JunOS Secure BGP Template

王朝other·作者佚名  2006-01-09

/* ... begin template ... */

version 4.3R3;

/* JUNOS 4.3R3 Secure BGP template. The release tag above is very old;
   when loading this template on a current release, validate it with
   'commit check' first and expect some statements to need adjustment. */

routing-options {

options {

/* Turn off DNS resolution */

no-resolve;

}

static {

/* This is our aggregate static route. It is the route that the 'announce'
   policy below exports to eBGP peers (protocol static, 1.88.0.0/19 exact),
   so nothing is announced unless this route is present.
   NOTE(review): 1.88.0.0/19 is an example netblock. It sits inside
   1.0.0.0/8, which this template also discards and lists as a martian, and
   1.0.0.0/8 has since been allocated. Replace it with the real netblock and
   confirm on the target release that the '1.0.0.0/8 longer' martian entry
   does not suppress the aggregate or its more-specifics. */

route 1.88.0.0/19 discard;

/* More specific routes used with discard route above. Remove these
if using an IGP to discover internal routes. */

route 1.88.50.0/24 next-hop 192.168.50.5;

route 1.88.55.0/24 next-hop 192.168.50.8;

route 1.88.75.128/25 next-hop 192.168.50.10;

/* Route to loopback of our iBGP peer */

route 172.17.70.2/32 next-hop 192.168.50.2;

/* Black-hole routes for traffic destined to these networks.
   CAUTION: this list is a snapshot of unallocated ("bogon") space as of the
   template's date. Many of the /8s below have since been allocated by IANA,
   so installing the list unchanged will black-hole legitimate destinations.
   Regenerate it from the current IANA IPv4 address space registry (or a
   maintained bogon feed) before use, and keep it identical to the martians
   list further down, which mirrors it entry for entry. */

route 0.0.0.0/8 discard;

route 1.0.0.0/8 discard;

route 2.0.0.0/8 discard;

route 5.0.0.0/8 discard;

route 7.0.0.0/8 discard;

route 10.0.0.0/8 discard;

route 23.0.0.0/8 discard;

route 27.0.0.0/8 discard;

route 31.0.0.0/8 discard;

route 36.0.0.0/8 discard;

route 37.0.0.0/8 discard;

route 39.0.0.0/8 discard;

route 41.0.0.0/8 discard;

route 42.0.0.0/8 discard;

route 49.0.0.0/8 discard;

route 50.0.0.0/8 discard;

route 73.0.0.0/8 discard;

route 74.0.0.0/8 discard;

route 75.0.0.0/8 discard;

route 76.0.0.0/8 discard;

route 77.0.0.0/8 discard;

route 78.0.0.0/8 discard;

route 79.0.0.0/8 discard;

route 89.0.0.0/8 discard;

route 90.0.0.0/8 discard;

route 91.0.0.0/8 discard;

route 92.0.0.0/8 discard;

route 93.0.0.0/8 discard;

route 94.0.0.0/8 discard;

route 95.0.0.0/8 discard;

route 96.0.0.0/8 discard;

route 97.0.0.0/8 discard;

route 98.0.0.0/8 discard;

route 99.0.0.0/8 discard;

route 100.0.0.0/8 discard;

route 101.0.0.0/8 discard;

route 102.0.0.0/8 discard;

route 103.0.0.0/8 discard;

route 104.0.0.0/8 discard;

route 105.0.0.0/8 discard;

route 106.0.0.0/8 discard;

route 107.0.0.0/8 discard;

route 108.0.0.0/8 discard;

route 109.0.0.0/8 discard;

route 110.0.0.0/8 discard;

route 111.0.0.0/8 discard;

route 112.0.0.0/8 discard;

route 113.0.0.0/8 discard;

route 114.0.0.0/8 discard;

route 115.0.0.0/8 discard;

route 116.0.0.0/8 discard;

route 117.0.0.0/8 discard;

route 118.0.0.0/8 discard;

route 119.0.0.0/8 discard;

route 120.0.0.0/8 discard;

route 121.0.0.0/8 discard;

route 122.0.0.0/8 discard;

route 123.0.0.0/8 discard;

route 127.0.0.0/8 discard;

route 128.0.0.0/16 discard;

route 169.254.0.0/16 discard;

route 172.16.0.0/12 discard;

route 173.0.0.0/8 discard;

route 174.0.0.0/8 discard;

route 175.0.0.0/8 discard;

route 176.0.0.0/8 discard;

route 177.0.0.0/8 discard;

route 178.0.0.0/8 discard;

route 179.0.0.0/8 discard;

route 180.0.0.0/8 discard;

route 181.0.0.0/8 discard;

route 182.0.0.0/8 discard;

route 183.0.0.0/8 discard;

route 184.0.0.0/8 discard;

route 185.0.0.0/8 discard;

route 186.0.0.0/8 discard;

route 187.0.0.0/8 discard;

route 189.0.0.0/8 discard;

route 190.0.0.0/8 discard;

route 192.0.2.0/24 discard;

route 192.168.0.0/16 discard;

route 197.0.0.0/8 discard;

route 198.18.0.0/15 discard;

route 223.0.0.0/8 discard;

route 240.0.0.0/4 discard;

