maz
/
bgprtrmgr-templates
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

BCP38

master
Marek Isalski 3 years ago
parent
77bf4eee07
commit
bf4a090c0d
2 changed files with 80 additions and 1 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +74
    -1
      includes/junos-v21-core-router/firewall.j2
  2. +6
    -0
      includes/junos-v21-core-router/interfaces.j2

+ 74
- 1
includes/junos-v21-core-router/firewall.j2
View File

@ -24,9 +24,55 @@
{%- endif %}
{%- endfor %}
{%- set as_set_prefixes = 59811|get_prefixes_for_asn %}
{%- set linknets_ipv4 = [] %}
{%- set linknets_ipv6 = [] %}
{% for interface in device_interfaces %}
{%- set interface_tags = [] %}
{%- for tag in interface.tags %}
{%- do interface_tags.append(tag.slug) %}
{%- endfor %}
{%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
{%- for address in interface|get_addresses %}
{%- if address|ipv4 %}
{%- do linknets_ipv4.append(address.address.split("/")[0]) %}
{%- elif address|ipv6 %}
{%- do linknets_ipv6.append(address.address.split("/")[0]) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{% endfor %}
family inet {
filter control-plane-protection-IPv4 {
filter BCP38-edge-IPv4 {
term allow-AS59811-set {
from {
source-address {
{% for prefix in as_set_prefixes['ipv4'] %}
{{ prefix['prefix'] }};
{% endfor %}
}
}
then {
accept
}
}
term allow-interfaces {
from {
source-address {
{%- for address in linknets_ipv4 %}
{{ address }};
{%- endfor %}
}
}
then {
accept
}
}
}
filter control-plane-protection-IPv4 {
{% if bgp_multihop_prefixes_v4 %}
term allow-multihop-bgp {
from {
@ -118,6 +164,33 @@
}
}
family inet6 {
filter BCP38-edge-IPv6 {
term allow-AS59811-set {
from {
source-address {
{% for prefix in as_set_prefixes['ipv6'] %}
{{ prefix['prefix'] }};
{% endfor %}
}
}
then {
accept
}
}
term allow-interfaces {
from {
source-address {
{%- for address in linknets_ipv6 %}
{{ address }};
{%- endfor %}
}
}
then {
accept
}
}
}
filter control-plane-protection-IPv6 {
{% if bgp_multihop_prefixes_v6 %}
term allow-multihop-bgp {

+ 6
- 0
includes/junos-v21-core-router/interfaces.j2
View File

@ -22,6 +22,9 @@
filter {
input control-plane-protection-IPv4;
{%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
output BCP38-edge-IPv4;
{%- endif %}
}
}
family inet6 {
@ -37,6 +40,9 @@
filter {
input control-plane-protection-IPv6;
{%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
output BCP38-edge-IPv6;
{%- endif %}
}
}
{%- set tags = interface.tags|tags_to_map %}

Write Preview
Loading…
Cancel
Save