![[BACK]](/icons/back.gif){kind=icon}
Return to bgpd.conf CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc|
Return to bgpd.conf CVS log | Up to [local] / src / etc |
| File: [local] / src / etc / Attic / bgpd.conf (download)
Revision 1.12, Wed Jan 19 07:36:40 2011 UTC (13 years, 4 months ago) by claudio
Add 2001:2::/48 (prefix used for benchmarking) to the list of non-routeable prefixes. While there sort list. Diff provided by Andre Keller. |
# $OpenBSD: bgpd.conf,v 1.12 2011/01/19 07:36:40 claudio Exp $
# sample bgpd configuration file
# see bgpd.conf(5)
#macros
peer1="10.1.0.2"
peer2="10.1.0.3"
# global configuration
AS 65001
router-id 10.0.0.1
# holdtime 180
# holdtime min 3
# listen on 127.0.0.1
# listen on ::1
# fib-update no
# route-collector no
# log updates
# network 10.0.1.0/24
# restricted socket for bgplg(8)
# socket "/var/www/logs/bgpd.rsock" restricted
# neighbors and peers
group "peering AS65002" {
remote-as 65002
neighbor $peer1 {
descr "AS 65001 peer 1"
announce self
tcp md5sig password mekmitasdigoat
}
neighbor $peer2 {
descr "AS 65001 peer 2"
announce all
local-address 10.0.0.8
ipsec esp ike
}
}
group "peering AS65042" {
descr "peering AS 65042"
local-address 10.0.0.8
ipsec ah ike
neighbor 10.2.0.1
neighbor 10.2.0.2
}
neighbor 10.0.1.0 {
remote-as 65003
descr upstream
multihop 2
local-address 10.0.0.8
passive
holdtime 180
holdtime min 3
announce none
tcp md5sig key deadbeef
}
neighbor 10.0.2.0 {
remote-as 65004
descr upstream2
local-address 10.0.0.8
ipsec ah ike
}
neighbor 10.0.0.0/24 {
descr "template for local peers"
}
neighbor 10.2.1.1 {
remote-as 65023
local-address 10.0.0.8
ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
# accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0
# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 127.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 198.18.0.0/15 prefixlen >= 15
deny from any prefix 198.51.100.0/24 prefixlen >= 24
deny from any prefix 203.0.113.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8 # multicast