/* ... begin template ... */
version 4.3R3;
/* JUNOS 4.3R3 Secure BGP template */
routing-options {
options {
/* Turn off DNS resolution so route display and logging never block on,
or leak queries to, a resolver */
no-resolve;
}
static {
/* This is our aggregate static route. 1.88.0.0/19 is a template
placeholder - replace it with the netblock you actually hold.
NOTE(review): as given it sits inside the 1.0.0.0/8 entry that appears
below both as a discard route (harmless, the /19 and /24s are more
specific) and as a martian, which likely keeps 1.88.x routes learned
from peers out of the table - confirm on the target release and drop
the covering /8 from both lists once real addresses are in place. */
route 1.88.0.0/19 discard;
/* More specific routes used with discard route above. Remove these
if using an IGP to discover internal routes. The 192.168.50.x next
hops must stay reachable via a route that survives the martian check
further down (192.168.0.0/16 is listed there). */
route 1.88.50.0/24 next-hop 192.168.50.5;
route 1.88.55.0/24 next-hop 192.168.50.8;
route 1.88.75.128/25 next-hop 192.168.50.10;
/* Route to loopback of our iBGP peer */
route 172.17.70.2/32 next-hop 192.168.50.2;
/* Black-hole routes for traffic destined to these networks. This is a
point-in-time bogon snapshot (the same prefixes are repeated in the
martians list below): unallocated /8s get assigned over time, so a
stale list silently black-holes legitimate destinations. Maintain it
from a current bogon source and keep it in step with the martians. */
route 0.0.0.0/8 discard;
route 1.0.0.0/8 discard;
route 2.0.0.0/8 discard;
route 5.0.0.0/8 discard;
route 7.0.0.0/8 discard;
route 10.0.0.0/8 discard;
route 23.0.0.0/8 discard;
route 27.0.0.0/8 discard;
route 31.0.0.0/8 discard;
route 36.0.0.0/8 discard;
route 37.0.0.0/8 discard;
route 39.0.0.0/8 discard;
route 41.0.0.0/8 discard;
route 42.0.0.0/8 discard;
route 49.0.0.0/8 discard;
route 50.0.0.0/8 discard;
route 73.0.0.0/8 discard;
route 74.0.0.0/8 discard;
route 75.0.0.0/8 discard;
route 76.0.0.0/8 discard;
route 77.0.0.0/8 discard;
route 78.0.0.0/8 discard;
route 79.0.0.0/8 discard;
route 89.0.0.0/8 discard;
route 90.0.0.0/8 discard;
route 91.0.0.0/8 discard;
route 92.0.0.0/8 discard;
route 93.0.0.0/8 discard;
route 94.0.0.0/8 discard;
route 95.0.0.0/8 discard;
route 96.0.0.0/8 discard;
route 97.0.0.0/8 discard;
route 98.0.0.0/8 discard;
route 99.0.0.0/8 discard;
route 100.0.0.0/8 discard;
route 101.0.0.0/8 discard;
route 102.0.0.0/8 discard;
route 103.0.0.0/8 discard;
route 104.0.0.0/8 discard;
route 105.0.0.0/8 discard;
route 106.0.0.0/8 discard;
route 107.0.0.0/8 discard;
route 108.0.0.0/8 discard;
route 109.0.0.0/8 discard;
route 110.0.0.0/8 discard;
route 111.0.0.0/8 discard;
route 112.0.0.0/8 discard;
route 113.0.0.0/8 discard;
route 114.0.0.0/8 discard;
route 115.0.0.0/8 discard;
route 116.0.0.0/8 discard;
route 117.0.0.0/8 discard;
route 118.0.0.0/8 discard;
route 119.0.0.0/8 discard;
route 120.0.0.0/8 discard;
route 121.0.0.0/8 discard;
route 122.0.0.0/8 discard;
route 123.0.0.0/8 discard;
route 127.0.0.0/8 discard;
route 128.0.0.0/16 discard;
route 169.254.0.0/16 discard;
route 172.16.0.0/12 discard;
route 173.0.0.0/8 discard;
route 174.0.0.0/8 discard;
route 175.0.0.0/8 discard;
route 176.0.0.0/8 discard;
route 177.0.0.0/8 discard;
route 178.0.0.0/8 discard;
route 179.0.0.0/8 discard;
route 180.0.0.0/8 discard;
route 181.0.0.0/8 discard;
route 182.0.0.0/8 discard;
route 183.0.0.0/8 discard;
route 184.0.0.0/8 discard;
route 185.0.0.0/8 discard;
route 186.0.0.0/8 discard;
route 187.0.0.0/8 discard;
