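# Quagga bgpd configuration: logging, vty credentials, DN42 and Internet
# route filters (access-lists, as-path access-lists, prefix-lists), then the
# start of the "router bgp" stanza with peer-group IBGP.
#
# NOTE(review): bgpd treats "!" or "#" as a comment only at the start of a
# line. The trailing "# ..." annotations below are kept from the original and
# need to be stripped or moved to their own lines before the file is loaded;
# confirm against your Quagga version.
hostname BGP
log file /var/log/quagga/bgpd.log
log monitor
log stdout
log syslog
# NOTE(review): "Quagga" is a placeholder value. The vty and enable passwords
# are stored here in clear text: set unique secrets, keep this file readable
# only by the daemon's user, and consider "service password-encryption".
password Quagga
enable password Quagga

# ---- DN42 filters ----
# The DN42 ranges sit inside 172.16.0.0/12 and fc00::/7, both of which
# prefix-list Internet denies; a session that carries DN42 routes has to
# reference the DN42 lists, not the Internet ones.
access-list DN42 permit 172.20.0.0/14 # Address Allocation for Private Internets
ipv6 access-list DN42 permit fd00::/8 # Unique Local IPv6 Unicast Addresses
# NOTE(review): this pattern has no "$" anchor and "." matches any character,
# so only the leading part of the AS path is constrained; tighten it if the
# whole path is meant to stay inside the 424242xxxx range.
ip as-path access-list DN42 permit ^(424242....)+
ip prefix-list DN42 seq 5 permit 172.20.0.0/14 le 31 # Address Allocation for Private Internets
ipv6 prefix-list DN42 seq 5 permit fd00::/8 le 64 # Unique Local IPv6 Unicast Addresses

# ---- Internet access-lists ----
# NOTE(review): no "distribute-list" in the visible configuration references
# these access-lists; the BGP sessions use the prefix-lists and the as-path
# access-lists. Several special-purpose ranges are permitted here but denied
# in prefix-list Internet.
access-list Internet deny 0.0.0.0/32 # "This host on this network"
access-list Internet deny 0.0.0.0/8 # "This network"
access-list Internet permit 10.0.0.0/8 # Private-Use
access-list Internet permit 100.64.0.0/10 # Shared Address Space
access-list Internet deny 127.0.0.0/8 # Loopback
access-list Internet permit 169.254.0.0/16 # Link Local
access-list Internet permit 172.16.0.0/12 # Private-Use
access-list Internet permit 192.0.0.0/29 # IPv4 Service Continuity Prefix
access-list Internet deny 192.0.0.8/32 # IPv4 dummy address
access-list Internet permit 192.0.0.9/32 # Port Control Protocol Anycast
access-list Internet permit 192.0.0.10/32 # Traversal Using Relays around NAT Anycast
access-list Internet deny 192.0.0.170/32 # NAT64/DNS64 Discovery
access-list Internet deny 192.0.0.171/32 # NAT64/DNS64 Discovery
access-list Internet deny 192.0.0.0/24 # IETF Protocol Assignments
access-list Internet deny 192.0.2.0/24 # Documentation (TEST-NET-1)
access-list Internet permit 192.31.196.0/24 # AS112-v4
access-list Internet permit 192.52.193.0/24 # AMT
access-list Internet deny 192.88.99.0/24 # Deprecated (6to4 Relay Anycast)
access-list Internet permit 192.168.0.0/16 # Private-Use
access-list Internet permit 192.175.48.0/24 # Direct Delegation AS112 Service
access-list Internet permit 198.18.0.0/15 # Benchmarking
access-list Internet deny 198.51.100.0/24 # Documentation (TEST-NET-2)
access-list Internet deny 203.0.113.0/24 # Documentation (TEST-NET-3)
access-list Internet deny 240.0.0.0/4 # Reserved
access-list Internet deny 255.255.255.255/32 # Limited Broadcast
access-list Internet permit any # RFC 6890, RFC 8190; https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
ipv6 access-list Internet deny ::/128 # Unspecified Address
ipv6 access-list Internet deny ::1/128 # Loopback Address
ipv6 access-list Internet deny ::ffff:0:0/96 # IPv4-mapped Address
ipv6 access-list Internet permit 64:ff9b::/96 # IPv4-IPv6 Translat.
ipv6 access-list Internet permit 64:ff9b:1::/48 # IPv4-IPv6 Translat.
ipv6 access-list Internet permit 100::/64 # Discard-Only Address Block
ipv6 access-list Internet permit 2001::/32 # TEREDO
ipv6 access-list Internet permit 2001:1::1/128 # Port Control Protocol Anycast
ipv6 access-list Internet permit 2001:1::2/128 # Traversal Using Relays around NAT Anycast
ipv6 access-list Internet permit 2001:2::/48 # Benchmarking
ipv6 access-list Internet permit 2001:3::/32 # AMT
ipv6 access-list Internet permit 2001:4:112::/48 # AS112-v6
ipv6 access-list Internet deny 2001:10::/28 # Deprecated (previously ORCHID)
ipv6 access-list Internet permit 2001:20::/28 # ORCHIDv2
ipv6 access-list Internet permit 2001:30::/28 # Drone Remote ID Protocol Entity Tags (DETs) Prefix
ipv6 access-list Internet deny 2001:db8::/32 # Documentation
ipv6 access-list Internet deny 2001::/23 # IETF Protocol Assignments
ipv6 access-list Internet permit 2002::/16 # 6to4
ipv6 access-list Internet permit 2620:4f:8000::/48 # Direct Delegation AS112 Service
ipv6 access-list Internet permit fc00::/7 # Unique-Local
ipv6 access-list Internet permit fe80::/10 # Link-Local Unicast
ipv6 access-list Internet permit 2000::/3 # RFC 6890, RFC 8190; https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

# ---- Internet as-path access-list ----
ip as-path access-list Internet permit ^$
ip as-path access-list Internet permit ^(23456)+ # Replace the contents of the parenthesis with the ASN of your peer - Duplicate this line for each of your peers

# ---- Internet prefix-lists ----
# A prefix-list entry matches only the exact prefix length unless "ge"/"le" is
# given. Each deny of a block shorter than a host route therefore carries
# "le 32" (IPv4) or "le 128" (IPv6), so that more-specific announcements from
# the same special-purpose block are rejected instead of falling through to
# the catch-all permit at the end. This mirrors the "^+" operators in the RPSL
# filter-set at the end of this file. Entries are evaluated in "seq" order, so
# the host-route permits keep their place ahead of the covering denies.
ip prefix-list Internet seq 5 deny 0.0.0.0/32 # "This host on this network"
ip prefix-list Internet seq 10 deny 0.0.0.0/8 le 32 # "This network"
ip prefix-list Internet seq 15 deny 10.0.0.0/8 le 32 # Private-Use
ip prefix-list Internet seq 20 deny 100.64.0.0/10 le 32 # Shared Address Space
ip prefix-list Internet seq 25 deny 127.0.0.0/8 le 32 # Loopback
ip prefix-list Internet seq 30 deny 169.254.0.0/16 le 32 # Link Local
ip prefix-list Internet seq 35 deny 172.16.0.0/12 le 32 # Private-Use
ip prefix-list Internet seq 40 deny 192.0.0.0/29 le 32 # IPv4 Service Continuity Prefix
ip prefix-list Internet seq 45 deny 192.0.0.8/32 # IPv4 dummy address
ip prefix-list Internet seq 50 permit 192.0.0.9/32 # Port Control Protocol Anycast
ip prefix-list Internet seq 55 permit 192.0.0.10/32 # Traversal Using Relays around NAT Anycast
ip prefix-list Internet seq 60 deny 192.0.0.170/32 # NAT64/DNS64 Discovery
ip prefix-list Internet seq 65 deny 192.0.0.171/32 # NAT64/DNS64 Discovery
ip prefix-list Internet seq 70 deny 192.0.0.0/24 le 32 # IETF Protocol Assignments
ip prefix-list Internet seq 75 deny 192.0.2.0/24 le 32 # Documentation (TEST-NET-1)
ip prefix-list Internet seq 80 permit 192.31.196.0/24 # AS112-v4
ip prefix-list Internet seq 85 permit 192.52.193.0/24 # AMT
ip prefix-list Internet seq 90 deny 192.88.99.0/24 le 32 # Deprecated (6to4 Relay Anycast)
ip prefix-list Internet seq 95 deny 192.168.0.0/16 le 32 # Private-Use
ip prefix-list Internet seq 100 permit 192.175.48.0/24 # Direct Delegation AS112 Service
ip prefix-list Internet seq 105 deny 198.18.0.0/15 le 32 # Benchmarking
ip prefix-list Internet seq 110 deny 198.51.100.0/24 le 32 # Documentation (TEST-NET-2)
ip prefix-list Internet seq 115 deny 203.0.113.0/24 le 32 # Documentation (TEST-NET-3)
ip prefix-list Internet seq 120 deny 240.0.0.0/4 le 32 # Reserved
ip prefix-list Internet seq 125 deny 255.255.255.255/32 # Limited Broadcast
ip prefix-list Internet seq 130 permit 0.0.0.0/0 le 30 # RFC 6890, RFC 8190; https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
ipv6 prefix-list Internet seq 5 deny ::/128 # Unspecified Address
ipv6 prefix-list Internet seq 10 deny ::1/128 # Loopback Address
ipv6 prefix-list Internet seq 15 deny ::ffff:0:0/96 le 128 # IPv4-mapped Address
ipv6 prefix-list Internet seq 20 permit 64:ff9b::/96 # IPv4-IPv6 Translat.
ipv6 prefix-list Internet seq 25 deny 64:ff9b:1::/48 le 128 # IPv4-IPv6 Translat.
ipv6 prefix-list Internet seq 30 deny 100::/64 le 128 # Discard-Only Address Block
ipv6 prefix-list Internet seq 35 deny 2001::/32 le 128 # TEREDO
ipv6 prefix-list Internet seq 40 permit 2001:1::1/128 # Port Control Protocol Anycast
ipv6 prefix-list Internet seq 45 permit 2001:1::2/128 # Traversal Using Relays around NAT Anycast
ipv6 prefix-list Internet seq 50 deny 2001:2::/48 le 128 # Benchmarking
ipv6 prefix-list Internet seq 55 permit 2001:3::/32 le 64 # AMT
ipv6 prefix-list Internet seq 60 permit 2001:4:112::/48 le 64 # AS112-v6
ipv6 prefix-list Internet seq 65 deny 2001:10::/28 le 128 # Deprecated (previously ORCHID)
ipv6 prefix-list Internet seq 70 permit 2001:20::/28 le 64 # ORCHIDv2
ipv6 prefix-list Internet seq 75 permit 2001:30::/28 le 64 # Drone Remote ID Protocol Entity Tags (DETs) Prefix
ipv6 prefix-list Internet seq 80 deny 2001:db8::/32 le 128 # Documentation
ipv6 prefix-list Internet seq 85 deny 2001::/23 le 128 # IETF Protocol Assignments
ipv6 prefix-list Internet seq 90 deny 2002::/16 le 128 # 6to4
ipv6 prefix-list Internet seq 95 permit 2620:4f:8000::/48 le 64 # Direct Delegation AS112 Service
ipv6 prefix-list Internet seq 100 deny fc00::/7 le 128 # Unique-Local
ipv6 prefix-list Internet seq 105 deny fe80::/10 le 128 # Link-Local Unicast
ipv6 prefix-list Internet seq 110 permit 2000::/3 le 56 # RFC 6890, RFC 8190; https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
ipv6 prefix-list Internet seq 115 permit ff3e::/32 ge 96 le 96 # Source-Specific Multicast
ipv6 prefix-list Internet seq 120 permit ::/0 le 64 # RFC 6890, RFC 8190; https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

# ---- BGP instance ----
bgp multiple-instance
router bgp 4242420017 # When this Autonomous System Number equals the neighbour's "remote-as" the adjacency will be IBGP otherwise the adjacency will be EBGP; legal values include 64512 through 65534 and 4200000000 through 4294967294 for peers inside of the confederation, or the Autonomous System Number can be the same as the "bgp confederation identifier" for this router to announce this confederation broadly
 no bgp always-compare-med # This parameter must be configured consistently throughout the AS, including the confederation
 bgp bestpath as-path confed
 bgp bestpath as-path multipath-relax
 bgp client-to-client reflection # This is redundant until "route-reflector-client" is configured
 # bgp confederation identifier 4242420017 # This is the Autonomous System Number which we will be known externally as
 # bgp confederation peers 23456 # These are the Autonomous System Numbers inside of this confederation, possible values include 23456 and Private ASNs 64512 through 65534 and 4200000000 through 4294967294
 no bgp default ipv4-unicast
 no bgp deterministic-med # Do you trust all of your neighbours to insert equivalent values?
 bgp enforce-first-as # This ensures that our neighbours are not using an ASN other than that by which we know them as # This must be deconfigured when connected to a Route Server
 bgp fast-external-failover
 bgp graceful-restart
 bgp log-neighbor-changes
 bgp network import-check
 maximum-paths 64
 maximum-paths ibgp 64
 redistribute babel
 # redistribute connected
 redistribute isis
 # redistribute kernel
 redistribute nhrp
 redistribute ospf
 # redistribute pim # Not implemented
 redistribute rip
 # redistribute static
 neighbor IBGP peer-group
 neighbor IBGP remote-as 4242420017
 neighbor IBGP activate
 neighbor IBGP allowas-in 1 # How loopy shalt we be?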
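# Continuation of "router bgp 4242420017": remaining peer-group IBGP options,
# the per-address-family settings, then an RPSL attribute reference kept as
# comments.
 neighbor IBGP attribute-unchanged
 neighbor IBGP capability dynamic
 neighbor IBGP capability orf prefix-list both
 neighbor IBGP capability route-refresh
 # NOTE(review): bgpd keeps one filter-list and one prefix-list per neighbour
 # and direction, so the later "Internet" statements replace the "DN42" ones
 # rather than combining with them. Keep the pair that matches the routes this
 # session is meant to carry and remove the other.
 neighbor IBGP filter-list DN42 in # This utilises the "ip as-path access-list"
 neighbor IBGP filter-list DN42 out # This utilises the "ip as-path access-list"
 neighbor IBGP filter-list Internet in # This utilises the "ip as-path access-list"
 neighbor IBGP filter-list Internet out # This utilises the "ip as-path access-list"
 # neighbor IBGP local-as 23456 no-prepend
 # neighbor IBGP next-hop-self # This must not be configured when "route-reflector-client" is # This must not be configured when more than two EBGP peers are within the same broadcast domain # This must be configured when connected to a Non-Broadcast Multiple Access network that is not any-to-any
 # NOTE(review): "Quagga" is a placeholder for the TCP MD5 session secret and
 # is stored in clear text; agree a unique value with each peer and restrict
 # read access to this file.
 neighbor IBGP password Quagga
 neighbor IBGP prefix-list DN42 in
 neighbor IBGP prefix-list DN42 out
 neighbor IBGP prefix-list Internet in
 neighbor IBGP prefix-list Internet out
 # neighbor IBGP route-reflector-client # A Route Reflector is an alternative to full mesh IBGP, where it is akin to a Bridge in a spanning tree, in this instance there is a Route Reflector at every branch
 # neighbor IBGP route-server-client # A Route Server concerns only EBGP peering and only makes sense when combined with "route-map" directives
 neighbor IBGP send-community both
 neighbor IBGP soft-reconfiguration inbound
 # GTSM (RFC 5082): "hops N" makes bgpd drop packets whose TTL is below
 # 255 - N + 1, so "hops 1" accepts only TTL 255, i.e. directly connected
 # peers. The original value of 254 lowered the minimum accepted TTL to 2,
 # which removes almost all of the protection.
 neighbor IBGP ttl-security hops 1 # Use 1 to ensure that all of the peers are directly connected; otherwise if any of the peers are multihop, increment this value until all of the peering sessions are up - this has to be done in concert with the operator of the neighbouring AS
 # neighbor peer-group IBGP
 # neighbor peer-group IBGP
 address-family ipv4 multicast
  aggregate-address 232.0.0.0/8 as-set # Source-Specific Multicast
  neighbor IBGP activate
  network 224.0.0.0/4 backdoor pathlimit 255 # Cold Potato
 exit-address-family
 address-family ipv4 unicast
  neighbor IBGP activate
  network 0.0.0.0/1 backdoor pathlimit 255 # Cold Potato
  network 128.0.0.0/2 backdoor pathlimit 255 # Cold Potato
  network 192.0.0.0/3 backdoor pathlimit 255 # Cold Potato
 exit-address-family
 address-family ipv6 multicast
  # aggregate-address ff0e::/16 as-set # Global Scope # Not implemented
  # aggregate-address ff3e::/32 as-set # Source-Specific Multicast # Not implemented
  neighbor IBGP activate
  # network ff00::/8 backdoor pathlimit 255 # Cold potato # Not implemented
 exit-address-family
 address-family ipv6 unicast
  neighbor IBGP activate
  # network 2000::/3 backdoor pathlimit 255 # Cold Potato # Not implemented
  redistribute babel
  # redistribute connected
  redistribute isis
  # redistribute kernel
  redistribute nhrp
  redistribute ospf6
  redistribute ripng
  # redistribute static
 exit-address-family

# Routing Policy Specification Language mandatory attributes
#
# as-set Class
# as-set: ASnumber:AS-Legal-Entity
# mnt-by: Legal-Entity-MNT
# mnt-by:
# https://www.rfc-editor.org/rfc/rfc2622#section-5.1
# https://www.rfc-editor.org/rfc/rfc4012#section-4.1
#
# aut-num Class
# aut-num: ASnumber
# admin-c: Role-Legal-Entity-IRR
# as-name: Legal-Entity
# mnt-by: Legal-Entity-MNT
# mnt-by:
# https://www.rfc-editor.org/rfc/rfc2622#section-3.1
# https://www.rfc-editor.org/rfc/rfc2622#section-6
# https://www.rfc-editor.org/rfc/rfc4012#section-2.5
#
# dictionary Class
# dictionary: RPSL
# mnt-by: Legal-Entity-MNT
# mnt-by:
# https://www.rfc-editor.org/rfc/rfc2622#section-7
# https://www.rfc-editor.org/rfc/rfc4012#section-2.2
# https://www.rfc-editor.org/rfc/rfc4012#section-2.3
#
# filter-set Class
# filter-set: FLTR-Legal-Entity
# filter: { 0.0.0.0/32^+, 0.0.0.0/8^+, 10.0.0.0/8^+, 100.64.0.0/10^+, 127.0.0.0/8^+, 169.254.0.0/16^+,
#           172.16.0.0/12^+, 192.0.0.0/29^+, 192.0.0.8/32^+, 192.0.0.9/32, 192.0.0.10/32, 192.0.0.170/32^+,
#           192.0.0.171/32^+, 192.0.0.0/24^+, 192.0.2.0/24^+, 192.31.196.0/24, 192.52.193.0/24,
#           192.88.99.0/24^+, 192.168.0.0/16^+, 192.175.48.0/24, 198.18.0.0/15^+, 198.51.100.0/24^+,
#           203.0.113.0/24^+, 240.0.0.0/4^+, 255.255.255.255/32^+, 0.0.0.0/0^0-30,
#           ::/128^+, ::1/128^+, ::ffff:0:0/96^+, 64:ff9b::/96, 64:ff9b:1::/48^+, 100::/64^+, 2001::/32^+,
#           2001:1::1/128, 2001:1::2/128, 2001:2::/48^+, 2001:3::/32^32-64, 2001:4:112::/48^48-64,
#           2001:10::/28^+, 2001:20::/28^28-64, 2001:30::/28^28-64, 2001:db8::/32^+, 2001::/23^+,
#           2002::/16^+, 2620:4f:8000::/48^48-64, fc00::/7^+, fe80::/10^+, 2000::/3^3-56, ff3e::/32^96,
#           ::/0^0-64 };
# mnt-by: Legal-Entity-MNT
# mnt-by:
# https://www.rfc-editor.org/rfc/rfc2622#section-5.4
# https://www.rfc-editor.org/rfc/rfc4012#section-4.3
#
# inetnum objects
# inetnum: 192.0.2.0 - 192.0.2.255
# admin-c: Role-Legal-Entity-IRR
# admin-c:
# changed: role@example.net YYYYMMDD
# changed:
# country: ISO 3166 alpha-2
# country:
# descr: Legal-Entity TEST-NET-1
# descr:
# mnt-by: Legal-Entity-MNT
# mnt-by:
# netname: RIR 192.0.2.0/24
# source: IRR
# tech-c: Role-Legal-Entity-IRR
# tech-c:
# https://www.rfc-editor.org/rfc/rfc2725#section-9.3
#
# RFC 2725 Extensions
# inet6num: 2001:db8::/32
# admin-c: Role-Legal-Entity-IRR
# admin-c:
# changed: role@example.net YYYYMMDD
# changed:
# country: ISO 3166 alpha-2
# country:
# descr: Legal-Entity Documentation
# descr:
# mnt-by: Legal-Entity-MNT
# mnt-by:
# netname: RIR 2001:db8::/32
# source: IRR
# tech-c: Role-Legal-Entity-IRR
# tech-c:
# https://www.rfc-editor.org/rfc/rfc4012#section-5
# This is equal to that which the Regional Internet Registry has allocated
#
# inet-rtr Class
# inet-rtr: router.example.net
# ifaddr: 2001:db8::EUI-64 masklen 64
# ifaddr:
# local-as: ASnumber
# mnt-by: Legal-Entity-MNT
# mnt-by:
# https://www.rfc-editor.org/rfc/rfc2622#section-9
# https://www.rfc-editor.org/rfc/rfc4012#section-4.5
#
# key-cert object
# key-cert: echo "PGPKEY-`gpg --list-sigs | awk '$1=="sig" && $2=="3" {last=$3} END {print last}'`"
# certif: echo "`gpg --armor --export | awk 'NF>0' | awk 'NR>1 {print "+" "\t" $0; next} 1'`"
# changed: role@example.net YYYYMMDD
# changed:
# fingerpr: echo "`gpg --fingerprint | awk '/^ / {print}' | awk '{gsub(/^ +/,"")}1'`"
# method: PGP
# mnt-by: Legal-Entity-MNT
# mnt-by:
# owner: Role, Legal-Entity
# owner:
# source: IRR
# https://www.rfc-editor.org/rfc/rfc2726#section-2.1
#
# mntner Class
# mntner: Legal-Entity-MNT
# admin-c: Role-Legal-Entity-IRR
# admin-c:
# auth: echo "PGPKEY-`gpg --list-sigs | awk '$1=="sig" && $2=="3" {last=$3} END {print last}'`"
# changed: role@example.net YYYYMMDD
# changed:
# descr: Legal-Entity Maintainer
# mnt-by: Legal-Entity-MNT
# mnt-by:
# referral-by: Legal-Entity-MNT
# referral-by:
# source: IRR
# tech-c: Role-Legal-Entity-IRR
# tech-c:
# upd-to: role@example.net
# upd-to:
# https://www.rfc-editor.org/rfc/rfc2622#section-3.1
# https://www.rfc-editor.org/rfc/rfc2725#section-10.1
#
# peering-set Class
# peering-set: PRNG-Legal-Entity
# mnt-by: Legal-Entity-MNT
# mnt-by:
# peering: Peer's_ASnumber at 2001:db8::EUI-64_of_Peer
# peering:
# https://www.rfc-editor.org/rfc/rfc2622#section-5.6
# https://www.rfc-editor.org/rfc/rfc4012#section-4.4
#
# person Class
# nic-hdl: Person-Legal-Entity-IRR
# address: Location
# address: ISO 3166 alpha-2
# e-mail: christian_name-surname@example.net
# e-mail:
# mnt-by: Legal-Entity-MNT
# mnt-by:
# person: Christian_Name Surname
# phone: E.164
# phone:
# https://www.rfc-editor.org/rfc/rfc2622#section-3.2
#
# role Class
# nic-hdl: Role-Legal-Entity-IRR
# address: Location
# address: ISO 3166 alpha-2
# e-mail: role@example.net
# e-mail:
# mnt-by: Legal-Entity-MNT
# mnt-by:
# phone: E.164
# phone:
# role: Role
# https://www.rfc-editor.org/rfc/rfc2622#section-3.3
#
# route Class
# route: 192.0.2.0/24
# mnt-by: Legal-Entity-MNT
# mnt-by:
# origin: ASnumber
# https://www.rfc-editor.org/rfc/rfc2622#section-4
#
# route6 Class
# route6: 2001:db8::/64
# mnt-by: Legal-Entity-MNT
# mnt-by:
# origin: ASnumber
# https://www.rfc-editor.org/rfc/rfc4012#section-3
# These are for what is configured in your network - for IPv6 the prefix will always be 64
# The alternative is to invert the logic by specifying that the route class is equal to the inetnum class and then using the "holes:" attribute to list the prefixes which have not been configured in your network
#
# route-set Class
# route-set: RS-Legal-Entity
# mnt-by: Legal-Entity-MNT
# mnt-by:
# https://www.rfc-editor.org/rfc/rfc2622#section-5.2
# https://www.rfc-editor.org/rfc/rfc4012#section-4.2
#
# rtr-set Class
# rtr-set: RTRS-Legal-Entity
# mnt-by: Legal-Entity-MNT
# mnt-by:
# https://www.rfc-editor.org/rfc/rfc2622#section-5.5
# https://www.rfc-editor.org/rfc/rfc4012#section-4.6
#
# Changes to the RIPE/RPSL Schema
# as-block: ASnumber-ASnumber
# admin-c: Role-Legal-Entity-IRR
# admin-c:
# changed: role@example.net YYYYMMDD
# changed:
# mnt-by: Legal-Entity-MNT
# mnt-by:
# source: IRR
# tech-c: Role-Legal-Entity-IRR
# tech-c:
# https://www.rfc-editor.org/rfc/rfc2725#section-10.1
# This implies that if a Confederation is to be configured with public Autonomous Systems numbers, that the Regional Internet Registry must delegate a range of Autonomous System numbers in a contiguous sequence to the maintainer during their initial registration of attributes.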