{{ "policy-options"|progress }} {
{#
|
|
prefix-list V6 {
|
|
2001:db9::/32;
|
|
}
|
|
prefix-list V4 {
|
|
192.0.2.0/24;
|
|
}
|
|
#}
{# Export guard: rejects any route whose AS path matches the
   NEVER-TO-UPSTREAM-OR-PEERS as-path-group. There is no final action, so
   routes that do not match fall through to the next policy in the chain. #}
policy-statement EXPORT-PROTECT-reject {
    term 10 {
        from {
            as-path-group NEVER-TO-UPSTREAM-OR-PEERS;
        }
        then reject;
    }
}
{# IPv4 prefixes that should not be seen in the global table. Each entry
   matches the prefix itself and every more-specific (orlonger).
   Referenced by policy-statement BOGONS-reject. #}
route-filter-list BOGONS-IPv4 {
    0.0.0.0/8 orlonger;        {# "this network" #}
    10.0.0.0/8 orlonger;       {# RFC 1918 private #}
    100.64.0.0/10 orlonger;    {# shared address space (CGN) #}
    127.0.0.0/8 orlonger;      {# loopback #}
    169.254.0.0/16 orlonger;   {# link-local #}
    172.16.0.0/12 orlonger;    {# RFC 1918 private #}
    192.0.0.0/24 orlonger;     {# IETF protocol assignments #}
    192.0.2.0/24 orlonger;     {# TEST-NET-1 documentation #}
    192.168.0.0/16 orlonger;   {# RFC 1918 private #}
    198.18.0.0/15 orlonger;    {# benchmarking #}
    198.51.100.0/24 orlonger;  {# TEST-NET-2 documentation #}
    203.0.113.0/24 orlonger;   {# TEST-NET-3 documentation #}
    224.0.0.0/4 orlonger;      {# multicast #}
    240.0.0.0/4 orlonger;      {# reserved #}
}
{# IPv6 prefixes that should not be seen in the global table.
   Referenced by policy-statement BOGONS-reject.
   Note: "::/96 orlonger" already covers ::/128 and ::1/128; the two exact
   entries are kept as written. #}
route-filter-list BOGONS-IPv6 {
    ::/128 exact;              {# unspecified address #}
    ::1/128 exact;             {# loopback #}
    ::ffff:0:0/96 orlonger;    {# IPv4-mapped #}
    ::/96 orlonger;            {# IPv4-compatible (deprecated) #}
    100::/64 orlonger;         {# discard-only #}
    2001:10::/28 orlonger;     {# ORCHID #}
    2001:db8::/32 orlonger;    {# documentation #}
    fc00::/7 orlonger;         {# unique local #}
    fe80::/10 orlonger;        {# link-local #}
    fec0::/10 orlonger;        {# site-local (deprecated) #}
    ff00::/8 orlonger;         {# multicast #}
}
{# IPv4 prefix lengths treated as acceptable for the default-free zone:
   anything from /8 through /24. Not referenced by any policy in this file. #}
route-filter-list DFZ-IPv4 {
    0.0.0.0/0 prefix-length-range /8-/24;
}
{# IPv6 prefix lengths treated as acceptable for the default-free zone:
   anything from /20 through /48. Not referenced by any policy in this file.
   NOTE(review): UPSTREAM-import-IPv6 and PEER-import-IPv6 use /16-/48
   instead; confirm which lower bound is intended. #}
route-filter-list DFZ-IPv6 {
    ::/0 prefix-length-range /20-/48;
}
{# Drops bogon routes for both address families using the BOGONS-IPv4 and
   BOGONS-IPv6 route-filter-lists. There is no final action: routes that are
   not bogons continue to the next policy in the chain, so this policy only
   protects sessions where it is actually listed ahead of an accepting policy. #}
policy-statement BOGONS-reject {
    {# IPv4 bogons #}
    term 24 {
        from {
            family inet;
            route-filter-list BOGONS-IPv4;
        }
        then reject;
    }
    {# IPv6 bogons #}
    term 26 {
        from {
            family inet6;
            route-filter-list BOGONS-IPv6;
        }
        then reject;
    }
}
{# Accepts only the default route (0.0.0.0/0 and ::/0, exact match).
   No final action: every other route falls through to the next policy. #}
policy-statement DEFAULT-accept {
    {# IPv4 default route #}
    term 14 {
        from {
            family inet;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    {# IPv6 default route #}
    term 16 {
        from {
            family inet6;
            route-filter ::/0 exact;
        }
        then accept;
    }
}
{# As written, accepts only the default route (0.0.0.0/0 and ::/0, exact).
   NOTE(review): the body is identical to DEFAULT-accept, and the DFZ-IPv4 /
   DFZ-IPv6 route-filter-lists defined in this file are not referenced by any
   policy here. If this policy is meant to accept default-free-zone prefixes,
   the from clauses probably should read "route-filter-list DFZ-IPv4" and
   "route-filter-list DFZ-IPv6". Confirm against the sessions that apply this
   policy before changing it, since that widens what is accepted. #}
policy-statement DFZ-accept {
    term 14 {
        from {
            family inet;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    term 16 {
        from {
            family inet6;
            route-filter ::/0 exact;
        }
        then accept;
    }
}
{# iBGP import, IPv4: unconditionally accepts every route. All filtering is
   therefore expected to have happened at the edge that injected the route. #}
policy-statement IBGP-import-IPv4 {
    then accept;
}
{# iBGP import, IPv6: unconditionally accepts every route. All filtering is
   therefore expected to have happened at the edge that injected the route. #}
policy-statement IBGP-import-IPv6 {
    then accept;
}
{# iBGP export, IPv4. Terms are evaluated in the order listed and "accept"
   ends evaluation. Anything no term accepts is rejected by the final action.

   NOTE(review): term 25 matches every external BGP route and accepts it, so
   term 29 (the BLACKHOLE next-hop rewrite) and term 30 (an exact duplicate of
   term 25) can never match. Blackhole-tagged routes currently leave with
   next-hop self. Before reordering so that term 29 takes effect, confirm that
   COMMUNITY-AS59811-BLACKHOLE can only arrive on sessions allowed to signal
   it: the PEER-import policies in this file delete COMMUNITY-AS59811-STAR,
   the UPSTREAM-import policies do not. #}
policy-statement IBGP-export-IPv4 {
    {# Locally originated routes: raise local-preference by 900. #}
    term 10 {
        from {
            protocol [ direct static ];
        }
        then {
            local-preference add 900;
            next-hop self;
            accept;
        }
    }
    {# eBGP-learned routes: advertise with this router as next hop. #}
    term 25 {
        from {
            protocol bgp;
            route-type external;
        }
        then {
            next-hop self;
            accept;
        }
    }
    {# Blackhole-tagged eBGP routes: fixed next hop (presumably a discard
       address; confirm). Shadowed by term 25, see note above. #}
    term 29 {
        from {
            protocol bgp;
            community COMMUNITY-AS59811-BLACKHOLE;
            route-type external;
        }
        then {
            next-hop 193.162.44.0;
            accept;
        }
    }
    {# Same match and action as term 25; shadowed by it. #}
    term 30 {
        from {
            protocol bgp;
            route-type external;
        }
        then {
            next-hop self;
            accept;
        }
    }
    {# Any remaining BGP route is passed on unchanged. #}
    term 40 {
        from {
            protocol bgp;
        }
        then accept;
    }
    then reject;
}
{# iBGP export, IPv6. Terms are evaluated in the order listed and "accept"
   ends evaluation. Anything no term accepts is rejected by the final action.

   NOTE(review): term 25 matches every external BGP route and accepts it, so
   term 29 (the BLACKHOLE next-hop rewrite) and term 30 (an exact duplicate of
   term 25) can never match. Blackhole-tagged routes currently leave with
   next-hop self. Before reordering so that term 29 takes effect, confirm that
   COMMUNITY-AS59811-BLACKHOLE can only arrive on sessions allowed to signal
   it: the PEER-import policies in this file delete COMMUNITY-AS59811-STAR,
   the UPSTREAM-import policies do not. #}
policy-statement IBGP-export-IPv6 {
    {# Locally originated routes: raise local-preference by 900. #}
    term 10 {
        from {
            protocol [ direct static ];
        }
        then {
            local-preference add 900;
            next-hop self;
            accept;
        }
    }
    {# eBGP-learned routes: advertise with this router as next hop. #}
    term 25 {
        from {
            protocol bgp;
            route-type external;
        }
        then {
            next-hop self;
            accept;
        }
    }
    {# Blackhole-tagged eBGP routes: fixed next hop (presumably a discard
       address; confirm). Shadowed by term 25, see note above. #}
    term 29 {
        from {
            protocol bgp;
            community COMMUNITY-AS59811-BLACKHOLE;
            route-type external;
        }
        then {
            next-hop 2a10:f0c0::;
            accept;
        }
    }
    {# Same match and action as term 25; shadowed by it. #}
    term 30 {
        from {
            protocol bgp;
            route-type external;
        }
        then {
            next-hop self;
            accept;
        }
    }
    {# Any remaining BGP route is passed on unchanged. #}
    term 40 {
        from {
            protocol bgp;
        }
        then accept;
    }
    then reject;
}
{# Sets the load-balance action on every route it is applied to (no from
   clause, no accept/reject). Despite the keyword, Junos platforms generally
   hash per flow rather than per packet; verify for the target hardware. #}
policy-statement LOAD-BALANCING {
    then {
        load-balance per-packet;
    }
}
{# Accepts a BGP route only when it exactly matches one of the listed
   root-server prefixes; everything else is rejected. The name suggests it
   gates a conditional default route on "the Internet is reachable"; confirm
   at the point of use.

   NOTE(review): the prefixes for b, d, h and l appear to predate renumbering
   of those servers. A condition keyed on a prefix its operator no longer
   announces can never be satisfied by the real operator, and would be
   satisfied by anyone else announcing it. Verify every entry against the
   current root hints before relying on this list. #}
policy-statement CONDITIONAL-DEFAULT-IPv4 {
    term 10 {
        from {
            protocol bgp;
            route-filter 198.41.0.0/24 exact; /* a.root-servers.net */
            route-filter 192.228.79.0/24 exact; /* b.root-servers.net */
            route-filter 192.33.4.0/24 exact; /* c.root-servers.net */
            route-filter 128.8.0.0/16 exact; /* d.root-servers.net */
            route-filter 192.203.230.0/24 exact; /* e.root-servers.net */
            route-filter 192.5.5.0/24 exact; /* f.root-servers.net */
            route-filter 192.112.36.0/24 exact; /* g.root-servers.net */
            route-filter 128.63.0.0/16 exact; /* h.root-servers.net */
            route-filter 192.36.148.0/24 exact; /* i.root-servers.net */
            route-filter 192.58.128.0/24 exact; /* j.root-servers.net */
            route-filter 193.0.14.0/24 exact; /* k.root-servers.net */
            route-filter 198.32.64.0/24 exact; /* l.root-servers.net */
            route-filter 202.12.27.0/24 exact; /* m.root-servers.net */
        }
        then accept;
    }
    then reject;
}
{# Accepts a BGP route only when it exactly matches one of the listed
   root-server prefixes; everything else is rejected.

   NOTE(review): two prefixes appear twice under different labels:
   2001:500:2f::/48 is listed for both b and f, and 2001:500:1::/48 for both
   c and h. The b and c lines look like copy-paste slips, so those two
   servers are effectively not covered by the condition. Verify every entry
   against the current root hints and correct the b and c lines. #}
policy-statement CONDITIONAL-DEFAULT-IPv6 {
    term 10 {
        from {
            protocol bgp;
            route-filter 2001:503:ba3e::/48 exact; /* a.root-servers.net */
            route-filter 2001:500:2f::/48 exact; /* b.root-servers.net */
            route-filter 2001:500:1::/48 exact; /* c.root-servers.net */
            route-filter 2001:500:2d::/48 exact; /* d.root-servers.net */
            route-filter 2001:500:a8::/48 exact; /* e.root-servers.net */
            route-filter 2001:500:2f::/48 exact; /* f.root-servers.net */
            route-filter 2001:500:12::/48 exact; /* g.root-servers.net */
            route-filter 2001:500:1::/48 exact; /* h.root-servers.net */
            route-filter 2001:7fe::/33 exact; /* i.root-servers.net */
            route-filter 2001:503:c27::/48 exact; /* j.root-servers.net */
            route-filter 2001:7fd::/48 exact; /* k.root-servers.net */
            route-filter 2001:500:9f::/48 exact; /* l.root-servers.net */
            route-filter 2001:dc3::/32 exact; /* m.root-servers.net */
        }
        then accept;
    }
    then reject;
}
{# Import policy for the LINX LON1 IPv4 sessions.
   Term 4 drops prefixes shorter than /8 or longer than /24; term 6 accepts
   de-preferred paths at local-preference 400; term 10 accepts everything else
   at local-preference 500. Term 10 has no from clause, so the final
   "then reject" is never reached.
   This policy contains no bogon check of its own; presumably BOGONS-reject
   is chained ahead of it (confirm at the BGP group). #}
policy-statement LINX-LON1-IPv4-IN {
    {# Prefix-length sanity filter. #}
    term 4 {
        from {
            family inet;
            route-filter 0.0.0.0/0 prefix-length-range /0-/7;
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
        }
        then reject;
    }
    {# Paths matching LINX-LON1-ASPATH-DEPREFER get a lower preference. #}
    term 6 {
        from {
            as-path-group LINX-LON1-ASPATH-DEPREFER;
        }
        then {
            metric 10;
            local-preference 400;
            accept;
        }
    }
    {# Catch-all accept. #}
    term 10 {
        then {
            metric 10;
            local-preference 500;
            accept;
        }
    }
    then reject;
}
{# Export policy for the LINX LON1 IPv4 sessions. As written it advertises
   nothing: term 5 rejects out-of-range prefix lengths and the final action
   rejects everything else. There is no accepting term. #}
policy-statement LINX-LON1-IPv4-OUT {
    {# Prefix-length sanity filter (shorter than /8 or longer than /24). #}
    term 5 {
        from {
            family inet;
            route-filter 0.0.0.0/0 prefix-length-range /0-/7;
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
        }
        then reject;
    }
    then reject;
}
{# Import policy for the LINX LON1 IPv6 sessions.
   Term 4 drops prefixes of length /0-/16 or /49-/128; term 6 accepts
   de-preferred paths at local-preference 400; term 10 accepts everything else
   at local-preference 500. Term 10 has no from clause, so the final
   "then reject" is never reached.
   This policy contains no bogon check of its own; presumably BOGONS-reject
   is chained ahead of it (confirm at the BGP group). #}
policy-statement LINX-LON1-IPv6-IN {
    {# Prefix-length sanity filter. #}
    term 4 {
        from {
            family inet6;
            route-filter ::/0 prefix-length-range /0-/16;
            route-filter ::/0 prefix-length-range /49-/128;
        }
        then reject;
    }
    {# Paths matching LINX-LON1-ASPATH-DEPREFER get a lower preference. #}
    term 6 {
        from {
            as-path-group LINX-LON1-ASPATH-DEPREFER;
        }
        then {
            metric 10;
            local-preference 400;
            accept;
        }
    }
    {# Catch-all accept. #}
    term 10 {
        then {
            metric 10;
            local-preference 500;
            accept;
        }
    }
    then reject;
}
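{# Export policy for the LINX LON1 IPv6 sessions. As written it advertises
   nothing: term 5 rejects out-of-range prefix lengths and the final action
   rejects everything else. There is no accepting term.

   The upper range was /25-/32, copied from the IPv4 policy. For IPv6 that
   would reject ordinary /25../32 allocations while letting /49../128
   more-specifics through as soon as an accepting term is added. It now
   matches LINX-LON1-IPv6-IN (/49-/128). Because everything is rejected by the
   final action anyway, the set of advertised routes is unchanged today. #}
policy-statement LINX-LON1-IPv6-OUT {
    {# Prefix-length sanity filter. #}
    term 5 {
        from {
            family inet6;
            route-filter ::/0 prefix-length-range /0-/16;
            route-filter ::/0 prefix-length-range /49-/128;
        }
        then reject;
    }
    then reject;
}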
{# Export to upstreams, IPv4: only routes carrying COMMUNITY-ORIGIN-AS59811
   are advertised; everything else is rejected. This default-deny shape is
   what prevents leaking routes learned from other networks. #}
policy-statement UPSTREAM-export-IPv4 {
    term 1 {
        from community COMMUNITY-ORIGIN-AS59811;
        then accept;
    }
    then reject;
}
{# Import from upstreams, IPv4: accepts any prefix of length /8 through /24,
   rejects the rest. The author has marked the accept as temporary.
   NOTE(review): unlike PEER-import-IPv4, nothing here deletes
   COMMUNITY-AS59811-STAR, so communities in the local AS's namespace set by
   an upstream are kept. There is also no bogon check in this policy;
   presumably BOGONS-reject is chained ahead of it (confirm). #}
policy-statement UPSTREAM-import-IPv4 {
    term 1 {
        from {
            family inet;
            route-filter 0.0.0.0/0 prefix-length-range /8-/24;
        }
        then {
            accept; /* XXX this needs to go! */
        }
    }
    then reject;
}
{# Export to upstreams, IPv6: only routes carrying COMMUNITY-ORIGIN-AS59811
   are advertised; everything else is rejected. #}
policy-statement UPSTREAM-export-IPv6 {
    term 1 {
        from community COMMUNITY-ORIGIN-AS59811;
        then accept;
    }
    then reject;
}
{# Import from upstreams, IPv6: accepts any prefix of length /16 through /48,
   rejects the rest. The author has marked the accept as temporary.
   NOTE(review): unlike PEER-import-IPv6, nothing here deletes
   COMMUNITY-AS59811-STAR. The /16 lower bound also differs from DFZ-IPv6
   (/20-/48) and from LINX-LON1-IPv6-IN, which rejects /16; confirm which
   bound is intended. #}
policy-statement UPSTREAM-import-IPv6 {
    term 1 {
        from {
            family inet6;
            route-filter ::/0 prefix-length-range /16-/48;
        }
        then {
            accept; /* XXX this needs to go! */
        }
    }
    then reject;
}
{# Export to peers, IPv4: only routes carrying COMMUNITY-ORIGIN-AS59811 are
   advertised; everything else is rejected. #}
policy-statement PEER-export-IPv4 {
    term 1 {
        from community COMMUNITY-ORIGIN-AS59811;
        then accept;
    }
    then reject;
}
{# Import from peers, IPv4: accepts any prefix of length /8 through /24 after
   deleting COMMUNITY-AS59811-STAR, so a peer cannot set communities in the
   local AS's namespace. Everything else is rejected. The author has marked
   the accept as temporary. No bogon check here; presumably BOGONS-reject is
   chained ahead of it (confirm). #}
policy-statement PEER-import-IPv4 {
    term 1 {
        from {
            family inet;
            route-filter 0.0.0.0/0 prefix-length-range /8-/24;
        }
        then {
            community delete COMMUNITY-AS59811-STAR;
            accept; /* XXX this needs to go! */
        }
    }
    then reject;
}
{# Export to peers, IPv6: only routes carrying COMMUNITY-ORIGIN-AS59811 are
   advertised; everything else is rejected. #}
policy-statement PEER-export-IPv6 {
    term 1 {
        from community COMMUNITY-ORIGIN-AS59811;
        then accept;
    }
    then reject;
}
{# Import from peers, IPv6: accepts any prefix of length /16 through /48 after
   deleting COMMUNITY-AS59811-STAR, so a peer cannot set communities in the
   local AS's namespace. Everything else is rejected. The author has marked
   the accept as temporary. #}
policy-statement PEER-import-IPv6 {
    term 1 {
        from {
            family inet6;
            route-filter ::/0 prefix-length-range /16-/48;
        }
        then {
            community delete COMMUNITY-AS59811-STAR;
            accept; /* XXX this needs to go! */
        }
    }
    then reject;
}
{# One "community NAME members ..." statement per entry returned by the
   get_bgp_communities filter. A value containing a space is wrapped in
   [ ... ] so it renders as a member list.
   NOTE(review): slug and value are written into the configuration verbatim.
   Presumably the source of these records is trusted and validated; a value
   containing ";" or "}" would change the structure of the rendered config. #}
{% for community in ''|get_bgp_communities %}
community {{ community.slug }} members {% if " " in community.value %}[ {{ community.value }} ]{% else %}{{ community.value }}{% endif %};
{% endfor %}
{# AS paths that contain any of the listed large transit ASNs at any position.
   Used by EXPORT-PROTECT-reject so that routes learned via these networks
   are never re-advertised (route-leak protection). The ASN lists are static
   and need manual upkeep. #}
as-path-group NEVER-TO-UPSTREAM-OR-PEERS {
    as-path TIER1-IN-PATH ".* (7018|3320|3257|6830|3356|2914|5511|3491|1239|6453|6762|1299|12956|701|6461) .*";
    as-path TIER2-IN-PATH ".* (4134|4809|7473|174|7922|6939|9002|1273|2828|4637) .*";
}
{# AS paths whose first (neighbouring) AS is 41495. The LINX-LON1 import
   policies give these local-preference 400 instead of 500. #}
as-path-group LINX-LON1-ASPATH-DEPREFER {
    as-path FAELIX-DEPREFER "41495 .*";
}
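{# Per-ASN import policies. For every ASN in asns_requiring_prefixes, one
   IPv4 and one IPv6 policy is rendered from the prefix records returned by
   the get_prefixes_for_asn filter. Each record renders as "exact" or as
   "upto /<less-equal>". Anything not listed is rejected.

   Fail closed: the accepting term is rendered only when the prefix list for
   that family is non-empty. Without this guard an empty list (for example a
   failed or empty prefix lookup) renders a term whose only match condition
   is the address family, which accepts every route of that family from the
   neighbour. With the guard, an empty list renders a policy that rejects
   everything. #}
{% for asn in asns_requiring_prefixes|unique %}
{% set prefixes = asn|get_prefixes_for_asn %}
policy-statement AS{{ asn }}-import-IPv4 {
{% if prefixes['ipv4'] %}
    term 1 {
        from {
            family inet;
{% for prefix in prefixes['ipv4'] %}
            route-filter {{ prefix['prefix'] }} {% if prefix['exact'] %}exact{% else %}upto /{{ prefix['less-equal'] }}{% endif %};
{% endfor %}
        }
        then accept;
    }
{% endif %}
    then reject;
}
policy-statement AS{{ asn }}-import-IPv6 {
{% if prefixes['ipv6'] %}
    term 1 {
        from {
            family inet6;
{% for prefix in prefixes['ipv6'] %}
            route-filter {{ prefix['prefix'] }} {% if prefix['exact'] %}exact{% else %}upto /{{ prefix['less-equal'] }}{% endif %};
{% endfor %}
        }
        then accept;
    }
{% endif %}
    then reject;
}
{% endfor %}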
}