route 189.0.0.0/8 discard;
route 190.0.0.0/8 discard;
route 192.0.2.0/24 discard;
route 192.168.0.0/16 discard;
route 197.0.0.0/8 discard;
route 198.18.0.0/15 discard;
route 223.0.0.0/8 discard;
route 240.0.0.0/4 discard;
}
/* Our AS Number (a placeholder, like 222 and 333 under protocols bgp) */
autonomous-system 111;
/* Export the policy that turns on flow based load balancing */
forwarding-table {
export load-balancing;
}
/* Keep certain announcements from entering the routing table,
but permit specific discard routes to remain there. Use
'show route martians' to view them. NOTE(review): the eBGP neighbor
addresses (10.10.10.1, 10.10.5.1) and the 192.168.50.x next hops used
by the static routes above fall inside the 10/8 and 192.168/16 entries;
confirm that the connected routes needed to reach them are still
installed before relying on this list. */
martians {
0.0.0.0/8 longer;
1.0.0.0/8 longer;
2.0.0.0/8 longer;
5.0.0.0/8 longer;
7.0.0.0/8 longer;
10.0.0.0/8 longer;
23.0.0.0/8 longer;
27.0.0.0/8 longer;
31.0.0.0/8 longer;
36.0.0.0/8 longer;
37.0.0.0/8 longer;
39.0.0.0/8 longer;
41.0.0.0/8 longer;
42.0.0.0/8 longer;
49.0.0.0/8 longer;
50.0.0.0/8 longer;
73.0.0.0/8 longer;
74.0.0.0/8 longer;
75.0.0.0/8 longer;
76.0.0.0/8 longer;
77.0.0.0/8 longer;
78.0.0.0/8 longer;
79.0.0.0/8 longer;
89.0.0.0/8 longer;
90.0.0.0/8 longer;
91.0.0.0/8 longer;
92.0.0.0/8 longer;
93.0.0.0/8 longer;
94.0.0.0/8 longer;
95.0.0.0/8 longer;
96.0.0.0/8 longer;
97.0.0.0/8 longer;
98.0.0.0/8 longer;
99.0.0.0/8 longer;
100.0.0.0/8 longer;
101.0.0.0/8 longer;
102.0.0.0/8 longer;
103.0.0.0/8 longer;
104.0.0.0/8 longer;
105.0.0.0/8 longer;
106.0.0.0/8 longer;
107.0.0.0/8 longer;
108.0.0.0/8 longer;
109.0.0.0/8 longer;
110.0.0.0/8 longer;
111.0.0.0/8 longer;
112.0.0.0/8 longer;
113.0.0.0/8 longer;
114.0.0.0/8 longer;
115.0.0.0/8 longer;
116.0.0.0/8 longer;
117.0.0.0/8 longer;
118.0.0.0/8 longer;
119.0.0.0/8 longer;
120.0.0.0/8 longer;
121.0.0.0/8 longer;
122.0.0.0/8 longer;
123.0.0.0/8 longer;
127.0.0.0/8 longer;
128.0.0.0/16 longer;
169.254.0.0/16 longer;
172.16.0.0/12 longer;
173.0.0.0/8 longer;
174.0.0.0/8 longer;
175.0.0.0/8 longer;
176.0.0.0/8 longer;
177.0.0.0/8 longer;
178.0.0.0/8 longer;
179.0.0.0/8 longer;
180.0.0.0/8 longer;
181.0.0.0/8 longer;
182.0.0.0/8 longer;
183.0.0.0/8 longer;
184.0.0.0/8 longer;
185.0.0.0/8 longer;
186.0.0.0/8 longer;
187.0.0.0/8 longer;
189.0.0.0/8 longer;
190.0.0.0/8 longer;
192.0.2.0/24 longer;
192.168.0.0/16 longer;
197.0.0.0/8 longer;
198.18.0.0/15 longer;
223.0.0.0/8 longer;
240.0.0.0/4 longer;
}
}
/* Routing protocol configuration */
protocols {
bgp {
/* Log additional BGP information to aid in troubleshooting. To
view, use 'show log log-bgp' */
traceoptions {
/* Rotate through 5 files at 1mb each */
file log-bgp size 1m files 5;
/* Trace BGP state transitions */
flag state;
/* Trace BGP normal events */
flag normal;
}
/* Log BGP neighbor changes. Session up/down events are the first sign
of a flapping or attacked session, so keep this on and watch the log. */
log-updown;
/* Enable bgp route flap damping. The parameters come from the 'damping'
import policy and the damping profiles under policy-options. */
damping;
/* Keep private AS numbers 64512-65535 from leaking out */
remove-private;
family inet {
any {
/* MUST take into account current routing table size and keep
a CLOSE watch on this. Otherwise do NOT use! Prefix
limits can be applied at the group level instead if
desired. The maximum below is a template figure: set it from
the table sizes your peers actually send, or the sessions will be
