forked from colinbodor/projectton
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCisco.conf
57 lines (57 loc) · 2.12 KB
/
Cisco.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
! Created by Mark Leonard of YYC Net Lab.
! Feel free to contact me with improvements or suggestions via GitHub:
! https://github.com/colinbodor/projectton
!
! Create null routes for blackholes:
ip route 192.0.2.1 255.255.255.255 Null0
ipv6 route 2001:DB8:0:DEAD:BEEF::1/128 Null0
!
! Create a prefix list that allows nothing out:
ip prefix-list PFL_v4NoPrefixes seq 10 deny 0.0.0.0/0 le 32
!
ip community-list standard CL_CountryCodes permit 65535:3166
!
! These are provided for reference. When there are multiple communities
! listed by the same community list it acts as a logical "or":
! ip community-list standard CL_BlockCountry permit 3166:1234
! ip community-list standard CL_BlockCountry permit 3166:5678
!
ip community-list standard CL_Blackhole permit 65535:666
!
route-map RM-CC_Blackhole permit 100
description Blackhole anything with the Blackhole Community set
match community CL_Blackhole
set ip next-hop 192.0.2.1
set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
! route-map RM-CC_Blackhole permit 200
! description Blackhole specific countries
! match community CL_BlockCountry
! set ip next-hop 192.0.2.1
! set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
route-map RM-CC_Blackhole deny 999
description Do not blackhole all the Countries
match community CL_CountryCodes
!
!
router bgp %YOUR ASN%
neighbor rr1.projectton.com peer-group
neighbor rr1.projectton.com remote-as 4212345678
neighbor rr1.projectton.com ebgp-multihop 32
neighbor 162.208.89.180 peer-group rr1.projectton.com
address-family ipv4
neighbor rr1.projectton.com prefix-list PFL_v4NoPrefixes out
neighbor rr1.projectton.com route-map RM-CC_Blackhole in
neighbor rr1.projectton.com activate
!
!
! (Optional) Enable "loose uRPF" on upstream interfaces:
! interface %UPSTREAM INTERFACE%
! ip verify unicast source reachable-via any [allow-default]
! ! see: https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding
! !
! (Optional) Show the number of uRPF drops:
! #sh ip traffic | sec Drop
! Drop: 60 encapsulation failed, 0 unresolved, 0 no adjacency
! 0 no route, 23606805 unicast RPF, 0 forced drop