}

/* Our AS Number (example value; the iBGP group below uses the same number
   as its peer-as) */

autonomous-system 111;

/* Export the policy that turns on flow based load balancing. The
   'load-balancing' policy-statement is defined under policy-options. */

forwarding-table {

export load-balancing;

}

/* Keep certain announcements from entering the routing table,
but permit specific discard routes to remain there. Use
'show route martians' to view them.
   Each entry uses 'longer' rather than 'orlonger' on purpose: only prefixes
   more specific than the listed one are treated as martians, so the exact
   /8 discard routes configured above are still installed. This list must be
   kept in step with the discard routes above; see the caution there about
   the list being a dated snapshot of unallocated space. */

martians {

0.0.0.0/8 longer;

1.0.0.0/8 longer;

2.0.0.0/8 longer;

5.0.0.0/8 longer;

7.0.0.0/8 longer;

10.0.0.0/8 longer;

23.0.0.0/8 longer;

27.0.0.0/8 longer;

31.0.0.0/8 longer;

36.0.0.0/8 longer;

37.0.0.0/8 longer;

39.0.0.0/8 longer;

41.0.0.0/8 longer;

42.0.0.0/8 longer;

49.0.0.0/8 longer;

50.0.0.0/8 longer;

73.0.0.0/8 longer;

74.0.0.0/8 longer;

75.0.0.0/8 longer;

76.0.0.0/8 longer;

77.0.0.0/8 longer;

78.0.0.0/8 longer;

79.0.0.0/8 longer;

89.0.0.0/8 longer;

90.0.0.0/8 longer;

91.0.0.0/8 longer;

92.0.0.0/8 longer;

93.0.0.0/8 longer;

94.0.0.0/8 longer;

95.0.0.0/8 longer;

96.0.0.0/8 longer;

97.0.0.0/8 longer;

98.0.0.0/8 longer;

99.0.0.0/8 longer;

100.0.0.0/8 longer;

101.0.0.0/8 longer;

102.0.0.0/8 longer;

103.0.0.0/8 longer;

104.0.0.0/8 longer;

105.0.0.0/8 longer;

106.0.0.0/8 longer;

107.0.0.0/8 longer;

108.0.0.0/8 longer;

109.0.0.0/8 longer;

110.0.0.0/8 longer;

111.0.0.0/8 longer;

112.0.0.0/8 longer;

113.0.0.0/8 longer;

114.0.0.0/8 longer;

115.0.0.0/8 longer;

116.0.0.0/8 longer;

117.0.0.0/8 longer;

118.0.0.0/8 longer;

119.0.0.0/8 longer;

120.0.0.0/8 longer;

121.0.0.0/8 longer;

122.0.0.0/8 longer;

123.0.0.0/8 longer;

127.0.0.0/8 longer;

128.0.0.0/16 longer;

169.254.0.0/16 longer;

172.16.0.0/12 longer;

173.0.0.0/8 longer;

174.0.0.0/8 longer;

175.0.0.0/8 longer;

176.0.0.0/8 longer;

177.0.0.0/8 longer;

178.0.0.0/8 longer;

179.0.0.0/8 longer;

180.0.0.0/8 longer;

181.0.0.0/8 longer;

182.0.0.0/8 longer;

183.0.0.0/8 longer;

184.0.0.0/8 longer;

185.0.0.0/8 longer;

186.0.0.0/8 longer;

187.0.0.0/8 longer;

189.0.0.0/8 longer;

190.0.0.0/8 longer;

192.0.2.0/24 longer;

192.168.0.0/16 longer;

197.0.0.0/8 longer;

198.18.0.0/15 longer;

223.0.0.0/8 longer;

240.0.0.0/4 longer;

}

}

/* Routing protocol configuration. Only BGP is configured here; the iBGP
   peer is reached through the static route to 172.17.70.2 defined under
   routing-options. */

protocols {

bgp {

/* Log additional BGP information to aid in troubleshooting. To
view, use 'show log log-bgp' */

traceoptions {

/* Rotate through 5 files at 1mb each */

file log-bgp size 1m files 5;

/* Trace BGP state transitions */

flag state;

/* Trace BGP normal events */

flag normal;

