From ccb2561dd509f33d552ff60a05a63dd3bf28a94e Mon Sep 17 00:00:00 2001 From: Marek Isalski Date: Sun, 26 Jun 2022 16:05:13 +0100 Subject: [PATCH] got core-to-agg working --- README.txt | 33 +++++++++- .../junos-v21-core-router/policy-options.j2 | 61 +++++++++++++++++++ includes/junos-v21-core-router/protocols.j2 | 28 +++++++++ 3 files changed, 119 insertions(+), 3 deletions(-) diff --git a/README.txt b/README.txt index 9b9c2b0..1985afc 100644 --- a/README.txt +++ b/README.txt @@ -1,5 +1,32 @@ + +# IPv6 Address Plan + +2a04:1840::/29 Business Static /48-/52 (was acquired from FibreWiFi) +2a0b:8640::/29 Residential /56 (was acquired from Dyfed IT) Accept IPv6 /40-/48 from Aggregation +2a0d:a0c0::/29 Acquired from LonsdaleNET (will become like 2a0b:8640::/29 if required) +2a10:f0c0::/29 Core and Loopbacks (not announced to DFZ) + + 2a10:f0c0::/48 Core Linknets and Loopbacks + 2a01:f0c0:0001:0001:0067::/80 Linknets from cr1.tn2 (1 from 193.162.44.1) via NNC067 to Aggregation + 2a01:f0c0:0002:0002:0068::/80 Linknets from cr1.ld5 (2 from 193.162.44.2) via NNC068 to Aggregation + 2a01:f0c0:0003:0003:0069::/80 Linknets from cr1.ma1 (3 from 193.162.44.3) via NNC069 to Aggregation + 2a01:f0c0:0004:0004:0070::/80 Linknets from cr1.pue (4 from 193.162.44.4) via NNC070 to Aggregation + + 2a01:f0c0:ssss:cccc:nnnn:yyyy:zzzz:1/112 ssss = site + cccc = core router + nnnn = NNI number + yyyy = outer VLAN tag (S-tag, probably 0) + zzzz = inner VLAN tag (C-tag, Neos usual VLAN tagging) + ::c001 = core + ::a001 = agg + +# Communities + +59811:2 => routes learned from ASNs that Voneus meets at 2 (or more) locations + 59811:666 => /24 = only send to Voxility /32 = announce to RTBH on ixs/upstreams/UTRS + 65535:666 => COMMUNITY-AS59811-BLACKHOLE 59811:6500x => originated from site 
@@ -45,9 +72,9 @@ LOCAL PREFERENCES 200 => transit 300 => transit (up-pref) -400 => peering (de-pref) -500 => peering -600 => peering (up-pref) +400 => peering (de-pref) - default for IX route-servers +500 => peering - default for direct sessions over IX +600 => peering (up-pref) - default for PNI 700 => downstream (de-pref) 800 => downstream diff --git a/includes/junos-v21-core-router/policy-options.j2 b/includes/junos-v21-core-router/policy-options.j2 index 85dedb0..817f6f0 100644 --- a/includes/junos-v21-core-router/policy-options.j2 +++ b/includes/junos-v21-core-router/policy-options.j2 
@@ -426,6 +426,65 @@ then reject; } + policy-statement AGGREGATION-import { + term 40 { + from { + {% for prefix in 'accept-ipv4-32-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv4 %} + route-filter {{ prefix.prefix }} prefix-length-range /32-/32; + {% endif %}{% endfor %} + {% for prefix in 'accept-ipv4-32-from-aggregation'|get_netbox_tagged_aggregates %}{% if prefix.prefix|ipv4 %} + route-filter {{ prefix.prefix }} prefix-length-range /32-/32; + {% endif %}{% endfor %} + } + then accept; + } + term 61 { + from { + {% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv6 %} + route-filter {{ prefix.prefix }} prefix-length-range /40-/48; + {% endif %}{% endfor %} + {% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_aggregates %}{% if prefix.prefix|ipv6 %} + route-filter {{ prefix.prefix }} prefix-length-range /40-/48; + {% endif %}{% endfor %} + } + then accept; + } + term 62 { + from { + {% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv6 %} + route-filter {{ prefix.prefix }} prefix-length-range /48-/52; + {% endif %}{% endfor %} + {% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_aggregates %}{% if prefix.prefix|ipv6 %} + route-filter {{ prefix.prefix }} prefix-length-range /48-/52; + {% endif %}{% endfor %} + } + then accept; + } + then reject; + } + + policy-statement AGGREGATION-export { + term 4 { + from { + route-filter 0.0.0.0/0 exact; + } + then { + next-hop self; + accept; + } + } + term 6 { + from { + route-filter ::/0 exact; + } + then { + next-hop self; + accept; + } + } + then reject; + } + {% for community in ''|get_bgp_communities %} community {{ community.slug }} members {% if " " in community.value %}[ {{ community.value }} ]{% else %}{{ community.value }}{% endif %};{% endfor %} 
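Review bot: Terms 40, 61 and 62 of `AGGREGATION-import` are emitted even when the NetBox tag lookups yield no prefix of the matching address family, which renders an empty `from { }` ahead of `then accept;`. In Junos a term with no match conditions matches every route, so a missing, renamed or emptied tag would most likely turn this policy into accept-all for aggregation peers rather than falling through to the final `then reject`. Each term should be rendered only when at least one `route-filter` line was produced, as sketched below for term 40; terms 61 and 62 need the same guard. The hunk shows only part of the enclosing `policy-options` block, so how an empty `from` is handled elsewhere in the template is not visible here.

```jinja
{% set agg_v4_filters %}
{% for prefix in 'accept-ipv4-32-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv4 %}
route-filter {{ prefix.prefix }} prefix-length-range /32-/32;
{% endif %}{% endfor %}
{# … unchanged: the matching get_netbox_tagged_aggregates loop … #}
{% endset %}
{% if agg_v4_filters|trim %}
term 40 {
    from {
        {{ agg_v4_filters }}
    }
    then accept;
}
{% endif %}
```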
@@ -438,6 +497,8 @@ as-path FAELIX-DEPREFER "41495 .*"; } + as-list AGGREGATION members[ {% for asn in 'aggregation-linknet'|get_netbox_tagged_asns %}{{ asn.asn }} {% endfor %}]; + {% for asn in asns_requiring_prefixes|unique %} {% set prefixes = asn|get_prefixes_for_asn %} policy-statement AS{{ asn }}-import-IPv4 { diff --git a/includes/junos-v21-core-router/protocols.j2 b/includes/junos-v21-core-router/protocols.j2 index 5faccfb..f5460ac 100644 --- a/includes/junos-v21-core-router/protocols.j2 +++ b/includes/junos-v21-core-router/protocols.j2 @@ -95,6 +95,34 @@ {%- else %} /* not this ASN {{ bgp_router.local_autonomous_system.asn }} */ {%- endif %} + + group AGGREGATION-IPv4 { + family inet { + unicast; + } + import AGGREGATION-import; + export AGGREGATION-export; + + peer-as-list AGGREGATION; + + {% for prefix in 'aggregation-linknet'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv4 %} + allow {{ prefix.prefix }}; /* prefix.description */ + {% endif %}{% endfor %} + } + + group AGGREGATION-IPv6 { + family inet6 { + unicast; + } + import AGGREGATION-import; + export AGGREGATION-export; + + peer-as-list AGGREGATION; + + {% for prefix in 'aggregation-linknet'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv6 %} + allow {{ prefix.prefix }}; /* prefix.description */ + {% endif %}{% endfor %} + } } isis { reference-bandwidth 100g;
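Review bot: The `AGGREGATION-IPv4` and `AGGREGATION-IPv6` groups accept dynamic neighbours from any address inside the `allow` ranges, and the only identity check visible is `peer-as-list AGGREGATION`, which is itself rendered from the `aggregation-linknet` tag in the policy-options hunk. Neither group sets session authentication or a ceiling on accepted routes, so I would add `authentication-key "<KEY-PLACEHOLDER>";` (or a key-chain) to each group and change the family stanza to `unicast { prefix-limit { maximum <N>; teardown; } }`. Separately, `/* prefix.description */` prints that literal text instead of the NetBox description. If `{{ prefix.description }}` was intended, the value is free text and needs any `*/` stripped before it is placed in a config comment. The groups sit inside a `bgp` block that opens outside the hunk, so authentication inherited from that level cannot be ruled out from here.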