torn down once the limit is reached. */
prefix-limit {
/* Tear down connection when routes reach maximum */
maximum 130000;
/* Start issuing warning messages at teardown percent */
teardown 90;
}
}
}
/* iBGP peer-group with AS 111. Peer-groups save typing and CPU
cycles when multiple neighbors exist with same policy */
group iBGP_111 {
type internal;
description "iBGP with AS 111";
/* Set my address to that of lo0 */
local-address 172.17.70.1;
/* TCP MD5 session key (RFC 2385) - it protects the session against
spoofed segments, it does not encrypt anything. The value here is a
template placeholder: use a unique, strong key per peer, agree it out
of band with the peer operator, and keep real keys out of shared
templates. */
authentication-key bgpwith111;
/* Set next-hop-self for eBGP routes sent to our iBGP peer */
export next-hop-self;
/* The following is assumed if not entered */
peer-as 111;
/* Loopback address of our internal peer */
neighbor 172.17.70.2;
}
/* eBGP peer-group with AS 222 */
group eBGP_222 {
type external;
description "eBGP with AS 222";
/* Placeholder key - see the note on iBGP_111 */
authentication-key bgpwith222;
/* Inbound filtering: Remove bogons, small prefixes, private ASN
advertisements, and set damping parameters. The policies run in this
order; each one either rejects the route or hands it on, and whatever
none of them rejects falls through to the protocol's default import
action. */
import [ nobogons nosmallprefixes noprivateasns damping ];
/* Only announce our netblock ('announce' rejects everything except the
exact static aggregate, so more-specifics never leak) */
export announce;
peer-as 222;
/* Allow installation of equal cost BGP paths into inet.0
(routing table), one of which is then selected at random */
multipath;
neighbor 10.10.10.1;
}
/* eBGP peer-group with AS 333. Same policy set as eBGP_222; see the
comments there. */
group eBGP_333 {
type external;
description "eBGP with AS 333";
/* Placeholder key - see the note on iBGP_111 */
authentication-key bgpwith333;
import [ nobogons nosmallprefixes noprivateasns damping ];
export announce;
peer-as 333;
multipath;
neighbor 10.10.5.1;
}
}
}
/* Route filtering configuration */
policy-options {
/* List of root-servers.net as of 09/11/01.
Refer to RIPE-229 [6] on keeping this list current. A stale entry here
only means a root server gets dampened like any other prefix; a stale
bogon list (see routing-options) is the more damaging of the two. */
prefix-list root-servers.net {
128.8.0.0/16;
128.9.0.0/16;
128.63.0.0/16;
192.5.4.0/23;
192.33.4.0/24;
192.36.148.0/24;
192.112.36.0/24;
192.203.230.0/24;
193.0.14.0/24;
198.32.64.0/24;
198.41.0.0/24;
202.12.27.0/24;
}
/* Match what we configured as our static aggregate netblock. Only the
exact /19 learned from 'static' is accepted; term 2 rejects everything
else, including the more-specific internal routes and anything learned
from other peers (no transit). Update the prefix together with the
static route. */
policy-statement announce {
term 1 {
from {
protocol static;
route-filter 1.88.0.0/19 exact;
}
then accept;
}
term 2 {
then reject;
}
}
/* Martians list will reject bogon routes not listed here. Don't want
multicast address range listed in the martian list. This policy and
the martians list together make up the bogon filter, so both need
maintaining. */
policy-statement nobogons {
from route-filter 224.0.0.0/4 orlonger reject;
}
/* Reject advertisements that contain private AS numbers. */
policy-statement noprivateasns {
from as-path private;
then reject;
}
/* AS-PATH referenced in the noprivateasns policy.