}

/* Log BGP neighbor changes. Forward the resulting syslog messages to a
   central collector so that unexpected session resets and peer flaps are
   visible to the operations team, not only in the local trace file. */

log-updown;

/* Enable bgp route flap damping. The per-prefix parameters are applied
   by the 'damping' import policy defined under policy-options. */

damping;

/* Keep private AS numbers 64512-65535 from leaking out. This covers the
   outbound direction; inbound advertisements carrying private ASNs are
   rejected by the 'noprivateasns' import policy. */

remove-private;

family inet {

any {

/* MUST take into account current routing table size and keep
a CLOSE watch on this. Otherwise do NOT use! Prefix
limits can be applied at the group level instead if
desired.
   CAUTION: 130000 reflects the size of the global table when this template
   was written. A current full IPv4 table is far larger, so this value as
   written would tear down the session with any full-feed peer. Derive the
   maximum from the peer's expected prefix count before enabling. */

prefix-limit {

/* Tear down connection when routes reach maximum */

maximum 130000;

/* Start issuing warning messages at teardown percent */

teardown 90;

}

}

}

/* iBGP peer-group with AS 111. Peer-groups save typing and CPU
cycles when multiple neighbors exist with same policy */

group iBGP_111 {

type internal;

description "iBGP with AS 111";

/* Set my address to that of lo0 */

local-address 172.17.70.1;

/* Session authentication key shared with the peer. The value below is a
   template placeholder, not a usable secret: replace it with a strong,
   per-peer secret, and remember that it is stored in the configuration, so
   restrict who may view the configuration. */

authentication-key bgpwith111;

/* Set next-hop-self for eBGP routes sent to our iBGP peer */

export next-hop-self;

/* The following is assumed if not entered (it equals the local
   autonomous-system configured under routing-options) */

peer-as 111;

/* Loopback address of our internal peer. It must also appear in the
   'except' list of the router-protect firewall filter. */

neighbor 172.17.70.2;

}

/* eBGP peer-group with AS 222 */

group eBGP_222 {

type external;

description "eBGP with AS 222";

/* Placeholder key; replace with a strong per-peer secret (see iBGP note) */

authentication-key bgpwith222;

/* Inbound filtering: Remove bogons, small prefixes, private ASN
advertisements, and set damping parameters. The policies are evaluated
   in the listed order; 'damping' is last, so its 'next policy' actions
   fall through to the default BGP import behaviour. */

import [ nobogons nosmallprefixes noprivateasns damping ];

/* Only announce our netblock */

export announce;

peer-as 222;

/* Allow installation of equal cost BGP paths into inet.0
(routing table), one of which is then selected at random */

multipath;

/* NOTE(review): the example peer addresses 10.10.10.1 and 10.10.5.1 lie
   inside 10.0.0.0/8, which routing-options discards and lists as a martian;
   presumably they are reachable only through a more-specific connected
   interface route. Replace them with the real peer addresses and keep the
   router-protect filter's 'except' list in sync. */

neighbor 10.10.10.1;

}

/* eBGP peer-group with AS 333. Mirrors eBGP_222: same import and export
   policy chain, different peer and key. */

group eBGP_333 {

type external;

description "eBGP with AS 333";

/* Placeholder key; replace with a strong per-peer secret (see iBGP note) */

authentication-key bgpwith333;

import [ nobogons nosmallprefixes noprivateasns damping ];

export announce;

peer-as 333;

multipath;

neighbor 10.10.5.1;

}

}

}

/* Route filtering configuration: the prefix list, policy-statements,
   as-path and damping profiles referenced from protocols bgp and from
   routing-options forwarding-table above. */

policy-options {

/* List of root-servers.net as of 09/11/01.
Refer to RIPE-229 [6] on keeping this list current.
   CAUTION: this list is referenced by term 1 of the 'damping' policy to
   exempt the DNS root servers from damping. Root server addresses have
   changed since the date above, so refresh the list from the current
   root hints before use or the exemption will protect the wrong prefixes. */

prefix-list root-servers.net {

128.8.0.0/16;

128.9.0.0/16;

128.63.0.0/16;

192.5.4.0/23;

192.33.4.0/24;

192.36.148.0/24;

192.112.36.0/24;

192.203.230.0/24;

193.0.14.0/24;

198.32.64.0/24;

198.41.0.0/24;

202.12.27.0/24;

}

/* Match what we configured as our static aggregate netblock.
   Term 1 accepts only the static 1.88.0.0/19 exact; term 2 rejects
   everything else, so iBGP-learned and more-specific routes never leak
   to eBGP peers. */

policy-statement announce {

term 1 {

from {

protocol static;

route-filter 1.88.0.0/19 exact;

}

then accept;

