Vyatta Routing and Policy Configuration (Router0-Cogent)

policy

The as-path-list named “ACME” has one rule that matches only routes originated in our own AS. The route-map that references it (“ebgp”) therefore stops our routers from advertising to the BGP peer any route that did not originate in our AS, so our routers never become a transit path between ISPs.

The prefix-list “BlackHole-Export” exists only on the router connected to Cogent. Any of our IPs that we want blackholed must be added to this prefix-list (as a /32).

The prefix-list “eBGP-Bogons” prevents us from accepting bogon advertisements from the ISP. Bogon space changes over time (unallocated blocks get assigned), so some entries in this prefix-list are outdated; an entry that has since been allocated will silently drop legitimate routes, so the list needs periodic review. It also includes our own public subnets, so that we do not accept our own routes if someone else advertises them.

The prefix-list “ospf” permits all IPv4 routes and is used in the route-map “ospf”.

The prefix-list “IPv6-Bogon” filters out bogon and martian IPv6 routes. It allows routes within the global unicast range 2000::/3 except those reserved by IANA (2001::/32, 2001:2::/48 and 2001:db8::/32), which are not meant to appear in the global routing table.

The prefix-list “ospfv3” permits all IPv6 routes and is used in the route-map “ospfv3”.

Route-map “BlackHole-Export” permits only prefixes that match the prefix-list “BlackHole-Export”. It is applied to the blackhole BGP session with Cogent so that only the IPs we deliberately blackhole are sent on that session. Route-map “IPv6-Bogon” is based on the prefix-list “IPv6-Bogon”.

Route-map “cogent” denies all prefixes that match prefix-list “eBGP-Bogons” and permits everything else. It is applied to routes received from the ISP on the eBGP session.

Route-map “ebgp” permits routes whose AS path matches as-path-list “ACME”; the implicit deny at the end blocks everything else. It is applied to routes advertised to the ISP on the eBGP session.

Route-map “ospf” permits routes that match prefix-list “ospf”. There is an implicit deny at the end.

Route-map “ospfv3” permits routes that match prefix-list “ospfv3”. There is an implicit deny at the end.

-Both the IPv4 and the IPv6 BGP session can carry both IPv4 and IPv6 routes (multiprotocol BGP address families).

-For each BGP “network” statement to be advertised, an exactly matching route must exist in the routing table, either learned through OSPF or defined as a static route.

-The most specific route always wins (longest prefix match). The blackhole static routes that exist only so BGP can announce the aggregates are installed, but for every destination that has a more specific OSPF route that route is used instead. Only traffic to addresses inside an aggregate with no more specific route is dropped by the blackhole, which is what we want: it stops that traffic from bouncing back to Cogent via the default route.

protocols bgp 3xxx
(ACME AS is 3xxxx.) IPv6 networks advertised through BGP: 2605:b900:1::/48, 26xx:xxxx::/48, 26xx:xxxx::/32

“neighbor 38.x.x.x” is the IPv4 eBGP session with Cogent. Route-map “ebgp” is applied to exported (advertised) routes so that we only advertise our own networks; route-map “cogent” is applied to imported (received) routes to filter out bogons. Cogent’s AS is 1xxx.

“neighbor 66.28.8.1” is the blackhole eBGP session with Cogent; route-map “BlackHole-Export” is applied to the routes exported on it.

“neighbor 199.x.x.x” is the iBGP session with Router1. nexthop-self is required so that Router1 uses Router0 itself as the next hop for routes Router0 learned from Cogent, instead of Cogent’s peering address on a link Router1 is not connected to.

“neighbor 20xx:xxx:x:xx::x:x” is the IPv6 eBGP session with Cogent. Route-map “ebgp” guarantees that we only advertise our own routes and do not become transit between ISPs.

“neighbor 26xx:xxxx::2” is the IPv6 iBGP session with Router1.

IPv4 networks advertised through BGP: 199.x.x.0/21, 199.x.x.0/23, 199.x.x.0/23, 199.103.60.0/22, 208.x.x.0/22, 208.x.x.0/22, 208.x.x.x/32 (blackhole), 208.x.x.0/24 (client’s subnet)

Router0 has OSPF neighborship with Router1, Core0 and Core1.
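The policy and BGP neighbor configuration described above, reconstructed as Vyatta CLI commands. This is an added example, not the page’s own configuration export: the AS numbers (64500 for ACME, 64501 for Cogent), the neighbor addresses, the prefixes, the as-path regex “^$”, the “le 48” limit on 2000::/3 and the placement of route-map “IPv6-Bogon” on the IPv6 import are placeholders and assumptions standing in for the elided values, and the bogon entries are only a subset.

```vyatta
# Added example (not the page's own config). Placeholders: AS 64500 = ACME (3xxxx),
# AS 64501 = Cogent (1xxx), 203.0.113.0/24 = our IPv4 aggregate, 2001:db8:1::/48 = our
# IPv6 aggregate, 198.51.100.1/.5 and 2001:db8:ffff::1 = Cogent peers, 192.0.2.2 = Router1.
# Enter at the "configure" prompt, then commit.

# as-path-list ACME: "^$" matches an empty AS path, i.e. routes originated in our own AS.
# Assumed regex; the page does not show the rule.
set policy as-path-list ACME rule 10 action permit
set policy as-path-list ACME rule 10 regex '^$'

# route-map ebgp: permit only routes whose AS path matches ACME; implicit deny for the rest.
set policy route-map ebgp rule 10 action permit
set policy route-map ebgp rule 10 match as-path ACME

# prefix-list eBGP-Bogons (subset): bogons plus our own aggregate.
# "le 32" makes each rule also match every more-specific prefix inside the block.
set policy prefix-list eBGP-Bogons rule 10 action permit
set policy prefix-list eBGP-Bogons rule 10 prefix 0.0.0.0/8
set policy prefix-list eBGP-Bogons rule 10 le 32
set policy prefix-list eBGP-Bogons rule 20 action permit
set policy prefix-list eBGP-Bogons rule 20 prefix 10.0.0.0/8
set policy prefix-list eBGP-Bogons rule 20 le 32
set policy prefix-list eBGP-Bogons rule 30 action permit
set policy prefix-list eBGP-Bogons rule 30 prefix 192.168.0.0/16
set policy prefix-list eBGP-Bogons rule 30 le 32
set policy prefix-list eBGP-Bogons rule 40 action permit
set policy prefix-list eBGP-Bogons rule 40 prefix 203.0.113.0/24
set policy prefix-list eBGP-Bogons rule 40 le 32

# route-map cogent: deny anything matching eBGP-Bogons, permit everything else.
set policy route-map cogent rule 10 action deny
set policy route-map cogent rule 10 match ip address prefix-list eBGP-Bogons
set policy route-map cogent rule 20 action permit

# BlackHole-Export: only the /32s listed here may leave on the blackhole session.
set policy prefix-list BlackHole-Export rule 10 action permit
set policy prefix-list BlackHole-Export rule 10 prefix 203.0.113.200/32
set policy route-map BlackHole-Export rule 10 action permit
set policy route-map BlackHole-Export rule 10 match ip address prefix-list BlackHole-Export

# IPv6-Bogon: deny the IANA-reserved blocks (and their more-specifics), then permit 2000::/3.
set policy prefix-list6 IPv6-Bogon rule 10 action deny
set policy prefix-list6 IPv6-Bogon rule 10 prefix 2001::/32
set policy prefix-list6 IPv6-Bogon rule 10 le 128
set policy prefix-list6 IPv6-Bogon rule 20 action deny
set policy prefix-list6 IPv6-Bogon rule 20 prefix 2001:2::/48
set policy prefix-list6 IPv6-Bogon rule 20 le 128
set policy prefix-list6 IPv6-Bogon rule 30 action deny
set policy prefix-list6 IPv6-Bogon rule 30 prefix 2001:db8::/32
set policy prefix-list6 IPv6-Bogon rule 30 le 128
set policy prefix-list6 IPv6-Bogon rule 40 action permit
set policy prefix-list6 IPv6-Bogon rule 40 prefix 2000::/3
set policy prefix-list6 IPv6-Bogon rule 40 le 48
set policy route-map IPv6-Bogon rule 10 action permit
set policy route-map IPv6-Bogon rule 10 match ipv6 address prefix-list IPv6-Bogon

# BGP. The "network" statements only take effect while an exactly matching route exists
# in the RIB (the blackhole statics under "protocols static").
set protocols bgp 64500 network 203.0.113.0/24
set protocols bgp 64500 network 203.0.113.200/32
set protocols bgp 64500 address-family ipv6-unicast network 2001:db8:1::/48
# Main IPv4 session with Cogent: ebgp on export, cogent on import.
set protocols bgp 64500 neighbor 198.51.100.1 remote-as 64501
set protocols bgp 64500 neighbor 198.51.100.1 route-map export ebgp
set protocols bgp 64500 neighbor 198.51.100.1 route-map import cogent
# Blackhole session with Cogent: only BlackHole-Export prefixes leave here.
set protocols bgp 64500 neighbor 198.51.100.5 remote-as 64501
set protocols bgp 64500 neighbor 198.51.100.5 route-map export BlackHole-Export
# iBGP with Router1: nexthop-self so Router1 points at Router0, not at Cogent's address.
set protocols bgp 64500 neighbor 192.0.2.2 remote-as 64500
set protocols bgp 64500 neighbor 192.0.2.2 nexthop-self
# IPv6 session with Cogent: same ebgp export policy; IPv6-Bogon on import is an assumption.
set protocols bgp 64500 neighbor 2001:db8:ffff::1 remote-as 64501
set protocols bgp 64500 neighbor 2001:db8:ffff::1 address-family ipv6-unicast route-map export ebgp
set protocols bgp 64500 neighbor 2001:db8:ffff::1 address-family ipv6-unicast route-map import IPv6-Bogon
commit
save
```

After committing, “show ip bgp neighbors 198.51.100.1 advertised-routes” should list only our own prefixes, and a route with a non-empty AS path (anything learned from another peer) must not appear there; that is the check that the as-path-list is doing its job.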

protocols ospf

Interfaces eth1, eth2 and eth3 participate in OSPF and form adjacencies with the OSPF routers on those links; the loopback also participates so that its address is advertised (a loopback forms no adjacency of its own).

“redistribute static” redistributes static routes into OSPF using route-map “ospf”, which permits all IPv4. Note that this statement covers static routes only; directly connected networks are not included by it and need “redistribute connected” (as is done in the OSPFv3 configuration).

“default-information originate” advertises a default route into OSPF so that neighboring devices use Router0 as their default gateway. Without the “always” option the default is only originated while Router0 itself has a default route in its routing table (here the static “route 0.0.0.0/0”); if that static route is removed, the default disappears from OSPF as well.

protocols ospfv3

We redistribute both static and connected routes using route-map “ospfv3”, which permits all IPv6.

OSPFv3 can in principle route both IPv4 and IPv6 (address-family support, RFC 5838), but here it is used only for IPv6.

protocols static

“route 0.0.0.0/0” is the default route; its next-hop is the IP of the Cogent device connected to Router0.

“route 199.x.x.0/21” is a blackhole route whose only purpose is to put the aggregate into the routing table so that it can be advertised through BGP.

“route 199.x.x.0/23” is likewise a blackhole route that exists only so the prefix can be advertised through BGP. We do not receive this route through OSPF because this subnet is not used in our network.

“route6 ::/0” is the IPv6 default route, the equivalent of “route 0.0.0.0/0” for IPv4.

“route6 26x:xxxx:1::/48”, “route6 26xx:xxxx::/32” and “route6 26xx:xxxx::/48” are blackhole routes that exist so these prefixes can be advertised through BGP. The subnets actually in use, which the router receives through OSPFv3, are /64s; being more specific, they take precedence over the blackholes.

For the BGP blackhole /32 we also add a static blackhole route, so that BGP has an exactly matching route and advertises that IP.
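The static, OSPF and OSPFv3 side of the same router, as an added example in Vyatta CLI (not the page’s own configuration). Placeholders and assumptions: 198.51.100.1 and 2001:db8:ffff::1 are Cogent’s next-hops, 203.0.113.0/24 and 2001:db8:1::/48 stand in for our aggregates, 203.0.113.200/32 is the blackholed IP, 192.0.2.0/30 and 203.0.113.1 are an internal link and the loopback address, and the area, router-id and interface names are assumed.

```vyatta
# Added example (not the page's own config). Placeholders: 198.51.100.1 / 2001:db8:ffff::1 =
# Cogent next-hops, 203.0.113.0/24 and 2001:db8:1::/48 = our aggregates, 203.0.113.200/32 =
# blackholed IP, 192.0.2.0/30 = internal link, 203.0.113.1 = loopback. Area and interfaces
# are assumed. Enter at the "configure" prompt, then commit.

# Default routes towards Cogent. "default-information originate" below depends on the
# IPv4 one being present in the RIB.
set protocols static route 0.0.0.0/0 next-hop 198.51.100.1
set protocols static route6 ::/0 next-hop 2001:db8:ffff::1

# Aggregates as blackhole routes: they exist so the BGP "network" statements have an exact
# match in the RIB. The /23 and /64 routes learned through OSPF/OSPFv3 are more specific
# and win; only traffic to unused space inside the aggregate is dropped here instead of
# following the default route back to Cogent.
set protocols static route 203.0.113.0/24 blackhole
set protocols static route6 2001:db8:1::/48 blackhole

# Blackhole /32 for the BGP blackhole session (it must also be listed in the
# BlackHole-Export prefix-list under "policy").
set protocols static route 203.0.113.200/32 blackhole

# OSPF: permit-all prefix-list and route-map used for redistribution.
set policy prefix-list ospf rule 10 action permit
set policy prefix-list ospf rule 10 prefix 0.0.0.0/0
set policy prefix-list ospf rule 10 le 32
set policy route-map ospf rule 10 action permit
set policy route-map ospf rule 10 match ip address prefix-list ospf

set protocols ospf parameters router-id 203.0.113.1
set protocols ospf area 0 network 192.0.2.0/30
# Loopback address in area 0 (no adjacency is formed on it, so make it passive).
set protocols ospf area 0 network 203.0.113.1/32
set protocols ospf passive-interface lo
# "redistribute static" covers static routes only (including the blackholes above);
# add "redistribute connected" if directly connected networks should be advertised too.
set protocols ospf redistribute static route-map ospf
# Originates 0.0.0.0/0 only while a default route exists in the RIB; append "always" to
# advertise it unconditionally.
set protocols ospf default-information originate

# OSPFv3: interfaces are enabled per area; redistribute both static and connected.
set policy prefix-list6 ospfv3 rule 10 action permit
set policy prefix-list6 ospfv3 rule 10 prefix ::/0
set policy prefix-list6 ospfv3 rule 10 le 128
set policy route-map ospfv3 rule 10 action permit
set policy route-map ospfv3 rule 10 match ipv6 address prefix-list ospfv3
set protocols ospfv3 parameters router-id 203.0.113.1
set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 interface eth2
set protocols ospfv3 area 0.0.0.0 interface eth3
set protocols ospfv3 redistribute static route-map ospfv3
set protocols ospfv3 redistribute connected route-map ospfv3
commit
save
```

A quick check after commit: “show ip route 203.0.113.200” should resolve to the blackhole, while an address inside a /23 learned from OSPF should resolve to that OSPF next-hop rather than the /24 blackhole, which confirms the longest-prefix-match behaviour the notes above rely on.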

————————————————–

The BGP filter on the Cogent side (IOS XR prefix-set syntax) is:

prefix-set AS3xxxx-in
  38.x.x.x/32,
  199.x.x.0/21 le 24,
  208.x.x.0/22 le 24,
  208.x.x.0/22 le 24,
  208.x.x.0/24
end-set

38.x.x.x/32 is from a previous configuration and can be removed. Note that “le 24” accepts each aggregate and its more-specifics only down to /24, so a /32 would not pass this set; the blackhole /32 is therefore only accepted over the separate blackhole session, not this one.