NOTE(review): JunOS AS-path expressions match the whole path, so as
written this appears to match only a path consisting of a single
private AS; to catch a private AS anywhere in the path the usual form
is ".* 64512-65535 .*" - confirm against the AS-path regex rules of
the target release. */
as-path private 64512-65535;
/* Drop prefixes of length /27 through /32 (/27 and longer). Other BGP
policies may vary */
policy-statement nosmallprefixes {
from route-filter 0.0.0.0/0 prefix-length-range /27-/32 reject;
}
/* Set next-hop to self. Used for eBGP routes sent to iBGP peers */
policy-statement next-hop-self {
then {
next-hop self;
}
}
/* Configure load balancing. IP1 ASIC performs packet load balancing on
up to 8 equal cost paths. IP2 ASIC performs flow based load balancing
on up to 16 equal cost paths. Use only if you have an IP2 ASIC. */
policy-statement load-balancing {
then {
load-balance per-packet;
}
}
/* Configure our damping policy according to RIPE-229 and an updated set
of DNS netblocks. */
policy-statement damping {
/* Do NOT dampen DNS root-servers */
term 1 {
from {
prefix-list root-servers.net;
}
then {
damping damp-none;
/* Ignore rest of terms and jump to next policy called */
next policy;
}
}
/* Dampen according to prefix length. JunOS penalises on withdraw
and on readvertise. So one flap attracts a total penalty of 2000.
An attribute change attracts a penalty of 500.
NOTE(review): the three route-filters below share the prefix 0.0.0.0/0
and overlap (a /20 satisfies both 'upto /21' and 'upto /23'); confirm
on the target release which entry wins when several match, since the
damping profile applied depends on it. */
term 2 {
from {
/* Lower penalty for prefixes of size /21 and smaller */
route-filter 0.0.0.0/0 upto /21 damping damp-short;
/* Medium penalty for prefixes of size /22 to /23 */
route-filter 0.0.0.0/0 upto /23 damping damp-medium;
/* Higher penalty for prefixes of size /24 and larger */
route-filter 0.0.0.0/0 orlonger damping damp-long;
}
then {
next policy;
}
}
}
/* Min: 30 min, Max: 60 min, dampen at 3 flaps (suppress 6000 = three
2000-point flaps as described above) */
damping damp-long {
half-life 30;
reuse 1640;
suppress 6000;
max-suppress 60;
}
/* Min: 15 min, Max: 45 min, dampen at 3 flaps */
damping damp-medium {
half-life 15;
reuse 1500;
suppress 6000;
max-suppress 45;
}
/* Min: 10 min, Max: 30 min, dampen at 3 flaps */
damping damp-short {
half-life 10;
reuse 3000;
suppress 6000;
max-suppress 30;
}
/* Do not dampen. Referenced for DNS root-servers */
damping damp-none {
disable;
}
}
/* Firewall filtering rules need to be applied to an interface. In this case
it should be merged with existing firewall policy and applied to lo0. */
firewall {
/* Not applied anywhere in this template: attach it to lo0 (merged with
any existing lo0 filter) so that it sees traffic addressed to the
routing engine. Only BGP is restricted here - term 2 accepts everything
else, so other control-plane services still need their own terms. */
filter router-protect {
/* Drop and count all unexpected BGP connection attempts (the term
counts rather than logs; add 'log' or 'syslog' under 'then' if
per-packet records are wanted). 'port bgp' matches TCP 179 as either
source or destination port, so the except list must hold every
configured peer address - it mirrors the neighbor and local-address
statements under protocols bgp plus our own loopback - and a neighbor
added there without an entry here is silently discarded. The counter
can be read with 'show firewall filter router-protect' and is a
useful signal of unsolicited BGP traffic reaching the router. */
term 1 {
from {
address {
0.0.0.0/0;
10.10.5.1/32 except;
10.10.10.1/32 except;
172.17.70.1/32 except;
172.17.70.2/32 except;
}
protocol tcp;
port bgp;
}
then {
count manage-discard-bgp;
discard;
}
}
term 2 {
then {
/* Allow all other traffic */
count manage-accept-other;
accept;
}
}
}
}
/* ... end template ... */