}

term 2 {

then reject;

}

}

/* Martians list will reject bogon routes not listed here. Don't want
multicast address range listed in the martian list.
   The reject action is given inline on the route-filter; non-matching
   routes fall through to the next import policy. */

policy-statement nobogons {

from route-filter 224.0.0.0/4 orlonger reject;

}

/* Reject advertisements that contain private AS numbers. */

policy-statement noprivateasns {

from as-path private;

then reject;

}

/* AS-PATH referenced in the noprivateasns policy. */

as-path private 64512-65535;

/* Drop prefixes larger than /27. Other BGP policies may vary.
   NOTE(review): /27 is deliberately permissive; many operators use the
   /24 boundary for Internet-facing eBGP. Choose the threshold to match
   local policy. */

policy-statement nosmallprefixes {

from route-filter 0.0.0.0/0 prefix-length-range /27-/32 reject;

}

/* Set next-hop to self. Used for eBGP routes sent to iBGP peers */

policy-statement next-hop-self {

then {

next-hop self;

}

}

/* Configure load balancing. IP1 ASIC performs packet load balancing on
up to 8 equal cost paths. IP2 ASIC performs flow based load balancing
on up to 16 equal cost paths. Use only if you have an IP2 ASIC.
   The keyword is 'per-packet' regardless of which ASIC is installed. */

policy-statement load-balancing {

then {

load-balance per-packet;

}

}

/* Configure our damping policy according to RIPE-229 and an updated set
of DNS netblocks.
   NOTE(review): RIPE-229 has since been superseded; check the current
   RIPE route-flap damping recommendation before enabling damping. */

policy-statement damping {

/* Do NOT dampen DNS root-servers */

term 1 {

from {

prefix-list root-servers.net;

}

then {

damping damp-none;

/* Ignore rest of terms and jump to next policy called. 'damping' is the
   last policy in the eBGP import chain, so this ends evaluation. */

next policy;

}

}

/* Dampen according to prefix length. JunOS penalises on withdraw
and on readvertise. So one flap attracts a total penalty of 2000.
An attribute change attracts a penalty of 500.
   NOTE(review): all three route-filter entries below share the prefix
   0.0.0.0/0; confirm on the target release that route-filter evaluation
   selects the intended match type for each prefix length rather than
   simply the last entry. */

term 2 {

from {

/* Lower penalty for prefixes of size /21 and smaller */

route-filter 0.0.0.0/0 upto /21 damping damp-short;

/* Medium penalty for prefixes of size /22 to /23 */

route-filter 0.0.0.0/0 upto /23 damping damp-medium;

/* Higher penalty for prefixes of size /24 and larger */

route-filter 0.0.0.0/0 orlonger damping damp-long;

}

then {

next policy;

}

}

}

/* Min: 30 min, Max: 60 min, dampen at 3 flaps.
   With a 2000 penalty per flap (see the damping policy), three flaps
   reach the 6000 suppress threshold. */

damping damp-long {

half-life 30;

reuse 1640;

suppress 6000;

max-suppress 60;

}

/* Min: 15 min, Max: 45 min, dampen at 3 flaps */

damping damp-medium {

half-life 15;

reuse 1500;

suppress 6000;

max-suppress 45;

}

/* Min: 10 min, Max: 30 min, dampen at 3 flaps */

damping damp-short {

half-life 10;

reuse 3000;

suppress 6000;

max-suppress 30;

}

/* Do not dampen. Referenced for DNS root-servers */

damping damp-none {

disable;

}

}

/* Firewall filtering rules need to be applied to an interface. In this case
it should be merged with existing firewall policy and applied to lo0,
   e.g. 'interfaces lo0 unit 0 family inet filter input router-protect'.
   Term 2 accepts all other traffic, so on its own this filter only protects
   the BGP port; other control-plane services on lo0 still need their own
   terms. Counter values can be checked with
   'show firewall filter router-protect'. */

firewall {

filter router-protect {

/* Drop and log all unexpected BGP connection attempts.
   'address' matches either source or destination and 'port bgp' matches
   either TCP port, so any BGP packet not to/from a listed peer is dropped.
   The 'except' entries must match the neighbor and local-address
   statements under protocols bgp; update both when a peer changes. */

term 1 {

from {

address {

0.0.0.0/0;

10.10.5.1/32 except;

10.10.10.1/32 except;

172.17.70.1/32 except;

172.17.70.2/32 except;

}

protocol tcp;

port bgp;

}

then {

/* Count before discarding so unexpected BGP attempts are visible */

count manage-discard-bgp;

discard;

}

}

term 2 {

then {

/* Allow all other traffic */

count manage-accept-other;

accept;

}

}

}

}

/* ... end template ... */
