Skip to content

Instantly share code, notes, and snippets.

@pedrompcaetano

pedrompcaetano/rtr1

Created November 9, 2015 00:21
Show Gist options
  • Save pedrompcaetano/861d965f373ccd879a9d to your computer and use it in GitHub Desktop.
Save pedrompcaetano/861d965f373ccd879a9d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
rtr1
rtr1/bgpd.conf:
rtr1/bgpd.conf:internal_peer="10.10.107.242"
rtr1/bgpd.conf:upstream1="10.20.136.161"
rtr1/bgpd.conf:upstream2="10.20.136.162"
rtr1/bgpd.conf:pt="{$upstream1, $upstream2 }"
rtr1/bgpd.conf:bgp_networks="{10.20.249.144/28, 10.10.106.0/23, 10.10.106.0/24, 10.10.107.0/24, 10.30.23.0/24 }"
rtr1/bgpd.conf:
rtr1/bgpd.conf:AS 65529
rtr1/bgpd.conf:router-id 10.20.136.165
rtr1/bgpd.conf:holdtime 3
rtr1/bgpd.conf:holdtime min 9
rtr1/bgpd.conf:listen on 0.0.0.0
rtr1/bgpd.conf:fib-update yes
rtr1/bgpd.conf:log updates
rtr1/bgpd.conf:network 10.20.249.144/28
rtr1/bgpd.conf:network 10.10.106.0/23
rtr1/bgpd.conf:network 10.10.106.0/24
rtr1/bgpd.conf:network 10.10.107.0/24
rtr1/bgpd.conf:network 10.30.23.0/24
rtr1/bgpd.conf:nexthop qualify via bgp
rtr1/bgpd.conf:
rtr1/bgpd.conf:
rtr1/bgpd.conf:group "peering PT" {
rtr1/bgpd.conf: remote-as 65025
rtr1/bgpd.conf: neighbor $upstream1 {
rtr1/bgpd.conf: announce self
rtr1/bgpd.conf: }
rtr1/bgpd.conf: neighbor $upstream2 {
rtr1/bgpd.conf: announce self
rtr1/bgpd.conf: }
rtr1/bgpd.conf:}
rtr1/bgpd.conf:
rtr1/bgpd.conf:neighbor $internal_peer {
rtr1/bgpd.conf: remote-as 65530
rtr1/bgpd.conf: announce default-route
rtr1/bgpd.conf: }
rtr1/bgpd.conf:match to any prefix 10.10.107.0/24 set prepend-self 2
rtr1/bgpd.conf:match to any prefix 10.20.249.144/28 set prepend-self 2
rtr1/bgpd.conf:
rtr1/bgpd.conf:deny from any
rtr1/bgpd.conf:
rtr1/bgpd.conf:allow from $upstream1 prefix 0.0.0.0/0 set localpref 150
rtr1/bgpd.conf:allow from $internal_peer prefix 0.0.0.0/0 set localpref 20
rtr1/bgpd.conf:allow from $upstream2 prefix 0.0.0.0/0
rtr1/bgpd.conf:
rtr1/bgpd.conf:deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
rtr1/bgpd.conf:deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
rtr1/bgpd.conf:deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
rtr1/bgpd.conf:deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
rtr1/bgpd.conf:deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
rtr1/bgpd.conf:deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
rtr1/bgpd.conf:deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
rtr1/bgpd.conf:deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
rtr1/bgpd.conf:deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
rtr1/bgpd.conf:deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
rtr1/bgpd.conf:deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
rtr1/bgpd.conf:deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
rtr1/bgpd.conf:deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
rtr1/bgpd.conf:
rtr1/bgpd.conf:deny from any prefix ::/8 prefixlen >= 8
rtr1/bgpd.conf:deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
rtr1/bgpd.conf:deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
rtr1/bgpd.conf:deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
rtr1/bgpd.conf:deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
rtr1/bgpd.conf:deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
rtr1/bgpd.conf:deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
rtr1/bgpd.conf:deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
rtr1/bgpd.conf:deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
rtr1/bgpd.conf:deny from any prefix ff00::/8 prefixlen >= 8 # multicast
rtr1/bgpd.conf:
rtr1/hostname.carp7401:up
rtr1/hostname.carp7401:group site2
rtr1/hostname.carp7401:10.10.107.252 netmask 255.255.255.240 carpdev vlan740 vhid 5 pass 3e2e04c8d1e1617447be3132
rtr1/hostname.carp7402:up
rtr1/hostname.carp7402:group site2
rtr1/hostname.carp7402:10.10.107.251 netmask 255.255.255.240 carpdev vlan740 vhid 6 pass 3e2e04c8d1e1617447be3132
rtr1/hostname.carp7403:up
rtr1/hostname.carp7403:group site1
rtr1/hostname.carp7403:10.10.107.253 netmask 255.255.255.240 carpdev vlan740 vhid 4 pass 3e2e04c8d1e1617447be3132 advskew 100
rtr1/hostname.carp7404:up
rtr1/hostname.carp7404:group site1
rtr1/hostname.carp7404:10.10.107.254 netmask 255.255.255.240 carpdev vlan740 vhid 3 pass 3e2e04c8d1e1617447be3132 advskew 100
rtr1/hostname.vlan46:up
rtr1/hostname.vlan46:inet 10.20.136.165 255.255.255.248 NONE vlan 710 vlandev vio0
rtr1/pf.conf:
rtr1/pf.conf:icmp_types = "{ echoreq, unreach }"
rtr1/pf.conf:
rtr1/pf.conf:set skip on lo
rtr1/pf.conf:
rtr1/pf.conf:block drop log all #block stateless traffic
rtr1/pf.conf:pass on vlan740 proto carp keep state
rtr1/pf.conf:pass on vlan1267 proto pfsync
rtr1/pf.conf:pass inet proto icmp icmp-type $icmp_types
rtr1/pf.conf:
rtr1/pf.conf:anchor "rdomain2" on rdomain 2 {
rtr1/pf.conf: pass in proto tcp to port { ssh www https } tag GOOD
rtr1/pf.conf: pass out from vio1:network to any
rtr1/pf.conf: block log quick ! tagged GOOD
rtr1/pf.conf: }
rtr1/sysctl.conf:net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
rtr1/sysctl.conf:net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
rtr1/sysctl.conf:net.inet.carp.log=3 # log level of carp(4) info, default 2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment