Annotation of src/etc/bgpd.conf, Revision 1.9
1.9 ! claudio 1: # $OpenBSD: bgpd.conf,v 1.8 2007/03/29 13:37:35 claudio Exp $
1.1 henning 2: # sample bgpd configuration file
3: # see bgpd.conf(5)
4:
5: #macros
# peer1 and peer2 are referenced as $peer1 / $peer2 by the neighbor statements
# in the "peering AS65002" group below.
1.5 henning 6: peer1="10.1.0.2"
7: peer2="10.1.0.3"
1.1 henning 8:
9: # global configuration
# AS 65001 is a private-use AS number and 10.0.0.1 is RFC 1918 address space;
# both are placeholders for the local AS and router ID.
10: AS 65001
1.2 henning 11: router-id 10.0.0.1
# The remaining lines in this section are commented-out optional settings;
# see bgpd.conf(5) for their meaning.
# NOTE(review): with no "listen on" line bgpd presumably listens on all local
# addresses - confirm in bgpd.conf(5) and restrict it to the peering addresses
# where possible.
1.7 henning 12: # holdtime 180
13: # holdtime min 3
14: # listen on 127.0.0.1
15: # listen on ::1
16: # fib-update no
17: # route-collector no
1.2 henning 18: # log updates
1.3 henning 19: # network 10.0.1.0/24
1.1 henning 20:
21: # neighbors and peers
# Two sessions to AS 65002 (remote-as is set once at group level), each
# protected by a different mechanism.
# NOTE(review): both descr strings say "AS 65001" although the group's
# remote-as is 65002 - confirm which is intended.
22: group "peering AS65002" {
23: remote-as 65002
24: neighbor $peer1 {
25: descr "AS 65001 peer 1"
1.3 henning 26: announce self
# TCP MD5 signature: authenticates the TCP segments of the session but does
# not encrypt them. The shared secret is stored here in cleartext, and
# "mekmitasdigoat" is the value published with this sample - replace it with
# a per-peer secret and keep the file readable by root only.
27: tcp md5sig password mekmitasdigoat
1.1 henning 28: }
29: neighbor $peer2 {
1.5 henning 30: descr "AS 65001 peer 2"
1.3 henning 31: announce all
1.5 henning 32: local-address 10.0.0.8
# IPsec ESP with keys negotiated by an IKE daemon, so no key material is
# stored in this file for this neighbor.
33: ipsec esp ike
1.1 henning 34: }
35: }
36:
# descr, local-address and ipsec are set at group level for both neighbors
# listed below.
# NOTE(review): neither the group nor its neighbors set remote-as - confirm
# whether bgpd accepts this or whether "remote-as 65042" is missing.
1.5 henning 37: group "peering AS65042" {
38: descr "peering AS 65042"
39: local-address 10.0.0.8
# IPsec AH keyed via IKE: packets are authenticated but not encrypted.
40: ipsec ah ike
41: neighbor 10.2.0.1
42: neighbor 10.2.0.2
43: }
44:
# Session to AS 65003 that may be up to two hops away (multihop 2), is never
# opened from this side (passive) and announces no routes (announce none).
1.1 henning 45: neighbor 10.0.1.0 {
46: remote-as 65003
47: descr upstream
48: multihop 2
1.2 henning 49: local-address 10.0.0.8
50: passive
1.3 henning 51: holdtime 180
52: holdtime min 3
53: announce none
# TCP MD5 signature keyed with a hex string instead of a password.
# "deadbeef" is a 32-bit placeholder published with this sample: replace it
# with a long random per-peer key and keep the file readable by root only.
54: tcp md5sig key deadbeef
1.5 henning 55: }
56:
# Session to AS 65004 from local address 10.0.0.8, protected with IPsec AH
# keyed via IKE (authentication only, no encryption).
57: neighbor 10.0.2.0 {
58: remote-as 65004
59: descr upstream2
60: local-address 10.0.0.8
61: ipsec ah ike
62: }
63:
# A neighbor given as a prefix acts as a template for peers in 10.0.0.0/24.
# NOTE(review): this template sets no remote-as, tcp md5sig or ipsec, so
# sessions from that range would presumably be accepted without
# authentication - confirm that is intended before deploying it.
64: neighbor 10.0.0.0/24 {
65: descr "template for local peers"
1.6 henning 66: }
67:
# Session to AS 65023 protected by manually keyed IPsec ESP: one inbound SA
# (SPI 10) and one outbound SA (SPI 12), each with a 160-bit SHA1
# authentication key and a 128-bit AES encryption key given in hex.
# The keys sit in this file in cleartext and the values shown are published
# with the sample, so generate fresh random keys and keep the file readable
# by root only. Static keys are not rotated automatically; the "ipsec esp ike"
# form used elsewhere in this file leaves keying to an IKE daemon instead.
68: neighbor 10.2.1.1 {
69: remote-as 65023
70: local-address 10.0.0.8
71: ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
72: aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
73: ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
74: aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
1.1 henning 75: }
76:
# Inbound filter rules. Order matters: per bgpd.conf(5) the last matching
# rule decides, so the blanket deny comes first and later rules override it.
# Only "from" rules appear here; nothing in this section filters what is
# announced to peers.
1.4 henning 77: # filter out prefixes longer than 24 or shorter than 8 bits
78: deny from any
# "inet" limits this allow to IPv4, so IPv6 prefixes stay denied by the rule above.
1.8 claudio 79: allow from any inet prefixlen 8 - 24
1.4 henning 80:
1.9 ! claudio 81: # accept a default route (since the previous rule blocks this)
! 82: #allow from any prefix 0.0.0.0/0
1.4 henning 83:
# These denies come after the allow above and therefore override it for
# RFC 1918 private space (10/8, 172.16/12, 192.168/16), link-local
# (169.254/16), the 192.0.2.0/24 documentation range, multicast (224/4) and
# reserved space (240/4).
# NOTE(review): the list predates later special-purpose assignments, e.g.
# 100.64.0.0/10, and does not cover 127.0.0.0/8 - check it against the
# current IANA special-purpose registry before relying on it.
84: # filter bogus networks
85: deny from any prefix 10.0.0.0/8 prefixlen >= 8
86: deny from any prefix 172.16.0.0/12 prefixlen >= 12
87: deny from any prefix 192.168.0.0/16 prefixlen >= 16
88: deny from any prefix 169.254.0.0/16 prefixlen >= 16
89: deny from any prefix 192.0.2.0/24 prefixlen >= 24
90: deny from any prefix 224.0.0.0/4 prefixlen >= 4
91: deny from any prefix 240.0.0.0/4 prefixlen >= 4