbor-changes | ||
| Line 21: | Line 26: | ||
neighbor 2000:B00:B00:10::2 peer-group CYMRU | neighbor 2000:B00:B00:10::2 peer-group CYMRU | ||
neighbor 2000:C00:C00:10::2 peer-group CYMRU | neighbor 2000:C00:C00:10::2 peer-group CYMRU | ||
| − | + | ||
address-family ipv4 | address-family ipv4 | ||
neighbor CYMRU soft-reconfiguration inbound | neighbor CYMRU soft-reconfiguration inbound | ||
| Line 31: | Line 36: | ||
no synchronization | no synchronization | ||
exit-address-family | exit-address-family | ||
| − | + | </PRE> | |
| + | |||
| + | <PRE> | ||
access-list 100 remark ---- ACL FOR URPF ---- | access-list 100 remark ---- ACL FOR URPF ---- | ||
access-list 100 permit udp any eq bootps any eq bootpc | access-list 100 permit udp any eq bootps any eq bootpc | ||
access-list 100 deny ip any any | access-list 100 deny ip any any | ||
| − | + | ||
interface FastEthernet0 | interface FastEthernet0 | ||
description EXTERNAL | description EXTERNAL | ||
ip verify unicast reverse-path 100 | ip verify unicast reverse-path 100 | ||
| − | + | </PRE> | |
| + | <PRE> | ||
| + | ip prefix-list CYMRU_NAT-T_FIX seq 10 permit 192.168.0.0/16 | ||
| − | |||
| − | |||
| − | |||
route-map CYMRU-BOGONS deny 5 | route-map CYMRU-BOGONS deny 5 | ||
description TO FIX NAT-T | description TO FIX NAT-T | ||
match ip address prefix-list CYMRU_NAT-T_FIX | match ip address prefix-list CYMRU_NAT-T_FIX | ||
match community CYMRU-BOGONS | match community CYMRU-BOGONS | ||
| − | + | </PRE> | |
Revision as of 09:39, 8 November 2013
ip bgp-community new-format
ip community-list expanded CYMRU-BOGONS permit 65000:888 ip route 192.0.2.1 255.255.255.255 Null0 name NULL_ROUTE_FOR_CYMRU_BOGONS route-map CYMRU-BOGONS permit 10 description BOGONS LIST FOR URPF FILTERING match community CYMRU-BOGONS set ip next-hop 192.0.2.1 ip prefix-list CYMRU-OUT seq 10 deny 0.0.0.0/0 le 32
router bgp 65504 bgp log-neighbor-changes neighbor CYMRU peer-group neighbor CYMRU remote-as 65000 neighbor CYMRU description CYMRU BOGONS LIST neighbor CYMRU ebgp-multihop 255 neighbor CYMRU password 7 1234567890 neighbor CYMRU update-source Loopback6 neighbor 2000:B00:B00:10::2 peer-group CYMRU neighbor 2000:C00:C00:10::2 peer-group CYMRU address-family ipv4 neighbor CYMRU soft-reconfiguration inbound neighbor CYMRU prefix-list CYMRU-OUT out neighbor CYMRU route-map CYMRU-BOGONS in neighbor 2000:B00:B00:10::2 activate neighbor 2000:C00:C00:10::2 activate no auto-summary no synchronization exit-address-family
access-list 100 remark ---- ACL FOR URPF ---- access-list 100 permit udp any eq bootps any eq bootpc access-list 100 deny ip any any interface FastEthernet0 description EXTERNAL ip verify unicast reverse-path 100
ip prefix-list CYMRU_NAT-T_FIX seq 10 permit 192.168.0.0/16 route-map CYMRU-BOGONS deny 5 description TO FIX NAT-T match ip address prefix-list CYMRU_NAT-T_FIX match community CYMRU-BOGONS