iBGP example
------------

!
no logging console                  ! switch off annoying console messages
logging buffer 4096                 ! log messages go to memory buffer
!
interface loopback 0
 description All routers need a Loopback interface
 ip address 198.6.30.254 255.255.255.255
!
interface ethernet 0
 ip address 192.5.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 <key>    ! key string not given in the original
!
interface ethernet 1
 ip address 198.6.30.1 255.255.255.240
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface ethernet 0
 network 192.5.1.0 0.0.0.255 area 0
 network 198.6.30.0 0.0.0.15 area 0
 network 198.6.30.254 0.0.0.0 area 0
 area 0 authentication message-digest
!
ip bgp-community new-format         ! use RFC1998 community format
!
router bgp 100                      ! 100 is our AS number
 log-neighbor-changes               ! log neighbour changes
 no synchronization                 ! switch off IGP synchronisation
 no auto-summary                    ! switch off auto-summarisation
 bgp dampening                      ! enable BGP flap damping
 network 198.6.30.0 mask 255.255.255.0        ! don't forget the ip route command
 network 192.5.1.0 mask 255.255.255.0
 ! first iBGP peer
 neighbor 198.6.30.252 remote-as 100           ! same as own AS => this is iBGP
 neighbor 198.6.30.252 version 4               ! hardwire to version 4 - safe
 neighbor 198.6.30.252 description iBGP with X ! description line for documentation
 neighbor 198.6.30.252 update-source loopback 0   ! iBGP runs between loopbacks
 neighbor 198.6.30.252 send-community          ! send communities for iBGP
 ! second iBGP peer
 neighbor 198.6.30.253 remote-as 100
 neighbor 198.6.30.253 version 4
 neighbor 198.6.30.253 description iBGP with Y
 neighbor 198.6.30.253 update-source loopback 0
 neighbor 198.6.30.253 send-community
!
ip route 198.6.30.0 255.255.255.0 null0 250    ! needed for BGP network statement
ip route 192.5.1.0 255.255.255.0 null0 250     ! needed for BGP network statement
!


eBGP with peer
--------------

This example uses prefix-lists to filter what you send to your peer, and what
your peer sends to you. This is very safe, as you have to explicitly configure
each network into the prefix-list.

router bgp 100
 log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 198.6.30.0 mask 255.255.255.0
 network 192.5.1.0 mask 255.255.255.0
 ! first iBGP peer
 neighbor 198.6.30.252 remote-as 100
 neighbor 198.6.30.252 version 4
 neighbor 198.6.30.252 description iBGP with X
 neighbor 198.6.30.252 update-source loopback 0
 neighbor 198.6.30.252 send-community
 ! second iBGP peer
 neighbor 198.6.30.253 remote-as 100
 neighbor 198.6.30.253 version 4
 neighbor 198.6.30.253 description iBGP with Y
 neighbor 198.6.30.253 update-source loopback 0
 neighbor 198.6.30.253 send-community
 ! eBGP neighbour
 neighbor 193.5.1.1 remote-as 200                 ! Peer ISP's AS number
 neighbor 193.5.1.1 version 4                     ! Hardwire for safety
 neighbor 193.5.1.1 description eBGP with Peer    ! Description line
 neighbor 193.5.1.1 prefix-list to-AS200 out      ! Filter outbound prefixes!!
 neighbor 193.5.1.1 prefix-list from-AS200 in     ! Filter inbound prefixes!!
!
ip route 198.6.30.0 255.255.255.0 null0 250
ip route 192.5.1.0 255.255.255.0 null0 250
!
! allow my networks out only - stops me from providing unintentional transit
!
ip prefix-list to-AS200 permit 198.6.30.0/24
ip prefix-list to-AS200 permit 192.5.1.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
!
! allow their networks in only - stops them from sending prefixes I don't want
!
ip prefix-list from-AS200 permit 193.5.0.0/19
ip prefix-list from-AS200 deny 0.0.0.0/0 le 32
!


eBGP with peer
--------------

This example uses AS PATH filters to filter what you send to your peer, and what
you receive from your peer. This method is less safe than using prefix-lists, as
it assumes that you trust your peer not to originate prefixes it is not entitled
to originate.

router bgp 100
 log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 198.6.30.0 mask 255.255.255.0
 network 192.5.1.0 mask 255.255.255.0
 ! first iBGP peer
 neighbor 198.6.30.252 remote-as 100
 neighbor 198.6.30.252 version 4
 neighbor 198.6.30.252 description iBGP with X
 neighbor 198.6.30.252 update-source loopback 0
 neighbor 198.6.30.252 send-community
 ! second iBGP peer
 neighbor 198.6.30.253 remote-as 100
 neighbor 198.6.30.253 version 4
 neighbor 198.6.30.253 description iBGP with Y
 neighbor 198.6.30.253 update-source loopback 0
 neighbor 198.6.30.253 send-community
 ! eBGP neighbour
 neighbor 193.5.1.1 remote-as 200                 ! Peer ISP's AS number
 neighbor 193.5.1.1 version 4                     ! Hardwire for safety
 neighbor 193.5.1.1 description eBGP with Peer    ! Description line
 neighbor 193.5.1.1 filter-list 1 out             ! Filter outbound ASes!!
 neighbor 193.5.1.1 filter-list 2 in              ! Filter inbound ASes!!
!
ip route 198.6.30.0 255.255.255.0 null0 250
ip route 192.5.1.0 255.255.255.0 null0 250
!
! allow my AS out only - stops me from providing unintentional transit
!
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
!
! allow their AS in only - stops them from sending ASes I don't want
!
ip as-path access-list 2 permit ^200$
ip as-path access-list 2 deny .*
!


eBGP with upstream
------------------

This example assumes the upstream is sending the full routing table.

router bgp 100
 log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 198.6.30.0 mask 255.255.255.0
 network 192.5.1.0 mask 255.255.255.0
 ! first iBGP peer
 neighbor 198.6.30.252 remote-as 100
 neighbor 198.6.30.252 version 4
 neighbor 198.6.30.252 description iBGP with X
 neighbor 198.6.30.252 update-source loopback 0
 neighbor 198.6.30.252 send-community
 ! second iBGP peer
 neighbor 198.6.30.253 remote-as 100
 neighbor 198.6.30.253 version 4
 neighbor 198.6.30.253 description iBGP with Y
 neighbor 198.6.30.253 update-source loopback 0
 neighbor 198.6.30.253 send-community
 ! eBGP neighbour
 neighbor 193.5.1.1 remote-as 300                   ! Upstream ISP's AS number
 neighbor 193.5.1.1 version 4                       ! Hardwire for safety
 neighbor 193.5.1.1 description eBGP with Upstream  ! Description line
 neighbor 193.5.1.1 prefix-list to-AS300 out        ! Filter outbound prefixes!!
 neighbor 193.5.1.1 prefix-list from-AS300 in       ! Filter inbound prefixes!!
!
ip route 198.6.30.0 255.255.255.0 null0 250
ip route 192.5.1.0 255.255.255.0 null0 250
!
! allow my networks out only
!
ip prefix-list to-AS300 permit 198.6.30.0/24
ip prefix-list to-AS300 permit 192.5.1.0/24
ip prefix-list to-AS300 deny 0.0.0.0/0 le 32
!
! take all the prefixes they send apart from special use addresses and
! my own address space
!
ip prefix-list from-AS300 deny 0.0.0.0/8 le 32         ! block all special use addresses
ip prefix-list from-AS300 deny 10.0.0.0/8 le 32
ip prefix-list from-AS300 deny 127.0.0.0/8 le 32
ip prefix-list from-AS300 deny 169.254.0.0/16 le 32
ip prefix-list from-AS300 deny 172.16.0.0/12 le 32
ip prefix-list from-AS300 deny 192.0.2.0/24 le 32
ip prefix-list from-AS300 deny 192.168.0.0/16 le 32
ip prefix-list from-AS300 deny 224.0.0.0/3 le 32
ip prefix-list from-AS300 deny 0.0.0.0/0 ge 25          ! deny all prefixes longer than /24
ip prefix-list from-AS300 deny 198.6.30.0/24 le 32      ! block my own address space from upstream
ip prefix-list from-AS300 deny 192.5.1.0/24 le 32
ip prefix-list from-AS300 permit 0.0.0.0/0 le 32        ! let in everything else
!


eBGP with upstream
------------------

This example assumes the upstream is sending just the default route.

router bgp 100
 log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 198.6.30.0 mask 255.255.255.0
 network 192.5.1.0 mask 255.255.255.0
 ! first iBGP peer
 neighbor 198.6.30.252 remote-as 100
 neighbor 198.6.30.252 version 4
 neighbor 198.6.30.252 description iBGP with X
 neighbor 198.6.30.252 update-source loopback 0
 neighbor 198.6.30.252 send-community
 ! second iBGP peer
 neighbor 198.6.30.253 remote-as 100
 neighbor 198.6.30.253 version 4
 neighbor 198.6.30.253 description iBGP with Y
 neighbor 198.6.30.253 update-source loopback 0
 neighbor 198.6.30.253 send-community
 ! eBGP neighbour
 neighbor 193.5.1.1 remote-as 300                   ! Upstream ISP's AS number
 neighbor 193.5.1.1 version 4                       ! Hardwire for safety
 neighbor 193.5.1.1 description eBGP with Upstream  ! Description line
 neighbor 193.5.1.1 prefix-list to-AS300 out        ! Filter outbound prefixes!!
 neighbor 193.5.1.1 prefix-list from-AS300 in       ! Filter inbound prefixes!!
!
ip route 198.6.30.0 255.255.255.0 null0 250
ip route 192.5.1.0 255.255.255.0 null0 250
!
! allow my networks out only
!
ip prefix-list to-AS300 permit 198.6.30.0/24
ip prefix-list to-AS300 permit 192.5.1.0/24
ip prefix-list to-AS300 deny 0.0.0.0/0 le 32
!
! take just the default route from my upstream
!
ip prefix-list from-AS300 permit 0.0.0.0/0
ip prefix-list from-AS300 deny 0.0.0.0/0 le 32
!
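The prefix-list and as-path filters in the four eBGP examples above all rely on the same IOS evaluation rules: first matching entry wins, every list ends with an implicit deny, an entry without "ge"/"le" matches only that exact prefix length, and "le 32" extends a match to every more-specific. The following Python evaluator is an added illustration, not Cisco code and not part of the original examples; it models just the keywords those examples use (the IOS "_" as-path metacharacter is not modelled), copies the page's filters verbatim (the default-route-only list is renamed "from-AS300-default-only" so both "from-AS300" variants fit in one table), and runs constructed sample prefixes and AS paths through them. It shows, among other things, that the full-table filter still admits a default route, and that "permit 193.5.0.0/19" with no "le" rejects a peer's more-specific /24.

```python
"""Toy evaluator for the IOS-style prefix-list and as-path filters used in these examples.
Constructed illustration, not Cisco code; only the keywords the examples use are modelled."""
import ipaddress
import re

# The page's filters, copied verbatim. The default-route-only list is renamed here
# (constructed label) so both "from-AS300" variants can live in one table.
CONFIG = """
ip prefix-list to-AS200 permit 198.6.30.0/24
ip prefix-list to-AS200 permit 192.5.1.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
ip prefix-list from-AS200 permit 193.5.0.0/19
ip prefix-list from-AS200 deny 0.0.0.0/0 le 32
ip prefix-list from-AS300 deny 0.0.0.0/8 le 32        ! block all special use addresses
ip prefix-list from-AS300 deny 10.0.0.0/8 le 32
ip prefix-list from-AS300 deny 127.0.0.0/8 le 32
ip prefix-list from-AS300 deny 169.254.0.0/16 le 32
ip prefix-list from-AS300 deny 172.16.0.0/12 le 32
ip prefix-list from-AS300 deny 192.0.2.0/24 le 32
ip prefix-list from-AS300 deny 192.168.0.0/16 le 32
ip prefix-list from-AS300 deny 224.0.0.0/3 le 32
ip prefix-list from-AS300 deny 0.0.0.0/0 ge 25         ! deny all prefixes longer than /24
ip prefix-list from-AS300 deny 198.6.30.0/24 le 32     ! block my own address space
ip prefix-list from-AS300 deny 192.5.1.0/24 le 32
ip prefix-list from-AS300 permit 0.0.0.0/0 le 32       ! let in everything else
ip prefix-list from-AS300-default-only permit 0.0.0.0/0
ip prefix-list from-AS300-default-only deny 0.0.0.0/0 le 32
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
ip as-path access-list 2 permit ^200$
ip as-path access-list 2 deny .*
"""


def parse_config(text):
    """Return ({prefix-list name: [(action, network, ge, le)]}, {acl number: [(action, regex)]})."""
    prefix_lists, as_path_lists = {}, {}
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()      # drop the trailing "! comment" annotations
        if not line:
            continue
        tok = line.split()
        if tok[:2] == ["ip", "prefix-list"]:
            name, action, net = tok[2], tok[3], ipaddress.ip_network(tok[4])
            bounds = dict(zip(tok[5::2], map(int, tok[6::2])))   # e.g. {"ge": 25} or {"le": 32}
            prefix_lists.setdefault(name, []).append(
                (action, net, bounds.get("ge"), bounds.get("le")))
        elif tok[:3] == ["ip", "as-path", "access-list"]:
            num, action, regex = tok[3], tok[4], line.split(None, 5)[5]
            as_path_lists.setdefault(num, []).append((action, re.compile(regex)))
    return prefix_lists, as_path_lists


def entry_matches(entry, candidate):
    """IOS semantics: the candidate must lie inside the entry's prefix; with no ge/le the
    length must be exact, 'ge' alone means ge..32, 'le' alone means prefixlen..le."""
    _, net, ge, le = entry
    if not candidate.subnet_of(net):
        return False
    if ge is None and le is None:
        return candidate.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else net.max_prefixlen
    return low <= candidate.prefixlen <= high


def eval_prefix_list(prefix_lists, name, prefix):
    """First matching entry wins; every IOS prefix-list ends with an implicit deny.
    An unknown list name raises KeyError so a misspelt name cannot silently pass everything."""
    candidate = ipaddress.ip_network(prefix)
    for entry in prefix_lists[name]:
        if entry_matches(entry, candidate):
            return entry[0]
    return "deny"


def eval_as_path(as_path_lists, num, as_path):
    """as_path is the AS_PATH as IOS prints it: '' for a locally originated route (what the
    outbound filter-list sees before our own AS is prepended), '200 65001' for two hops."""
    for action, pattern in as_path_lists[num]:
        if pattern.search(as_path):
            return action
    return "deny"


PREFIX_LISTS, AS_PATH_LISTS = parse_config(CONFIG)


def run_examples():
    """Constructed sample prefixes run through the page's lists; returns {label: verdict}."""
    cases = [
        ("from-AS300", "130.130.0.0/16"),   # ordinary prefix from upstream: permit
        ("from-AS300", "130.130.4.0/26"),   # longer than /24: deny
        ("from-AS300", "10.1.0.0/16"),      # RFC1918 more-specific: deny via "le 32"
        ("from-AS300", "198.6.30.0/24"),    # our own space coming back from upstream: deny
        ("from-AS300", "0.0.0.0/0"),        # a default route also passes the full-table list
        ("from-AS200", "193.5.8.0/24"),     # peer's more-specific: deny (exact match only)
        ("to-AS200", "193.5.0.0/19"),       # peer's prefix must not be re-advertised: deny
        ("from-AS300-default-only", "130.130.0.0/16"),   # anything but default: deny
    ]
    return {f"{name} {p}": eval_prefix_list(PREFIX_LISTS, name, p) for name, p in cases}


if __name__ == "__main__":
    for label, verdict in run_examples().items():
        print(f"{verdict:6} {label}")
    print("acl 1, local origin:", eval_as_path(AS_PATH_LISTS, "1", ""))
    print("acl 2, path '200 65001':", eval_as_path(AS_PATH_LISTS, "2", "200 65001"))
```

Extend the "cases" list with your own address space and your peers' prefixes before applying a new inbound filter; the "deny 0.0.0.0/0 ge 25" entry in particular silently drops any of your own or your customers' /25 and longer announcements that come back via the upstream.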