! This configuration uses VLAN access-maps (VACLs) to drop BGP (TCP/179) traffic
! exchanged between addresses inside the IX peering LAN prefix.
! Assumption: the IX peering VLAN is VLAN 10 (see the 'vlan filter' line at the end);
! adjust the vlan-list if your peering VLAN differs.
!
! ACL IPV4: Basic ACL to match BGP, note it _must_ be permit based.
! This ACL only *classifies* traffic; the drop is decided by the VLAN access-map
! that references it, and the access-map acts on what the ACL *permits*.
! A 'deny' here would therefore mean "not matched" and the packet would fall
! through to the forward entry of the access-map instead of being dropped.
! Seq 10: source port 179 (packets sent by the listening side of a session).
! Seq 20: destination port 179 (packets sent toward the listening side).
! Both source and destination must be inside A.B.C.0/YY: BGP with one endpoint
! outside the peering prefix is not matched and is forwarded by the catch-all,
! so the prefix must be the full peering LAN.
ip access-list ACL-BLOCK-BGP
10 permit tcp A.B.C.0/YY eq bgp A.B.C.0/YY
20 permit tcp A.B.C.0/YY A.B.C.0/YY eq bgp
!
! IPv4 catch-all classifier used by the forward entry of the access-map:
! matches every IPv4 packet so that anything not classified as BGP above is
! explicitly forwarded rather than left to the VACL's implicit default.
ip access-list ACL-PERMIT-ALL
10 permit ip any any
!
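! ACL IPV6: Basic ACL to match BGP, note it _must_ be permit based.
! Same classifier as ACL-BLOCK-BGP, for the IPv6 peering prefix: the access-map
! drops what this ACL *permits*, so use permit, not deny.
! Placeholder XX::XX/YY is the IPv6 peering LAN prefix and appears four times
! (source and destination of each entry); replace all four consistently, or
! entries with a mismatched prefix will not classify the traffic and BGP will
! be forwarded by the catch-all instead of dropped.
! Seq 10: source port 179. Seq 20: destination port 179.
ipv6 access-list ACL-BLOCK-BGP6
10 permit tcp XX::XX/YY eq bgp XX::XX/YY
20 permit tcp XX::XX/YY XX::XX/YY eq bgp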
!
! IPv6 catch-all classifier used by the forward entry of the access-map:
! matches every IPv6 packet so that anything not classified as BGP above is
! explicitly forwarded rather than left to the VACL's implicit default.
ipv6 access-list ACL-PERMIT-ALL6
10 permit ipv6 any any
!
! VLAN access-map is almost like a route-map for VLANs: sequence 10 matches the
! BGP classifier ACLs (IPv4 and IPv6 in the same entry) and drops what they permit.
! 'statistics per-entry' keeps hit counters for this entry; they are the
! evidence that the filter is actually catching BGP, so check them after
! applying the filter.
vlan access-map VAM-BGP 10
match ip address ACL-BLOCK-BGP
match ipv6 address ACL-BLOCK-BGP6
action drop
statistics per-entry
! Forward everything else that does not match the ACLs in VAM seq 10.
! This explicit catch-all is what keeps non-BGP traffic in the VLAN flowing;
! it avoids relying on the platform's implicit handling of traffic that matches
! no access-map entry (on Cisco VACLs that default is to drop —
! NOTE(review): confirm for this platform/release rather than depend on it).
vlan access-map VAM-BGP 20
match ip address ACL-PERMIT-ALL
match ipv6 address ACL-PERMIT-ALL6
action forward
!
! Now trigger the filter: apply VAM-BGP to the IX peering VLAN (assumed VLAN 10).
! The VACL applies to traffic in the listed VLAN only; every peering VLAN in
! scope must be included in the vlan-list or BGP on it remains unfiltered.
! NOTE(review): after applying, verify the map is actually installed
! ('show vlan filter', 'show vlan access-map VAM-BGP') and that the seq 10
! per-entry counters increase; a VACL that fails to program in hardware
! (e.g. no TCAM space carved for VACLs on some Nexus platforms) fails open.
vlan filter VAM-BGP vlan-list 10