[FRRouting] Route-Map Configuration for a BGP Network (with Partial Community Support)



Preface

Because my Hetzner disk blew up, I am bringing my peerings inside the IX back online. It had been quite a while since I last maintained them, and since I am an FRRouting user, I spent a few hours today writing a new routing configuration. (It has been a while since I last wrote one, so parts of it may have problems; at least it passes my testing for now.)

The IPv4 and IPv6 parts are also split into rather scattered pieces, and this configuration does not accept routes with RPKI problems (Not Found is accepted, Invalid is rejected).

Communities peers can use

  • 1000 set local-preference to 1000
  • 65501 prepend our AS once to the AS path
  • 65502 prepend our AS twice to the AS path
  • 65503 prepend our AS three times to the AS path
  • 65281 NO_EXPORT
  • 65284/65000 NO_PEER
  • 666 blackhole

Marker communities

  • 4010/4086 marks IPv4 routes for which we provide transit (incomplete)
  • 6010/6086 marks IPv6 routes for which we provide transit (incomplete)
  • 10000/10086 routes announced externally
  • 10010 routes announced inside the IXP
  • 4000 RPKI Valid IPv4
  • 4001 RPKI Not Found IPv4
  • 6000 RPKI Valid IPv6
  • 6001 RPKI Not Found IPv6
  • 3000x learned from region x
  • 2000x exported from region x
  • 9886 our own routes
  • 6666 routes obtained from OSPF6

Implemented route-maps (names are spelled exactly as they appear in the configuration, typos included)

  • DOWNSTREAMV6IN IPv6 downstream in
  • DOWNSTREAMV6OUT IPv6 downstream out
  • DOWNSTREAMV4IN IPv4 downstream in
  • DOWNSTREAMV4OUT IPv4 downstream out
  • RPKI generic in/out
  • UPSTRAMSV6OUT IPv6 upstream out
  • UPSTRAMSV4OUT IPv4 upstream out
  • DENYALL generic in/out
  • IXPV4OUT IPv4 IXP out
  • IXPV6OUT IPv6 IXP out
  • NOEXPORTV6 out, for IPv6 peers that only need a default route
  • NOEXPORTV4 out, for IPv4 peers that only need a default route
  • MYPERFIXV6 our own IPv6 prefixes
  • MYPERFIXV4 our own IPv4 prefixes

Configured prefix-lists

  • ASSETV6 automatic IPv6 filter, generated with BGPQ3/BGPQ4 from the specified AS-SET
  • ASSETV4 automatic IPv4 filter, generated with BGPQ3/BGPQ4 from the specified AS-SET
  • TRANSITV6 IPv6 export whitelist
  • TRANSITV4 IPv4 export whitelist
  • WHITELISTV4 IPv4 import whitelist
  • WHITELISTV6 IPv6 import whitelist
  • IXPV6 IPv6 export whitelist inside the IXP
  • IXPV4 IPv4 export whitelist inside the IXP
  • MYPREFIXV4 list of our own IPv4 prefixes (generated automatically from the specified ASN)
  • MYPREFIXV6 list of our own IPv6 prefixes (generated automatically from the specified ASN)

Final configuration

Remember to replace the ASN with your own (or the shared one). RPKI must also be configured, since almost every entry validates RPKI. The NOEXPORTV4 and NOEXPORTV6 route-maps additionally reference the prefix-lists DEFAULTROUTEV4 and DEFAULTROUTEV6 (matching only the default route); they are not in the list above and must be defined as well.



bgp community-list 1 seq 5 permit 9886:1000
bgp community-list 10 seq 5 permit 9886:10000
bgp community-list 11 seq 5 permit 9886:65501
bgp community-list 12 seq 5 permit 9886:65502
bgp community-list 13 seq 5 permit 9886:65503
bgp community-list 40 seq 5 permit 9886:4010
bgp community-list 40 seq 10 permit 9886:4086
bgp community-list 60 seq 5 permit 9886:6010
bgp community-list 60 seq 10 permit 9886:6086
bgp community-list 66 seq 5 permit 9886:666
bgp community-list 95 seq 5 permit 65535:65281
bgp community-list 95 seq 10 permit 9886:65281
bgp community-list 96 seq 5 permit 65535:65284
bgp community-list 96 seq 10 permit 65500:65000
bgp community-list 96 seq 15 permit 9886:65000
!
!
route-map DOWNSTREAMV6IN permit 100
 match community 1
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set community 9886:1000 9886:6000 9886:6010 9886:30003 additive
 set local-preference 1000
exit
!
! 65501: prepend once; local-preference is only raised by community 1000 (seq 100)
route-map DOWNSTREAMV6IN permit 110
 match community 11
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set as-path prepend 9886
 set community 9886:6000 9886:6010 9886:30003 9886:65501 additive
exit
!
route-map DOWNSTREAMV6IN permit 115
 match community 11
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set as-path prepend 9886
 set community 9886:6001 9886:6010 9886:30003 9886:65501 additive
exit
!
route-map DOWNSTREAMV6IN permit 120
 match community 12
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set as-path prepend 9886 9886
 set community 9886:6000 9886:6010 9886:30003 9886:65502 additive
exit
!
route-map DOWNSTREAMV6IN permit 125
 match community 12
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set as-path prepend 9886 9886
 set community 9886:6001 9886:6010 9886:30003 9886:65502 additive
exit
!
route-map DOWNSTREAMV6IN permit 130
 match community 13
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set as-path prepend 9886 9886 9886
 set community 9886:6000 9886:6010 9886:30003 9886:65503 additive
exit
!
route-map DOWNSTREAMV6IN permit 135
 match community 13
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set as-path prepend 9886 9886 9886
 set community 9886:6001 9886:6010 9886:30003 9886:65503 additive
exit
!
route-map DOWNSTREAMV6IN permit 660
 match community 66
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set community 9886:6000 9886:6010 9886:30003 blackhole additive
 set ipv6 next-hop global 100::
exit
!
route-map DOWNSTREAMV6IN permit 665
 match community 66
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set community 9886:6001 9886:6010 9886:30003 blackhole additive
 set ipv6 next-hop global 100::
exit
!
route-map DOWNSTREAMV6IN permit 950
 match community 95
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set community 9886:6000 9886:6010 9886:30003 no-export additive
exit
!
route-map DOWNSTREAMV6IN permit 955
 match community 95
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set community 9886:6001 9886:6010 9886:30003 no-export additive
exit
!
route-map DOWNSTREAMV6IN permit 960
 match community 96
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set community 9886:6000 9886:6010 9886:30003 no-peer additive
exit
!
route-map DOWNSTREAMV6IN permit 965
 match community 96
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set community 9886:6001 9886:6010 9886:30003 no-peer additive
exit
!
route-map DOWNSTREAMV6IN permit 1000
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set community 9886:6000 9886:6010 9886:30003 additive
exit
!
route-map DOWNSTREAMV6IN permit 1010
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set community 9886:6001 9886:6010 9886:30003 additive
exit
!
route-map DOWNSTREAMV6IN permit 65500
 match ipv6 address prefix-list WHITELISTV6
 match rpki valid
 set community 9886:6000 9886:6086 9886:30003 additive
exit
!
route-map DOWNSTREAMV6IN permit 65505
 match ipv6 address prefix-list WHITELISTV6
 match rpki notfound
 set community 9886:6001 9886:6086 9886:30003 additive
exit
!
route-map DOWNSTREAMV6IN deny 65530
 match rpki invalid
exit
!
route-map DOWNSTREAMV6IN deny 65535
exit
!
route-map DOWNSTREAMV6OUT deny 950
 match community 95
exit
!
route-map DOWNSTREAMV6OUT deny 960
 match community 96
exit
!
route-map DOWNSTREAMV6OUT permit 10000
 match rpki valid
 set local-preference 110
exit
!
route-map DOWNSTREAMV6OUT permit 10010
 match rpki notfound
 set local-preference 90
exit
!
route-map DOWNSTREAMV6OUT deny 65530
 match rpki invalid
exit
!
route-map NOEXPORTV6 permit 10
 match ipv6 address prefix-list DEFAULTROUTEV6
 set community no-export
exit
!
route-map UPSTRAMSV6OUT permit 1000
 match ipv6 address prefix-list TRANSITV6
 match rpki valid
 set community 9886:6000 9886:10000 9886:10086 9886:20003 additive
exit
!
route-map UPSTRAMSV6OUT permit 1010
 match ipv6 address prefix-list TRANSITV6
 match rpki notfound
 set community 9886:6001 9886:10000 9886:10086 9886:20003 additive
exit
!
route-map UPSTRAMSV6OUT permit 1100
 match ipv6 address prefix-list MYPREFIXV6
 match rpki valid
 set community 9886:6000 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map UPSTRAMSV6OUT permit 1110
 match ipv6 address prefix-list MYPREFIXV6
 match rpki notfound
 set community 9886:6001 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map UPSTRAMSV6OUT permit 2000
 match community 10
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set community 9886:6000 9886:10000 9886:20003 additive
exit
!
route-map UPSTRAMSV6OUT permit 2010
 match community 10
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set community 9886:6001 9886:10000 9886:20003 additive
exit
!
route-map UPSTRAMSV6OUT deny 65530
 match rpki invalid
exit
!
route-map UPSTRAMSV6OUT deny 65535
exit
!
route-map IXPV6OUT permit 1000
 match ipv6 address prefix-list TRANSITV6
 match rpki valid
 set community 9886:6000 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV6OUT permit 1010
 match ipv6 address prefix-list TRANSITV6
 match rpki notfound
 set community 9886:6001 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV6OUT permit 1200
 match ipv6 address prefix-list MYPREFIXV6
 match rpki valid
 set community 9886:6000 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map IXPV6OUT permit 1210
 match ipv6 address prefix-list MYPREFIXV6
 match rpki notfound
 set community 9886:6001 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map IXPV6OUT permit 1100
 match ipv6 address prefix-list IXPV6
 match rpki valid
 set community 9886:6000 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV6OUT permit 1110
 match ipv6 address prefix-list IXPV6
 match rpki notfound
 set community 9886:6001 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV6OUT permit 2000
 match community 10
 match ipv6 address prefix-list ASSETV6
 match rpki valid
 set community 9886:6000 9886:10010 9886:20003 additive
exit
!
route-map IXPV6OUT permit 2010
 match community 10
 match ipv6 address prefix-list ASSETV6
 match rpki notfound
 set community 9886:6001 9886:10010 9886:20003 additive
exit
!
route-map IXPV6OUT deny 65530
 match rpki invalid
exit
!
route-map IXPV6OUT deny 65535
exit
!
route-map DOWNSTREAMV4IN permit 100
 match community 1
 match ip address prefix-list ASSETV4
 match rpki valid
 set community 9886:1000 9886:4000 9886:4010 9886:30003 additive
 set local-preference 1000
exit
!
! 65501: prepend once; local-preference is only raised by community 1000 (seq 100)
route-map DOWNSTREAMV4IN permit 110
 match community 11
 match ip address prefix-list ASSETV4
 match rpki valid
 set as-path prepend 9886
 set community 9886:4000 9886:4010 9886:30003 9886:65501 additive
exit
!
route-map DOWNSTREAMV4IN permit 115
 match community 11
 match ip address prefix-list ASSETV4
 match rpki notfound
 set as-path prepend 9886
 set community 9886:4001 9886:4010 9886:30003 9886:65501 additive
exit
!
route-map DOWNSTREAMV4IN permit 120
 match community 12
 match ip address prefix-list ASSETV4
 match rpki valid
 set as-path prepend 9886 9886
 set community 9886:4000 9886:4010 9886:30003 9886:65502 additive
exit
!
route-map DOWNSTREAMV4IN permit 125
 match community 12
 match ip address prefix-list ASSETV4
 match rpki notfound
 set as-path prepend 9886 9886
 set community 9886:4001 9886:4010 9886:30003 9886:65502 additive
exit
!
route-map DOWNSTREAMV4IN permit 130
 match community 13
 match ip address prefix-list ASSETV4
 match rpki valid
 set as-path prepend 9886 9886 9886
 set community 9886:4000 9886:4010 9886:30003 9886:65503 additive
exit
!
route-map DOWNSTREAMV4IN permit 135
 match community 13
 match ip address prefix-list ASSETV4
 match rpki notfound
 set as-path prepend 9886 9886 9886
 set community 9886:4001 9886:4010 9886:30003 9886:65503 additive
exit
!
route-map DOWNSTREAMV4IN permit 660
 match community 66
 match ip address prefix-list ASSETV4
 match rpki valid
 set community 9886:4000 9886:4010 9886:30003 blackhole additive
 set ip next-hop 127.0.0.1
exit
!
route-map DOWNSTREAMV4IN permit 665
 match community 66
 match ip address prefix-list ASSETV4
 match rpki notfound
 set community 9886:4001 9886:4010 9886:30003 blackhole additive
 set ip next-hop 127.0.0.1
exit
!
route-map DOWNSTREAMV4IN permit 950
 match community 95
 match ip address prefix-list ASSETV4
 match rpki valid
 set community 9886:4000 9886:4010 9886:30003 no-export additive
exit
!
route-map DOWNSTREAMV4IN permit 955
 match community 95
 match ip address prefix-list ASSETV4
 match rpki notfound
 set community 9886:4001 9886:4010 9886:30003 no-export additive
exit
!
route-map DOWNSTREAMV4IN permit 960
 match community 96
 match ip address prefix-list ASSETV4
 match rpki valid
 set community 9886:4000 9886:4010 9886:30003 no-peer additive
exit
!
route-map DOWNSTREAMV4IN permit 965
 match community 96
 match ip address prefix-list ASSETV4
 match rpki notfound
 set community 9886:4001 9886:4010 9886:30003 no-peer additive
exit
!
route-map DOWNSTREAMV4IN permit 1000
 match ip address prefix-list ASSETV4
 match rpki valid
 set community 9886:4000 9886:4010 9886:30003 additive
exit
!
route-map DOWNSTREAMV4IN permit 1010
 match ip address prefix-list ASSETV4
 match rpki notfound
 set community 9886:4001 9886:4010 9886:30003 additive
exit
!
route-map DOWNSTREAMV4IN permit 65500
 match ip address prefix-list WHITELISTV4
 match rpki valid
 set community 9886:4000 9886:4086 9886:30003 additive
exit
!
route-map DOWNSTREAMV4IN permit 65505
 match ip address prefix-list WHITELISTV4
 match rpki notfound
 set community 9886:4001 9886:4086 9886:30003 additive
exit
!
route-map DOWNSTREAMV4IN deny 65530
 match rpki invalid
exit
!
route-map DOWNSTREAMV4IN deny 65535
exit
!
route-map DOWNSTREAMV4OUT deny 950
 match community 95
exit
!
route-map DOWNSTREAMV4OUT deny 960
 match community 96
exit
!
route-map DOWNSTREAMV4OUT permit 10000
 match rpki valid
 set local-preference 110
exit
!
route-map DOWNSTREAMV4OUT permit 10010
 match rpki notfound
 set local-preference 90
exit
!
route-map DOWNSTREAMV4OUT deny 65530
 match rpki invalid
exit
!
route-map NOEXPORTV4 permit 10
 match ip address prefix-list DEFAULTROUTEV4
 set community no-export
exit
!
route-map UPSTRAMSV4OUT permit 1000
 match ip address prefix-list TRANSITV4
 match rpki valid
 set community 9886:4000 9886:10000 9886:10086 9886:20003 additive
exit
!
route-map UPSTRAMSV4OUT permit 1010
 match ip address prefix-list TRANSITV4
 match rpki notfound
 set community 9886:4001 9886:10000 9886:10086 9886:20003 additive
exit
!
! our own IPv4 prefixes carry the IPv4 RPKI markers 4000/4001
route-map UPSTRAMSV4OUT permit 1100
 match ip address prefix-list MYPREFIXV4
 match rpki valid
 set community 9886:4000 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map UPSTRAMSV4OUT permit 1110
 match ip address prefix-list MYPREFIXV4
 match rpki notfound
 set community 9886:4001 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map UPSTRAMSV4OUT permit 2000
 match community 10
 match ip address prefix-list ASSETV4
 match rpki valid
 set community 9886:4000 9886:10000 9886:20003 additive
exit
!
route-map UPSTRAMSV4OUT permit 2010
 match community 10
 match ip address prefix-list ASSETV4
 match rpki notfound
 set community 9886:4001 9886:10000 9886:20003 additive
exit
!
route-map UPSTRAMSV4OUT deny 65530
 match rpki invalid
exit
!
route-map UPSTRAMSV4OUT deny 65535
exit
!
! IPv4 IXP export: IPv4 routes carry the 4000/4001 RPKI markers, not the IPv6 6000/6001 ones
route-map IXPV4OUT permit 1000
 match ip address prefix-list TRANSITV4
 match rpki valid
 set community 9886:4000 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV4OUT permit 1010
 match ip address prefix-list TRANSITV4
 match rpki notfound
 set community 9886:4001 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV4OUT permit 1100
 match ip address prefix-list IXPV4
 match rpki valid
 set community 9886:4000 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV4OUT permit 1110
 match ip address prefix-list IXPV4
 match rpki notfound
 set community 9886:4001 9886:10010 9886:10086 9886:20003 additive
exit
!
route-map IXPV4OUT permit 1200
 match ip address prefix-list MYPREFIXV4
 match rpki valid
 set community 9886:4000 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map IXPV4OUT permit 1210
 match ip address prefix-list MYPREFIXV4
 match rpki notfound
 set community 9886:4001 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map IXPV4OUT permit 2000
 match community 10
 match ip address prefix-list ASSETV4
 match rpki valid
 set community 9886:4000 9886:10010 9886:20003 additive
exit
!
route-map IXPV4OUT permit 2010
 match community 10
 match ip address prefix-list ASSETV4
 match rpki notfound
 set community 9886:4001 9886:10010 9886:20003 additive
exit
!
route-map IXPV4OUT deny 65530
 match rpki invalid
exit
!
route-map IXPV4OUT deny 65535
exit
!
route-map DENYALL deny 5
exit
!
! generic in/out policy: prefer RPKI valid over not-found, drop invalid
route-map RPKI permit 10
 match rpki valid
 set local-preference 110
exit
!
route-map RPKI permit 20
 match rpki notfound
 set local-preference 90
exit
!
route-map RPKI deny 30
 match rpki invalid
exit
!
! prefixes redistributed from OSPF6 get the 6666 marker and a double prepend
route-map MYPERFIXV6 permit 100
 match source-protocol ospf6
 match ipv6 address prefix-list MYPREFIXV6
 match rpki valid
 set community 9886:6000 9886:10010 9886:10086 9886:9886 9886:6666 9886:20003 additive
 set as-path prepend 9886 9886
exit
!
route-map MYPERFIXV6 permit 110
 match source-protocol ospf6
 match ipv6 address prefix-list MYPREFIXV6
 match rpki notfound
 set community 9886:6001 9886:10010 9886:10086 9886:9886 9886:6666 9886:20003 additive
 set as-path prepend 9886 9886
exit
!
route-map MYPERFIXV6 permit 1000
 match ipv6 address prefix-list MYPREFIXV6
 match rpki valid
 set community 9886:6000 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map MYPERFIXV6 permit 1010
 match ipv6 address prefix-list MYPREFIXV6
 match rpki notfound
 set community 9886:6001 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map MYPERFIXV6 deny 65530
 match rpki invalid
exit
!
route-map MYPERFIXV6 deny 65535
exit
!
! prefixes redistributed from OSPF get the 6666 marker and a double prepend
route-map MYPERFIXV4 permit 100
 match source-protocol ospf
 match ip address prefix-list MYPREFIXV4
 match rpki valid
 set community 9886:4000 9886:10010 9886:10086 9886:9886 9886:6666 9886:20003 additive
 set as-path prepend 9886 9886
exit
!
route-map MYPERFIXV4 permit 110
 match source-protocol ospf
 match ip address prefix-list MYPREFIXV4
 match rpki notfound
 set community 9886:4001 9886:10010 9886:10086 9886:9886 9886:6666 9886:20003 additive
 set as-path prepend 9886 9886
exit
!
route-map MYPERFIXV4 permit 1000
 match ip address prefix-list MYPREFIXV4
 match rpki valid
 set community 9886:4000 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map MYPERFIXV4 permit 1010
 match ip address prefix-list MYPREFIXV4
 match rpki notfound
 set community 9886:4001 9886:10010 9886:10086 9886:9886 9886:20003 additive
exit
!
route-map MYPERFIXV4 deny 65530
 match rpki invalid
exit
!
route-map MYPERFIXV4 deny 65535
exit
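To check what each peer community actually does before pushing the policy to a live router, here is an added Python model (not part of the original post and not FRR code) that replays the first-match logic of DOWNSTREAMV6IN on a constructed route. The ASSETV6 prefix-list is approximated by an exact-match set and the WHITELISTV6 entries are left out; both are simplifications.

```python
from dataclasses import dataclass, field, replace
from typing import Optional
MY_ASN = 9886
# bgp community-list numbers from the config and the values they permit
COMMUNITY_LISTS = {
    "1": {"9886:1000"}, "11": {"9886:65501"}, "12": {"9886:65502"},
    "13": {"9886:65503"}, "66": {"9886:666"},
    "95": {"65535:65281", "9886:65281"},
    "96": {"65535:65284", "65500:65000", "9886:65000"},
}
RPKI_MARK = {"valid": "9886:6000", "notfound": "9886:6001"}
@dataclass
class Route:
    prefix: str
    rpki: str                      # "valid", "notfound" or "invalid"
    communities: set = field(default_factory=set)
    as_path: list = field(default_factory=list)
    local_pref: int = 100
    next_hop: str = "2001:db8::1"  # constructed sample next-hop

# DOWNSTREAMV6IN permit entries in sequence order:
# (community-list, communities added, prepends, local-pref, blackhole)
ENTRIES = [
    ("1", {"9886:1000"}, 0, 1000, False),    # seq 100
    ("11", {"9886:65501"}, 1, None, False),  # seq 110/115
    ("12", {"9886:65502"}, 2, None, False),  # seq 120/125
    ("13", {"9886:65503"}, 3, None, False),  # seq 130/135
    ("66", {"blackhole"}, 0, None, True),    # seq 660/665
    ("95", {"no-export"}, 0, None, False),   # seq 950/955
    ("96", {"no-peer"}, 0, None, False),     # seq 960/965
    (None, set(), 0, None, False),           # seq 1000/1010: plain accept
]

def downstream_v6_in(route: Route, asset_v6: set) -> Optional[Route]:
    """Apply DOWNSTREAMV6IN to one route; None means the route-map denied it.
    asset_v6 stands in for prefix-list ASSETV6 as an exact-match set (a
    simplification); the WHITELISTV6 entries are not modelled."""
    if route.prefix not in asset_v6 or route.rpki == "invalid":
        return None            # nothing permits it: deny 65530 / deny 65535
    for clist, added, prepend, lp, blackhole in ENTRIES:
        # like FRR, the first entry whose match clauses all succeed wins
        if clist and not (route.communities & COMMUNITY_LISTS[clist]):
            continue           # 'match community N' failed, try next seq
        out = replace(route, communities=set(route.communities),
                      as_path=list(route.as_path))
        # every permit entry adds the RPKI marker, 6010 and the region tag
        out.communities |= {RPKI_MARK[route.rpki], "9886:6010", "9886:30003"} | added
        out.as_path = [MY_ASN] * prepend + out.as_path
        if lp is not None:
            out.local_pref = lp
        if blackhole:          # 666: discard traffic via the 100:: next-hop
            out.next_hop = "100::"
        return out
    return None
```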
!